
Free Practice Questions for APMG-International ISO-IEC-27001-Foundation Exam

Pass4Future also provides interactive practice exam software for preparing effectively for the APMG-International ISO/IEC 27001 (2022) Foundation (ISO-IEC-27001-Foundation) exam. You are welcome to explore the sample free APMG-International ISO-IEC-27001-Foundation exam questions below and to try the APMG-International ISO-IEC-27001-Foundation practice test software.

Page:    1 / 14   
Total 50 questions

Question 1

Identify the missing word(s) in the following sentence.

When planning the ISMS, the organization is specifically required to plan actions to address risks and opportunities and how to [ ? ] these actions.



Answer : D

Clause 6.1.1 (Planning) states:

"The organization shall plan:

d) actions to address these risks and opportunities; and

e) how to:

integrate and implement the actions into its ISMS processes; and

evaluate the effectiveness of these actions."

This confirms the missing words are "evaluate the effectiveness of". Communication (A), applying resources (B), and improving effectiveness (C) are important concepts elsewhere but not the direct requirement stated in this clause.


Question 2

In an audit, what is the definition of an observation?



Answer : B

ISO/IEC 27001 mandates internal audits (Clause 9.2) and continual improvement (Clause 10.1) but does not define the specific audit term "observation." However, the audit framework in 9.2 requires an audit programme and impartial auditors, and management review inputs include "feedback on the information security performance including trends in... audit results" and "opportunities for continual improvement." The companion implementation guidance (ISO/IEC 27002) reinforces the concept of opportunities for improvement in the review of policies: "The reviews should include assessing opportunities for improvement and the need for changes to the approach to information security..." In practical ISO audit usage (aligned with ISO 19011 guidance referenced in the Study Guide), an observation is a recorded conformity where improvement is advisable, commonly termed an Opportunity for Improvement (OFI). The Study Guide's internal audit section emphasizes running an audit programme to identify "potential areas of weakness or non-compliance," supporting the notion of recording improvement opportunities alongside nonconformities. Therefore, within ISO/IEC 27001 audit practice, the best-fit definition is B: a conformity where there is an opportunity for improvement.


Question 3

What is a requirement for a corrective action made in response to a nonconformity?



Answer : B

Clause 10.1 (Nonconformity and corrective action) specifies:

"The organization shall react to the nonconformity and, as applicable: take action to control and correct it; deal with the consequences; evaluate the need for action to eliminate the cause(s)... Corrective actions shall be appropriate to the effects of the nonconformities encountered."

This confirms option B. Option A is inaccurate: ISO requires actions appropriate to effects, not probability alone. Option C is false: policies may need updating to correct nonconformities. Option D is incorrect, as not every cause can always be eliminated; residual issues may exist.

Thus, the verified requirement is B.


Question 4

Which of the following statements about the differences between an internal audit and a certification audit is true?

An internal audit is conducted at planned intervals and a certification audit is conducted annually

An internal audit is known as a 1st party audit and a certification audit is known as a 3rd party audit



Answer : B

ISO/IEC 27001 Clause 9.2 requires internal audits to be conducted at planned intervals, but it does not specify an annual frequency. Certification audits, under ISO/IEC 17021 rules, typically occur on a 3-year cycle with annual surveillance, not strictly "annually." This makes statement 1 inaccurate.

Audit types are defined in ISO/IEC 19011:

First-party audits: conducted internally by or on behalf of the organization (internal audits).

Third-party audits: conducted by independent external certification bodies.

Thus, statement 2 is correct. Therefore, the accurate choice is B: Only 2 is true.


Question 5

Which activity is an operational planning and control requirement?



Answer : A

Clause 8.1 (Operational planning and control) requires organizations to:

"Ensure that changes are controlled. The organization shall review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary."

This requirement ensures that operational processes are planned, controlled, and adjusted where unexpected changes occur. Risk assessments (B) are covered in Clause 6.1.2 (Planning), not operations. Scheduling second-party audits (C) is not an ISMS requirement but part of supplier/customer arrangements. Documenting objectives (D) belongs to Clause 6.2 (Planning).

Thus, the required operational planning and control activity is A: Review the consequences of unintended changes.

