Exam focus
Clauses 4-10 are mandatory ISMS requirements; Annex A controls are selected and justified through risk treatment and the Statement of Applicability.
Topic Summary
The exam often tests whether you understand the difference between mandatory management-system requirements and risk-selected controls.
Key Concepts
- ISO/IEC 27001 Clauses 4-10 define the ISMS requirements.
- Annex A is a control reference set.
- Annex A controls are not automatically all mandatory.
- Non-applicability must be justified in the Statement of Applicability.
Common Exam Traps
- Treating Annex A as a universal checklist.
- Saying Clauses 4-10 can be excluded.
- Confusing ISO/IEC 27002 guidance with ISO/IEC 27001 certification requirements.
Related Notes
- Iso27001
- ISO27002
- Exam
Note Metadata
Source: 09-Exam-Preparation/EXAM-001-Clauses-4-10-vs-Annex-A.md