Exam ISO-IEC-27001-Lead-Implementer Topic 1 Question 329 Discussion
Actual exam question for PECB's ISO-IEC-27001-Lead-Implementer exam
Question #: 329
Topic #: 1
Question:
An organization has implemented additional controls from other sources alongside the ISO/IEC 27001 Annex A controls. Is this acceptable?
Suggested Answer: A
ISO/IEC 27001:2022 clause 6.1.3 (Information Security Risk Treatment) explicitly states:
"Organizations can design controls as required or identify them from any source." Annex A provides a reference list, but it is not exhaustive. Organizations are encouraged to adopt additional controls if they are needed based on the results of risk assessment or contextual relevance. This supports flexibility and context-based tailoring of the ISMS.
by Ternence at Mar 22, 2026, 02:01 PM