ISC2 Certified Cloud Security Professional (CCSP) Practice Question

Your organization is preparing an internal audit of its ISO/IEC 27001-aligned information security management system (ISMS) that covers several IaaS and PaaS workloads hosted in different regions. To help the audit team determine which Annex A controls must be examined, the lead auditor asks for a single document that lists every control, shows whether it is implemented, and explains any exclusions. Which ISMS artefact should you provide?

Information security policy
Statement of Applicability
Risk treatment plan
Asset inventory register

Report Issue

Answer Description

The Statement of Applicability (SoA) is required by ISO/IEC 27001 clause 6.1.3. It enumerates every Annex A control, notes whether the control is implemented, lists any controls that have been excluded, and justifies those exclusions. Because it maps risk-treatment decisions to specific controls and shows their implementation status, auditors rely on the SoA to define audit scope and verify that the ISMS addresses identified risks.

The risk treatment plan details actions, timelines, and responsible parties for mitigating risks, but it does not necessarily include the full control set or implementation status. An information security policy states management's high-level direction, and an asset inventory register catalogs assets; neither document provides the comprehensive control mapping needed for scoping an internal audit.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.