APMG-International ISO-IEC-27001-Foundation Exam - Topic 3 Question 9 Discussion

Actual exam question for APMG-International's ISO-IEC-27001-Foundation exam
Question #: 9
Topic #: 3
To whom are the information security policies required to be communicated, according to the control in Annex A of ISO/IEC 27001?

Suggested Answer: D

Detailed explanation, based on the text of ISO/IEC 27002:2022:

Annex A.5.1 (Policies for information security) specifies:

"Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties..."

This means the communication obligation is not limited to top management (A) or to ISMS staff only (B), nor does it stop at employees only (C). Instead, ISO/IEC 27001/27002 mandate a broader scope: all relevant personnel and relevant interested parties must be informed. This ensures that both internal stakeholders (employees, contractors, temporary staff) and external interested parties (suppliers, partners, regulators, customers, etc.) receive the relevant policy communications where applicable. Therefore, the correct and verified answer is D.


Contribute your Thoughts:

Timothy
6 days ago
A) Top management. They're the ones calling the shots, so they better know what's up.
upvoted 0 times
Latrice
11 days ago
C) Employees within the scope of the ISMS. Can't leave anyone out, that's just asking for trouble.
upvoted 0 times
Tyra
16 days ago
D) Relevant personnel and relevant interested parties. Gotta cover all the bases, am I right?
upvoted 0 times
Skye
21 days ago
I thought it was just the staff responsible for the ISMS operation, but now I'm questioning if it should be broader than that.
upvoted 0 times
Lynna
26 days ago
I feel like the answer might be D, since it mentions relevant personnel and interested parties, but I could be mixing it up with another standard.
upvoted 0 times
Rutha
1 month ago
I remember a practice question that emphasized the importance of informing relevant personnel, but I can't recall if that meant just top management or everyone involved.
upvoted 0 times
Dan
1 month ago
I think the policies need to be communicated to all employees within the scope of the ISMS, but I'm not entirely sure if it includes external parties too.
upvoted 0 times
Tanja
1 month ago
I've got this! The policies have to be shared with the relevant personnel and interested parties according to the ISO standard. Option D is the way to go.
upvoted 0 times
Cherry
2 months ago
This is a good one. I remember from the standard that the policies need to be communicated broadly to the appropriate people, not just a limited group. Option D sounds like the right answer.
upvoted 0 times
Carey
2 months ago
Wait, I'm a bit confused. Is it just employees within the ISMS scope, or all relevant personnel and parties? I'll have to double-check the standard.
upvoted 0 times
Valentin
2 months ago
Okay, I think I know this one. The policies need to be communicated to the relevant personnel and interested parties, not just top management or ISMS staff.
upvoted 0 times
Dan
2 months ago
Hmm, this seems like a straightforward policy question. I'll need to remember the key stakeholders for information security policies.
upvoted 0 times