
ISO/IEC 27001 ISO-IEC-27001-Foundation Real Exam Questions and Answers FREE Updated on Apr 07, 2026
ISO-IEC-27001-Foundation Ultimate Study Guide - TorrentExam
NEW QUESTION # 12
Which information is required to be included in the Statement of Applicability?
- A. The risk assessment approach of the organization
- B. The justification for including each information security control
- C. The criteria against which risk will be evaluated
- D. The scope and boundaries of the ISMS
Answer: B
Explanation:
Clause 6.1.3 (d) requires that the organization"produce a Statement of Applicability that contains the necessary controls (see Annex A), and justification for inclusions, whether they are implemented or not, and the justification for exclusions." This is the defining requirement of the SoA: it documents which Annex A controls are relevant, which are implemented, and the justification for inclusion/exclusion. While the ISMS scope (A) is documented in Clause 4.3, and risk evaluation criteria (C) are defined in Clause 6.1.2, these do not belong in the SoA. The SoA does not describe the full risk assessment approach (B); that is part of the risk assessment methodology.
Therefore, the mandatory requirement for the SoA isjustification for including (or excluding) each information security control.
NEW QUESTION # 13
To whom are the information security policies required to be communicated, according to the control in Annex A of ISO/IEC 27001?
- A. Relevant personnel and relevant interested parties
- B. Only staff with accountability for ISMS operation
- C. Top management
- D. Employees within the scope of the ISMS
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:
Annex A.5.1 (Policies for information security) clearly specifies:
"Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties..." This means the communication obligation is not limited to top management (A) or only ISMS staff (B), nor does it stop at employees only (C). Instead, ISO/IEC 27001/27002 mandate a broader scope: allrelevant personnel and relevant interested partiesmust be informed. This ensures both internal stakeholders (employees, contractors, temporary staff) and external interested parties (suppliers, partners, regulators, customers, etc.) receive the right policy communications where applicable. Therefore, the correct and verified answer isD.
NEW QUESTION # 14
Which action must top management take to provide evidence of its commitment to the establishment, operation and improvement of the ISMS?
- A. Ensuring information security objectives are established
- B. Implementing the actions from internal audits
- C. Producing a risk assessment report
- D. Communicating feedback from interested parties to the organization
Answer: A
Explanation:
Clause 5.1 (Leadership and Commitment) requires top management to demonstrate leadership by:
* "ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;"
* "ensuring the integration of the ISMS requirements into the organization's processes;"
* "ensuring that the resources needed for the ISMS are available;"
Among the options, the one explicitly mandated isensuring that information security objectives are established. Risk assessments (C) and implementing audit actions (D) are responsibilities of management but not the direct leadership evidence required in Clause 5.1. Communicating interested party feedback (A) is relevant but not specifically cited as leadership evidence. Thus, the verified answer isB.
NEW QUESTION # 15
Identify the missing word(s) in the following sentence.
When planning the ISMS, the organization is specifically required to plan actions to address risks and opportunities and how to [ ? ] these actions.
- A. evaluate the effectiveness of
- B. communicate
- C. apply competent resources to
- D. improve the effectiveness of
Answer: A
Explanation:
Clause 6.1.1 (Planning) states:
"The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to:
* integrate and implement the actions into its ISMS processes; and
* evaluate the effectiveness of these actions."
This confirms the missing words are"evaluate the effectiveness of". Communication (A), applying resources (B), and improving effectiveness (C) are important concepts elsewhere but not the direct requirement stated in this clause.
NEW QUESTION # 16
Which statement is a factor that will influence the implementation of the information security management system?
- A. The ISMS will be scaled to the controls according to the needs of the organization
- B. The ISMS will be separate from the organization's overall management structure
- C. The ISMS will encompass all controls specified within ISO/IEC 27001
- D. The ISMS will be operated as an independent process within the organization
Answer: A
Explanation:
ISO/IEC 27001 makes clear that the ISMS is intended to be tailored to the organization. The standard states: " This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations regardless of type, size or nature." This means implementation is scaled based on each organization's risk, context, and needs, not a fixed one-size-fits-all set of activities or controls. Clause 6.1.3 further reinforces that control selection is flexible and risk-driven: " Organizations can design controls as required or identify them from any source," and "Annex A contains a list of possible information security controls... The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed." Together, these extracts verify that the ISMS implementation is influenced by and scaled to the organization's needs and selected controls, not separated from management processes (A, D) nor mandated to include "all controls" (B).
NEW QUESTION # 17
Which action is a required response to an identified residual risk?
- A. The organization shall change practices to avoid the risk occurring
- B. It shall be reviewed by the risk owner to consider acceptance
- C. Top management shall delegate its treatment to risk owners
- D. By default, it shall be controlled by information security awareness and training
Answer: B
Explanation:
Clause 6.1.3 (e) specifies:
"The organization shall obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks." This confirms that residual risks - those remaining after risk treatment - must be reviewed and formally accepted by the designated risk owner. Option A is incorrect; awareness training is not a default control for all residual risks. Option B misrepresents leadership responsibility; top management ensures processes exist, but risk ownersformally approve residual risk. Option D (avoiding risk) is a treatment option, not the mandated requirement for residual risks.
Thus, the required response isC: Review and acceptance by the risk owner.
NEW QUESTION # 18
Which statement describes Annex A of ISO/IEC 27001?
- A. Provides measures to determine risk treatment effectiveness
- B. Provides a reference list of information security controls and their requirements
- C. Defines a mandatory list of controls that shall be implemented
- D. Defines the criteria for accepting risks
Answer: B
Explanation:
Annex A of ISO/IEC 27001:2022 is titled:
"Reference control objectives and controls." It provides areference list of information security controls, structured into 4 themes: organizational, people, physical, and technological.
The standard explicitly states in Clause 6.1.3: "Organizations can design controls as required or identify them from any source. Annex A contains a list of possible information security controls." This means controls in Annex A are not mandatory (eliminating option C). Risk acceptance criteria (A) are defined in Clause 6.1.2, not Annex A. Annex A also does not provide measures for treatment effectiveness (D).
Thus, Annex A is best described as areference list of information security controls. Correct answer:B.
NEW QUESTION # 19
In which clause would the requirements for internal audit be found?
- A. Planning
- B. Operation
- C. Performance Evaluation
- D. Improvement
Answer: C
Explanation:
The requirements for internal audit are explicitly placed inClause 9.2 (Performance Evaluation)of ISO/IEC
27001:2022. The standard requires:
* "The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system... conforms to the organization's own requirements... and to the requirements of this document." (9.2.1)
* "The organization shall plan, establish, implement and maintain an audit programme(s)..." (9.2.2) This clause clearly falls underPerformance Evaluation (Clause 9), not Planning (Clause 6), Operation (Clause 8), or Improvement (Clause 10). Therefore, the correct answer isC.
NEW QUESTION # 20
Which item is required to be included in an information security policy?
- A. A Statement of Applicability which defines the necessary controls to be implemented
- B. A plan for the continual improvement of the information security management system
- C. A framework enabling concerns with the information security policy to be addressed
- D. A commitment to satisfy applicable requirements related to information security
Answer: D
Explanation:
Clause 5.2 (Information security policy) requires that the policy:
* "includes information security objectives (or provides a framework for setting them)"
* "includes a commitment to satisfy applicable requirements related to information security"
* "includes a commitment to continual improvement of the ISMS."
Among the listed options, the exact mandatory requirement is"a commitment to satisfy applicable requirements related to information security". Option B partially reflects Clause 5.2 (commitment to continual improvement), but the wording given in the standard prioritizes the satisfaction of applicable requirements (e.g., legal, regulatory, contractual). Option C is not a policy requirement. Option D (Statement of Applicability) is a separate mandatory document (Clause 6.1.3) and not part of the policy itself.
Thus, the correct answer isA.
NEW QUESTION # 21
Which of the following statements about the relationship between ISO/IEC 27001 and ISO/IEC 27002 is true?
* ISO/IEC 27002 provides implementation advice on the controls selected during the ISO/IEC 27001 information security risk management process
* ISO/IEC 27002 provides a process for information security risk management which implements the requirements of ISO/IEC 27001
- A. Only 1 is true
- B. Both 1 and 2 are true
- C. Neither 1 or 2 is true
- D. Only 2 is true
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27001 & 27002:2022 standards:
ISO/IEC 27001 Annex A lists reference controls. ISO/IEC 27002 providesdetailed guidance on the implementation of those controls, including purpose, guidance, and examples. Clause 6.1.3 of ISO/IEC
27001 makes the link explicit: controls from Annex A are referenced, but ISO/IEC 27002 explains how to implement them.
However, ISO/IEC 27002 doesnotprovide a process for risk management-that is covered by ISO/IEC
27005. Risk management requirements are in ISO/IEC 27001 (Clauses 6.1.2 and 6.1.3).
Therefore, statement 1 is true, but statement 2 is false. Correct answer:A.
NEW QUESTION # 22
Which trend in information security performance is required to be considered during a management review of the ISMS?
- A. Decisions related to continual improvement opportunities
- B. Relevant external and internal requirements changes
- C. Validity of information continuity controls
- D. Achievement of information security objectives
Answer: D
Explanation:
Clause 9.3.2 (Management Review Inputs) states that management reviews shall include:
"c) information on the information security performance, including trends in: (1) nonconformities and corrective actions; (2) monitoring and measurement results; (3) audit results; and (4) fulfilment of information security objectives." This makesachievement of information security objectives(option A) a required trend to be considered.
While external/internal requirements (C) and continual improvement opportunities (D) are also part of management review inputs, they are not specifically listed under "trends in performance." Option B is outside the direct requirement.
Thus, the verified answer isA.
NEW QUESTION # 23
Which audit activity related to ISO/IEC 27001 may be carried out by a practitioner?
- A. Conduct an audit of an Accredited Training Organization
- B. Conduct an internal audit of the organization
- C. Conduct an audit of a Certification Body
- D. Conduct a surveillance audit of their own area of the organization
Answer: B
Explanation:
ISO/IEC 27001 requires internal audits and sets out how they must be conducted: "The organization shall conduct internal audits at planned intervals..." (9.2.1) and "plan, establish, implement and maintain an audit programme(s)... [and] select auditors and conduct audits that ensure objectivity and the impartiality of the audit process" (9.2.2). These extracts confirm that practitioners (internal to the organization) can conduct internal audits provided objectivity and impartiality are ensured (e.g., they do not audit their own work). Surveillance audits (option A) and audits of Accredited Training Organizations or Certification Bodies (options C, D) are third-party activities outside the remit of an internal practitioner under ISO/IEC 27001; the standard's audit requirement is focused on the organization's own internal audit programme. Therefore, conducting an internal audit (B) is the correct practitioner activity per Clause 9.2.
NEW QUESTION # 24
Which of the following statements about the differences between an internal audit and a certification audit is true?
An internal audit is conducted at planned intervals and a certification audit is conducted annually An internal audit is known as a 1st party audit and a certification audit is known as a 3rd party audit
- A. Both 1 and 2 are true
- B. Neither 1 or 2 is true
- C. Only 1 is true
- D. Only 2 is true
Answer: D
Explanation:
ISO/IEC 27001 Clause 9.2 requires internal audits to be conducted at planned intervals, but it does not specify an annual frequency. Certification audits, under ISO/IEC 17021 rules, typically occur on a 3-year cycle with annual surveillance, not strictly "annually." This makes statement 1 inaccurate.
Audit types are defined in ISO/IEC 19011:
First-party audits: conducted internally by or on behalf of the organization (internal audits).
Third-party audits: conducted by independent external certification bodies.
Thus, statement 2 is correct. Therefore, the accurate choice is B: Only 2 is true.
NEW QUESTION # 25
Which factor is required to be determined when understanding the organization and its context?
- A. The processes that will be required to operate the ISMS
- B. The information security objectives relevant to the ISMS
- C. The ISO/IEC 27001 clauses which apply to the management system
- D. Internal issues affecting the purpose of the ISMS
Answer: D
Explanation:
Clause 4.1 specifies exactly what must be determined when establishing context: "The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system." This requirement is about understanding internal and external issues (e.g., culture, capabilities, regulatory environment) that influence the ISMS's effectiveness. Objectives (option B) are addressed later in Clause 6.2; processes (option C) are addressed in Clause 4.4 and operational planning; and "which clauses apply" (option D) is not a determination step-ISO/IEC 27001's requirements in Clauses 4-10 are not optional. Therefore, the direct, required factor per 4.1 is determining internal (and external) issues relevant to the organization's purpose and ISMS outcomes.
NEW QUESTION # 26
Identify the missing words in the following sentence.
The organization shall establish, implement, maintain and [ ? ] an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.
- A. report on
- B. communicate the importance of
- C. enforce standards for
- D. continually improve
Answer: D
Explanation:
Clause 4.4 of ISO/IEC 27001:2022 states:
"The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document." This requirement highlights that an ISMS is not static; it must evolve continuously to adapt to new risks, technologies, and business changes. Options A, C, and D are not mentioned in the clause. The continual improvement cycle is central to ISO standards, aligning with thePlan-Do-Check-Act (PDCA)model.
Thus, the missing words are"continually improve."
NEW QUESTION # 27
......
APMG-International ISO-IEC-27001-Foundation Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
| Topic 6 |
|
Ultimate Guide to Prepare ISO-IEC-27001-Foundation Certification Exam for ISO/IEC 27001: https://actualtests.torrentexam.com/ISO-IEC-27001-Foundation-exam-latest-torrent.html

