What is a mandatory requirement related to the results of audits within ISMS?


The requirement for documented corrective actions following audits within an Information Security Management System (ISMS) is fundamental to maintaining compliance with ISO 27001. When an audit identifies non-conformities or areas requiring improvement, those findings must be addressed through corrective actions. This process helps mitigate risks and vulnerabilities and also improves the overall effectiveness of the ISMS.

Documented corrective actions ensure accountability and traceability, allowing organizations to demonstrate that they are acting on audit findings. This is crucial for ongoing improvement and for fulfilling compliance obligations, as ISO 27001 emphasizes a continuous improvement approach. Proper documentation also supports future audits and provides evidence of commitment to maintaining information security standards.

In contrast, the other options do not align with the principles of ISO 27001. Recording only positive results undermines the purpose of audits, which is to identify areas for improvement, and not reporting audit results fails to maintain transparency and accountability in the ISMS. The idea that audits could be optional contradicts the requirement for regular evaluation to ensure the ISMS remains effective and relevant. Therefore, documenting corrective actions is a key requirement that helps organizations adhere to ISO 27001.
