APMG-International ISO/IEC 27001 (2022) Foundation ISO-IEC-27001-Foundation Exam Questions

Page: 1 / 14
Total 50 questions
Question 1

Which action must top management take to provide evidence of its commitment to the establishment, operation and improvement of the ISMS?



Answer : B

Clause 5.1 (Leadership and Commitment) requires top management to demonstrate leadership by:

''ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;''

''ensuring the integration of the ISMS requirements into the organization's processes;''

''ensuring that the resources needed for the ISMS are available;''

Among the options, the one explicitly mandated is ensuring that information security objectives are established. Risk assessments (C) and implementing audit actions (D) are responsibilities of management but not the direct leadership evidence required in Clause 5.1. Communicating interested party feedback (A) is relevant but not specifically cited as leadership evidence. Thus, the verified answer is B.


Question 2

Identify the missing word in the following sentence.

The organization shall determine the [ ? ] of interested parties relevant to information security.



Answer : A

Clause 4.2 of ISO/IEC 27001:2022 states:

''The organization shall determine: a) interested parties that are relevant to the information security management system; b) the relevant requirements of these interested parties; c) which of these requirements will be addressed through the ISMS.''

This confirms that the missing word is requirements. None of number, structure, or influence is specified in the standard.


Question 3

What activity is done first when preparing for an initial certification audit?



Answer : A

Explanation, based on the text of ISO/IEC 27001:2022 and certification guidance:

Before a certification audit can begin, the scope of the ISMS must be clearly defined and agreed with the Certification Body. ISO/IEC 27001 Clause 4.3 requires: ''The scope shall be available as documented information.''

Certification Bodies require this scope statement to plan audit duration, resources, and coverage. Only after the scope is agreed does the Stage 1 audit begin, which reviews documented information and readiness. Stage 2 focuses on implementation and effectiveness. Evidence of corrective actions (C) is checked at Stage 2 if issues were identified earlier. Records provision (D) occurs during Stage 2, not first.

Thus, the first step in preparing for certification is A: Agreeing the scope of the ISMS with the Certification Body auditor.


Question 4

When are the information security policies required to be reviewed, according to the Policies for information security control?



Answer : D

Explanation, based on the text of ISO/IEC 27002:2022:

Annex A.5.1 (Policies for information security) specifies:

''Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.''

This clearly identifies the review frequency requirement: planned intervals and whenever there are significant changes. Options A and B (six-monthly or annually) are not prescribed by ISO; timing is left to the organization. Option C is also wrong, since Certification Bodies do not dictate policy review schedules.

Therefore, the verified correct answer is D.


Question 5

To whom are the information security policies required to be communicated, according to the control in Annex A of ISO/IEC 27001?



Answer : D

Explanation, based on the text of ISO/IEC 27002:2022:

Annex A.5.1 (Policies for information security) clearly specifies:

''Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties...''

This means the communication obligation is not limited to top management (A) or only ISMS staff (B), nor does it stop at employees only (C). Instead, ISO/IEC 27001/27002 mandate a broader scope: all relevant personnel and relevant interested parties must be informed. This ensures both internal stakeholders (employees, contractors, temporary staff) and external interested parties (suppliers, partners, regulators, customers, etc.) receive the right policy communications where applicable. Therefore, the correct and verified answer is D.


Question 6

Which trend in information security performance is required to be considered during a management review of the ISMS?



Answer : A

Clause 9.3.2 (Management Review Inputs) states that management reviews shall include:

''c) information on the information security performance, including trends in: (1) nonconformities and corrective actions; (2) monitoring and measurement results; (3) audit results; and (4) fulfilment of information security objectives.''

This makes achievement of information security objectives (option A) a required trend to be considered. While external/internal requirements (C) and continual improvement opportunities (D) are also part of management review inputs, they are not specifically listed under ''trends in performance.'' Option B is outside the direct requirement.

Thus, the verified answer is A.


Question 7

In which clause would the requirements for internal audit be found?



Answer : C

The requirements for internal audit are explicitly placed in Clause 9.2 of ISO/IEC 27001:2022, within Performance Evaluation (Clause 9). The standard requires:

''The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system... conforms to the organization's own requirements... and to the requirements of this document.'' (9.2.1)

''The organization shall plan, establish, implement and maintain an audit programme(s)...'' (9.2.2)

This clause clearly falls under Performance Evaluation (Clause 9), not Planning (Clause 6), Operation (Clause 8), or Improvement (Clause 10). Therefore, the correct answer is C.

