Question 1

Which of the following statements about the relationship between ISO/IEC 27001 and ISO/IEC 27002
is true?
ISO/IEC 27002 provides implementation advice on the controls selected during the ISO/IEC 27001
information security risk management process
ISO/IEC 27002 provides a process for information security risk management which implements the
requirements of ISO/IEC 27001

Accepted Answer

A

Explanation: ISO/IEC 27001 is the standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). A core part of this is the information security risk management process (Clauses 6.1.2 and 8.2). ISO/IEC 27002 serves as a supplementary code of practice. It provides a reference set of generic information security controls and offers detailed implementation guidance for the controls listed in Annex A of ISO/IEC 27001. Therefore, after an organization uses the ISO/IEC 27001 process to identify necessary controls, it can refer to ISO/IEC 27002 for advice on how to implement them. Statement 1 is true, while statement 2 is false.

Question 2

Identify the missing word in the following sentence. The organization shall determine the [ ? ] of interested parties relevant to information security.

Accepted Answer

A

Explanation: The sentence is a direct reference to the requirements outlined in Clause 4.2 of the ISO/IEC 27001 standard. This clause, titled "Understanding the needs and expectations of interested parties," mandates that an organization must first identify relevant interested parties and then determine their specific information security requirements. These requirements are then considered when establishing the scope and controls of the Information Security Management System (ISMS).

Question 3

Which audit activity related to ISO/IEC 27001 may be carried out by a practitioner?

Accepted Answer

B

Explanation: An ISO/IEC 27001 practitioner is an individual within an organization who is competent in the standard's requirements. According to Clause 9.2 of ISO/IEC 27001, the organization must conduct internal audits at planned intervals. These first-party audits are a fundamental activity for verifying the effectiveness and conformity of the Information Security Management System (ISMS). A qualified internal practitioner is the appropriate person to perform this function, ensuring they remain objective and impartial by not auditing their own direct responsibilities. The other options describe third-party audits that require specific accreditation and external authority, which are outside the practitioner's scope.

Question 4

Which statement describes a requirement of an internal audit programme?

Accepted Answer

C

Explanation: ISO/IEC 27001:2022, Clause 9.2.2, mandates that an organization's internal audit programme must be planned, established, and maintained. A key input for this planning is "the importance of the processes concerned." This risk-based approach ensures that audit efforts and resources are prioritized and focused on the processes most critical to the organization's information security objectives. Audits for high-importance processes may be more frequent or in-depth compared to those for less critical processes, thereby making the audit programme more effective and efficient.

Question 5

Which item is required to be defined when planning the organization's risk assessment process?

Accepted Answer

C

Explanation: According to ISO/IEC 27001:2022, when planning and establishing the information security risk assessment process, the organization is explicitly required to define and maintain risk acceptance criteria. These criteria are fundamental to the risk management process as they establish the threshold for which risks are considered acceptable and which ones require treatment. Without these predefined criteria, risk evaluation and treatment decisions would be inconsistent and subjective, undermining the entire purpose of the Information Security Management System (ISMS).

Question 6

Which action is an organization required to take to ensure that personnel are competent to perform their assigned tasks within the ISMS?

Accepted Answer

D

Explanation: ISO/IEC 27001, Clause 7.2 (Competence), mandates that an organization must determine the necessary competence of personnel performing work that affects its information security performance. The standard requires the organization to ensure these persons are competent based on appropriate education, training, or experience. A key and explicit requirement within this clause is to "retain appropriate documented information as evidence of competence." Therefore, holding up-to-date records on training, skills, experience, and qualifications is a required action to demonstrate and ensure that personnel are competent to perform their assigned ISMS tasks.

Question 7

When are the information security policies required to be reviewed, according to the Policies for information security control?

Accepted Answer

D

Explanation: According to ISO/IEC 27001:2022, the information security policy and its topic-specific policies must be reviewed to ensure their ongoing suitability, adequacy, and effectiveness. The standard explicitly mandates this review process to occur "at planned intervals or if significant changes occur." This dual trigger ensures that policies are not only checked periodically as part of a regular cycle (e.g., annually) but are also updated proactively in response to major events, such as changes in business objectives, legal environments, technology, or the threat landscape. This approach maintains the relevance and effectiveness of the organization's information security posture.

Question 8

Which of the following statements about the relationship between ISO/IEC 27001 and ISO/IEC 27002
is true?
ISO/IEC 27002 provides implementation advice on the controls selected during the ISO/IEC 27001
information security risk management process
ISO/IEC 27002 provides a process for information security risk management which implements the
requirements of ISO/IEC 27001

Accepted Answer

B

Explanation: Statement 2 is correct. An internal audit is conducted by the organization itself to review its own Information Security Management System (ISMS) for conformity and is therefore classified as a first-party (1st party) audit. A certification audit is conducted by an independent, accredited certification body to assess conformity with the ISO/IEC 27001 standard, making it a third-party (3rd party) audit. Statement 1 is incorrect because the certification process involves a three-year cycle. It begins with an initial certification audit, followed by annual surveillance audits, and concludes with a re-certification audit before the certificate expires. Describing the "certification audit" as an annual event is an inaccurate simplification of this cycle.

Question 9

What is a requirement for a corrective action made in response to a nonconformity?

Accepted Answer

B

Explanation: According to ISO/IEC 27001:2022, Clause 10.2, when a nonconformity occurs, the organization must implement corrective actions as needed. The standard explicitly states, "Corrective actions shall be appropriate to the effects of the nonconformities encountered." This requirement ensures that the resources and effort invested in fixing a problem are proportional to the actual or potential impact of that problem on the organization's information security objectives. The response must be suitable for the severity and consequences of the identified issue.

Question 10

Which ISMS documentation is part of the minimum scope of documented information required to be managed and controlled?

Accepted Answer

A

Explanation: ISO/IEC 27001 explicitly requires organizations to retain documented information as evidence of the results of management reviews (Clause 9.3.3). A key output of these reviews includes decisions and actions related to continual improvement opportunities. Furthermore, Clause 10.2 (Continual improvement) mandates retaining documented information on the nature of nonconformities and the results of any corrective actions taken. Management decisions are integral to both processes. Therefore, records of these decisions are a required part of the ISMS documentation, serving as evidence that the continual improvement cycle is being managed and controlled.

Free APMG-International ISO-IEC-27001-Foundation Actual Exam Questions