UnixTime

Research Note

EXAM-001 - Clauses 4-10 vs Annex A

The exam often tests whether you understand the difference between mandatory management-system requirements and risk-selected controls.

On this page

Exam focus

Clauses 4-10 are mandatory ISMS requirements; Annex A controls are selected and justified through risk treatment and the Statement of Applicability.

Topic Summary

The exam often tests whether you understand the difference between mandatory management-system requirements and risk-selected controls.

Key Concepts

  • ISO/IEC 27001 Clauses 4-10 define the ISMS requirements.
  • Annex A is a control reference set.
  • Annex A controls are not automatically all mandatory.
  • Non-applicability must be justified in the Statement of Applicability.

Common Exam Traps

  • Treating Annex A as a universal checklist.
  • Saying Clauses 4-10 can be excluded.
  • Confusing ISO/IEC 27002 guidance with ISO/IEC 27001 certification requirements.
  • Iso27001
  • ISO27002
  • Exam

Note Metadata

Source: 09-Exam-Preparation/EXAM-001-Clauses-4-10-vs-Annex-A.md