APMG-International ISO/IEC 27001 (2022) Foundation Exam ISO-IEC-27001-Foundation Exam Dumps: Updated Questions & Answers (October 2025)

Certification audits are carried out byCertification Bodies (CBs), not the organization itself. ISO/IEC 27001 requires external certification audits to be independent, impartial, and objective. According to ISO/IEC 27006 (Requirements for bodies providing audit and certification of ISMS), the Certification Body determines theaudit duration and number of audit daysbased on factors such as organizational size, complexity, scope, and risk environment. This ensures consistency across organizations and prevents manipulation by the auditee. ISO/IEC 27001 Clause 9.2 and 9.3 addressinternal audit and management review, but the determination of certification audit days is outside the organization’s control; it rests solely with the accredited Certification Body auditors. Thus,Answer: Bis correct, as the CB’s external auditor formally calculates and assigns the audit time.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A, control 6.8 (Information security event reporting) specifies:

“Information security events should be reported through appropriate management channels as quickly as possible. The organization should require all employees and contractors to note and report any observed or suspected information security events.”

This wording confirms that the required reporting covers“observed or suspected events.”Specific event types like information disclosure (A) or unauthorized access (B) are examples but not the broad requirement. Asset disposal (C) is addressed separately under equipment lifecycle controls (Annex A.7.14).

Therefore, the verified correct answer isD: Observed or suspected events.

Clause 5.1 (Leadership and Commitment) requires that:

“Top management shall demonstrate leadership and commitment with respect to the information security management system by… ensuring that the resources needed for the ISMS are available… and supporting persons to contribute to the effectiveness of the ISMS.”

This makes it explicit thattop managementhas the responsibility to ensure personnel are supported so they can contribute to the ISMS. Option B (line management) may provide local support, but ultimate accountability rests with top management. Auditors (C) only evaluate compliance, not provide support. Practitioners (D) help implement, but they don’t bear formal responsibility under the standard.

Thus, the verified answer isA: Top management of the organization.

ISO/IEC 27001 requires internal audits and sets out how they must be conducted: “The organization shall conduct internal audits at planned intervals…” (9.2.1) and “plan, establish, implement and maintain an audit programme(s)… [and] select auditors and conduct audits that ensure objectivity and the impartiality of the audit process” (9.2.2). These extracts confirm that practitioners (internal to the organization) can conduct internal audits provided objectivity and impartiality are ensured (e.g., they do not audit their own work). Surveillance audits (option A) and audits of Accredited Training Organizations or Certification Bodies (options C, D) are third-party activities outside the remit of an internal practitioner under ISO/IEC 27001; the standard’s audit requirement is focused on the organization’s own internal audit programme. Therefore, conducting an internal audit (B) is the correct practitioner activity per Clause 9.2.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27001 & 27002:2022 standards:

ISO/IEC 27001 Annex A lists reference controls. ISO/IEC 27002 providesdetailed guidance on the implementation of those controls, including purpose, guidance, and examples. Clause 6.1.3 of ISO/IEC 27001 makes the link explicit: controls from Annex A are referenced, but ISO/IEC 27002 explains how to implement them.

However, ISO/IEC 27002 doesnotprovide a process for risk management—that is covered by ISO/IEC 27005. Risk management requirements are in ISO/IEC 27001 (Clauses 6.1.2 and 6.1.3).

Therefore, statement 1 is true, but statement 2 is false. Correct answer:A.

Clause 9.2 (Internal Audit) and Clause 9.3 (Management Review) highlight that audit outputs and management reviews are key inputs for evaluating ISMS performance. Surveillance audits, conducted by Certification Bodies, check ongoing compliance and effectiveness. ISO certification schemes (per ISO/IEC 17021) require surveillance audits to verify whether corrective actions and continuous improvements are being made. A critical focus area is theresults of internal audits and management reviews, ensuring that the organization maintains its ISMS between certification cycles.

Option A is incorrect — third-party audits are performed by independent Certification Bodies, not customers. Option B is incorrect — certificates are typically valid forthree yearswith annual surveillance. Option D is incorrect — Stage 1 is primarily adocumentation and readiness review, not evidence observation.

Therefore, the verified correct answer isC.

The requirements for internal audit are explicitly placed inClause 9.2 (Performance Evaluation)of ISO/IEC 27001:2022. The standard requires:

“The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system… conforms to the organization’s own requirements… and to the requirements of this document.” (9.2.1)

“The organization shall plan, establish, implement and maintain an audit programme(s)…” (9.2.2)

This clause clearly falls underPerformance Evaluation (Clause 9), not Planning (Clause 6), Operation (Clause 8), or Improvement (Clause 10). Therefore, the correct answer isC.

Clause 7.2 (Competence) requires the organization to:

“determine the necessary competence of person(s) doing work under its control that affects its information security performance;”

“ensure that these persons are competent on the basis of appropriate education, training, or experience;”

“retain appropriate documented information as evidence of competence.”

This makesholding up-to-date records on training, skills, experience, and qualifications(D) the correct answer. Option A is irrelevant to competence. Option B is incorrect since ISO does not require Foundation-level training — competence is context-based. Option C is related to compliance but does not ensure individual competence.

Thus, the verified correct answer isD.

Clause 10.1 (Nonconformity and corrective action) specifies:

“The organization shall react to the nonconformity and, as applicable: take action to control and correct it; deal with the consequences; evaluate the need for action to eliminate the cause(s)… Corrective actions shall be appropriate to the effects of the nonconformities encountered.”

This confirms optionB. Option A is inaccurate—ISO requires actions appropriate toeffects, not probability alone. Option C is false—policies may need updating to correct nonconformities. Option D is incorrect, as not every cause can always be eliminated; residual issues may exist.

Thus, the verified requirement isB.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A in ISO/IEC 27001 refers directly to ISO/IEC 27002 for control guidance. In ISO/IEC 27002:2022, Clause 6.8 is titled:

“Information security event reporting – Information security events should be reported through appropriate management channels as quickly as possible.”

This control ensures breaches, incidents, or suspected issues are reported for action. The other options (B, C, D) are not the exact titles in Annex A. The official title isInformation security event reporting, confirmingAnswer: A.