ISO-IEC-27001 Foundation Online Practice Questions


Latest ISO-IEC-27001 Foundation Exam Practice Questions

The practice questions for the ISO-IEC-27001 Foundation exam were last updated on 2025-10-13.


Question#1

Which statement is a factor that will influence the implementation of the information security management system?

A. The ISMS will be separate from the organization's overall management structure
B. The ISMS will encompass all controls specified within ISO/IEC 27001
C. The ISMS will be scaled to the controls according to the needs of the organization
D. The ISMS will be operated as an independent process within the organization

Explanation:
ISO/IEC 27001 makes clear that the ISMS is intended to be tailored to the organization. Clause 1 (Scope) states: "This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature." Implementation is therefore scaled to each organization's risk, context and needs, not to a fixed one-size-fits-all set of activities or controls.
The notes to Clause 6.1.3 reinforce that control selection is flexible and risk-driven: "Organizations can design controls as required, or identify them from any source," and "Annex A contains a list of possible information security controls... The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed."
Together these extracts show that ISMS implementation is influenced by, and scaled to, the organization's needs and the controls it selects. The ISMS is not separate from the organization's management structure or an independent process (A, D), and the standard does not mandate implementing all Annex A controls (B). The correct answer is C.

Question#2

Which statement describes a requirement of an internal audit programme?

A. The programme must use third party auditors to ensure impartiality
B. Previous audit results are disregarded to ensure objectivity
C. The programme must consider the importance of the target processes
D. All processes must be audited within a 3-year cycle

Explanation:
Clause 9.2.2 of ISO/IEC 27001:2022 specifies requirements for the internal audit programme.
It requires organizations to:
“Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits.”
This makes option C correct, since importance of the processes is a required factor.
Option A is incorrect because audits do not need third-party auditors; objectivity can be maintained internally if independence is respected.
Option B is wrong because previous audit results must be considered, not disregarded.
Option D is also incorrect: the standard does not specify a 3-year cycle; audit frequency is for the organization to determine based on the factors above.
Thus, the correct answer is C.

Question#3

Identify the missing word(s) in the following sentence.
“Information security, cybersecurity and privacy protection ― [ ? ]” is the title of ISO/IEC 27005.

A. Guidelines for information security management systems auditing
B. Information security management systems ― Requirements
C. Guidance on managing information security risks
D. Information security controls

Explanation:
ISO/IEC 27005:2022 is titled:
“Information security, cybersecurity and privacy protection ― Guidance on managing information security risks.”
This standard provides guidance on identifying, analysing, evaluating and treating information security risks, in alignment with the risk assessment and risk treatment requirements of ISO/IEC 27001 (Clauses 6.1.2 and 6.1.3). It supports organizations in implementing the risk management process that underpins an ISMS.
Options A and B are the titles of other standards in the series (ISO/IEC 27007 for ISMS auditing guidelines, ISO/IEC 27001 for ISMS requirements).
Option D is the title of ISO/IEC 27002 (information security controls).
Thus, the correct answer is C: Guidance on managing information security risks.

Question#4

To whom are the information security policies required to be communicated, according to the control in Annex A of ISO/IEC 27001?

A. Top management
B. Only staff with accountability for ISMS operation
C. Employees within the scope of the ISMS
D. Relevant personnel and relevant interested parties

Explanation:
Annex A control 5.1 (Policies for information security) of ISO/IEC 27001:2022 requires that:
“Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”
ISO/IEC 27002:2022 control 5.1 carries the same wording as guidance (“should” rather than “shall”).
The communication obligation is therefore not limited to top management (A) or to staff accountable for ISMS operation (B), nor does it stop at employees within the scope (C). The control covers all relevant personnel (employees, contractors, temporary staff) and relevant interested parties (for example suppliers, partners, regulators and customers), each receiving the policy communications that apply to them. The correct answer is D.

Question#5

Identify the missing word in the following sentence.
The organization shall determine the [ ? ] of interested parties relevant to information security.

A. requirements
B. number
C. structure
D. influence

Explanation:
Clause 4.2 of ISO/IEC 27001:2022 states:
“The organization shall determine: a) interested parties that are relevant to the information security management system; b) the relevant requirements of these interested parties; c) which of these requirements will be addressed through the information security management system.”
This confirms that the missing word is requirements (A). The standard does not require the organization to determine the number, structure or influence of interested parties.
