ISO-IEC-27001-Foundation APMG-International ISO/IEC 27001 (2022) Foundation Exam Free Practice Exam Questions (2025 Updated)

Clause 4.4 of ISO/IEC 27001:2022 states:

“The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.”

This requirement highlights that an ISMS is not static; it must evolve continuously to adapt to new risks, technologies, and business changes. Options A, C, and D are not mentioned in the clause. The continual improvement cycle is central to ISO standards, aligning with thePlan-Do-Check-Act (PDCA)model.

Thus, the missing words are“continually improve.”

Clause 6.1.2 (d) states that duringrisk analysis, the organization shall:

“assess the potential consequences that would result if the risks identified… were to materialize;”

“assess the realistic likelihood of the occurrence of the risks identified;”

“determine the levels of risk.”

This makes it clear that the requiredoutput of risk analysis is the determined levels of risk. Risk acceptance criteria (A) are set earlier in 6.1.2(a), treatment control options (C) belong to 6.1.3, and prioritization (D) is part of risk evaluation (6.1.2 e). Therefore, the verified correct output isB: Determined levels of risk.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27013 standards:

ISO/IEC 27013 is titled:

“Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.”

This standard provides organizations with specific advice on how to integrate an Information Security Management System (ISMS) with an IT Service Management System (ITSMS). ISO/IEC 20000-1 is the IT Service Management requirements standard, but integration guidance is provided in 27013. ISO/IEC 27002 (A) is guidance for controls, not integration. Option D is incorrect since ISO/IEC 27013 explicitly exists for this purpose.

Therefore, the correct verified answer isB: ISO/IEC 27013.

Clause 4.3 (Determining the scope of the ISMS) requires consideration of:

“the external and internal issues referred to in 4.1; the requirements referred to in 4.2; and interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.”

This confirms that dependencies between activities are a required factor when defining scope. Options B (quality levels), C (lessons learned), and D (regular activities for improvement) are not scope requirements, though they may be relevant in planning or improvement processes.

Thus, the verified answer is A: Dependencies between activities performed by the organization.

Clause 8.1 (Operational planning and control) requires organizations to:

“Ensure that changes are controlled. The organization shall review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.”

This requirement ensures that operational processes are planned, controlled, and adjusted where unexpected changes occur. Risk assessments (B) are covered in Clause 6.1.2 (Planning), not operations. Scheduling second-party audits (C) is not an ISMS requirement but part of supplier/customer arrangements. Documenting objectives (D) belongs to Clause 6.2 (Planning).

Thus, the required operational planning and control activity is A: Review the consequences of unintended changes.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A in ISO/IEC 27001 refers directly to ISO/IEC 27002 for control guidance. In ISO/IEC 27002:2022, Clause 6.8 is titled:

“Information security event reporting – Information security events should be reported through appropriate management channels as quickly as possible.”

This control ensures breaches, incidents, or suspected issues are reported for action. The other options (B, C, D) are not the exact titles in Annex A. The official title isInformation security event reporting, confirmingAnswer: A.

The requirements for internal audit are explicitly placed inClause 9.2 (Performance Evaluation)of ISO/IEC 27001:2022. The standard requires:

“The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system… conforms to the organization’s own requirements… and to the requirements of this document.” (9.2.1)

“The organization shall plan, establish, implement and maintain an audit programme(s)…” (9.2.2)

This clause clearly falls underPerformance Evaluation (Clause 9), not Planning (Clause 6), Operation (Clause 8), or Improvement (Clause 10). Therefore, the correct answer isC.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A, control 6.8 (Information security event reporting) specifies:

“Information security events should be reported through appropriate management channels as quickly as possible. The organization should require all employees and contractors to note and report any observed or suspected information security events.”

This wording confirms that the required reporting covers“observed or suspected events.”Specific event types like information disclosure (A) or unauthorized access (B) are examples but not the broad requirement. Asset disposal (C) is addressed separately under equipment lifecycle controls (Annex A.7.14).

Therefore, the verified correct answer isD: Observed or suspected events.

ISO/IEC 27001 makes clear that the ISMS is intended to be tailored to the organization. The standard states: “This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations regardless of type, size or nature.” This means implementation is scaled based on each organization’s risk, context, and needs, not a fixed one-size-fits-all set of activities or controls. Clause 6.1.3 further reinforces that control selection is flexible and risk-driven: “Organizations can design controls as required or identify them from any source,” and “Annex A contains a list of possible information security controls… The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.” Together, these extracts verify that the ISMS implementation is influenced by and scaled to the organization’s needs and selected controls, not separated from management processes (A, D) nor mandated to include “all controls” (B).

Clause 6.1.3 (e) specifies:

“The organization shall obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.”

This confirms that residual risks — those remaining after risk treatment — must be reviewed and formally accepted by the designated risk owner. Option A is incorrect; awareness training is not a default control for all residual risks. Option B misrepresents leadership responsibility; top management ensures processes exist, butrisk ownersformally approve residual risk. Option D (avoiding risk) is a treatment option, not the mandated requirement for residual risks.

Thus, the required response isC: Review and acceptance by the risk owner.

Clause 7.2 (Competence) requires the organization to:

“determine the necessary competence of person(s) doing work under its control that affects its information security performance;”

“ensure that these persons are competent on the basis of appropriate education, training, or experience;”

“retain appropriate documented information as evidence of competence.”

This makesholding up-to-date records on training, skills, experience, and qualifications(D) the correct answer. Option A is irrelevant to competence. Option B is incorrect since ISO does not require Foundation-level training — competence is context-based. Option C is related to compliance but does not ensure individual competence.

Thus, the verified correct answer isD.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.1 (Policies for information security) clearly specifies:

“Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties…”

This means the communication obligation is not limited to top management (A) or only ISMS staff (B), nor does it stop at employees only (C). Instead, ISO/IEC 27001/27002 mandate a broader scope: allrelevant personnel and relevant interested partiesmust be informed. This ensures both internal stakeholders (employees, contractors, temporary staff) and external interested parties (suppliers, partners, regulators, customers, etc.) receive the right policy communications where applicable. Therefore, the correct and verified answer isD.

Clause 7.5 (Documented Information) specifies that organizations must maintain documentationnecessary for the effectiveness of the ISMS. Additionally, Clause 9.3 (Management Review) requires “records of decisions related to continual improvement opportunities” as an output of management review. This is a core requirement and forms part of the documented information that must be retained and controlled. Third-party materials (B), budgets (C), and cross-reference statements to other ISO standards (D) are not required by ISO/IEC 27001. Only documents that directly demonstrate compliance, decision-making, and continual improvement are mandated. Therefore, the verified minimum required documentation includesrecords of management review decisionsrelated to continual improvement, confirmingAnswer: A.

ISO/IEC 27001 mandates internal audits (Clause 9.2) and continual improvement (Clause 10.1) but doesnotdefine the specific audit term “observation.” However, the audit framework in 9.2 requires an audit programme and impartial auditors, and management review inputs include “feedback on the information security performance including trends in… audit results” and “opportunities for continual improvement.” The companion implementation guidance (ISO/IEC 27002) reinforces the concept ofopportunities for improvementin the review of policies: “The reviews should include assessing opportunities for improvement and the need for changes to the approach to information security…” In practical ISO audit usage (aligned with ISO 19011 guidance referenced in the Study Guide), anobservationis a recorded conformity where improvement is advisable—commonly termed an Opportunity for Improvement (OFI). The Study Guide’s internal audit section emphasizes running an audit programme to identify “potential areas of weakness or non-compliance,” supporting the notion of recording improvement opportunities alongside nonconformities. Therefore, within ISO/IEC 27001 audit practice, the best-fit definition isB: a conformity where there is an opportunity for improvement.