
APMG-International ISO-IEC-27001-Foundation Exam - Topic 2 Question 13 Discussion

Actual exam question for APMG-International's ISO-IEC-27001-Foundation exam
Question #: 13
Topic #: 2

Which statement describes a requirement of an internal audit programme?

Suggested Answer: C

Clause 9.2.2 of ISO/IEC 27001:2022 specifies requirements for the internal audit programme. It requires organizations to:

"Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits."

This makes option C correct, since the importance of the processes is a required factor. Option A is incorrect because audits do not need third-party auditors; objectivity can be maintained internally if independence is respected. Option B is wrong because previous audit results must be considered, not disregarded. Option D is also incorrect: the standard does not specify a 3-year cycle; frequency depends on risks and needs.

Thus, the correct verified answer is C.


Tamala
3 days ago
I think option C sounds right because it makes sense to focus on the most critical processes in an audit program.
upvoted 0 times