Which of the following is NOT a mandatory record in ISMS?

The correct answer is that the risks and requirements of interested parties are not classified as mandatory records within the Information Security Management System (ISMS) framework of ISO 27001. While understanding the risks and requirements of interested parties is indeed important for an effective ISMS, ISO 27001 does not explicitly state that maintaining records of these risks and requirements is a mandatory requirement.

In contrast, the results of the management review are essential records to demonstrate that management has adequately assessed the performance, effectiveness, and continued suitability of the ISMS. These records serve as evidence that the organization is actively engaging in ongoing oversight and improvement of its information security processes.

Additionally, logs of user activities are critical for monitoring system use and detecting any unauthorized access or anomalies, making them essential for maintaining information security. Internal audit results are similarly important as they provide insights into compliance with the ISMS requirements and the effectiveness of controls, establishing a record of performance and areas for improvement.

Thus, while monitoring the risks and requirements of interested parties is a vital part of maintaining an effective ISMS, the absence of a requirement to document them as mandatory records differentiates this option from the others listed, which are explicitly required by the ISO 27001 standard.
