Pass the APMG-International ISO/IEC 27001 ISO-IEC-27001-Foundation Questions and answers with ExamsMirror

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.6.1 (Terms and conditions of employment) states:

“The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.”

This means the control applies not just to employees, but also contractors and, where relevant, third-party users who are subject to contractual obligations with the organization. The goal is to ensure thatall parties engaged in work under the organization’s control understand their security responsibilities before, during, and after employment or contract engagement.

Options A and B are too narrow, excluding key groups. Option C misrepresents the scope by implying a mutual responsibility but not identifying the individuals covered. The explicit scope includesemployees, contractors, and third-party users.

Therefore, the correct answer isD.

Clause 8.1 (Operational planning and control) requires organizations to:

“Ensure that changes are controlled. The organization shall review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.”

This requirement ensures that operational processes are planned, controlled, and adjusted where unexpected changes occur. Risk assessments (B) are covered in Clause 6.1.2 (Planning), not operations. Scheduling second-party audits (C) is not an ISMS requirement but part of supplier/customer arrangements. Documenting objectives (D) belongs to Clause 6.2 (Planning).

Thus, the required operational planning and control activity is A: Review the consequences of unintended changes.

Clause 9.2 (Internal Audit) and Clause 9.3 (Management Review) highlight that audit outputs and management reviews are key inputs for evaluating ISMS performance. Surveillance audits, conducted by Certification Bodies, check ongoing compliance and effectiveness. ISO certification schemes (per ISO/IEC 17021) require surveillance audits to verify whether corrective actions and continuous improvements are being made. A critical focus area is theresults of internal audits and management reviews, ensuring that the organization maintains its ISMS between certification cycles.

Option A is incorrect — third-party audits are performed by independent Certification Bodies, not customers. Option B is incorrect — certificates are typically valid forthree yearswith annual surveillance. Option D is incorrect — Stage 1 is primarily adocumentation and readiness review, not evidence observation.

Therefore, the verified correct answer isC.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.12 (Classification of information) states:

“Information should be classified according to the information security needs of the organization based on confidentiality, integrity and availability.”

This aligns directly with option B. Option A (labelling) is a separate control (Annex A.5.13). Option C (security perimeters) is under physical controls (Annex A.7.1). Option D (access control rules) relates to Annex A.5.15 and A.8.2.

Thus, the verified correct statement for the Classification of information control isB.

Clause 4.3 (Determining the scope of the ISMS) requires consideration of:

“the external and internal issues referred to in 4.1; the requirements referred to in 4.2; and interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.”

This confirms that dependencies between activities are a required factor when defining scope. Options B (quality levels), C (lessons learned), and D (regular activities for improvement) are not scope requirements, though they may be relevant in planning or improvement processes.

Thus, the verified answer is A: Dependencies between activities performed by the organization.