Clause 4.2 of ISO/IEC 27001:2022 states:

“ The organization shall determine: a) interested parties that are relevant to the information security management system; b) the relevant requirements of these interested parties; c) which of these requirements will be addressed through the ISMS. ”

This confirms that the missing word is requirements . Neither number, structure, nor influence are specified in the standard.

Certification audits are carried out by Certification Bodies (CBs) , not the organization itself. ISO/IEC 27001 requires external certification audits to be independent, impartial, and objective. According to ISO/IEC 27006 (Requirements for bodies providing audit and certification of ISMS), the Certification Body determines the audit duration and number of audit days based on factors such as organizational size, complexity, scope, and risk environment. This ensures consistency across organizations and prevents manipulation by the auditee. ISO/IEC 27001 Clause 9.2 and 9.3 address internal audit and management review , but the determination of certification audit days is outside the organization’s control; it rests solely with the accredited Certification Body auditors. Thus, Answer: B is correct, as the CB’s external auditor formally calculates and assigns the audit time.

Clause 6.1.3 (d) requires that the organization “produce a Statement of Applicability that contains the necessary controls (see Annex A), and justification for inclusions, whether they are implemented or not, and the justification for exclusions.”

This is the defining requirement of the SoA: it documents which Annex A controls are relevant, which are implemented, and the justification for inclusion/exclusion. While the ISMS scope (A) is documented in Clause 4.3, and risk evaluation criteria (C) are defined in Clause 6.1.2, these do not belong in the SoA. The SoA does not describe the full risk assessment approach (B); that is part of the risk assessment methodology. Therefore, the mandatory requirement for the SoA is justification for including (or excluding) each information security control .

Clause 6.1.1 (Planning) states:

“The organization shall plan:

d) actions to address these risks and opportunities; and

e) how to:

integrate and implement the actions into its ISMS processes; and

evaluate the effectiveness of these actions. ”

This confirms the missing words are “evaluate the effectiveness of” . Communication (A), applying resources (B), and improving effectiveness (C) are important concepts elsewhere but not the direct requirement stated in this clause.

ISO/IEC 27001 Clause 9.2 requires internal audits to be conducted at planned intervals, but it does not specify an annual frequency. Certification audits, under ISO/IEC 17021 rules, typically occur on a 3-year cycle with annual surveillance, not strictly “annually.” This makes statement 1 inaccurate.

Audit types are defined in ISO/IEC 19011:

First-party audits: conducted internally by or on behalf of the organization (internal audits).

Third-party audits: conducted by independent external certification bodies.

Thus, statement 2 is correct. Therefore, the accurate choice is B: Only 2 is true.