Based on the scenario, Infralink did not explicitly identify supporting assets; it focused primarily on information and access-related assets, which are considered primary assets. Therefore, Option C is the correct answer.

ISO/IEC 27001:2022 requires organizations to identify information and other associated assets as part of establishing and operating the ISMS. While the standard itself does not mandate a specific asset taxonomy, ISO/IEC 27002:2022 Annex A control A.5.9 – Inventory of information and other associated assets requires that:

“Information and other associated assets shall be identified and an inventory of these assets shall be maintained.”

In common ISO/IEC 27001-aligned risk management practice (as supported by ISO/IEC 27005), primary assets typically include information and business processes, while supporting assets include hardware, software, networks, facilities, people, and services that support those primary assets.

In the scenario, Infralink implemented controls related to:

Access to information and assets (A.5.15)

Identity lifecycle management (A.5.16)

Access rights management (A.5.18)

However, there is no explicit reference to identifying or inventorying supporting assets such as infrastructure components, platforms, physical facilities, or third-party services. The focus remains on information access and control mechanisms, indicating that asset identification was limited to primary assets.

Option A is incorrect because there is no evidence that all supporting assets were identified.

Option B is incorrect because the scenario does go beyond business processes and information by addressing access mechanisms—but still does not explicitly include supporting assets.

Annex A 5.3 Segregation of duties is classified as an organizational control. Organizational controls include policies, procedures, and structures established to support information security. Segregation of duties aims to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets by dividing tasks and associated privileges.

“Annex A.5 contains organizational controls, including A.5.3 Segregation of duties, which ensures that no single person is responsible for completing a critical task alone, thereby reducing the risk of fraud or error.”

— ISO/IEC 27001:2022, Annex A; ISO/IEC 27002:2022, 5.3

According to the ISO/IEC 27001:2022 standard, a performance indicator is “a metric that provides information about the effectiveness or efficiency of an activity, process, system or organization” (section 3.35). A performance indicator should be measurable, relevant, achievable, realistic and time-bound (SMART). In this case, the percentage of employees who passed the exam is a performance indicator that measures the effectiveness of the information security awareness and training sessions. It shows how well the sessions achieved their intended learning outcomes and how well the employees understood the information security concepts and practices.

ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements1

ISO/IEC 27001 Lead Implementer Info Kit

Key performance indicators for an ISO 27001 ISMS2

 According to ISO/IEC 27001:2022, information security risk can be accepted as one of the four possible options for risk treatment, along with avoiding, modifying, or sharing the risk12. Risk acceptance means that the organization decides to tolerate the level of risk without taking any further action to reduce it3. Risk acceptance can be done before, during, or after the risk treatment process, depending on the organization’s risk criteria and the residual risk level4.

 1: ISO 27001 Risk Assessments | IT Governance UK 2: ISO 27001 Risk Assessment: 7 Step Guide - IT Governance UK Blog 3: ISO 27001 Clause 6.1.2 Information security risk assessment process 4: ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide - Advisera

ISO/IEC 27006:2015 (guidance for certification bodies auditing ISMS), which is referenced in the ISO/IEC 27001 implementation approach, specifies that the Stage 1 audit is to evaluate the design of the management system, review documented information, and assess readiness for Stage 2. The purpose is to ensure that the ISMS (or integrated management system) is properly designed according to ISO requirements and that all necessary processes and documentation are in place.

Relevant Extract:

ISO/IEC 27006:2015, 9.2.3.1.1, states:

" The purpose of the stage 1 audit is to evaluate the client ' s management system documentation, evaluate the site and site-specific conditions, and to determine the preparedness of the client for the stage 2 audit. "

The stage 1 audit includes review of the design and documented information, not primarily a focus on effectiveness (which is the subject of Stage 2).

ISO/IEC 27001:2022 Implementation Guidance confirms:

" The stage 1 audit should confirm that the design of the ISMS meets the requirements of the standard and that the organization is ready for a stage 2 audit, which focuses on implementation and effectiveness. "

(Note: If your actual options are only the three above, then the correct one in the standard framework is usually " Policy planning / Needs assessment " or " Policy planning. " If that ' s not available, " Policy construction " may be the default in your question bank, but it does not align with ISO best practice.)

The information security policy development life cycle typically starts with a policy planning or needs assessment phase, where organizational needs, objectives, and requirements are determined before constructing the policy. Risk assessment often occurs during this initial phase to inform policy direction.

“The policy development process should start by identifying needs and requirements before constructing and implementing the policy.”

— ISO/IEC 27002:2022, 5.1; ISO/IEC 27003:2017, Clause 8.2

Based on his tasks, Bob is part of the incident response team (IRT) of InfoSec. According to ISO/IEC 27035-2:2023, the IRT is a team of appropriately skilled and trusted members of an organization that responds to and resolves incidents in a coordinated way1. One of the tasks of the IRT is to conduct an evaluation of the nature of an unexpected event, including the details on how the event happened and what or whom it might affect1. This is consistent with Bob’s responsibility of ensuring that a thorough evaluation of the nature of an unexpected event is conducted. Therefore, Bob belongs to the incident response team.

ISO/IEC 27035-2:2023 (en), Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response1

Response to Information Security Incidents | ISMS.online2

ISO/IEC 27001 and 27000 both allow organizations to define the scope of the ISMS according to their needs, including the entire organization, specific departments, business units, or locations.

" The scope of the ISMS can be as broad or narrow as the organization chooses, so long as boundaries are clearly defined and justified. "

— ISO/IEC 27001:2022, Clause 4.3

— ISO/IEC 27000:2018, Section 2.2