Which statement BEST describes the relationship between ISO/IEC 27001 and ISO/IEC 27002 when an IS auditor is evaluating an organisation's information security framework?
- A. ISO/IEC 27001 specifies the certifiable requirements for an information security management system, while ISO/IEC 27002 provides implementation guidance for the controls referenced in Annex A. (Correct)
- B. ISO/IEC 27001 lists detailed technical configuration baselines, while ISO/IEC 27002 lists the certifiable management system clauses that an external registrar can audit against.
- C. ISO/IEC 27001 and ISO/IEC 27002 are alternative frameworks that an organisation may choose between depending on whether it wants a risk-based or a control-based approach to security.
- D. ISO/IEC 27001 provides the catalogue of cryptographic algorithms, while ISO/IEC 27002 provides the risk treatment methodology that the certified organisation must adopt.
Why A is correct: ISO/IEC 27001 contains the audit-certifiable management system requirements and references the Annex A controls, while ISO/IEC 27002 is the companion guidance describing how each of those controls may be implemented in practice.
Why B is wrong: This is tempting because both standards are well known, but the roles are reversed: the certifiable clauses sit in 27001, not 27002, and neither standard contains technical configuration baselines.
Why C is wrong: This is tempting because candidates know multiple frameworks exist, but the two standards are complementary parts of the same family rather than alternatives to choose between.
Why D is wrong: This is tempting because cryptography and risk treatment are familiar terms, but neither standard is an algorithm catalogue, and risk treatment is governed by the clauses of 27001, not by 27002.