When assessing an organization-s security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilitie
s be defined?
A. Only when assets are clearly defined
B. Only when standards are defined
C. Only when controls are put in place
D. Only procedures are defined