Clause 4.1 specifies exactly what must be determined when establishing context: “ The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. ” This requirement is about understanding internal and external issues (e.g., culture, capabilities, regulatory environment) that influence the ISMS’s effectiveness. Objectives (option B) are addressed later in Clause 6.2; processes (option C) are addressed in Clause 4.4 and operational planning; and “which clauses apply” (option D) is not a determination step—ISO/IEC 27001’s requirements in Clauses 4–10 are not optional. Therefore, the direct, required factor per 4.1 is determining internal (and external) issues relevant to the organization’s purpose and ISMS outcomes.

Clause 6.2 (Information security objectives) requires that objectives:

“be consistent with the information security policy”

“be measurable (if practicable)”

“take into account applicable information security requirements”

“be monitored, communicated, and updated as appropriate.”

From this, option A is correct since consistency with policy is an explicit requirement. Option B is incorrect because the standard allows objectives to be measurable “if practicable” (not mandatory for all). Option C is incorrect—objectives are not transferred contractually to third parties, though third-party agreements may include security requirements. Option D is incorrect because the standard requires regular review “as appropriate,” not a fixed annual cycle.

Thus, the verified requirement is A: They shall be consistent with the information security policy.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27013 standards:

ISO/IEC 27013 is titled:

“ Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1. ”

This standard provides organizations with specific advice on how to integrate an Information Security Management System (ISMS) with an IT Service Management System (ITSMS). ISO/IEC 20000-1 is the IT Service Management requirements standard, but integration guidance is provided in 27013. ISO/IEC 27002 (A) is guidance for controls, not integration. Option D is incorrect since ISO/IEC 27013 explicitly exists for this purpose.

Therefore, the correct verified answer is B: ISO/IEC 27013 .

Clause 6.1.2 (Information security risk assessment) requires organizations to “ define and apply an information security risk assessment process that… establishes and maintains information security risk criteria, including criteria for accepting risk. ”

This means that acceptable levels of risk (risk acceptance criteria) must be explicitly defined. These criteria ensure consistent decision-making when evaluating whether identified risks need further treatment or can be tolerated.

Option A is incorrect because exclusions relate to the ISMS scope (Clause 4.3), not risk assessment planning. Option B is not a requirement; effectiveness of risk assessment methods is not required to be measured, though methods must be applied consistently. Option D is false—the standard clearly specifies required elements for risk assessment.

Thus, the correct answer is C: The criteria for acceptable levels of risk.

Clause 9.2 (Internal Audit) and Clause 9.3 (Management Review) highlight that audit outputs and management reviews are key inputs for evaluating ISMS performance. Surveillance audits, conducted by Certification Bodies, check ongoing compliance and effectiveness. ISO certification schemes (per ISO/IEC 17021) require surveillance audits to verify whether corrective actions and continuous improvements are being made. A critical focus area is the results of internal audits and management reviews , ensuring that the organization maintains its ISMS between certification cycles.

Option A is incorrect — third-party audits are performed by independent Certification Bodies, not customers. Option B is incorrect — certificates are typically valid for three years with annual surveillance. Option D is incorrect — Stage 1 is primarily a documentation and readiness review , not evidence observation.

Therefore, the verified correct answer is C .

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A in ISO/IEC 27001 refers directly to ISO/IEC 27002 for control guidance. In ISO/IEC 27002:2022, Clause 6.8 is titled:

“ Information security event reporting – Information security events should be reported through appropriate management channels as quickly as possible. ”

This control ensures breaches, incidents, or suspected issues are reported for action. The other options (B, C, D) are not the exact titles in Annex A. The official title is Information security event reporting , confirming Answer: A .

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27005 standards:

ISO/IEC 27005:2022 is titled:

“ Information security, cybersecurity and privacy protection — Guidance on managing information security risks. ”

This standard provides structured methodologies for identifying, analyzing, evaluating, and treating risks, in alignment with ISO/IEC 27001’s risk management requirements (Clause 6.1.2 and 6.1.3). It supports organizations in implementing the risk management process that underpins an ISMS. Options A and B are titles of other ISO standards (ISO/IEC 27007 for auditing, ISO/IEC 27001 for requirements). Option D refers to ISO/IEC 27002 (controls).

Thus, the correct answer is C: Guidance on managing information security risks .

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.1 (Policies for information security) specifies:

“ Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. ”

This clearly identifies the review frequency requirement: planned intervals and whenever there are significant changes. Options A and B (six-monthly or annually) are not prescribed by ISO — timing is left to the organization. Option C is also wrong, since Certification Bodies do not dictate policy review schedules.

Therefore, the verified correct answer is D .

Clause 6.1.3 (c) requires organizations to:

“ compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary control has been omitted; and prepare a Statement of Applicability. ” It also requires organizations to select risk treatment options considering “ the organization’s risk acceptance criteria. ”

This shows that risk acceptance criteria are a fundamental factor when selecting risk treatment options. Options C and D are incorrect because Annex A and ISO/IEC 27002 are reference sets, not the sole sources of controls — organizations can design their own. Criteria for performing risk assessments (B) are part of 6.1.2 (risk assessment process), not risk treatment.

Thus, the correct requirement is A: Criteria for accepting identified risks .

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A, control 6.8 (Information security event reporting) specifies:

“ Information security events should be reported through appropriate management channels as quickly as possible. The organization should require all employees and contractors to note and report any observed or suspected information security events. ”

This wording confirms that the required reporting covers “observed or suspected events.” Specific event types like information disclosure (A) or unauthorized access (B) are examples but not the broad requirement. Asset disposal (C) is addressed separately under equipment lifecycle controls (Annex A.7.14).

Therefore, the verified correct answer is D: Observed or suspected events .