Pass the APMG-International ISO/IEC 27001 ISO-IEC-27001-Foundation Questions and answers with ExamsMirror

Annex A of ISO/IEC 27001:2022 is titled:

“Reference control objectives and controls.” It provides areference list of information security controls, structured into 4 themes: organizational, people, physical, and technological.

The standard explicitly states in Clause 6.1.3: “Organizations can design controls as required or identify them from any source. Annex A contains a list of possible information security controls.” This means controls in Annex A are not mandatory (eliminating option C). Risk acceptance criteria (A) are defined in Clause 6.1.2, not Annex A. Annex A also does not provide measures for treatment effectiveness (D).

Thus, Annex A is best described as areference list of information security controls. Correct answer:B.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27001:2022 standards and certification guidance:

Before a certification audit can begin, thescope of the ISMSmust be clearly defined and agreed with the Certification Body. ISO/IEC 27001 Clause 4.3 requires: “The scope shall be available as documented information.”

Certification Bodies require this scope statement to plan audit duration, resources, and coverage. Only after the scope is agreed does the Stage 1 audit begin, which reviews documented information and readiness. Stage 2 focuses on implementation and effectiveness. Evidence of corrective actions (C) is checked at Stage 2 if issues were identified earlier. Records provision (D) occurs during Stage 2, not first.

Thus, the first step in preparing for certification isA: Agreeing the scope of the ISMS with the Certification Body auditor.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27001 & 27002:2022 standards:

ISO/IEC 27001 Annex A lists reference controls. ISO/IEC 27002 providesdetailed guidance on the implementation of those controls, including purpose, guidance, and examples. Clause 6.1.3 of ISO/IEC 27001 makes the link explicit: controls from Annex A are referenced, but ISO/IEC 27002 explains how to implement them.

However, ISO/IEC 27002 doesnotprovide a process for risk management—that is covered by ISO/IEC 27005. Risk management requirements are in ISO/IEC 27001 (Clauses 6.1.2 and 6.1.3).

Therefore, statement 1 is true, but statement 2 is false. Correct answer:A.

Clause 9.2.2 of ISO/IEC 27001:2022 specifies requirements for the internal audit programme. It requires organizations to:

“Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits.”

This makes optionCcorrect, since importance of the processes is a required factor. Option A is incorrect because audits do not need third-party auditors; objectivity can be maintained internally if independence is respected. Option B is wrong because previous audit results must be considered, not disregarded. Option D is also incorrect — the standard does not specify a 3-year cycle; frequency depends on risks and needs.

Thus, the correct verified answer isC.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

According to ISO/IEC 27000:2018, Clause 3.35:

“Integrity is the property of accuracy and completeness.”

This is one of the three core principles of information security (CIA triad):

Confidentiality: ensuring information is not made available to unauthorized persons (related to option B).

Integrity: ensuring data is accurate, complete, and unaltered except by authorized means.

Availability: ensuring information is accessible and usable when required (related to option A).

Option D incorrectly mixes availability and confidentiality. The precise ISO definition isaccuracy and completeness, which matches option C.

Thus, the correct verified answer isC.

Clause 7.5 (Documented Information) specifies that organizations must maintain documentationnecessary for the effectiveness of the ISMS. Additionally, Clause 9.3 (Management Review) requires “records of decisions related to continual improvement opportunities” as an output of management review. This is a core requirement and forms part of the documented information that must be retained and controlled. Third-party materials (B), budgets (C), and cross-reference statements to other ISO standards (D) are not required by ISO/IEC 27001. Only documents that directly demonstrate compliance, decision-making, and continual improvement are mandated. Therefore, the verified minimum required documentation includesrecords of management review decisionsrelated to continual improvement, confirmingAnswer: A.

ISO/IEC 27001 requires internal audits and sets out how they must be conducted: “The organization shall conduct internal audits at planned intervals…” (9.2.1) and “plan, establish, implement and maintain an audit programme(s)… [and] select auditors and conduct audits that ensure objectivity and the impartiality of the audit process” (9.2.2). These extracts confirm that practitioners (internal to the organization) can conduct internal audits provided objectivity and impartiality are ensured (e.g., they do not audit their own work). Surveillance audits (option A) and audits of Accredited Training Organizations or Certification Bodies (options C, D) are third-party activities outside the remit of an internal practitioner under ISO/IEC 27001; the standard’s audit requirement is focused on the organization’s own internal audit programme. Therefore, conducting an internal audit (B) is the correct practitioner activity per Clause 9.2.

Clause 5.2 (Information security policy) requires that the policy:

“includes information security objectives (or provides a framework for setting them)”

“includes a commitment to satisfy applicable requirements related to information security”

“includes a commitment to continual improvement of the ISMS.”

Among the listed options, the exact mandatory requirement is“a commitment to satisfy applicable requirements related to information security”. Option B partially reflects Clause 5.2 (commitment to continual improvement), but the wording given in the standard prioritizes the satisfaction of applicable requirements (e.g., legal, regulatory, contractual). Option C is not a policy requirement. Option D (Statement of Applicability) is a separate mandatory document (Clause 6.1.3) and not part of the policy itself.

Thus, the correct answer isA.

Clause 6.1.2 (Information security risk assessment) requires organizations to “define and apply an information security risk assessment process that… establishes and maintains information security risk criteria, including criteria for accepting risk.”

This means that acceptable levels of risk (risk acceptance criteria) must be explicitly defined. These criteria ensure consistent decision-making when evaluating whether identified risks need further treatment or can be tolerated.

Option A is incorrect because exclusions relate to the ISMS scope (Clause 4.3), not risk assessment planning. Option B is not a requirement; effectiveness of risk assessment methods is not required to be measured, though methods must be applied consistently. Option D is false—the standard clearly specifies required elements for risk assessment.

Thus, the correct answer isC: The criteria for acceptable levels of risk.

Clause 5.1 (Leadership and Commitment) requires that:

“Top management shall demonstrate leadership and commitment with respect to the information security management system by… ensuring that the resources needed for the ISMS are available… and supporting persons to contribute to the effectiveness of the ISMS.”

This makes it explicit thattop managementhas the responsibility to ensure personnel are supported so they can contribute to the ISMS. Option B (line management) may provide local support, but ultimate accountability rests with top management. Auditors (C) only evaluate compliance, not provide support. Practitioners (D) help implement, but they don’t bear formal responsibility under the standard.

Thus, the verified answer isA: Top management of the organization.