ISO-IEC-27001-Foundation Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

According to ISO/IEC 27000:2018, Clause 3.35:

“Integrity is the property of accuracy and completeness.”

This is one of the three core principles of information security (CIA triad):

Confidentiality: ensuring information is not made available to unauthorized persons (related to option B).

Integrity: ensuring data is accurate, complete, and unaltered except by authorized means.

Availability: ensuring information is accessible and usable when required (related to option A).

Option D incorrectly mixes availability and confidentiality. The precise ISO definition isaccuracy and completeness, which matches option C.

Thus, the correct verified answer isC.

Clause 10.2 (Continual Improvement) specifies that the organization must“continually improve the suitability, adequacy and effectiveness of the information security management system.”

This makes it clear that three attributes are explicitly required to be addressed:

Suitability: ensuring the ISMS continues to meet organizational needs in changing contexts.

Adequacy: ensuring the ISMS covers the necessary scope and provides sufficient control coverage.

Effectiveness: ensuring the ISMS achieves intended outcomes in protecting information security.

The word“importance”is not part of the continual improvement requirement. Importance is implicit in prioritization of risks and actions, but it is not a required continual improvement attribute in ISO/IEC 27001. Therefore, optionD: Importanceis the correct choice as it is not specified.

This distinction reinforces that continual improvement is not about subjective importance, but about systematic enhancement of the ISMS’ssuitability, adequacy, and effectiveness.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.36 (Compliance with policies, rules and standards for information security) requires:

“Compliance with the organization’s information security policies, rules and standards for information security should be regularly reviewed.”

This directly matches option A. Option B refers to contractual compliance, which is part of supplier management controls (Annex A.5.19). Option C relates to Annex A.5.7 (Contact with authorities). Option D refers to asset return controls (Annex A.5.9).

Thus, the correct answer isA.

Clause 4.4 of ISO/IEC 27001:2022 states:

“The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.”

This requirement highlights that an ISMS is not static; it must evolve continuously to adapt to new risks, technologies, and business changes. Options A, C, and D are not mentioned in the clause. The continual improvement cycle is central to ISO standards, aligning with thePlan-Do-Check-Act (PDCA)model.

Thus, the missing words are“continually improve.”

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A, control 6.8 (Information security event reporting) specifies:

“Information security events should be reported through appropriate management channels as quickly as possible. The organization should require all employees and contractors to note and report any observed or suspected information security events.”

This wording confirms that the required reporting covers“observed or suspected events.”Specific event types like information disclosure (A) or unauthorized access (B) are examples but not the broad requirement. Asset disposal (C) is addressed separately under equipment lifecycle controls (Annex A.7.14).

Therefore, the verified correct answer isD: Observed or suspected events.

Clause 6.1.3 (c) requires organizations to:

“compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary control has been omitted; and prepare a Statement of Applicability.” It also requires organizations to select risk treatment options considering “the organization’s risk acceptance criteria.”

This shows thatrisk acceptance criteriaare a fundamental factor when selecting risk treatment options. Options C and D are incorrect because Annex A and ISO/IEC 27002 are reference sets, not the sole sources of controls — organizations can design their own. Criteria for performing risk assessments (B) are part of 6.1.2 (risk assessment process), not risk treatment.

Thus, the correct requirement isA: Criteria for accepting identified risks.

Clause 6.1.3 (e) specifies:

“The organization shall obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.”

This confirms that residual risks — those remaining after risk treatment — must be reviewed and formally accepted by the designated risk owner. Option A is incorrect; awareness training is not a default control for all residual risks. Option B misrepresents leadership responsibility; top management ensures processes exist, butrisk ownersformally approve residual risk. Option D (avoiding risk) is a treatment option, not the mandated requirement for residual risks.

Thus, the required response isC: Review and acceptance by the risk owner.

Clause 7.2 (Competence) requires the organization to:

“determine the necessary competence of person(s) doing work under its control that affects its information security performance;”

“ensure that these persons are competent on the basis of appropriate education, training, or experience;”

“retain appropriate documented information as evidence of competence.”

This makesholding up-to-date records on training, skills, experience, and qualifications(D) the correct answer. Option A is irrelevant to competence. Option B is incorrect since ISO does not require Foundation-level training — competence is context-based. Option C is related to compliance but does not ensure individual competence.

Thus, the verified correct answer isD.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27013 standards:

ISO/IEC 27013 is titled:

“Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.”

This standard provides organizations with specific advice on how to integrate an Information Security Management System (ISMS) with an IT Service Management System (ITSMS). ISO/IEC 20000-1 is the IT Service Management requirements standard, but integration guidance is provided in 27013. ISO/IEC 27002 (A) is guidance for controls, not integration. Option D is incorrect since ISO/IEC 27013 explicitly exists for this purpose.

Therefore, the correct verified answer isB: ISO/IEC 27013.

Clause 4.2 of ISO/IEC 27001:2022 states:

“The organization shall determine: a) interested parties that are relevant to the information security management system; b) the relevant requirements of these interested parties; c) which of these requirements will be addressed through the ISMS.”

This confirms that the missing word isrequirements. Neither number, structure, nor influence are specified in the standard.