ISO-IEC-27001-Foundation ISO/IEC 27001 (2022) Foundation Exam Questions and Answers

Clause 9.2.2 of ISO/IEC 27001:2022 specifies requirements for the internal audit programme. It requires organizations to:

“ Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits. ”

This makes option C correct, since importance of the processes is a required factor. Option A is incorrect because audits do not need third-party auditors; objectivity can be maintained internally if independence is respected. Option B is wrong because previous audit results must be considered, not disregarded. Option D is also incorrect — the standard does not specify a 3-year cycle; frequency depends on risks and needs.

Thus, the correct verified answer is C .

Clause 6.1.2 (Information security risk assessment) requires organizations to “ define and apply an information security risk assessment process that… establishes and maintains information security risk criteria, including criteria for accepting risk. ”

This means that acceptable levels of risk (risk acceptance criteria) must be explicitly defined. These criteria ensure consistent decision-making when evaluating whether identified risks need further treatment or can be tolerated.

Option A is incorrect because exclusions relate to the ISMS scope (Clause 4.3), not risk assessment planning. Option B is not a requirement; effectiveness of risk assessment methods is not required to be measured, though methods must be applied consistently. Option D is false—the standard clearly specifies required elements for risk assessment.

Thus, the correct answer is C: The criteria for acceptable levels of risk.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

According to ISO/IEC 27000:2018, Clause 3.74, a threat is defined as:

“ Potential cause of an unwanted incident, which can result in harm to a system or organization. ”

This definition directly matches option A.

Option B refers to an “information security incident” (ISO/IEC 27000:2018, Clause 3.32).

Option C describes a “vulnerability” (ISO/IEC 27000:2018, Clause 3.67).

Option D refers to “residual risk” (ISO/IEC 27000:2018, Clause 3.61).

The standard emphasizes that threats exploit vulnerabilities, causing incidents that can harm information confidentiality, integrity, and availability. Correctly identifying threats is critical for risk assessment (Clause 6.1.2). Thus, the correct definition per ISO/IEC 27000 is A .

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.12 (Classification of information) states:

“ Information should be classified according to the information security needs of the organization based on confidentiality, integrity and availability. ”

This aligns directly with option B. Option A (labelling) is a separate control (Annex A.5.13). Option C (security perimeters) is under physical controls (Annex A.7.1). Option D (access control rules) relates to Annex A.5.15 and A.8.2.

Thus, the verified correct statement for the Classification of information control is B .

Clause 8.1 (Operational planning and control) requires organizations to:

“Ensure that changes are controlled. The organization shall review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.”

This requirement ensures that operational processes are planned, controlled, and adjusted where unexpected changes occur. Risk assessments (B) are covered in Clause 6.1.2 (Planning), not operations. Scheduling second-party audits (C) is not an ISMS requirement but part of supplier/customer arrangements. Documenting objectives (D) belongs to Clause 6.2 (Planning).

Thus, the required operational planning and control activity is A: Review the consequences of unintended changes.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A in ISO/IEC 27001 refers directly to ISO/IEC 27002 for control guidance. In ISO/IEC 27002:2022, Clause 6.8 is titled:

“ Information security event reporting – Information security events should be reported through appropriate management channels as quickly as possible. ”

This control ensures breaches, incidents, or suspected issues are reported for action. The other options (B, C, D) are not the exact titles in Annex A. The official title is Information security event reporting , confirming Answer: A .

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.1 (Policies for information security) specifies:

“ Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. ”

This clearly identifies the review frequency requirement: planned intervals and whenever there are significant changes. Options A and B (six-monthly or annually) are not prescribed by ISO — timing is left to the organization. Option C is also wrong, since Certification Bodies do not dictate policy review schedules.

Therefore, the verified correct answer is D .

ISO/IEC 27001 makes clear that the ISMS is intended to be tailored to the organization. The standard states: “ This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations regardless of type, size or nature .” This means implementation is scaled based on each organization’s risk, context, and needs, not a fixed one-size-fits-all set of activities or controls. Clause 6.1.3 further reinforces that control selection is flexible and risk-driven: “ Organizations can design controls as required or identify them from any source ,” and “ Annex A contains a list of possible information security controls… The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed .” Together, these extracts verify that the ISMS implementation is influenced by and scaled to the organization’s needs and selected controls, not separated from management processes (A, D) nor mandated to include “all controls” (B).

Clause 5.1 (Leadership and Commitment) requires that:

“ Top management shall demonstrate leadership and commitment with respect to the information security management system by… ensuring that the resources needed for the ISMS are available… and supporting persons to contribute to the effectiveness of the ISMS. ”

This makes it explicit that top management has the responsibility to ensure personnel are supported so they can contribute to the ISMS. Option B (line management) may provide local support, but ultimate accountability rests with top management. Auditors (C) only evaluate compliance, not provide support. Practitioners (D) help implement, but they don’t bear formal responsibility under the standard.

Thus, the verified answer is A: Top management of the organization .

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.6.1 (Terms and conditions of employment) states:

“ The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. ”

This means the control applies not just to employees, but also contractors and, where relevant, third-party users who are subject to contractual obligations with the organization. The goal is to ensure that all parties engaged in work under the organization’s control understand their security responsibilities before, during, and after employment or contract engagement.

Options A and B are too narrow, excluding key groups. Option C misrepresents the scope by implying a mutual responsibility but not identifying the individuals covered. The explicit scope includes employees, contractors, and third-party users.

Therefore, the correct answer is D .

Clause 10.1 (Nonconformity and corrective action) specifies:

“ The organization shall react to the nonconformity and, as applicable: take action to control and correct it; deal with the consequences; evaluate the need for action to eliminate the cause(s)… Corrective actions shall be appropriate to the effects of the nonconformities encountered. ”

This confirms option B . Option A is inaccurate—ISO requires actions appropriate to effects , not probability alone. Option C is false—policies may need updating to correct nonconformities. Option D is incorrect, as not every cause can always be eliminated; residual issues may exist.

Thus, the verified requirement is B .

The benefits of implementing an ISMS under ISO/IEC 27001 are well established. Clause 0.1 (General) explains that an ISMS provides a systematic approach to managing sensitive information and “ preserves confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. ”

Option A is correct as a benefit, since trust and confidence from stakeholders is an outcome of compliance. Option C is also a benefit, since controls are chosen and tailored based on organizational context and risk assessment (Clause 6.1.3). Option D reflects another real benefit—reducing the probability and/or impact of incidents through effective risk management.

However, staff qualifications (option B) are not guaranteed benefits of implementing an ISMS. While training and competence (Clause 7.2) are required, the standard does not require or provide ISO/IEC 27001 Foundation-level certification for staff. That is an external training/certification scheme, not an ISMS outcome.

Therefore, the benefit NOT relevant to implementing ISO/IEC 27001 is B .