Quiz topic 1: Annex A purpose
Correct concept
Annex A is not a mandatory checklist for every organization. It is a reference set of controls used to help the organization check whether it has overlooked relevant risks or controls during risk treatment and preparation of the Statement of Applicability.
Reject options that say
- all organizations must follow every Annex A control;
- every organization must use the same controls;
- Annex A replaces the Statement of Applicability.
Exam cue
Annex A helps identify relevant controls; the SoA records applicability and justification.
Quiz topic 2: Clauses 4-10
Correct concept
To achieve ISO/IEC 27001 certification or claim conformity, the organization must comply with the mandatory ISMS process requirements in Clauses 4-10.
Reject options that say
- follow only Annex A controls;
- use only ISO/IEC 27002 controls;
- exclude ISO/IEC 27001 requirements when needed.
Exam cue
Clauses 4-10 cannot be excluded.
Quiz topic 3: Control attributes and risk outcomes
Correct concept
The main purpose of using control attributes when selecting a control for a risk is to ensure the control’s effect on risk matches the desired outcome.
Examples:
| Desired risk effect | Better control type |
|---|---|
| Reduce likelihood | Preventive |
| Detect occurrence | Detective |
| Reduce damage/recover | Corrective/recovery |
Reject options that focus mainly on
- cost;
- popularity;
- ease of implementation.
Those may matter in implementation planning, but they are not the main purpose of control attributes.
Quiz topic 4: Operational capabilities attribute
Correct concept
Reviewing controls by attribute such as “Operational capabilities” can help identify over-protection and reallocate resources.
Example: after a phishing incident, an organization might over-invest in email controls while neglecting backup, incident response, supplier security, or access reviews.
Reject options that say
- blindly increase detective controls;
- replace preventive controls;
- eliminate controls after an incident.
Quiz topic 5: Primary purpose of ISO/IEC 27002 attributes
Correct concept
The primary purpose is to help categorize and analyze control sets.
Attributes are metadata used to sort, group, compare, review, and analyze controls.
They do not make controls mandatory, replace controls, or remove controls from the ISMS.
Quiz topic 6: Relating attributes to frameworks outside ISO
Correct concept
Control attributes can help correlate between different security frameworks.
Examples:
| ISO/IEC 27002 area | Possible mapping |
|---|---|
| Asset management | NIST CSF Identify |
| Access control | NIST CSF Protect |
| Logging and monitoring | NIST CSF Detect |
| Incident response | NIST CSF Respond |
| Backup and recovery | NIST CSF Recover |
Overall memory cues
- Control attributes = metadata.
- Annex A = reference control set.
- SoA = applicability and justification record.
- Clauses 4-10 = mandatory ISMS requirements.
- ISO 27002 = guidance, not the certifiable standard.
- Exam
- Quiz
- Iso27001
- Iso27002
Note Metadata
Aliases: Quiz Review
Source: 03 Exam Prep/Quiz Review - Control Attributes and Compliance.md