UnixTime

Research Note

Quiz Review - Control Attributes and Compliance

Annex A is not a mandatory checklist for every organization. It is a reference set of controls used to help the organization check whether it has overlooked relevant risks or co...

On this page

Quiz topic 1: Annex A purpose

Correct concept

Annex A is not a mandatory checklist for every organization. It is a reference set of controls used to help the organization check whether it has overlooked relevant risks or controls during risk treatment and preparation of the Statement of Applicability.

Reject options that say

  • all organizations must follow every Annex A control;
  • every organization must use the same controls;
  • Annex A replaces the Statement of Applicability.

Exam cue

Annex A helps identify relevant controls; the SoA records applicability and justification.

Quiz topic 2: Clauses 4-10

Correct concept

To achieve ISO/IEC 27001 certification or claim conformity, the organization must comply with the mandatory ISMS process requirements in Clauses 4-10.

Reject options that say

  • follow only Annex A controls;
  • use only ISO/IEC 27002 controls;
  • exclude ISO/IEC 27001 requirements when needed.

Exam cue

Clauses 4-10 cannot be excluded.

Quiz topic 3: Control attributes and risk outcomes

Correct concept

The main purpose of using control attributes when selecting a control for a risk is to ensure the control’s effect on risk matches the desired outcome.

Examples:

Desired risk effect Better control type
Reduce likelihood Preventive
Detect occurrence Detective
Reduce damage/recover Corrective/recovery

Reject options that focus mainly on

  • cost;
  • popularity;
  • ease of implementation.

Those may matter in implementation planning, but they are not the main purpose of control attributes.

Quiz topic 4: Operational capabilities attribute

Correct concept

Reviewing controls by attribute such as “Operational capabilities” can help identify over-protection and reallocate resources.

Example: after a phishing incident, an organization might over-invest in email controls while neglecting backup, incident response, supplier security, or access reviews.

Reject options that say

  • blindly increase detective controls;
  • replace preventive controls;
  • eliminate controls after an incident.

Quiz topic 5: Primary purpose of ISO/IEC 27002 attributes

Correct concept

The primary purpose is to help categorize and analyze control sets.

Attributes are metadata used to sort, group, compare, review, and analyze controls.

They do not make controls mandatory, replace controls, or remove controls from the ISMS.

Quiz topic 6: Relating attributes to frameworks outside ISO

Correct concept

Control attributes can help correlate between different security frameworks.

Examples:

ISO/IEC 27002 area Possible mapping
Asset management NIST CSF Identify
Access control NIST CSF Protect
Logging and monitoring NIST CSF Detect
Incident response NIST CSF Respond
Backup and recovery NIST CSF Recover

Overall memory cues

  • Control attributes = metadata.
  • Annex A = reference control set.
  • SoA = applicability and justification record.
  • Clauses 4-10 = mandatory ISMS requirements.
  • ISO 27002 = guidance, not the certifiable standard.
  • Exam
  • Quiz
  • Iso27001
  • Iso27002

Note Metadata

Aliases: Quiz Review

Source: 03 Exam Prep/Quiz Review - Control Attributes and Compliance.md