Your company decided to go for the ISO 27001 certification. After conducting risk assessment, you are identifying controls to mitigate the risks. To meet the requirements of the standard, you prepared a statement of applicability which includes all the controls recommended by Annex A of the standard, merged the identified controls into the statement, and provided a justification for each included or excluded control. Which of the following best describes this process?
A. Categorization and Classification
B. Verification and Validation
C. Certification and Accreditation
D. Scoping and Tailoring

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Scoping and Tailoring.

NIST Risk Management Framework (RMF)

Scoping and Tailoring

Scoping refers to selecting baseline security controls from a security control framework or standard (e.g. ISO 27001 Annex A or NIST SP 800-53).

Tailoring refers to modifying the list of selected security controls based on the organization’s security requirements.

Risk Management Framework

• Scoping and Tailoring security controls occurs at the 2nd step, Select Controls.
• Before selecting controls, you have to categorize the information system based on the data types it processes.