Which statement describes a requirement of an internal audit programme?
Clause 9.2.2 of ISO/IEC 27001:2022 specifies requirements for the internal audit programme. It requires organizations to:
''Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits.''
This makes option C correct, since the importance of the processes concerned is an explicitly required consideration. Option A is incorrect because the standard does not require third-party auditors; internal auditors are acceptable provided they are objective and impartial, which in practice means they must not audit their own work. Option B is wrong because the results of previous audits must be taken into account, not disregarded. Option D is also incorrect: the standard does not prescribe a fixed 3-year cycle. Audit frequency is left to the organization and should be driven by the importance of the processes, changes affecting the ISMS, and prior audit findings.
Thus, the correct verified answer is C.
What is required to be reported by the Information security event reporting control?
Explanation, based on the text of ISO/IEC 27002:2022:
Annex A, control 6.8 (Information security event reporting) specifies:
''Information security events should be reported through appropriate management channels as quickly as possible. The organization should require all employees and contractors to note and report any observed or suspected information security events.''
This wording confirms that the reporting requirement covers all ''observed or suspected'' information security events. Specific event types such as information disclosure (A) or unauthorized access (B) are examples of events that would be reported, but neither is the general requirement on its own. Asset disposal (C) is not an event-reporting matter at all; it is addressed separately under the equipment lifecycle control on secure disposal or re-use of equipment (Annex A 7.14).
Therefore, the verified correct answer is D: Observed or suspected events.
Identify the missing words in the following sentence.
The organization shall establish, implement, maintain and [ ? ] an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.
Clause 4.4 of ISO/IEC 27001:2022 states:
''The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.''
This requirement highlights that an ISMS is not static; it must evolve continuously to adapt to new risks, technologies, and business changes. Options A, C, and D are not mentioned in the clause. The continual improvement cycle is central to ISO standards, aligning with the Plan-Do-Check-Act (PDCA) model.
Thus, the missing words are ''continually improve.''
To whom are the information security policies required to be communicated, according to the control in Annex A of ISO/IEC 27001?
Explanation, based on the text of ISO/IEC 27002:2022:
Annex A.5.1 (Policies for information security) clearly specifies:
''Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties...''
This means the communication obligation is not limited to top management (A) or to ISMS staff only (B), nor does it stop at employees (C). ISO/IEC 27001 Annex A, with the supporting guidance in ISO/IEC 27002, sets a broader scope: all relevant personnel and relevant interested parties must be informed, and must acknowledge the policies. In practice this means internal stakeholders (employees, contractors, temporary staff) as well as external interested parties (suppliers, partners, regulators, customers and similar) receive the policy communications that apply to them. Therefore, the correct and verified answer is D.