UnixTime

Research Note

Common Exam Traps

Research note.

On this page

Clauses 4-10 vs Annex A

Trap Correction
Clauses 4-10 can be excluded if not relevant They cannot be excluded
All Annex A controls are mandatory Annex A controls are selected based on risk and justified in the SoA
ISO 27002 is used for certification ISO 27001 is certifiable; ISO 27002 is guidance
No third-party audit means no internal audit Internal audit is mandatory for ISO 27001 conformity

Control attributes

Trap Correction
Attributes are mandatory requirements Attributes are optional metadata
Attributes replace risk assessment They support analysis but do not replace risk assessment
Attributes replace the SoA They do not replace applicability justification
The main purpose is cost reduction Main purpose is categorization, analysis, selection, review, and mapping

A.5.1 Policies

Trap Correction
Having a policy document is enough It must be approved, published, communicated, acknowledged, controlled, and reviewed
Top-level policy should contain every detail It should be concise and link to topic-specific policies
Only employees need access to policy requirements Relevant external parties may also need them
Review only happens annually Review should be planned and triggered by significant changes

A.5.2 Roles and responsibilities

Trap Correction
Only security team needs defined responsibilities Everyone needs baseline responsibilities; special roles need specific ones
Appointing a CISO satisfies the control Not enough; responsibilities must be allocated across the organization
Delegation transfers accountability Accountability remains unless formally reassigned
Contractors are exceptions Contractors and third parties must be covered
“Everyone is responsible” is enough Too vague; specific accountability is needed

A.5.3 Segregation of duties

Trap Correction
SoD applies only to finance It applies to information security, access, change, audit, logs, suppliers, etc.
Small organizations can ignore SoD They need compensating controls where full segregation is impractical
Logging alone is enough Logs must be tamper-resistant and independently reviewed
Two people automatically means segregation Independence and role separation must be effective
SoD eliminates collusion It reduces risk but does not eliminate it

A.5.4 Management responsibilities

Trap Correction
Management responsibility means only top management Line managers and department heads are included
Security team enforces everything Managers must require personnel to follow policies and procedures
Policy approval proves management responsibility Not enough; managers must reinforce security in daily work
Awareness training alone is enough Managers must verify compliance and address non-compliance
Senior people can have informal exceptions Exceptions should be risk-assessed, approved, documented, and reviewed

A.5.5 Contact with authorities

Trap Correction
Authorities means only police It can include regulators, CERTs, emergency services, sector bodies, and other official authorities
A contact list is enough Purpose, trigger, owner, authorization, review, and disclosure rules are also needed
Contact is only needed after incidents Some relationships are time-driven or preparedness-driven
Contacting authorities means sharing everything External disclosure still needs approval and confidentiality handling

A.5.6 Contact with special interest groups

Trap Correction
Only paid memberships count Free advisories, forums, briefings, and professional communities can be suitable
Small organizations can ignore this They need proportionate external awareness
Attendance alone is strong evidence Information should be shared internally or used
Professional networking permits disclosure Confidential information must still be protected

A.5.7 Threat intelligence

Trap Correction
Threat feeds equal threat intelligence Intelligence requires analysis, context, and use
Paid intelligence service satisfies the control by itself The organization still has to analyze and apply it
Internal incident history is enough External threat information is needed for emerging risks
Threat intelligence is only technical It can support management, risk, supplier, incident, and control decisions
AI/search can be used freely for research Sensitive organizational information can leak and must be controlled

A.5.8 Information security in project management

Trap Correction
Applies only to software development Applies to projects that affect systems, services, processes, suppliers, infrastructure, or data flows
Project risk register is enough Information security risk should be distinct and linked to ISMS risk management
Security can wait until go-live Security requirements should be identified early
Commercial software is automatically safe COTS, add-ons, integrations, and customizations still need security assessment
Functional testing is enough Security requirements must also be validated
Project team can remove controls to hit deadlines Security control removal needs proper risk escalation and acceptance

A.5.9 Inventory of information and other associated assets

Trap Correction
Asset inventory means hardware inventory It includes information and associated assets, including software, services, documents, media, and processes
IT is automatically the owner of all assets Business owners are accountable for value, classification, and protection expectations
Custodian equals owner Custodians operate or protect assets day to day; owners remain accountable
Inventory only needs to be created once It must be maintained through project, change, procurement, and disposal processes
Retained records that create liability are not assets They still require inventory, protection, retention, and disposal controls
Disposal can be handled informally Disposal should be recorded, authorized, and reflected in the inventory

A.5.10 Acceptable use of information and other associated assets

Trap Correction
Acceptable use only means internet browsing It covers information and associated assets in multiple forms
Device rules are enough Handling rules for information are also required
Classification labels are enough Users need practical handling procedures for each label
Employees are the only users in scope Contractors and third-party users may also need to accept the rules
A signed acknowledgement proves the control works Awareness, implementation, monitoring, and enforcement still matter

A.5.11 Return of assets

Trap Correction
Return of assets means only laptops It includes devices, cards, keys, documents, media, software, and information
Only termination triggers return Role changes and contract/agreement changes can also trigger return
Access removal is the same as asset return Related, but different controls
Contractors are out of scope Contractors and third-party users can be in scope
Personal-device data is irrelevant Organizational information on personal or third-party equipment must be returned or securely erased where applicable

A.5.12 Classification of information

Trap Correction
ISO defines universal classification labels Organizations define labels that fit their context
Classification only considers confidentiality Integrity, availability, and interested-party requirements also matter
Labels are enough Handling rules must explain what each classification requires
More classification levels are always better Too many levels cause inconsistent use
IT should classify everything Asset owners should classify or approve classification

A.5.13 Labelling of information

Trap Correction
Labelling is the same as classification Labelling makes classification visible or actionable
Only paper documents need labels Digital documents, email, repositories, systems, and media may also need labelling
Labels only matter at creation Labels should remain with information when form changes where practical
Most sensitive content can be ignored in a container The label should reflect the most sensitive information where practical
Visible labels are always best For highly sensitive material, controlled or disguised labelling may be justified

A.5.14 Information transfer

Trap Correction
Information transfer means email only It covers all transfer facilities, including messaging, file sharing, phone, fax, courier, print, removable media, and system integrations
Internal transfer does not need rules Internal and external transfers are both in scope
Disclaimers protect email transfers Disclaimers do not replace transfer controls
Classification is unrelated to transfer Classification should drive approved transfer methods and controls
Third-party transfers can rely on trust Agreements should define required transfer controls
Approved messaging platforms need no control Access, use cases, monitoring, and data types still need limits

A.5.15 Access control

Trap Correction
Access control is only logical/system access It covers physical and logical access
Senior roles automatically need broad access Access still needs business justification
Role-based access solves everything Role profiles must be designed and reviewed
Access review means checking users still exist Review must check whether access is still needed
Least privilege is optional Unnecessary access should be denied

A.5.16 Identity management

Trap Correction
Identity management means account creation It covers the full lifecycle
Shared accounts are acceptable if convenient Shared identities need justification and compensating accountability controls
User means only ordinary employees It includes administrators, support, developers, contractors, third-party users, and other users
Old identities can be reused Redundant identities should not be reissued
Identity and access are the same Identity identifies the user; access defines what the user can use

A.5.17 Authentication information

Trap Correction
User IDs and email addresses are secret authentication information They are identifiers, not secret authentication information
Authentication information means only passwords It can include PINs, recovery answers, biometric data/templates, tokens, and secrets
Identity management and authentication information are the same Identity identifies the user; authentication information helps prove the identity
Temporary/default credentials are harmless They must be controlled and changed
Password testing can be done casually Testing needs proper management authorization

A.5.18 Access rights

Trap Correction
Defining access rules is enough Rights must be provisioned, reviewed, modified, and removed
Leavers are the only problem Movers and long-tenured/promoted staff often retain old access
Access review means checking active users Review must compare actual access to authorized business need
Physical access is separate Physical access rights are in scope
Shared credentials can stay unchanged Change shared credentials when a user no longer needs access

A.5.19 Information security in supplier relationships

Trap Correction
Supplier security only matters when suppliers have system access Physical access, data exposure, products, services, and decision-support information also create risk
Procurement vendor list is enough Security exposure, owner, tiering, agreements, and review matter
Same questionnaire for every supplier is enough Controls should be proportional to risk and exposure
Subcontractors are the supplier’s problem only Delegated activities should be controlled contractually
Trust replaces contract controls Supplier requirements should be defined and enforceable

A.5.20 Addressing information security within supplier agreements

Trap Correction
Any signed supplier contract satisfies the control The agreement must include relevant information security requirements
Security requirements can be agreed after onboarding Required controls should be agreed before access or information sharing
Same security clause fits all suppliers Requirements should reflect supplier relationship, exposure, and risk
Supplier certification replaces contract terms Certification can support assurance, but relationship-specific requirements still matter
Operational staff can waive supplier requirements informally Deviations should be justified, risk-assessed, approved, and documented

A.5.21 Managing information security in the ICT supply chain

Trap Correction
ICT supply-chain risk means only the direct vendor Indirect suppliers, subcontractors, hosting, support, and components can create risk
General supplier management fully covers A.5.21 A.5.21 is specifically about ICT product and service supply chains
The organization must contract directly with every indirect supplier Risk is often managed through the direct supplier agreement and flow-down obligations
Low-risk and critical ICT suppliers need the same review depth Review depth should be proportionate to criticality and exposure
Supplier changes are operational only Changes in hosting, support, subcontractors, or data location can change security risk

A.5.22 Monitoring, review and change management of supplier services

Trap Correction
Supplier due diligence ends after contract signing Supplier services and security practices need ongoing monitoring and review
Receiving reports is enough Reports should be reviewed, evaluated, and acted on
SLA monitoring is the same as security monitoring Security practices, incidents, changes, and controls also matter
Supplier incidents stay with the supplier Supplier incidents may need to trigger the organization’s incident process
Supplier change acceptance is just procurement Material changes should trigger risk review and management approval where relevant

A.5.23 Information security for use of cloud services

Trap Correction
Cloud is just another supplier with no special treatment Cloud has specific shared responsibility, data location, support access, configuration, and exit risks
Provider certification proves the cloud service is secure Certification does not prove the customer’s configuration and responsibilities are handled
Data location is only a technical architecture detail Location affects legal, regulatory, contractual, and risk decisions
Cloud exit can be planned later Exit strategy is part of cloud governance from acquisition
Standard provider terms are automatically unacceptable Standard terms may be accepted if risks above tolerance are understood and approved

A.5.24 Information security incident management planning and preparation

Trap Correction
Incident management starts when an incident occurs The control is about planning and preparation before incidents happen
Incident management is only for cyberattacks Incidents can include failures, data loss, misdirected emails, physical events, and failed controls
A documented plan is enough Processes, roles, responsibilities, and reporting routes must be established and communicated
Every event needs the same escalation Triage and classification should guide escalation and response
Lessons learned are optional Incidents should feed corrective action, risk review, and ISMS improvement

A.5.25 Assessment and decision on information security events

Trap Correction
Every event is automatically an incident Events must be assessed and categorized using defined criteria
The first reporter decides final classification A point of contact may triage, but the incident team or authorized role may confirm classification
Verbal triage is enough The decision and supporting justification should be recorded
Classification is purely technical Legal, contractual, customer, and notification timelines can affect urgency
Categories never need review Categories should be reviewed for clarity, relevance, and usefulness

A.5.26 Response to information security incidents

Trap Correction
A good technical fix proves good incident response Response should follow documented procedures and leave records
Evidence can be considered after recovery Evidence needs should be decided early because response actions can alter evidence
Incident response is only an IT task Responsibilities can include business, legal, privacy, communications, suppliers, and management
Chat history is enough evidence Incident records should show decisions, actions, timing, owners, and follow-up
Procedures can stay generic Procedures should identify relevant activities and responsibilities

A.5.27 Learning from information security incidents

Trap Correction
Closing the incident is enough Knowledge from incidents should strengthen and improve controls
No incidents means the control is working It may mean reporting is weak or evidence is not being captured
Lessons learned means a meeting happened Learning should produce tracked improvements where needed
Human error is a complete root cause The review should examine controls, procedures, training, detection, response, and evidence handling
Lessons are only for security teams Anonymized case studies can improve wider awareness and training

A.5.28 Collection of evidence

Trap Correction
Evidence means screenshots attached to a ticket Evidence should be identified, collected, acquired, preserved, and protected
Chain of custody is only for police cases Chain of custody supports integrity and accountability whenever evidence may matter
Investigation can happen on original evidence Forensic work should use sound copies where originals may be needed later
Evidence collection can wait until legal asks Collection should start early enough to avoid destruction or contamination
Shared folders are fine for evidence Evidence storage should restrict unauthorized access, modification, and destruction

A.5.29 Information security during disruption

Trap Correction
Business continuity is only about restoring operations Security requirements must remain appropriate during disruption
Security can be relaxed informally during a crisis Emergency exceptions should be authorized, recorded, monitored, and reviewed
Disaster recovery plans automatically cover security Security objectives and responsibilities must be explicit
Supplier continuity plans are enough by themselves Supplier continuity arrangements should meet the organization’s security requirements
Testing is optional if the plan is detailed Complex continuity plans need practice and evidence of testing

A.5.30 ICT readiness for business continuity

Trap Correction
Backups equal ICT readiness Readiness also requires priorities, RTO/RPO, dependencies, playbooks, people, and testing
IT decides recovery order alone Recovery priorities should come from business continuity objectives and stakeholder input
RTO/RPO values are useful even if unrealistic Targets must be meaningful and achievable in the operational context
Supplier-hosted services are out of scope Supplier ICT continuity matters where the organization depends on supplier availability
A.5.30 can ignore confidentiality and integrity Availability recovery is not enough if the restored service is insecure; read it with A.5.29
Trap Correction
A legal register is enough Requirements must be owned, kept current, and mapped to controls and evidence
Contracts are legal team-only documents Security commitments in contracts must be extracted and implemented
Requirements change without affecting the ISMS Changes should trigger control, policy, evidence, or contractual updates where needed
Cryptography is only a technical choice Encryption, digital signatures, and electronic communications can have legal or jurisdictional requirements
International or online business is automatically covered Applicable jurisdictions and cross-border obligations may need specialist review

A.5.32 Intellectual property rights

Trap Correction
IP protection means only avoiding pirated software It also covers documents, designs, trademarks, patents, source code, libraries, subscription content, and AI-generated material
Software inventory proves compliance Inventory must be reconciled against licence terms and actual use
Developers can use any library they find Third-party and open-source licences should be reviewed before use
AI-generated content is automatically safe to reuse Provider terms, source material rights, confidentiality, attribution, and ownership need review
Copyright infringement is just a policy issue It can create contractual, civil, and criminal exposure depending on jurisdiction

A.5.33 Protection of records

Trap Correction
Records protection is just backup Records also need integrity, access control, retention, readability, and secure disposal
Keeping records for a long time is enough They must remain readable and usable until the end of retention
Encryption always solves records protection Key retention and future access must be planned
Scanned records are always legally equivalent Legal admissibility and integrity requirements may need review
Annual inventory checks are optional Required records should be checked and documented at least annually

A.5.34 Privacy and protection of PII

Trap Correction
Privacy equals confidentiality only Privacy also includes purpose, minimization, access, retention, transfer, rights, and breach handling
A privacy policy proves compliance Auditors need PII inventory, requirement mapping, controls, training, reviews, and evidence
PII means only customer databases PII may exist in exports, logs, support tickets, spreadsheets, backups, HR files, and supplier systems
Local law is the only requirement Contracts or client requirements can impose stronger PII protections
No recent breach means notification readiness is fine Notification obligations and escalation paths should be known before an incident

A.5.35 Independent review of information security

Trap Correction
Independent always means external Internal review can qualify if the reviewer is independent from the reviewed scope
Certification audit is unrelated A suitably scoped accredited certification audit can satisfy this control
Planned reviews are enough Significant changes should trigger supplementary review when criteria are met
Findings are enough Results should be recorded, reported to management, and tracked to corrective action
Review only means document review People, processes, technologies, approach, and implementation are in scope

A.5.36 Compliance with policies, rules and standards

Trap Correction
Compliance review is only internal audit Managers should review compliance in their own areas, and technical conformity checks may also be needed
Technical checks can be run by anyone Checks should be performed by competent, authorized personnel
Testing tools are harmless Some tools can disrupt systems or look like attack tools and must be controlled
Closing a finding means the issue is fixed Remedial action should be verified for desired effect
One technical issue is isolated by default Similar issues should be considered elsewhere

A.5.37 Documented operating procedures

Trap Correction
Experienced staff make procedures unnecessary Critical operations should not depend on memory or specific individuals
Procedures can be informal Operating procedures should be controlled formal documents where risk requires
Availability means stored somewhere Personnel who need procedures should know where to find the latest approved version
Supplier operations are outside scope Outsourced/network/cloud operations still need documented procedures and service expectations
More detail is always better Procedure detail should match size, complexity, risk, and frequency of use

A.6.1 Screening

Trap Correction
Screening means criminal-record checks only Screening can include identity, CV, qualifications, references, gaps, and role suitability checks where lawful and justified
Strongest screening for everyone is best Screening should be proportional to business need, information classification, law, ethics, and perceived risk
Contractors are outside the control Contractors, temporary staff, and third-party users can be in scope
Candidate-supplied CVs and certificates are enough Independent verification is stronger where permitted
Ongoing screening means constant surveillance Ongoing checks should be triggered by justified risk, role, or access changes and remain lawful
Screening evidence can be kept anywhere Screening records are personal data and need access, retention, and disposal controls

A.6.2 Terms and conditions of employment

Trap Correction
A confidentiality agreement alone satisfies the control Confidentiality helps, but terms should cover broader information security responsibilities
Only employees need security terms Contractors and third-party users in ISMS scope also need appropriate terms
Terms can be signed after onboarding Responsibilities should be accepted before work starts or before confidential access
Security responsibilities never need updating Role, access, facility, customer-site, or remote-work changes can require updated terms
The control only covers personnel duties The organization’s responsibilities, including personnel personal data handling, also matter
Remote work is unrelated Terms may need to cover home work, customer sites, outside-hours work, and post-employment duties where legally valid

A.6.3 Information security awareness, education and training

Trap Correction
Annual awareness training is enough Training should be appropriate to job function, responsibility, policies, procedures, and current threats
Awareness, education, and training mean the same thing Awareness reminds; education builds understanding; training builds role-specific capability
Only employees need training Contractors, third-party users, and relevant interested parties can be in scope
Attendance proves competence Stronger evidence includes role mapping, content, timing, assessment, interview results, and effectiveness review
Specialist staff can rely only on experience Experience or qualifications should be current, relevant, and verified where used instead of formal training
Training happens only at onboarding Refreshers and updates are needed after role, policy, procedure, threat, system, incident, or audit changes

A.6.4 Disciplinary process

Trap Correction
Every mistake requires disciplinary action Response should be evidence-based and proportionate
Informal manager action is enough The process should be formalized and communicated
Suspicion is enough to start action Sufficient evidence of breach or non-compliance should exist
Only employees are relevant Other relevant interested parties can be covered through contracts or agreements
Sanctions alone create security culture Incentives, training, and fair treatment also matter

A.6.5 Responsibilities after termination or change of employment

Trap Correction
This is only about leavers Role changes and contractor/third-party changes are also in scope where relevant
Disabling the user account is enough Physical access, assets, information, notifications, and continuing duties also matter
Movers only need new access added Old-role access should be removed unless still justified
Confidentiality ends on termination Continuing duties can remain valid where defined and legally enforceable
All terminations use the same urgency High-risk cases may need immediate access removal

A.6.6 Confidentiality or non-disclosure agreements

Trap Correction
A generic NDA for everyone is enough Agreements should reflect actual business, legal, contractual, and information security needs
NDA can be signed after disclosure It should be signed before access to confidential information
Only employees need NDAs Personnel and other relevant interested parties can be in scope
NDA replaces technical controls NDA supports confidentiality but does not replace access, classification, handling, and transfer controls
Legal review is optional in all cases Enforceability and legal conflicts may require specialist review

A.6.7 Remote working

Trap Correction
VPN satisfies the control VPN is only one control; endpoint, physical, access, data, and user controls also matter
Home work is automatically secure Home environments can expose information to family members and visitors
Public work has the same risk as home work Public locations increase shoulder-surfing, theft, paper, and conversation risks
Remote devices do not need inventory Equipment used for organization information should be tracked where relevant
All remote-accessible data is approved for remote work Remote access should be limited to required information and tasks

A.6.8 Information security event reporting

Trap Correction
Only confirmed incidents need reporting Observed or suspected events and weaknesses should be reported
Event reporting equals incident response Reporting feeds assessment and response; it is not the whole lifecycle
No reports proves no events It can indicate poor awareness or weak reporting culture
Security events are only technical Physical, paper, human, supplier, and privacy events can be reportable
Users should prove a weakness before reporting Users should not exploit or probe weaknesses without authorization

A.7.1 Physical security perimeters

Trap Correction
A locked front door satisfies the control Larger or higher-risk premises may need multiple internal security zones
Perimeter means only an external wall Internal rooms, floors, cages, archives, and customer zones can be perimeters
Physical security only protects against outsiders Internal personnel, visitors, cleaners, and contractors can also create risk
A floorplan proves the control Auditors need evidence that boundaries are complete and used
Shared building access is outside scope Landlord or building-management access can bypass the organization’s perimeter

A.7.2 Physical entry

Trap Correction
Physical entry is the same as perimeter A.7.1 defines boundaries; A.7.2 controls access points into secure areas
Visitor sign-in alone is enough Visitors may need badges, escorting, area restrictions, and exit logging
Badges work if staff do not wear them Badge discipline and challenge behavior are part of operation
Delivery areas are only logistics Delivery/loading routes can bypass secure areas and affect asset inventory
Physical access never needs review Physical access should be reviewed and removed like logical access

A.7.3 Securing offices, rooms and facilities

Trap Correction
A.7.3 is the same as A.7.1 A.7.1 defines perimeters; A.7.3 designs room/facility protection
Room labels are harmless Signs can reveal high-value targets
Internal directories are low risk Directories and phone lists can support social engineering and targeting
All rooms need the same controls Controls should reflect value, liability, importance, and classification
Specialized physical controls are always better Controls such as shielding need risk and operational justification

A.7.4 Physical security monitoring

Trap Correction
CCTV alone satisfies the control Monitoring needs response procedures, escalation, testing, and records
Physical alarms are facilities-only Information security may need involvement when information/assets are affected
False alarms do not matter Repeated false alarms weaken response and should be managed
Monitoring does not need testing Alarm and notification effectiveness should be tested
Alarm response is separate from incident management Physical breaches can be information security events or incidents

A.7.5 Protecting against physical and environmental threats

Trap Correction
Fire safety alone satisfies the control The control covers relevant physical and environmental threats to infrastructure
Only natural disasters matter Intentional and unintentional man-made threats also matter
Neighboring premises are irrelevant Neighbor hazards can affect the organization’s site and continuity
BCP is separate Fallback and backup arrangements should align to physical/environmental risk
Environmental controls are facilities-only They protect information assets, ICT services, and availability

A.7.6 Working in secure areas

Trap Correction
Badge access satisfies the control A.7.6 controls work practices inside the secure area
Secure-area rules apply only to employees Contractors, suppliers, visitors, and third parties need consistent rules
Mobile phones are harmless Phones can capture photos, video, audio, and messages
Dual control is always mandatory Dual control is applied where risk requires it
Need-to-know is optional Need-to-know limits unnecessary knowledge of sensitive work

A.7.7 Clear desk and clear screen

Trap Correction
Clear desk is just housekeeping It protects against disclosure, loss, damage, and misfiling
Clear screen means turning off monitors It means preventing unauthorized viewing or access, usually through locking
It applies only after work It applies during and outside working hours
Printers are out of scope Printers and fax machines can expose sensitive output
Same rule fits every area Controls should match classification and exposure risk

A.7.8 Equipment siting and protection

Trap Correction
Equipment protection means only server room locks It also covers workstations, screens, network devices, remote equipment, and environmental exposure
Environmental threats are only A.7.5 A.7.5 covers site threats broadly; A.7.8 applies protection to equipment siting
Clear screen fully covers visible screens A.7.7 defines behavior; A.7.8 considers physical screen placement and viewing angle
Remote equipment is out of scope Remote and networked equipment should be inventoried, scoped, risk-assessed, and protected
Electromagnetic shielding is always required Specialized controls require plausible, relevant risk justification

A.7.9 Security of assets off-premises

Trap Correction
VPN solves off-premises asset security Physical assets, paper, media, BYOD, custody, and loss/theft risk remain
BYOD is out of scope because the organization does not own it Organization information accessed from BYOD still creates risk
Insurance replaces security controls Insurance may reduce financial impact but does not protect confidentiality
Asset removal can be informal Removal of sensitive assets should be authorized and recorded
Off-site protection must always equal on-site protection It should be comparable where practical; differences need informed risk acceptance

A.7.10 Storage media

Trap Correction
Storage media means only USB drives It includes backup tapes, disks, removable drives, optical media, printed media, and similar carriers
Encryption alone solves transport Courier, packaging, authorization, records, and key separation also matter
Disposal is enough if a contractor signs a certificate The organization needs a satisfactory audit trail and contractor assurance
Damaged media can always be repaired Sensitive damaged media may need destruction instead of repair
Media controls are separate from classification Handling should follow classification and handling requirements

A.7.11 Supporting utilities

Trap Correction
Supporting utilities means only electricity It also includes cooling, telecoms, water, fire protection, emergency lighting, and related systems
UPS existence proves compliance Capacity, runtime, load, maintenance, testing, and cooling dependency matter
Generator protects all critical operations automatically Scope, fuel, load, cooling, maintenance, and tested runtime must match requirements
Public utilities can be assumed reliable Risk assessment should consider utility disruption
Building management systems are facilities-only In-scope BMS should be protected like other IT systems

A.7.12 Cabling security

Trap Correction
Cabling is only an availability issue Interception and tampering can affect confidentiality and integrity
Labels are cosmetic Labelling reduces incorrect connections and fault-tracing failures
Encryption replaces physical cabling protection Encryption can help, but physical protection and routing still matter
External provider junctions are out of scope They should be considered where they create risk
Power and data can always share routes Segregation may be needed to avoid interference

A.7.13 Equipment maintenance

Trap Correction
Maintenance only protects availability It also protects integrity and confidentiality
Correct operation means no maintenance is needed Equipment can fail suddenly without preventive maintenance
External maintenance access is harmless Maintainers may see data or modify equipment
Repair completion is enough Post-maintenance testing and tamper checks may be required
Maintenance is outside ISMS scope It is in scope when it affects information security

A.7.14 Secure disposal or re-use of equipment

Trap Correction
Deleting files is secure disposal Deleted files may be recoverable
Only computers contain storage Printers, CCTV, network devices, and embedded systems can store data
Encryption always solves disposal risk Key handling, encryption strength, and data sensitivity lifetime matter
Contractor certificate is enough The record should be traceable to specific assets/media
A.7.14 is the same as A.7.10 A.7.10 covers media lifecycle; A.7.14 covers equipment disposal/reuse containing media

A.8.1 User end point devices

Trap Correction
Endpoint security means anti-malware only It also includes patching, encryption, authentication, remote access, timeout, backup, storage, and user training
BYOD is out of scope Organizational information accessed from BYOD remains in scope
VPN alone protects endpoint use Device security, user authentication, storage, and loss/theft controls still matter
Screen timeout is only convenience It prevents misuse of unattended logged-in sessions
Mobile devices are only physical assets They are also technical access points into information systems

A.8.2 Privileged access rights

Trap Correction
Privilege is acceptable if the user is trusted Privilege still needs business need, approval, logging, and review
Full admin is easiest and therefore acceptable Least privilege should be used where possible
Emergency privilege can be informal Emergency access needs procedure, logging, review, and restoration checks
Shared admin accounts are efficient They weaken accountability
Privileged access review is enough Actual privileged activity should also be logged and reviewed

A.8.3 Information access restriction

Trap Correction
Access restriction only means login control It includes application roles, data access, menus, reports, exports, print, and maintenance utilities
Application roles are enough Shared databases, reporting tools, and exports can bypass application roles
Users can see restricted functions as long as access is blocked Restricted functions should normally be hidden or unavailable
Exported data is outside the control Extracted information should follow the same classification and handling rules
Dynamic support access is only a privileged access issue It must also be controlled when it exposes information or functions

A.8.4 Access to source code

Trap Correction
Protecting Git is enough Development tools, CI/CD, libraries, macros, reports, and production copies also matter
Read access to code is low risk Source code can reveal system design and security controls
Production systems can store source code for convenience This should be avoided or strongly justified and controlled
Libraries are outside the control Software libraries are explicitly part of the control

A.8.5 Secure authentication

Trap Correction
Password plus PIN is MFA It is usually repeated single-factor authentication
Authentication errors should be detailed for usability They should not reveal account existence or system details
A.8.5 is the same as A.5.17 A.5.17 handles authentication information; A.8.5 tests the authentication mechanism
Legacy authentication gaps can be ignored They need risk assessment and compensating controls

A.8.6 Capacity management

Trap Correction
Capacity means disk space only It includes compute, storage, network, databases, cloud limits, and people
Cloud removes capacity management Cloud still has quotas, cost limits, scaling behavior, and bottlenecks
Monitoring proves capacity management Trend analysis, forecasting, and action are also needed
Staff capacity is unrelated Inadequate staffing can degrade security operations and availability

A.8.7 Protection against malware

Trap Correction
Antivirus installation proves compliance Coverage, updates, monitoring, response, and awareness evidence are also needed
Malware is only a Windows endpoint issue Many operating systems and device types can face malware risk
Automatic cleaning is always enough Serious infections may require wipe/rebuild and verification
User awareness is optional Awareness is explicit in the control requirement
Free security tools are acceptable by default Tools should be approved and suitable for the risk

A.8.8 Management of technical vulnerabilities

Trap Correction
Running a scanner proves compliance Findings must be risk-rated, treated, retested, and reported
A.8.8 is only patch management It starts with vulnerability information and exposure evaluation
Penetration testing replaces scanning Penetration testing can supplement the vulnerability process
All patches must be installed immediately Timing should be risk-based and consider uptime/resilience
Open vulnerabilities can stay open informally Exceptions require risk acceptance, owner, and review date

A.8.9 Configuration management

Trap Correction
Configuration management means asset inventory It means baselines, implementation, monitoring, and review
Vendor baselines can be copied unchanged They often need local risk-based tailoring
Automation eliminates configuration risk Exceptions, operational impact, and drift still need management
Alerts prove monitoring is effective Alerts must be triaged, escalated, and resolved
Deviations are always nonconformities Deviations can be acceptable when risk-assessed and compensated

A.8.10 Information deletion

Trap Correction
Deletion means physical destruction only Secure deletion, cryptographic erasure, application deletion, and media destruction may all apply
Retention policy proves compliance Deletion records and method suitability are needed
Items awaiting destruction are low risk They must be protected like active information
Cloud data cannot be deleted Cloud deletion needs provider-supported process and evidence
Keeping everything is safer Over-retention increases privacy, legal, and breach impact risk

A.8.11 Data masking

Trap Correction
Masking deletes data Masking usually hides data while the original still exists
Pseudonymised data is anonymous It can be re-linked with a lookup table or key
Anonymisation is easy True anonymisation is hard because combinations of fields can identify people
Lookup tables can stay with tokenized data They should be segregated and protected
Re-combined data can be kept for convenience It should be protected and deleted when no longer needed

A.8.12 Data leakage prevention

Trap Correction
DLP means buying a DLP tool Tooling supports broader data-flow governance
Blocking every transfer is the goal Approved business flows must operate securely
False positives are only technical noise They affect control effectiveness and audit evidence
Authorized transfer is always acceptable Channel, encryption, approval, and risk appetite still matter
Users do not need DLP awareness Users must know approved sharing and reporting routes

A.8.13 Information backup

Trap Correction
Backup success proves recovery Restore tests prove recovery
Backups are only data files Software, systems, configurations, and dependencies may also need backup
Backups need less protection than originals Backups often contain full sensitive data and need equivalent protection
Cloud means backups are automatic Cloud backups/snapshots still need scope, retention, testing, and protection
Archives are useful if retained They must remain readable with required software, media, and key dependencies

A.8.14 Redundancy of information processing facilities

Trap Correction
Every system needs full redundancy Redundancy should be based on availability requirements and risk
Backup is the same as redundancy Backup supports recovery; redundancy supports availability/failover
Cloud automatically satisfies redundancy Cloud design still needs scope, architecture, testing, and evidence
Redundancy means duplicate servers only Networks, storage, power, locations, identity, logging, and dependencies may matter
Redundancy reduces all risk It can introduce replication, synchronization, and access-control risks

A.8.15 Logging

Trap Correction
Logging means storing event files Logs must also be protected and analysed
More logs always means better security Useful risk-based logging and analysis matter
Administrators can review their own logs Separation of duties should be used where possible
SIEM presence proves compliance Coverage, rules, alert review, and escalation matter
Fault logs are only operational Faults can affect integrity and availability and need corrective action

A.8.16 Monitoring activities

Trap Correction
Monitoring is the same as logging Logging records events; monitoring detects anomalies and potential incidents
SIEM/IDS/IPS presence proves compliance Rules, source coverage, thresholds, triage, tuning, and escalation matter
Provider default rules are enough Rules need review in organizational risk context
More alerts means better detection Alert fatigue can reduce detection quality
Only perimeter traffic needs monitoring Identity, endpoints, cloud, applications, and critical systems may also need coverage
In-hours monitoring is enough Out-of-hours escalation must be defined where relevant

A.8.19 Installation of software on operational systems

Trap Correction
This applies only to custom code Vendor software, libraries, utilities, patches, and packages can also be in scope
Developer competence is enough Production installation still needs authorization, testing, logging, and rollback
Emergency changes do not need records Emergency changes still need recording and post-implementation review
Backup alone proves recoverability A fallback or rollback strategy should be defined and usable
Licence checks are not security Licence and support status affect legal, operational, and vulnerability risk

A.8.20 Networks security

Trap Correction
Network security means firewall rules Architecture, zoning, routing, device management, monitoring, encryption, and changes also matter
Physical networks are enough Virtual networks, cloud networks, hypervisors, and management planes are in scope where relevant
Diagrams prove control Diagrams must match actual configuration and operation
Admin networks are automatically trusted Administrative paths can bypass zoning and need strong control
Fault monitoring is enough Potential breaches must be detected, reported, and followed up

A.8.21 Security of network services

Trap Correction
Provider network service means provider-owned risk The organization must identify, agree, and monitor required security features
Uptime SLA is enough Confidentiality, integrity, and security controls also matter
Standard provider package always satisfies the control Provider limitations may need compensating controls or risk acceptance
Failover is continuity-only Security levels should remain appropriate during failover and recovery
Contract signing proves operation Service features and levels must be monitored

A.8.22 Segregation of networks

Trap Correction
Perimeter firewall satisfies segregation Internal and logical zones may also be required
VLAN labels prove segregation Enforced routing/firewall/security group controls matter
Wireless is separate by default Wireless connection to the main network needs risk assessment
Segregation must be physical Logical segregation can be acceptable if effective
Performance exceptions can be informal Security-impacting changes need approval and review

A.8.23 Web filtering

Trap Correction
Web filtering is only productivity control The ISO control focuses on reducing malicious content exposure
Awareness is enough Technical filtering helps because users make mistakes
Vendor categories define policy Categories should be chosen based on risk and business need
Exceptions are harmless Exceptions need authorization and review
C2 attempts are just browsing violations They may indicate compromise and should feed monitoring or incident handling

A.8.24 Use of cryptography

Trap Correction
Encryption automatically satisfies the control Rules, approved methods, and key management are required
Stronger crypto is always better Strength must fit risk, performance, legal, and operational needs
Public keys need no protection Public keys and certificates need integrity and replacement protection
Secret algorithms are safer Home-grown or secret algorithms are normally a serious weakness
Key escrow is automatically acceptable Escrow needs authorization, awareness, monitoring, and abuse prevention

A.8.25 Secure development life cycle

Trap Correction
Secure SDLC means only secure coding It also covers environments, training, review, tools, suppliers, and standards maintenance
Automated scanning proves compliance Findings, standards, competence, and remediation matter
Contractors can use their own rules Third parties should meet the organization’s secure development rules
Code author review is enough Competent independent review is expected where risk requires it

A.8.26 Application security requirements

Trap Correction
Secure coding covers application requirements A.8.26 is requirements; A.8.25 is lifecycle rules
Vendor applications need no requirements Acquired applications also need security requirements
Generic requirements are sufficient Requirements should be specific, approved, and testable
Approval can wait until go-live Requirements should be approved early enough to shape design or selection

A.8.27 Secure system architecture and engineering principles

Trap Correction
Secure coding standard satisfies A.8.27 A.8.27 is broader: architecture and engineering principles
Principles only apply to new software They apply to information system development activities broadly
Zero trust alone satisfies the control Principles must fit the organization and be applied
Documentation is enough Design records should show principles influenced decisions

A.8.28 Secure coding

Trap Correction
Secure SDLC and secure coding are the same A.8.25 is lifecycle rules; A.8.28 is coding principles
Automated tools prove secure coding Tools support verification but do not replace standards and review
One generic standard fits all code Language, framework, and risk context matter
AI-generated code is inherently safer Generated code still needs secure review
Legacy constraints justify informal bypass Exceptions should be documented and approved

A.8.29 Security testing in development and acceptance

Trap Correction
Functional testing is enough Security tests, regression, defective input, and control tests matter
Final penetration test is enough Testing should occur through the lifecycle
Findings can be ignored for go-live Findings need remediation, retest, or risk acceptance
Acceptance is only business sign-off Security acceptance criteria and authorization matter
User testing is only usability Users may try to bypass controls; secure use should be tested or trained

A.8.30 Outsourced development

Trap Correction
Supplier owns development, so supplier owns security The organization remains accountable for accepted systems
A contract alone satisfies the control The organization must direct, monitor, and review development activity
Functional acceptance is enough Supplier deliverables need security review and testing evidence
Only direct suppliers matter Subcontractors and indirect supply chain dependencies can create risk
IP ownership is separate from security IP, licence, and ownership terms affect control and future maintainability

A.8.31 Separation of development, test and production environments

Trap Correction
Dev/test/prod names prove separation Actual access, network, identity, data, and deployment controls must enforce separation
Test data is harmless Production data in test can carry production-level sensitivity
Developers need standing production access Standing access weakens integrity and accountability
Only production needs strong controls Development and test need controls appropriate to their risk
CI/CD automatically enforces separation Pipelines can bypass separation if permissions and approvals are weak

A.8.32 Change management

Trap Correction
Approval alone is enough Impact assessment, testing, rollback, logging, and review are also needed
Change management only applies to code Systems, infrastructure, networks, cloud, facilities, and operational environments can be in scope
Emergency changes are exempt Emergency changes still need control and retrospective review
Release notes replace change records Release records should identify the underlying changes
Functional testing is enough Security control and vulnerability impact should be considered

A.8.33 Test information

Trap Correction
Test data is low risk because it is outside production Sensitivity follows the data, not the environment
Anonymisation always removes risk Re-identification and masking quality matter
Only the test database needs control Logs, caches, screenshots, reports, and debug files can leak data
One approval covers all live-data testing forever Live-data use should be justified and authorized per occasion
Deleting the main test table is enough Copies and secondary outputs also need handling

A.8.34 Protection of information systems during audit testing

Trap Correction
Auditors can test anything by default Operational testing needs scope, agreement, and safeguards
Audit testing is risk-free Scans and tools can disrupt systems or expose information
Only penetration testing needs authorization Assurance tools, scans, and extracts can also require approval
Audit results are normal records Results can expose vulnerabilities and system details
Internal audit planning covers this automatically This control focuses on protecting operational systems during testing
  • Exam
  • Iso27001
  • Iso27002
  • Traps

Note Metadata

Aliases: Exam Traps

Source: 03 Exam Prep/Common Exam Traps.md