ISO/IEC 27001:2022 (clause 6.2) requires information security objectives to be established at relevant functions and levels, to be consistent with the information security policy, to be measurable (if practicable), and to be monitored, communicated, and updated as appropriate. It also requires the organization to retain documented information on the objectives. Among the answer choices, option C is the best single answer because it states one of the core mandatory characteristics of the objectives. Options B and D are also requirements of the clause, but the question asks for one answer only, and option C is the most fundamental wording in the set.
=======
Question # 15
What relevant factor must be considered in internal audit programmes?
Options:
A.
Availability of the certification body auditors
B.
Ensuring that audits are carried out at least twice during the first year of ISMS implementation
C.
The importance of the processes concerned and the results of previous audits
D.
The number of third-party suppliers involved in the area to be audited
ISO/IEC 27001:2022 (clause 9.2.2) requires the organization to plan, establish, implement, and maintain an audit programme, including its frequency, methods, responsibilities, planning requirements, and reporting, and states that when establishing the programme the organization shall consider the importance of the processes concerned and the results of previous audits. This focuses audit effort on the processes that matter most and ensures that previously identified issues are followed up. The standard requires internal audits at planned intervals but does not prescribe a minimum of two audits in the first year, and neither certification body auditor availability nor the number of third-party suppliers is a factor the clause names. Therefore, option C is correct.