Practice Free ISO-IEC-27001 Foundation Exam Online Questions
Question #11
Which statement describes a requirement for information security objectives?
- A . They shall be consistent with the information security policy
- B . They shall all be measurable
- C . They shall be contractually transferred to third parties
- D . They shall be reviewed at least annually
Correct Answer: A
Explanation:
Clause 6.2 (Information security objectives) requires that objectives:
“be consistent with the information security policy”
“be measurable (if practicable)”
“take into account applicable information security requirements”
“be monitored, communicated, and updated as appropriate.”
From this, option A is correct since consistency with policy is an explicit requirement.
Option B is incorrect because the standard only requires objectives to be measurable “if practicable”, so measurability is not mandatory for every objective.
Option C is incorrect: objectives are not transferred contractually to third parties, though third-party agreements may include security requirements.
Option D is incorrect because the standard requires objectives to be updated “as appropriate”, not reviewed on a fixed annual cycle.
Thus, the verified requirement is A: They shall be consistent with the information security policy.
Question #12
Which output is a required result from risk analysis?
- A . Risk acceptance criteria
- B . Determined levels of risk
- C . Risk treatment control options
- D . Prioritized risks for treatment
Correct Answer: B
Explanation:
Clause 6.1.2 (d) states that during risk analysis, the organization shall:
“assess the potential consequences that would result if the risks identified… were to materialize;” “assess the realistic likelihood of the occurrence of the risks identified;” “determine the levels of risk.”
This makes it clear that the required output of risk analysis is the determined levels of risk. Risk acceptance criteria (A) are set earlier in 6.1.2(a), treatment control options (C) belong to 6.1.3, and prioritization (D) is part of risk evaluation (6.1.2 e). Therefore, the verified correct output is B: Determined levels of risk.
Question #13
Who is required to ensure that staff are supported so that they can contribute to the information security management system?
- A . Top management of the organization
- B . Management responsible for each area of operation
- C . Auditors who audit each area of operation
- D . ISO/IEC 27001 practitioners within the organization
Correct Answer: A
Explanation:
Clause 5.1 (Leadership and Commitment) requires that:
“Top management shall demonstrate leadership and commitment with respect to the information security management system by… ensuring that the resources needed for the ISMS are available… and supporting persons to contribute to the effectiveness of the ISMS.”
This makes it explicit that top management has the responsibility to ensure personnel are supported so they can contribute to the ISMS.
Option B (line management) may provide local support, but ultimate accountability rests with top management. Auditors (C) only evaluate compliance, not provide support. Practitioners (D) help implement, but they don’t bear formal responsibility under the standard.
Thus, the verified answer is A: Top management of the organization.
Question #14
Identify the missing word(s) in the following sentence.
When planning the ISMS, the organization is specifically required to plan actions to address risks and opportunities and how to [ ? ] these actions.
- A . communicate
- B . apply competent resources to
- C . improve the effectiveness of
- D . evaluate the effectiveness of
Correct Answer: D
Explanation:
Clause 6.1.1 (Planning) states:
“The organization shall plan:
d) actions to address these risks and opportunities; and e) how to:
integrate and implement the actions into its ISMS processes; and evaluate the effectiveness of these actions.”
This confirms the missing words are “evaluate the effectiveness of”. Communication (A), applying resources (B), and improving effectiveness (C) are important concepts elsewhere but not the direct requirement stated in this clause.
Question #15
Which activity is a required element of information security risk identification?
- A . Determine the risk owners
- B . Consider the likelihood of the occurrence
- C . Prioritize the risk for treatment
- D . Determine the level of risk
Correct Answer: A
Explanation:
Clause 6.1.2 defines the mandatory elements of risk assessment. Under risk identification, the standard requires: “identifies the information security risks: 1) apply the information security risk assessment process to identify risks…; and 2) identify the risk owners.” By contrast, considering likelihood and determining levels of risk (options B and D) are part of risk analysis (6.1.2 d) “assess the realistic likelihood…”; “determine the levels of risk”), and prioritization for treatment (option C) is part of risk evaluation (6.1.2 e) “prioritize the analysed risks for risk treatment”). Therefore, the specific activity that belongs to risk identification is to identify the risk owners. This sequencing is prescribed to ensure each risk has a designated owner responsible for decisions on treatment and acceptance downstream.
