Welcome to Pass4Success


APMG-International ISO-IEC-27001-Foundation Exam - Topic 3 Question 9 Discussion

Actual exam question for APMG-International's ISO-IEC-27001-Foundation exam
Question #: 9
Topic #: 3

To whom are the information security policies required to be communicated, according to the control in Annex A of ISO/IEC 27001?

Suggested Answer: D

Explanation (based on the text of ISO/IEC 27002:2022 and ISO/IEC 27001:2022):

Control 5.1 (Policies for information security), which appears as Annex A control 5.1 in ISO/IEC 27001:2022 and is elaborated in ISO/IEC 27002:2022, states:

''Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties...''

The communication obligation is therefore not limited to top management (A), to the staff who operate the ISMS (B), or to employees alone (C). The control requires the policies to reach all relevant personnel and relevant interested parties, so internal stakeholders (employees, contractors, temporary staff) and, where applicable, external interested parties (suppliers, partners, regulators, customers) must all receive the policy communications that apply to them. Note that ISO/IEC 27002 is guidance and uses "should"; the binding requirement is the corresponding Annex A control in ISO/IEC 27001, which uses "shall". This is also consistent with the main body of ISO/IEC 27001:2022, where clause 5.2 requires the information security policy to be communicated within the organization and to be available to interested parties, as appropriate.

Two points matter in practice. First, the qualifier is "relevant": not every party needs every topic-specific policy. A supplier typically needs only the policies that govern the service it provides, and a regulator only those it is entitled to see. Second, the control asks for acknowledgement as well as communication, so an auditor will expect evidence (signed acknowledgements, training records, contract clauses referencing the policies) that recipients actually received and accepted them. The correct answer is D.


Contribute your Thoughts:

Loise
3 days ago
Wait, are we sure about that? Seems like a lot of people to inform.
upvoted 0 times
...
Leonor
8 days ago
Totally agree with D, everyone needs to be in the loop!
upvoted 0 times
...
Adelaide
13 days ago
I thought it was just C for employees.
upvoted 0 times
...
Aleta
18 days ago
It's definitely D, relevant personnel and interested parties.
upvoted 0 times
...
Moon
24 days ago
D) Relevant personnel and relevant interested parties. Gotta keep the whole crew in the loop, am I right? *winks*
upvoted 0 times
...
Jenifer
29 days ago
D) Relevant personnel and relevant interested parties. Anything less would be a security breach waiting to happen.
upvoted 0 times
...
Darrin
1 month ago
D) Relevant personnel and relevant interested parties. Sounds like the most comprehensive option to me.
upvoted 0 times
...
Timothy
2 months ago
A) Top management. They're the ones calling the shots, so they better know what's up.
upvoted 0 times
...
Latrice
2 months ago
C) Employees within the scope of the ISMS. Can't leave anyone out, that's just asking for trouble.
upvoted 0 times
...
Tyra
2 months ago
D) Relevant personnel and relevant interested parties. Gotta cover all the bases, am I right?
upvoted 0 times
...
Skye
2 months ago
I thought it was just the staff responsible for the ISMS operation, but now I'm questioning if it should be broader than that.
upvoted 0 times
...
Lynna
3 months ago
I feel like the answer might be D, since it mentions relevant personnel and interested parties, but I could be mixing it up with another standard.
upvoted 0 times
...
Rutha
3 months ago
I remember a practice question that emphasized the importance of informing relevant personnel, but I can't recall if that meant just top management or everyone involved.
upvoted 0 times
...
Dan
3 months ago
I think the policies need to be communicated to all employees within the scope of the ISMS, but I'm not entirely sure if it includes external parties too.
upvoted 0 times
...
Tanja
3 months ago
I've got this! The policies have to be shared with the relevant personnel and interested parties according to the ISO standard. Option D is the way to go.
upvoted 0 times
...
Cherry
3 months ago
This is a good one. I remember from the standard that the policies need to be communicated broadly to the appropriate people, not just a limited group. Option D sounds like the right answer.
upvoted 0 times
...
Carey
3 months ago
Wait, I'm a bit confused. Is it just employees within the ISMS scope, or all relevant personnel and parties? I'll have to double-check the standard.
upvoted 0 times
...
Valentin
4 months ago
Okay, I think I know this one. The policies need to be communicated to the relevant personnel and interested parties, not just top management or ISMS staff.
upvoted 0 times
...
Dan
4 months ago
Hmm, this seems like a straightforward policy question. I'll need to remember the key stakeholders for information security policies.
upvoted 0 times
...
