Free Practice Questions for APMG-International ISO-IEC-27001-Foundation Exam

ISO/IEC 27001 Clause 9.2 requires internal audits to be conducted at planned intervals, but it does not specify an annual frequency. Certification audits, under ISO/IEC 17021 rules, typically occur on a 3-year cycle with annual surveillance, not strictly “annually.” This makes statement 1 inaccurate.

Audit types are defined in ISO/IEC 19011:

First-party audits: conducted internally by or on behalf of the organization (internal audits).

Third-party audits: conducted by independent external certification bodies.

Thus, statement 2 is correct. Therefore, the accurate choice is B: Only 2 is true.

Clause 6.2 (Information security objectives) requires that objectives:

“be consistent with the information security policy”

“be measurable (if practicable)”

“take into account applicable information security requirements”

“be monitored, communicated, and updated as appropriate.”

From this, option A is correct since consistency with policy is an explicit requirement. Option B is incorrect because the standard allows objectives to be measurable “if practicable” (not mandatory for all). Option C is incorrect—objectives are not transferred contractually to third parties, though third-party agreements may include security requirements. Option D is incorrect because the standard requires regular review “as appropriate,” not a fixed annual cycle.

Thus, the verified requirement isA: They shall be consistent with the information security policy.

Clause 10.2 (Continual Improvement) specifies that the organization must“continually improve the suitability, adequacy and effectiveness of the information security management system.”

This makes it clear that three attributes are explicitly required to be addressed:

Suitability: ensuring the ISMS continues to meet organizational needs in changing contexts.

Adequacy: ensuring the ISMS covers the necessary scope and provides sufficient control coverage.

Effectiveness: ensuring the ISMS achieves intended outcomes in protecting information security.

The word“importance”is not part of the continual improvement requirement. Importance is implicit in prioritization of risks and actions, but it is not a required continual improvement attribute in ISO/IEC 27001. Therefore, optionD: Importanceis the correct choice as it is not specified.

This distinction reinforces that continual improvement is not about subjective importance, but about systematic enhancement of the ISMS’ssuitability, adequacy, and effectiveness.

Clause 6.1.3 (c) requires organizations to:

“compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary control has been omitted; and prepare a Statement of Applicability.” It also requires organizations to select risk treatment options considering “the organization’s risk acceptance criteria.”

This shows thatrisk acceptance criteriaare a fundamental factor when selecting risk treatment options. Options C and D are incorrect because Annex A and ISO/IEC 27002 are reference sets, not the sole sources of controls — organizations can design their own. Criteria for performing risk assessments (B) are part of 6.1.2 (risk assessment process), not risk treatment.

Thus, the correct requirement isA: Criteria for accepting identified risks.

Clause 7.5 (Documented Information) specifies that organizations must maintain documentationnecessary for the effectiveness of the ISMS. Additionally, Clause 9.3 (Management Review) requires “records of decisions related to continual improvement opportunities” as an output of management review. This is a core requirement and forms part of the documented information that must be retained and controlled. Third-party materials (B), budgets (C), and cross-reference statements to other ISO standards (D) are not required by ISO/IEC 27001. Only documents that directly demonstrate compliance, decision-making, and continual improvement are mandated. Therefore, the verified minimum required documentation includesrecords of management review decisionsrelated to continual improvement, confirmingAnswer: A.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.1 (Policies for information security) clearly specifies:

“Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties…”

This means the communication obligation is not limited to top management (A) or only ISMS staff (B), nor does it stop at employees only (C). Instead, ISO/IEC 27001/27002 mandate a broader scope: allrelevant personnel and relevant interested partiesmust be informed. This ensures both internal stakeholders (employees, contractors, temporary staff) and external interested parties (suppliers, partners, regulators, customers, etc.) receive the right policy communications where applicable. Therefore, the correct and verified answer isD.

ISO/IEC 27001 mandates internal audits (Clause 9.2) and continual improvement (Clause 10.1) but doesnotdefine the specific audit term “observation.” However, the audit framework in 9.2 requires an audit programme and impartial auditors, and management review inputs include “feedback on the information security performance including trends in… audit results” and “opportunities for continual improvement.” The companion implementation guidance (ISO/IEC 27002) reinforces the concept ofopportunities for improvementin the review of policies: “The reviews should include assessing opportunities for improvement and the need for changes to the approach to information security…” In practical ISO audit usage (aligned with ISO 19011 guidance referenced in the Study Guide), anobservationis a recorded conformity where improvement is advisable—commonly termed an Opportunity for Improvement (OFI). The Study Guide’s internal audit section emphasizes running an audit programme to identify “potential areas of weakness or non-compliance,” supporting the notion of recording improvement opportunities alongside nonconformities. Therefore, within ISO/IEC 27001 audit practice, the best-fit definition isB: a conformity where there is an opportunity for improvement.

Certification audits are carried out byCertification Bodies (CBs), not the organization itself. ISO/IEC 27001 requires external certification audits to be independent, impartial, and objective. According to ISO/IEC 27006 (Requirements for bodies providing audit and certification of ISMS), the Certification Body determines theaudit duration and number of audit daysbased on factors such as organizational size, complexity, scope, and risk environment. This ensures consistency across organizations and prevents manipulation by the auditee. ISO/IEC 27001 Clause 9.2 and 9.3 addressinternal audit and management review, but the determination of certification audit days is outside the organization’s control; it rests solely with the accredited Certification Body auditors. Thus,Answer: Bis correct, as the CB’s external auditor formally calculates and assigns the audit time.

Clause 6.1.3 (e) specifies:

“The organization shall obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.”

This confirms that residual risks — those remaining after risk treatment — must be reviewed and formally accepted by the designated risk owner. Option A is incorrect; awareness training is not a default control for all residual risks. Option B misrepresents leadership responsibility; top management ensures processes exist, butrisk ownersformally approve residual risk. Option D (avoiding risk) is a treatment option, not the mandated requirement for residual risks.

Thus, the required response isC: Review and acceptance by the risk owner.