Identify the missing word in the following sentence.
The organization shall determine the [ ? ] of interested parties relevant to information security.
Answer: A
Clause 4.2 of ISO/IEC 27001:2022 states:
"The organization shall determine: a) interested parties that are relevant to the information security management system; b) the relevant requirements of these interested parties; c) which of these requirements will be addressed through the ISMS."
This confirms that the missing word is "requirements". Number, structure and influence are not specified in the standard.
Identify the missing word in the following sentence.
According to ISO/IEC 27000, the definition of risk [?] is a "process to comprehend the nature of risk and to determine the level of risk."
Answer: B
Explanation, based on the exact wording of the ISO/IEC 27000 standard:
ISO/IEC 27000 defines:
Risk analysis: "process to comprehend the nature of risk and to determine the level of risk" (Clause 3.58).
Risk assessment: the overall process of risk identification, risk analysis, and risk evaluation.
Risk evaluation: compares results of risk analysis against risk criteria to determine priority.
Risk management: coordinated activities to direct and control an organization with regard to risk.
Therefore, the missing word in the given definition is "analysis".
This is important for ISMS implementation: organizations must understand the distinctions. Risk analysis is the core technical evaluation stage, while assessment is the broader process including evaluation, and management refers to the overall governance of risks.
Thus, the correct verified answer is B: Analysis.
When are the information security policies required to be reviewed, according to the Policies for information security control?
Answer: D
Explanation, based on the exact wording of ISO/IEC 27002:2022:
Annex A.5.1 (Policies for information security) specifies:
"Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur."
This clearly identifies the review frequency requirement: at planned intervals and whenever significant changes occur. Options A and B (six-monthly or annually) are not prescribed by ISO; the timing is left to the organization. Option C is also wrong, since certification bodies do not dictate policy review schedules.
Therefore, the verified correct answer is D.
Which trend in information security performance is required to be considered during a management review of the ISMS?
Answer: A
Clause 9.3.2 (Management Review Inputs) states that management reviews shall include:
"c) information on the information security performance, including trends in: (1) nonconformities and corrective actions; (2) monitoring and measurement results; (3) audit results; and (4) fulfilment of information security objectives."
This makes achievement of information security objectives (option A) a required trend to be considered. While external/internal requirements (C) and continual improvement opportunities (D) are also part of management review inputs, they are not specifically listed under "trends in performance". Option B is outside the direct requirement.
Thus, the verified answer is A.
Which factor is required to be determined when understanding the organization and its context?
Answer: A
Clause 4.1 specifies exactly what must be determined when establishing context: "The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system." This requirement is about understanding internal and external issues (e.g., culture, capabilities, regulatory environment) that influence the ISMS's effectiveness. Objectives (option B) are addressed later in Clause 6.2; processes (option C) are addressed in Clause 4.4 and operational planning; and "which clauses apply" (option D) is not a determination step, because ISO/IEC 27001's requirements in Clauses 4 to 10 are not optional. Therefore, the direct, required factor per 4.1 is determining internal (and external) issues relevant to the organization's purpose and ISMS outcomes.
Which action is an organization required to take to ensure that personnel are competent to perform their assigned tasks within the ISMS?
Answer: D
Clause 7.2 (Competence) requires the organization to:
"determine the necessary competence of person(s) doing work under its control that affects its information security performance;"
"ensure that these persons are competent on the basis of appropriate education, training, or experience;"
"retain appropriate documented information as evidence of competence."
This makes holding up-to-date records on training, skills, experience, and qualifications (D) the correct answer. Option A is irrelevant to competence. Option B is incorrect since ISO does not require Foundation-level training; competence is context-based. Option C is related to compliance but does not ensure individual competence.
Thus, the verified correct answer is D.
Which output is a required result from risk analysis?
Answer: B
Clause 6.1.2 (d) states that during risk analysis, the organization shall:
"assess the potential consequences that would result if the risks identified... were to materialize;"
"assess the realistic likelihood of the occurrence of the risks identified;"
"determine the levels of risk."
This makes it clear that the required output of risk analysis is the determined levels of risk. Risk acceptance criteria (A) are set earlier in 6.1.2(a), treatment control options (C) belong to 6.1.3, and prioritization (D) is part of risk evaluation (6.1.2 e). Therefore, the verified correct output is B: Determined levels of risk.