Free Practice Questions for APMG-International ISO-IEC-27001-Foundation Exam

ISO/IEC 27001 requires internal audits and sets out how they must be conducted: “The organization shall conduct internal audits at planned intervals…” (9.2.1) and “plan, establish, implement and maintain an audit programme(s)… [and] select auditors and conduct audits that ensure objectivity and the impartiality of the audit process” (9.2.2). These extracts confirm that practitioners (internal to the organization) can conduct internal audits provided objectivity and impartiality are ensured (e.g., they do not audit their own work). Surveillance audits (option A) and audits of Accredited Training Organizations or Certification Bodies (options C, D) are third-party activities outside the remit of an internal practitioner under ISO/IEC 27001; the standard’s audit requirement is focused on the organization’s own internal audit programme. Therefore, conducting an internal audit (B) is the correct practitioner activity per Clause 9.2.

Clause 6.1.2 (Information security risk assessment) requires organizations to “define and apply an information security risk assessment process that… establishes and maintains information security risk criteria, including criteria for accepting risk.”

This means that acceptable levels of risk (risk acceptance criteria) must be explicitly defined. These criteria ensure consistent decision-making when evaluating whether identified risks need further treatment or can be tolerated.

Option A is incorrect because exclusions relate to the ISMS scope (Clause 4.3), not risk assessment planning. Option B is not a requirement; effectiveness of risk assessment methods is not required to be measured, though methods must be applied consistently. Option D is false—the standard clearly specifies required elements for risk assessment.

Thus, the correct answer isC: The criteria for acceptable levels of risk.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.12 (Classification of information) states:

“Information should be classified according to the information security needs of the organization based on confidentiality, integrity and availability.”

This aligns directly with option B. Option A (labelling) is a separate control (Annex A.5.13). Option C (security perimeters) is under physical controls (Annex A.7.1). Option D (access control rules) relates to Annex A.5.15 and A.8.2.

Thus, the verified correct statement for the Classification of information control isB.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27001 & 27002:2022 standards:

ISO/IEC 27001 Annex A lists reference controls. ISO/IEC 27002 providesdetailed guidance on the implementation of those controls, including purpose, guidance, and examples. Clause 6.1.3 of ISO/IEC 27001 makes the link explicit: controls from Annex A are referenced, but ISO/IEC 27002 explains how to implement them.

However, ISO/IEC 27002 doesnotprovide a process for risk management—that is covered by ISO/IEC 27005. Risk management requirements are in ISO/IEC 27001 (Clauses 6.1.2 and 6.1.3).

Therefore, statement 1 is true, but statement 2 is false. Correct answer:A.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

According to ISO/IEC 27000:2018, Clause 3.74, athreatis defined as:

“Potential cause of an unwanted incident, which can result in harm to a system or organization.”

This definition directly matches option A.

Option B refers to an “information security incident” (ISO/IEC 27000:2018, Clause 3.32).

Option C describes a “vulnerability” (ISO/IEC 27000:2018, Clause 3.67).

Option D refers to “residual risk” (ISO/IEC 27000:2018, Clause 3.61).

The standard emphasizes that threats exploit vulnerabilities, causing incidents that can harm information confidentiality, integrity, and availability. Correctly identifying threats is critical for risk assessment (Clause 6.1.2). Thus, the correct definition per ISO/IEC 27000 isA.