ISO-IEC-27001-Foundation ISO/IEC 27001 (2022) Foundation Exam Questions and Answers

Clause 7.3 (Awareness) requires:

“Persons doing work under the organization’s control shall be aware of: (a) the information security policy; (b) their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance; (c) the implications of not conforming with the ISMS requirements.”

This applies not only to employees but also contractors and external parties under the organization’s control. Competence (B) requires having skills, training, and experience, while Communication (C) covers defining communication processes (Clause 7.4). Nonconformity and corrective action (A) is part of Clause 10 (Improvement).

Therefore, the specific requirement that ensures contractors are made aware of the information security policies is found in Clause 7.3 Awareness. Correct answer: D.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

According to ISO/IEC 27000:2018, Clause 3.35:

“Integrity is the property of accuracy and completeness.”

This is one of the three core principles of information security (CIA triad):

Confidentiality: ensuring information is not made available to unauthorized persons (related to option B).

Integrity: ensuring data is accurate, complete, and unaltered except by authorized means.

Availability: ensuring information is accessible and usable when required (related to option A).

Option D incorrectly mixes availability and confidentiality. The precise ISO definition isaccuracy and completeness, which matches option C.

Thus, the correct verified answer isC.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

According to ISO/IEC 27000:2018, Clause 3.74, athreatis defined as:

“Potential cause of an unwanted incident, which can result in harm to a system or organization.”

This definition directly matches option A.

Option B refers to an “information security incident” (ISO/IEC 27000:2018, Clause 3.32).

Option C describes a “vulnerability” (ISO/IEC 27000:2018, Clause 3.67).

Option D refers to “residual risk” (ISO/IEC 27000:2018, Clause 3.61).

The standard emphasizes that threats exploit vulnerabilities, causing incidents that can harm information confidentiality, integrity, and availability. Correctly identifying threats is critical for risk assessment (Clause 6.1.2). Thus, the correct definition per ISO/IEC 27000 isA.

Clause 6.1.3 (c) requires organizations to:

“compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary control has been omitted; and prepare a Statement of Applicability.” It also requires organizations to select risk treatment options considering “the organization’s risk acceptance criteria.”

This shows thatrisk acceptance criteriaare a fundamental factor when selecting risk treatment options. Options C and D are incorrect because Annex A and ISO/IEC 27002 are reference sets, not the sole sources of controls — organizations can design their own. Criteria for performing risk assessments (B) are part of 6.1.2 (risk assessment process), not risk treatment.

Thus, the correct requirement isA: Criteria for accepting identified risks.

ISO/IEC 27001 Clause 9.2 requires internal audits to be conducted at planned intervals, but it does not specify an annual frequency. Certification audits, under ISO/IEC 17021 rules, typically occur on a 3-year cycle with annual surveillance, not strictly “annually.” This makes statement 1 inaccurate.

Audit types are defined in ISO/IEC 19011:

First-party audits: conducted internally by or on behalf of the organization (internal audits).

Third-party audits: conducted by independent external certification bodies.

Thus, statement 2 is correct. Therefore, the accurate choice is B: Only 2 is true.

Clause 4.1 specifies exactly what must be determined when establishing context: “The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.” This requirement is about understanding internal and external issues (e.g., culture, capabilities, regulatory environment) that influence the ISMS’s effectiveness. Objectives (option B) are addressed later in Clause 6.2; processes (option C) are addressed in Clause 4.4 and operational planning; and “which clauses apply” (option D) is not a determination step—ISO/IEC 27001’s requirements in Clauses 4–10 are not optional. Therefore, the direct, required factor per 4.1 is determining internal (and external) issues relevant to the organization’s purpose and ISMS outcomes.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27005 standards:

ISO/IEC 27005:2022 is titled:

“Information security, cybersecurity and privacy protection — Guidance on managing information security risks.”

This standard provides structured methodologies for identifying, analyzing, evaluating, and treating risks, in alignment with ISO/IEC 27001’s risk management requirements (Clause 6.1.2 and 6.1.3). It supports organizations in implementing the risk management process that underpins an ISMS. Options A and B are titles of other ISO standards (ISO/IEC 27007 for auditing, ISO/IEC 27001 for requirements). Option D refers to ISO/IEC 27002 (controls).

Thus, the correct answer isC: Guidance on managing information security risks.

Clause 9.2.2 of ISO/IEC 27001:2022 specifies requirements for the internal audit programme. It requires organizations to:

“Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits.”

This makes optionCcorrect, since importance of the processes is a required factor. Option A is incorrect because audits do not need third-party auditors; objectivity can be maintained internally if independence is respected. Option B is wrong because previous audit results must be considered, not disregarded. Option D is also incorrect — the standard does not specify a 3-year cycle; frequency depends on risks and needs.

Thus, the correct verified answer isC.

Certification audits are carried out byCertification Bodies (CBs), not the organization itself. ISO/IEC 27001 requires external certification audits to be independent, impartial, and objective. According to ISO/IEC 27006 (Requirements for bodies providing audit and certification of ISMS), the Certification Body determines theaudit duration and number of audit daysbased on factors such as organizational size, complexity, scope, and risk environment. This ensures consistency across organizations and prevents manipulation by the auditee. ISO/IEC 27001 Clause 9.2 and 9.3 addressinternal audit and management review, but the determination of certification audit days is outside the organization’s control; it rests solely with the accredited Certification Body auditors. Thus,Answer: Bis correct, as the CB’s external auditor formally calculates and assigns the audit time.

ISO/IEC 27001 makes clear that the ISMS is intended to be tailored to the organization. The standard states: “This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations regardless of type, size or nature.” This means implementation is scaled based on each organization’s risk, context, and needs, not a fixed one-size-fits-all set of activities or controls. Clause 6.1.3 further reinforces that control selection is flexible and risk-driven: “Organizations can design controls as required or identify them from any source,” and “Annex A contains a list of possible information security controls… The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.” Together, these extracts verify that the ISMS implementation is influenced by and scaled to the organization’s needs and selected controls, not separated from management processes (A, D) nor mandated to include “all controls” (B).

Clause 5.2 (Information security policy) requires that the policy:

“includes information security objectives (or provides a framework for setting them)”

“includes a commitment to satisfy applicable requirements related to information security”

“includes a commitment to continual improvement of the ISMS.”

Among the listed options, the exact mandatory requirement is“a commitment to satisfy applicable requirements related to information security”. Option B partially reflects Clause 5.2 (commitment to continual improvement), but the wording given in the standard prioritizes the satisfaction of applicable requirements (e.g., legal, regulatory, contractual). Option C is not a policy requirement. Option D (Statement of Applicability) is a separate mandatory document (Clause 6.1.3) and not part of the policy itself.

Thus, the correct answer isA.

Clause 9.3.2 (Management Review Inputs) states that management reviews shall include:

“c) information on the information security performance, including trends in: (1) nonconformities and corrective actions; (2) monitoring and measurement results; (3) audit results; and (4) fulfilment of information security objectives.”

This makesachievement of information security objectives(option A) a required trend to be considered. While external/internal requirements (C) and continual improvement opportunities (D) are also part of management review inputs, they are not specifically listed under “trends in performance.” Option B is outside the direct requirement.

Thus, the verified answer isA.