ISO-IEC-27001-Foundation Sample Questions Answers

Clause 9.3.2 (Management Review Inputs) states that management reviews shall include:

“c) information on the information security performance, including trends in: (1) nonconformities and corrective actions; (2) monitoring and measurement results; (3) audit results; and (4) fulfilment of information security objectives.”

This makesachievement of information security objectives(option A) a required trend to be considered. While external/internal requirements (C) and continual improvement opportunities (D) are also part of management review inputs, they are not specifically listed under “trends in performance.” Option B is outside the direct requirement.

Thus, the verified answer isA.

Clause 9.1 requires:

“The organization shall evaluate the information security performance and the effectiveness of the information security management system.”

This is the central purpose of monitoring, measurement, analysis, and evaluation. Competence (B) is covered under Clause 7.2. Monitoring use of assets (C) and outsourced processes (D) may be done, but they are not the formal purpose described in the standard. Instead, performance evaluation ensures the ISMS continues to meet intended outcomes and supports continual improvement.

Thus, the verified purpose is A: To evaluate information security performance.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.36 (Compliance with policies, rules and standards for information security) requires:

“Compliance with the organization’s information security policies, rules and standards for information security should be regularly reviewed.”

This directly matches option A. Option B refers to contractual compliance, which is part of supplier management controls (Annex A.5.19). Option C relates to Annex A.5.7 (Contact with authorities). Option D refers to asset return controls (Annex A.5.9).

Thus, the correct answer isA.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.12 (Classification of information) states:

“Information should be classified according to the information security needs of the organization based on confidentiality, integrity and availability.”

This aligns directly with option B. Option A (labelling) is a separate control (Annex A.5.13). Option C (security perimeters) is under physical controls (Annex A.7.1). Option D (access control rules) relates to Annex A.5.15 and A.8.2.

Thus, the verified correct statement for the Classification of information control isB.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

According to ISO/IEC 27000:2018, Clause 3.74, athreatis defined as:

“Potential cause of an unwanted incident, which can result in harm to a system or organization.”

This definition directly matches option A.

Option B refers to an “information security incident” (ISO/IEC 27000:2018, Clause 3.32).

Option C describes a “vulnerability” (ISO/IEC 27000:2018, Clause 3.67).

Option D refers to “residual risk” (ISO/IEC 27000:2018, Clause 3.61).

The standard emphasizes that threats exploit vulnerabilities, causing incidents that can harm information confidentiality, integrity, and availability. Correctly identifying threats is critical for risk assessment (Clause 6.1.2). Thus, the correct definition per ISO/IEC 27000 isA.

Clause 9.2 (Internal Audit) and Clause 9.3 (Management Review) highlight that audit outputs and management reviews are key inputs for evaluating ISMS performance. Surveillance audits, conducted by Certification Bodies, check ongoing compliance and effectiveness. ISO certification schemes (per ISO/IEC 17021) require surveillance audits to verify whether corrective actions and continuous improvements are being made. A critical focus area is theresults of internal audits and management reviews, ensuring that the organization maintains its ISMS between certification cycles.

Option A is incorrect — third-party audits are performed by independent Certification Bodies, not customers. Option B is incorrect — certificates are typically valid forthree yearswith annual surveillance. Option D is incorrect — Stage 1 is primarily adocumentation and readiness review, not evidence observation.

Therefore, the verified correct answer isC.

Clause 4.2 of ISO/IEC 27001:2022 states:

“The organization shall determine: a) interested parties that are relevant to the information security management system; b) the relevant requirements of these interested parties; c) which of these requirements will be addressed through the ISMS.”

This confirms that the missing word isrequirements. Neither number, structure, nor influence are specified in the standard.

Clause 10.1 (Nonconformity and corrective action) specifies:

“The organization shall react to the nonconformity and, as applicable: take action to control and correct it; deal with the consequences; evaluate the need for action to eliminate the cause(s)… Corrective actions shall be appropriate to the effects of the nonconformities encountered.”

This confirms optionB. Option A is inaccurate—ISO requires actions appropriate toeffects, not probability alone. Option C is false—policies may need updating to correct nonconformities. Option D is incorrect, as not every cause can always be eliminated; residual issues may exist.

Thus, the verified requirement isB.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

In ISO/IEC 27002:2022, which provides control guidance for Annex A of ISO/IEC 27001, Clause 5.19 is titled:“Information security in supplier relationships.”

This control requires organizations to ensure that information security is addressed in supplier agreements and relationships. It is part of theOrganizational Controls theme. The other options are not control titles in Annex A:

“Responsibilities and procedures” (B) was used in older standards like ISO/IEC 27001:2005 but no longer exists.

“Protection of documents” (C) relates to document control but is not a specific Annex A control.

“Change control” (D) is relevant to ITIL/ITSM but not listed as a control title in Annex A.

Therefore, the correct Annex A control title isA: Information security in supplier relationships.

Clause 6.2 (Information security objectives) requires that objectives:

“be consistent with the information security policy”

“be measurable (if practicable)”

“take into account applicable information security requirements”

“be monitored, communicated, and updated as appropriate.”

From this, option A is correct since consistency with policy is an explicit requirement. Option B is incorrect because the standard allows objectives to be measurable “if practicable” (not mandatory for all). Option C is incorrect—objectives are not transferred contractually to third parties, though third-party agreements may include security requirements. Option D is incorrect because the standard requires regular review “as appropriate,” not a fixed annual cycle.

Thus, the verified requirement isA: They shall be consistent with the information security policy.

Clause 6.1.2 defines the mandatory elements of risk assessment. Under risk identification, the standard requires: “identifies the information security risks:1) apply the information security risk assessment process to identify risks…; and2) identify the risk owners.” By contrast, considering likelihood and determining levels of risk (options B and D) are part ofrisk analysis(6.1.2 d) “assess the realistic likelihood…”; “determine the levels of risk”), and prioritization for treatment (option C) is part ofrisk evaluation(6.1.2 e) “prioritize the analysed risks for risk treatment”). Therefore, the specific activity that belongs torisk identificationis toidentify the risk owners. This sequencing is prescribed to ensure each risk has a designated owner responsible for decisions on treatment and acceptance downstream.

Clause 6.1.3 (d) requires that the organization“produce a Statement of Applicability that contains the necessary controls (see Annex A), and justification for inclusions, whether they are implemented or not, and the justification for exclusions.”

This is the defining requirement of the SoA: it documents which Annex A controls are relevant, which are implemented, and the justification for inclusion/exclusion. While the ISMS scope (A) is documented in Clause 4.3, and risk evaluation criteria (C) are defined in Clause 6.1.2, these do not belong in the SoA. The SoA does not describe the full risk assessment approach (B); that is part of the risk assessment methodology. Therefore, the mandatory requirement for the SoA isjustification for including (or excluding) each information security control.