ISO-IEC-27001-Foundation ISO/IEC 27001 (2022) Foundation Exam Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

In ISO/IEC 27002:2022, which provides control guidance for Annex A of ISO/IEC 27001, Clause 5.19 is titled:“Information security in supplier relationships.”

This control requires organizations to ensure that information security is addressed in supplier agreements and relationships. It is part of theOrganizational Controls theme. The other options are not control titles in Annex A:

“Responsibilities and procedures” (B) was used in older standards like ISO/IEC 27001:2005 but no longer exists.

“Protection of documents” (C) relates to document control but is not a specific Annex A control.

“Change control” (D) is relevant to ITIL/ITSM but not listed as a control title in Annex A.

Therefore, the correct Annex A control title isA: Information security in supplier relationships.

Clause 9.3.2 (Management Review Inputs) states that management reviews shall include:

“c) information on the information security performance, including trends in: (1) nonconformities and corrective actions; (2) monitoring and measurement results; (3) audit results; and (4) fulfilment of information security objectives.”

This makesachievement of information security objectives(option A) a required trend to be considered. While external/internal requirements (C) and continual improvement opportunities (D) are also part of management review inputs, they are not specifically listed under “trends in performance.” Option B is outside the direct requirement.

Thus, the verified answer isA.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.36 (Compliance with policies, rules and standards for information security) requires:

“Compliance with the organization’s information security policies, rules and standards for information security should be regularly reviewed.”

This directly matches option A. Option B refers to contractual compliance, which is part of supplier management controls (Annex A.5.19). Option C relates to Annex A.5.7 (Contact with authorities). Option D refers to asset return controls (Annex A.5.9).

Thus, the correct answer isA.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27001 & 27002:2022 standards:

ISO/IEC 27001 Annex A lists reference controls. ISO/IEC 27002 providesdetailed guidance on the implementation of those controls, including purpose, guidance, and examples. Clause 6.1.3 of ISO/IEC 27001 makes the link explicit: controls from Annex A are referenced, but ISO/IEC 27002 explains how to implement them.

However, ISO/IEC 27002 doesnotprovide a process for risk management—that is covered by ISO/IEC 27005. Risk management requirements are in ISO/IEC 27001 (Clauses 6.1.2 and 6.1.3).

Therefore, statement 1 is true, but statement 2 is false. Correct answer:A.

Clause 6.1.3 (c) requires organizations to:

“compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary control has been omitted; and prepare a Statement of Applicability.” It also requires organizations to select risk treatment options considering “the organization’s risk acceptance criteria.”

This shows thatrisk acceptance criteriaare a fundamental factor when selecting risk treatment options. Options C and D are incorrect because Annex A and ISO/IEC 27002 are reference sets, not the sole sources of controls — organizations can design their own. Criteria for performing risk assessments (B) are part of 6.1.2 (risk assessment process), not risk treatment.

Thus, the correct requirement isA: Criteria for accepting identified risks.

The requirements for internal audit are explicitly placed inClause 9.2 (Performance Evaluation)of ISO/IEC 27001:2022. The standard requires:

“The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system… conforms to the organization’s own requirements… and to the requirements of this document.” (9.2.1)

“The organization shall plan, establish, implement and maintain an audit programme(s)…” (9.2.2)

This clause clearly falls underPerformance Evaluation (Clause 9), not Planning (Clause 6), Operation (Clause 8), or Improvement (Clause 10). Therefore, the correct answer isC.

Clause 8.1 (Operational planning and control) requires organizations to:

“Ensure that changes are controlled. The organization shall review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.”

This requirement ensures that operational processes are planned, controlled, and adjusted where unexpected changes occur. Risk assessments (B) are covered in Clause 6.1.2 (Planning), not operations. Scheduling second-party audits (C) is not an ISMS requirement but part of supplier/customer arrangements. Documenting objectives (D) belongs to Clause 6.2 (Planning).

Thus, the required operational planning and control activity is A: Review the consequences of unintended changes.

Clause 6.1.2 defines the mandatory elements of risk assessment. Under risk identification, the standard requires: “identifies the information security risks:1) apply the information security risk assessment process to identify risks…; and2) identify the risk owners.” By contrast, considering likelihood and determining levels of risk (options B and D) are part ofrisk analysis(6.1.2 d) “assess the realistic likelihood…”; “determine the levels of risk”), and prioritization for treatment (option C) is part ofrisk evaluation(6.1.2 e) “prioritize the analysed risks for risk treatment”). Therefore, the specific activity that belongs torisk identificationis toidentify the risk owners. This sequencing is prescribed to ensure each risk has a designated owner responsible for decisions on treatment and acceptance downstream.

Clause 9.2 (Internal Audit) and Clause 9.3 (Management Review) highlight that audit outputs and management reviews are key inputs for evaluating ISMS performance. Surveillance audits, conducted by Certification Bodies, check ongoing compliance and effectiveness. ISO certification schemes (per ISO/IEC 17021) require surveillance audits to verify whether corrective actions and continuous improvements are being made. A critical focus area is theresults of internal audits and management reviews, ensuring that the organization maintains its ISMS between certification cycles.

Option A is incorrect — third-party audits are performed by independent Certification Bodies, not customers. Option B is incorrect — certificates are typically valid forthree yearswith annual surveillance. Option D is incorrect — Stage 1 is primarily adocumentation and readiness review, not evidence observation.

Therefore, the verified correct answer isC.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

ISO/IEC 27000 defines:

Risk analysis: “process to comprehend the nature of risk and to determine the level of risk” (Clause 3.58).

Risk assessment: the overall process of risk identification, risk analysis, and risk evaluation.

Risk evaluation: compares results of risk analysis against risk criteria to determine priority.

Risk management: coordinated activities to direct and control an organization with regard to risk.

Therefore, the missing word in the given definition is“analysis”.

This is important for ISMS implementation: organizations must understand the distinctions. Risk analysis is the core technical evaluation stage, while assessment is the broader process including evaluation, and management refers to the overall governance of risks.

Thus, the correct verified answer isB: Analysis.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27001:2022 standards and certification guidance:

Before a certification audit can begin, thescope of the ISMSmust be clearly defined and agreed with the Certification Body. ISO/IEC 27001 Clause 4.3 requires: “The scope shall be available as documented information.”

Certification Bodies require this scope statement to plan audit duration, resources, and coverage. Only after the scope is agreed does the Stage 1 audit begin, which reviews documented information and readiness. Stage 2 focuses on implementation and effectiveness. Evidence of corrective actions (C) is checked at Stage 2 if issues were identified earlier. Records provision (D) occurs during Stage 2, not first.

Thus, the first step in preparing for certification isA: Agreeing the scope of the ISMS with the Certification Body auditor.

Clause 6.1.3 (d) requires that the organization“produce a Statement of Applicability that contains the necessary controls (see Annex A), and justification for inclusions, whether they are implemented or not, and the justification for exclusions.”

This is the defining requirement of the SoA: it documents which Annex A controls are relevant, which are implemented, and the justification for inclusion/exclusion. While the ISMS scope (A) is documented in Clause 4.3, and risk evaluation criteria (C) are defined in Clause 6.1.2, these do not belong in the SoA. The SoA does not describe the full risk assessment approach (B); that is part of the risk assessment methodology. Therefore, the mandatory requirement for the SoA isjustification for including (or excluding) each information security control.