APMG-International ISO-IEC-27001-Foundation ISO/IEC 27001 (2022) Foundation Exam Exam Practice Test

Clause 10.1 (Nonconformity and corrective action) specifies:

“The organization shall react to the nonconformity and, as applicable: take action to control and correct it; deal with the consequences; evaluate the need for action to eliminate the cause(s)… Corrective actions shall be appropriate to the effects of the nonconformities encountered.”

This confirms optionB. Option A is inaccurate—ISO requires actions appropriate toeffects, not probability alone. Option C is false—policies may need updating to correct nonconformities. Option D is incorrect, as not every cause can always be eliminated; residual issues may exist.

Thus, the verified requirement isB.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.12 (Classification of information) states:

“Information should be classified according to the information security needs of the organization based on confidentiality, integrity and availability.”

This aligns directly with option B. Option A (labelling) is a separate control (Annex A.5.13). Option C (security perimeters) is under physical controls (Annex A.7.1). Option D (access control rules) relates to Annex A.5.15 and A.8.2.

Thus, the verified correct statement for the Classification of information control isB.

Clause 6.2 (Information security objectives) requires that objectives:

“be consistent with the information security policy”

“be measurable (if practicable)”

“take into account applicable information security requirements”

“be monitored, communicated, and updated as appropriate.”

From this, option A is correct since consistency with policy is an explicit requirement. Option B is incorrect because the standard allows objectives to be measurable “if practicable” (not mandatory for all). Option C is incorrect—objectives are not transferred contractually to third parties, though third-party agreements may include security requirements. Option D is incorrect because the standard requires regular review “as appropriate,” not a fixed annual cycle.

Thus, the verified requirement isA: They shall be consistent with the information security policy.

Clause 7.5 (Documented Information) specifies that organizations must maintain documentationnecessary for the effectiveness of the ISMS. Additionally, Clause 9.3 (Management Review) requires “records of decisions related to continual improvement opportunities” as an output of management review. This is a core requirement and forms part of the documented information that must be retained and controlled. Third-party materials (B), budgets (C), and cross-reference statements to other ISO standards (D) are not required by ISO/IEC 27001. Only documents that directly demonstrate compliance, decision-making, and continual improvement are mandated. Therefore, the verified minimum required documentation includesrecords of management review decisionsrelated to continual improvement, confirmingAnswer: A.

Clause 7.3 (Awareness) requires:

“Persons doing work under the organization’s control shall be aware of: (a) the information security policy; (b) their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance; (c) the implications of not conforming with the ISMS requirements.”

This applies not only to employees but also contractors and external parties under the organization’s control. Competence (B) requires having skills, training, and experience, while Communication (C) covers defining communication processes (Clause 7.4). Nonconformity and corrective action (A) is part of Clause 10 (Improvement).

Therefore, the specific requirement that ensures contractors are made aware of the information security policies is found in Clause 7.3 Awareness. Correct answer: D.

Clause 4.1 specifies exactly what must be determined when establishing context: “The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.” This requirement is about understanding internal and external issues (e.g., culture, capabilities, regulatory environment) that influence the ISMS’s effectiveness. Objectives (option B) are addressed later in Clause 6.2; processes (option C) are addressed in Clause 4.4 and operational planning; and “which clauses apply” (option D) is not a determination step—ISO/IEC 27001’s requirements in Clauses 4–10 are not optional. Therefore, the direct, required factor per 4.1 is determining internal (and external) issues relevant to the organization’s purpose and ISMS outcomes.

Clause 4.2 of ISO/IEC 27001:2022 states:

“The organization shall determine: a) interested parties that are relevant to the information security management system; b) the relevant requirements of these interested parties; c) which of these requirements will be addressed through the ISMS.”

This confirms that the missing word isrequirements. Neither number, structure, nor influence are specified in the standard.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

In ISO/IEC 27002:2022, which provides control guidance for Annex A of ISO/IEC 27001, Clause 5.19 is titled:“Information security in supplier relationships.”

This control requires organizations to ensure that information security is addressed in supplier agreements and relationships. It is part of theOrganizational Controls theme. The other options are not control titles in Annex A:

“Responsibilities and procedures” (B) was used in older standards like ISO/IEC 27001:2005 but no longer exists.

“Protection of documents” (C) relates to document control but is not a specific Annex A control.

“Change control” (D) is relevant to ITIL/ITSM but not listed as a control title in Annex A.

Therefore, the correct Annex A control title isA: Information security in supplier relationships.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27001 & 27002:2022 standards:

ISO/IEC 27001 Annex A lists reference controls. ISO/IEC 27002 providesdetailed guidance on the implementation of those controls, including purpose, guidance, and examples. Clause 6.1.3 of ISO/IEC 27001 makes the link explicit: controls from Annex A are referenced, but ISO/IEC 27002 explains how to implement them.

However, ISO/IEC 27002 doesnotprovide a process for risk management—that is covered by ISO/IEC 27005. Risk management requirements are in ISO/IEC 27001 (Clauses 6.1.2 and 6.1.3).

Therefore, statement 1 is true, but statement 2 is false. Correct answer:A.

The benefits of implementing an ISMS under ISO/IEC 27001 are well established. Clause 0.1 (General) explains that an ISMS provides asystematic approach to managing sensitive informationand “preserves confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.”

Option A is correct as a benefit, since trust and confidence from stakeholders is an outcome of compliance. Option C is also a benefit, since controls are chosen and tailored based on organizational context and risk assessment (Clause 6.1.3). Option D reflects another real benefit—reducing the probability and/or impact of incidents through effective risk management.

However,staff qualifications (option B)are not guaranteed benefits of implementing an ISMS. While training and competence (Clause 7.2) are required, the standard does not require or provide ISO/IEC 27001 Foundation-level certification for staff. That is an external training/certification scheme, not an ISMS outcome.

Therefore, the benefitNOT relevantto implementing ISO/IEC 27001 isB.

ISO/IEC 27013 provides specific guidance on theintegration of ISO/IEC 27001 (Information Security Management) and ISO/IEC 20000-1 (IT Service Management). It offers practical advice for organizations seeking a unified management system approach. While ISO/IEC 27003 (A) provides guidance on ISMS implementation, it does not address integration. ISO 9001 (C) is the Quality Management Standard and can be integrated, but the specific standard designed forintegrating 27001 with ITSMis ISO/IEC 27013.

Therefore, the correct answer isB: ISO/IEC 27013, as it is explicitly published for this purpose.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.1 (Policies for information security) specifies:

“Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”

This clearly identifies the review frequency requirement: planned intervalsandwhenever there are significant changes. Options A and B (six-monthly or annually) are not prescribed by ISO — timing is left to the organization. Option C is also wrong, since Certification Bodies do not dictate policy review schedules.

Therefore, the verified correct answer isD.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

According to ISO/IEC 27000:2018, Clause 3.35:

“Integrity is the property of accuracy and completeness.”

This is one of the three core principles of information security (CIA triad):

Confidentiality: ensuring information is not made available to unauthorized persons (related to option B).

Integrity: ensuring data is accurate, complete, and unaltered except by authorized means.

Availability: ensuring information is accessible and usable when required (related to option A).

Option D incorrectly mixes availability and confidentiality. The precise ISO definition isaccuracy and completeness, which matches option C.

Thus, the correct verified answer isC.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.1 (Policies for information security) clearly specifies:

“Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties…”

This means the communication obligation is not limited to top management (A) or only ISMS staff (B), nor does it stop at employees only (C). Instead, ISO/IEC 27001/27002 mandate a broader scope: allrelevant personnel and relevant interested partiesmust be informed. This ensures both internal stakeholders (employees, contractors, temporary staff) and external interested parties (suppliers, partners, regulators, customers, etc.) receive the right policy communications where applicable. Therefore, the correct and verified answer isD.

Clause 4.3 (Determining the scope of the ISMS) requires consideration of:

“the external and internal issues referred to in 4.1; the requirements referred to in 4.2; and interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.”

This confirms that dependencies between activities are a required factor when defining scope. Options B (quality levels), C (lessons learned), and D (regular activities for improvement) are not scope requirements, though they may be relevant in planning or improvement processes.

Thus, the verified answer is A: Dependencies between activities performed by the organization.