APMG-International ISO-IEC-27001-Foundation ISO/IEC 27001 (2022) Foundation Exam Exam Practice Test

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27013 standards:

ISO/IEC 27013 is titled:

“Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.”

This standard provides organizations with specific advice on how to integrate an Information Security Management System (ISMS) with an IT Service Management System (ITSMS). ISO/IEC 20000-1 is the IT Service Management requirements standard, but integration guidance is provided in 27013. ISO/IEC 27002 (A) is guidance for controls, not integration. Option D is incorrect since ISO/IEC 27013 explicitly exists for this purpose.

Therefore, the correct verified answer isB: ISO/IEC 27013.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.1 (Policies for information security) specifies:

“Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”

This clearly identifies the review frequency requirement: planned intervalsandwhenever there are significant changes. Options A and B (six-monthly or annually) are not prescribed by ISO — timing is left to the organization. Option C is also wrong, since Certification Bodies do not dictate policy review schedules.

Therefore, the verified correct answer isD.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27001:2022 standards and certification guidance:

Before a certification audit can begin, thescope of the ISMSmust be clearly defined and agreed with the Certification Body. ISO/IEC 27001 Clause 4.3 requires: “The scope shall be available as documented information.”

Certification Bodies require this scope statement to plan audit duration, resources, and coverage. Only after the scope is agreed does the Stage 1 audit begin, which reviews documented information and readiness. Stage 2 focuses on implementation and effectiveness. Evidence of corrective actions (C) is checked at Stage 2 if issues were identified earlier. Records provision (D) occurs during Stage 2, not first.

Thus, the first step in preparing for certification isA: Agreeing the scope of the ISMS with the Certification Body auditor.

Clause 6.1.2 (Information security risk assessment) requires organizations to “define and apply an information security risk assessment process that… establishes and maintains information security risk criteria, including criteria for accepting risk.”

This means that acceptable levels of risk (risk acceptance criteria) must be explicitly defined. These criteria ensure consistent decision-making when evaluating whether identified risks need further treatment or can be tolerated.

Option A is incorrect because exclusions relate to the ISMS scope (Clause 4.3), not risk assessment planning. Option B is not a requirement; effectiveness of risk assessment methods is not required to be measured, though methods must be applied consistently. Option D is false—the standard clearly specifies required elements for risk assessment.

Thus, the correct answer isC: The criteria for acceptable levels of risk.

Clause 9.3.2 (Management Review Inputs) states that management reviews shall include:

“c) information on the information security performance, including trends in: (1) nonconformities and corrective actions; (2) monitoring and measurement results; (3) audit results; and (4) fulfilment of information security objectives.”

This makesachievement of information security objectives(option A) a required trend to be considered. While external/internal requirements (C) and continual improvement opportunities (D) are also part of management review inputs, they are not specifically listed under “trends in performance.” Option B is outside the direct requirement.

Thus, the verified answer isA.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

ISO/IEC 27000 defines:

Risk analysis: “process to comprehend the nature of risk and to determine the level of risk” (Clause 3.58).

Risk assessment: the overall process of risk identification, risk analysis, and risk evaluation.

Risk evaluation: compares results of risk analysis against risk criteria to determine priority.

Risk management: coordinated activities to direct and control an organization with regard to risk.

Therefore, the missing word in the given definition is“analysis”.

This is important for ISMS implementation: organizations must understand the distinctions. Risk analysis is the core technical evaluation stage, while assessment is the broader process including evaluation, and management refers to the overall governance of risks.

Thus, the correct verified answer isB: Analysis.

Clause 6.1.3 (e) specifies:

“The organization shall obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.”

This confirms that residual risks — those remaining after risk treatment — must be reviewed and formally accepted by the designated risk owner. Option A is incorrect; awareness training is not a default control for all residual risks. Option B misrepresents leadership responsibility; top management ensures processes exist, butrisk ownersformally approve residual risk. Option D (avoiding risk) is a treatment option, not the mandated requirement for residual risks.

Thus, the required response isC: Review and acceptance by the risk owner.

Annex A of ISO/IEC 27001:2022 is titled:

“Reference control objectives and controls.” It provides areference list of information security controls, structured into 4 themes: organizational, people, physical, and technological.

The standard explicitly states in Clause 6.1.3: “Organizations can design controls as required or identify them from any source. Annex A contains a list of possible information security controls.” This means controls in Annex A are not mandatory (eliminating option C). Risk acceptance criteria (A) are defined in Clause 6.1.2, not Annex A. Annex A also does not provide measures for treatment effectiveness (D).

Thus, Annex A is best described as areference list of information security controls. Correct answer:B.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27005 standards:

ISO/IEC 27005:2022 is titled:

“Information security, cybersecurity and privacy protection — Guidance on managing information security risks.”

This standard provides structured methodologies for identifying, analyzing, evaluating, and treating risks, in alignment with ISO/IEC 27001’s risk management requirements (Clause 6.1.2 and 6.1.3). It supports organizations in implementing the risk management process that underpins an ISMS. Options A and B are titles of other ISO standards (ISO/IEC 27007 for auditing, ISO/IEC 27001 for requirements). Option D refers to ISO/IEC 27002 (controls).

Thus, the correct answer isC: Guidance on managing information security risks.

Clause 9.1 requires:

“The organization shall evaluate the information security performance and the effectiveness of the information security management system.”

This is the central purpose of monitoring, measurement, analysis, and evaluation. Competence (B) is covered under Clause 7.2. Monitoring use of assets (C) and outsourced processes (D) may be done, but they are not the formal purpose described in the standard. Instead, performance evaluation ensures the ISMS continues to meet intended outcomes and supports continual improvement.

Thus, the verified purpose is A: To evaluate information security performance.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A, control 6.8 (Information security event reporting) specifies:

“Information security events should be reported through appropriate management channels as quickly as possible. The organization should require all employees and contractors to note and report any observed or suspected information security events.”

This wording confirms that the required reporting covers“observed or suspected events.”Specific event types like information disclosure (A) or unauthorized access (B) are examples but not the broad requirement. Asset disposal (C) is addressed separately under equipment lifecycle controls (Annex A.7.14).

Therefore, the verified correct answer isD: Observed or suspected events.

Clause 7.2 (Competence) requires the organization to:

“determine the necessary competence of person(s) doing work under its control that affects its information security performance;”

“ensure that these persons are competent on the basis of appropriate education, training, or experience;”

“retain appropriate documented information as evidence of competence.”

This makesholding up-to-date records on training, skills, experience, and qualifications(D) the correct answer. Option A is irrelevant to competence. Option B is incorrect since ISO does not require Foundation-level training — competence is context-based. Option C is related to compliance but does not ensure individual competence.

Thus, the verified correct answer isD.

Clause 7.5 (Documented Information) specifies that organizations must maintain documentationnecessary for the effectiveness of the ISMS. Additionally, Clause 9.3 (Management Review) requires “records of decisions related to continual improvement opportunities” as an output of management review. This is a core requirement and forms part of the documented information that must be retained and controlled. Third-party materials (B), budgets (C), and cross-reference statements to other ISO standards (D) are not required by ISO/IEC 27001. Only documents that directly demonstrate compliance, decision-making, and continual improvement are mandated. Therefore, the verified minimum required documentation includesrecords of management review decisionsrelated to continual improvement, confirmingAnswer: A.

ISO/IEC 27001 mandates internal audits (Clause 9.2) and continual improvement (Clause 10.1) but doesnotdefine the specific audit term “observation.” However, the audit framework in 9.2 requires an audit programme and impartial auditors, and management review inputs include “feedback on the information security performance including trends in… audit results” and “opportunities for continual improvement.” The companion implementation guidance (ISO/IEC 27002) reinforces the concept ofopportunities for improvementin the review of policies: “The reviews should include assessing opportunities for improvement and the need for changes to the approach to information security…” In practical ISO audit usage (aligned with ISO 19011 guidance referenced in the Study Guide), anobservationis a recorded conformity where improvement is advisable—commonly termed an Opportunity for Improvement (OFI). The Study Guide’s internal audit section emphasizes running an audit programme to identify “potential areas of weakness or non-compliance,” supporting the notion of recording improvement opportunities alongside nonconformities. Therefore, within ISO/IEC 27001 audit practice, the best-fit definition isB: a conformity where there is an opportunity for improvement.

Clause 5.2 (Information security policy) requires that the policy:

“includes information security objectives (or provides a framework for setting them)”

“includes a commitment to satisfy applicable requirements related to information security”

“includes a commitment to continual improvement of the ISMS.”

Among the listed options, the exact mandatory requirement is“a commitment to satisfy applicable requirements related to information security”. Option B partially reflects Clause 5.2 (commitment to continual improvement), but the wording given in the standard prioritizes the satisfaction of applicable requirements (e.g., legal, regulatory, contractual). Option C is not a policy requirement. Option D (Statement of Applicability) is a separate mandatory document (Clause 6.1.3) and not part of the policy itself.

Thus, the correct answer isA.