Practice Free ISO-IEC-27001 Foundation Exam Online Questions
Which information is required to be included in the Statement of Applicability?
- A . The scope and boundaries of the ISMS
- B . The risk assessment approach of the organization
- C . The criteria against which risk will be evaluated
- D . The justification for including each information security control
D
Explanation:
Clause 6.1.3 (d) requires that the organization “produce a Statement of Applicability that contains the necessary controls (see Annex A), and justification for inclusions, whether they are implemented or not, and the justification for exclusions.”
This is the defining requirement of the SoA: it documents which Annex A controls are relevant, which are implemented, and the justification for inclusion/exclusion. While the ISMS scope (A) is documented in Clause 4.3, and risk evaluation criteria (C) are defined in Clause 6.1.2, these do not belong in the SoA. The SoA does not describe the full risk assessment approach (B); that is part of the risk assessment methodology. Therefore, the mandatory requirement for the SoA is justification for including (or excluding) each information security control.
Which action must top management take to provide evidence of its commitment to the establishment, operation and improvement of the ISMS?
- A . Communicating feedback from interested parties to the organization
- B . Ensuring information security objectives are established
- C . Producing a risk assessment report
- D . Implementing the actions from internal audits
B
Explanation:
Clause 5.1 (Leadership and Commitment) requires top management to demonstrate leadership by:
- “ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;”
- “ensuring the integration of the ISMS requirements into the organization’s processes;”
- “ensuring that the resources needed for the ISMS are available;”
Among the options, the one explicitly mandated is ensuring that information security objectives are established. Risk assessments (C) and implementing audit actions (D) are responsibilities of management but not the direct leadership evidence required in Clause 5.1. Communicating interested party feedback (A) is relevant but not specifically cited as leadership evidence. Thus, the verified answer is B.
Which International Standard can be used to implement an integrated management system with ISO/IEC 27001?
- A . ISO/IEC 27003
- B . ISO/IEC 27013
- C . ISO 9001
- D . None of the above
B
Explanation:
ISO/IEC 27013 provides specific guidance on the integration of ISO/IEC 27001 (Information Security Management) and ISO/IEC 20000-1 (IT Service Management). It offers practical advice for organizations seeking a unified management system approach. While ISO/IEC 27003 (A) provides guidance on ISMS implementation, it does not address integration. ISO 9001 (C) is the Quality Management Standard and can be integrated, but the specific standard designed for integrating 27001 with ITSM is ISO/IEC 27013.
Therefore, the correct answer is B: ISO/IEC 27013, as it is explicitly published for this purpose.
Which statement describes the control for the Compliance with policies, rules and standards for information security within Annex A of ISO/IEC 27001?
- A . Regular review of compliance
- B . Regular review of contractual compliance
- C . Maintain contact with legal authorities
- D . Return assets to their legal owners
A
Explanation:
Explanation based on an exact extract from the ISO/IEC 27002:2022 standard:
Annex A.5.36 (Compliance with policies, rules and standards for information security) requires:
“Compliance with the organization’s information security policies, rules and standards for information security should be regularly reviewed.”
This directly matches option A.
Option B refers to contractual compliance, which is part of supplier management controls (Annex A.5.19).
Option C relates to Annex A.5.7 (Contact with authorities).
Option D refers to asset return controls (Annex A.5.9).
Thus, the correct answer is A.
Which factor is required to be determined when understanding the organization and its context?
- A . Internal issues affecting the purpose of the ISMS
- B . The information security objectives relevant to the ISMS
- C . The processes that will be required to operate the ISMS
- D . The ISO/IEC 27001 clauses which apply to the management system
A
Explanation:
Clause 4.1 specifies exactly what must be determined when establishing context: “The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.” This requirement is about understanding internal and external issues (e.g., culture, capabilities, regulatory environment) that influence the ISMS’s effectiveness. Objectives (option B) are addressed later in Clause 6.2; processes (option C) are addressed in Clause 4.4 and operational planning; and “which clauses apply” (option D) is not a determination step, because ISO/IEC 27001’s requirements in Clauses 4 to 10 are not optional. Therefore, the direct, required factor per 4.1 is determining internal (and external) issues relevant to the organization’s purpose and ISMS outcomes.
Which is a control title within Annex A of ISO/IEC 27001?
- A . Information security in supplier relationships
- B . Responsibilities and procedures
- C . Protection of documents
- D . Change control
A
Explanation:
Explanation based on an exact extract from the ISO/IEC 27002:2022 standard:
In ISO/IEC 27002:2022, which provides control guidance for Annex A of ISO/IEC 27001, Clause 5.19 is titled: “Information security in supplier relationships.”
This control requires organizations to ensure that information security is addressed in supplier agreements and relationships. It is part of the Organizational Controls theme. The other options are not control titles in Annex A:
“Responsibilities and procedures” (B) was used in older standards like ISO/IEC 27001:2005 but no longer exists.
“Protection of documents” (C) relates to document control but is not a specific Annex A control.
“Change control” (D) is relevant to ITIL/ITSM but not listed as a control title in Annex A.
Therefore, the correct Annex A control title is A: Information security in supplier relationships.
What is the definition of a threat according to ISO/IEC 27000?
- A . A potential cause of an unwanted incident which can result in harm to a system or organization
- B . A single or a series of unwanted or unexpected information security events
- C . A weakness of an asset or a control that can be exploited
- D . The risk remaining after risk treatment
A
Explanation:
Explanation based on an exact extract from the ISO/IEC 27000 standard:
According to ISO/IEC 27000:2018, Clause 3.74, a threat is defined as:
“Potential cause of an unwanted incident, which can result in harm to a system or organization.” This definition directly matches option A.
Option B refers to an “information security incident” (ISO/IEC 27000:2018, Clause 3.32).
Option C describes a “vulnerability” (ISO/IEC 27000:2018, Clause 3.67).
Option D refers to “residual risk” (ISO/IEC 27000:2018, Clause 3.61).
The standard emphasizes that threats exploit vulnerabilities, causing incidents that can harm information confidentiality, integrity, and availability. Correctly identifying threats is critical for risk assessment (Clause 6.1.2). Thus, the correct definition per ISO/IEC 27000 is A.
Which action is a required response to an identified residual risk?
- A . By default, it shall be controlled by information security awareness and training
- B . Top management shall delegate its treatment to risk owners
- C . It shall be reviewed by the risk owner to consider acceptance
- D . The organization shall change practices to avoid the risk occurring
C
Explanation:
Clause 6.1.3 (e) specifies:
“The organization shall obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.”
This confirms that residual risks (those remaining after risk treatment) must be reviewed and formally accepted by the designated risk owner.
Option A is incorrect; awareness training is not a default control for all residual risks.
Option B misrepresents leadership responsibility; top management ensures processes exist, but risk owners formally approve residual risk.
Option D (avoiding risk) is a treatment option, not the mandated requirement for residual risks.
Thus, the required response is C: Review and acceptance by the risk owner.
Which statement about the conduct of audits is true?
- A . Third party audits are conducted by a customer of the organization
- B . The certificate issued after a successful re-certification audit in typical schemes lasts for one year
- C . One of the focus areas for a surveillance audit is the output from internal audits and management reviews
- D . During Stage 1 of a certification audit, evidence is collected by observing activities
C
Explanation:
Clause 9.2 (Internal Audit) and Clause 9.3 (Management Review) highlight that audit outputs and management reviews are key inputs for evaluating ISMS performance. Surveillance audits, conducted by Certification Bodies, check ongoing compliance and effectiveness. ISO certification schemes (per ISO/IEC 17021) require surveillance audits to verify whether corrective actions and continuous improvements are being made. A critical focus area is the results of internal audits and management reviews, ensuring that the organization maintains its ISMS between certification cycles.
Option A is incorrect: third-party audits are performed by independent Certification Bodies, not customers.
Option B is incorrect: certificates are typically valid for three years with annual surveillance.
Option D is incorrect: Stage 1 is primarily a documentation and readiness review, not evidence observation.
Therefore, the verified correct answer is C.
When are the information security policies required to be reviewed, according to the Policies for information security control?
- A . Every six months
- B . Annually
- C . According to a schedule defined by the Certification Body
- D . At planned intervals and if significant changes occur
D
Explanation:
Explanation based on an exact extract from the ISO/IEC 27002:2022 standard:
Annex A.5.1 (Policies for information security) specifies:
“Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”
This clearly identifies the review frequency requirement: planned intervals and whenever there are significant changes.
Options A and B (six-monthly or annually) are not prescribed by ISO; timing is left to the organization.
Option C is also wrong, since Certification Bodies do not dictate policy review schedules.
Therefore, the verified correct answer is D.
