APMG-International ISO/IEC 27001 (2022) Foundation ISO-IEC-27001-Foundation Exam Practice Test

Page: 1 / 14
Total 50 questions
Question 1

Which statement describes a purpose of monitoring, measurement, analysis and evaluation according to ISO/IEC 27001?



Answer : A

Clause 9.1 requires:

"The organization shall evaluate the information security performance and the effectiveness of the information security management system."

This is the central purpose of monitoring, measurement, analysis, and evaluation. Competence (B) is covered under Clause 7.2. Monitoring use of assets (C) and outsourced processes (D) may be done, but they are not the formal purpose described in the standard. Instead, performance evaluation ensures the ISMS continues to meet intended outcomes and supports continual improvement.

Thus, the verified purpose is A: To evaluate information security performance.


Question 2

Which statement is a factor that will influence the implementation of the information security management system?



Answer : C

ISO/IEC 27001 makes clear that the ISMS is intended to be tailored to the organization. The standard states: "This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations regardless of type, size or nature." This means implementation is scaled to each organization's risk, context, and needs, not to a fixed one-size-fits-all set of activities or controls. Clause 6.1.3 further reinforces that control selection is flexible and risk-driven: "Organizations can design controls as required or identify them from any source," and "Annex A contains a list of possible information security controls... The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed." Together, these extracts verify that ISMS implementation is influenced by and scaled to the organization's needs and selected controls; it is neither separated from management processes (A, D) nor mandated to include "all controls" (B).


Question 3

Which output is a required result from risk analysis?



Answer : B

Clause 6.1.2 (d) states that during risk analysis, the organization shall:

"assess the potential consequences that would result if the risks identified... were to materialize;"

"assess the realistic likelihood of the occurrence of the risks identified;"

"determine the levels of risk."

This makes it clear that the required output of risk analysis is the determined levels of risk. Risk acceptance criteria (A) are set earlier in 6.1.2(a), treatment control options (C) belong to 6.1.3, and prioritization (D) is part of risk evaluation (6.1.2(e)). Therefore, the verified correct output is B: Determined levels of risk.


Question 4

What is required to be reported by the Information security event reporting control?



Answer : D

Explanation based on the exact extract from ISO/IEC 27002:2022:

Annex A, control 6.8 (Information security event reporting) specifies:

"Information security events should be reported through appropriate management channels as quickly as possible. The organization should require all employees and contractors to note and report any observed or suspected information security events."

This wording confirms that the required reporting covers "observed or suspected events." Specific event types like information disclosure (A) or unauthorized access (B) are examples but not the broad requirement. Asset disposal (C) is addressed separately under equipment lifecycle controls (Annex A.7.14).

Therefore, the verified correct answer is D: Observed or suspected events.


Question 5

Which attribute is NOT a required focus of continual ISMS improvement?



Answer : D

Clause 10.2 (Continual Improvement) specifies that the organization must "continually improve the suitability, adequacy and effectiveness of the information security management system."

This makes it clear that three attributes are explicitly required to be addressed:

Suitability: ensuring the ISMS continues to meet organizational needs in changing contexts.

Adequacy: ensuring the ISMS covers the necessary scope and provides sufficient control coverage.

Effectiveness: ensuring the ISMS achieves intended outcomes in protecting information security.

The word "importance" is not part of the continual improvement requirement. Importance is implicit in the prioritization of risks and actions, but it is not a required continual improvement attribute in ISO/IEC 27001. Therefore, option D: Importance is the correct choice, as it is not specified.

This distinction reinforces that continual improvement is not about subjective importance, but about systematic enhancement of the ISMS's suitability, adequacy, and effectiveness.


Question 6

Which item is required to be defined when planning the organization's risk assessment process?



Answer : C

Clause 6.1.2 (Information security risk assessment) requires organizations to "define and apply an information security risk assessment process that... establishes and maintains information security risk criteria, including criteria for accepting risk."

This means that acceptable levels of risk (risk acceptance criteria) must be explicitly defined. These criteria ensure consistent decision-making when evaluating whether identified risks need further treatment or can be tolerated.

Option A is incorrect because exclusions relate to the ISMS scope (Clause 4.3), not risk assessment planning. Option B is not a requirement: the effectiveness of risk assessment methods is not required to be measured, though the methods must be applied consistently. Option D is false, since the standard clearly specifies required elements for risk assessment.

Thus, the correct answer is C: The criteria for acceptable levels of risk.


Question 7

What is the definition of a threat according to ISO/IEC 27000?



Answer : A

Explanation based on the exact extract from ISO/IEC 27000:

According to ISO/IEC 27000:2018, Clause 3.74, a threat is defined as:

"Potential cause of an unwanted incident, which can result in harm to a system or organization."

This definition directly matches option A.

Option B refers to an "information security incident" (ISO/IEC 27000:2018, Clause 3.32).

Option C describes a "vulnerability" (ISO/IEC 27000:2018, Clause 3.67).

Option D refers to "residual risk" (ISO/IEC 27000:2018, Clause 3.61).

The standard emphasizes that threats exploit vulnerabilities, causing incidents that can harm information confidentiality, integrity, and availability. Correctly identifying threats is critical for risk assessment (Clause 6.1.2). Thus, the correct definition per ISO/IEC 27000 is A.

