Hi, doing the ISO 27001, then you get this question:

Identify which of the following information security controls are organizational controls:

1. Defining a policy on the use of cryptographic controls – Correct!
2. Implementing cryptographic controls – Incorrect! Implementing cryptographic controls is a technical control.
3. Documenting a clear screen policy – Correct!
4. Training employees how to use cryptographic controls – Incorrect! Training is an HR control.
5. Signing a confidentiality agreement with suppliers – Incorrect! A confidentiality agreement is a legal control.
6. Documenting a procedure for training employees – Correct!
7. Implementing a domain password policy – Incorrect! Implementing domain policies is a technical control.

No matter how I answer, I get it wrong. Why is "Defining a policy on the use of cryptographic controls" an org control?
Answer: Defining and documenting policies or procedures is considered an organizational control because it involves the establishment of behaviours, either in terms of rules, like policies, or in terms of activities to be performed, like procedures.