The ISO/IEC 27001 (2022) Foundation Exam (ISO-IEC-27001-Foundation)

Clause 9.2.2 of ISO/IEC 27001:2022 specifies requirements for the internal audit programme. It requires organizations to:

“ Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits. ”

This makes option C correct, since importance of the processes is a required factor. Option A is incorrect because audits do not need third-party auditors; objectivity can be maintained internally if independence is respected. Option B is wrong because previous audit results must be considered, not disregarded. Option D is also incorrect — the standard does not specify a 3-year cycle; frequency depends on risks and needs.

Thus, the correct verified answer is C .

ISO/IEC 27001 requires internal audits and sets out how they must be conducted: “ The organization shall conduct internal audits at planned intervals …” (9.2.1) and “ plan, establish, implement and maintain an audit programme(s)… [and] select auditors and conduct audits that ensure objectivity and the impartiality of the audit process ” (9.2.2). These extracts confirm that practitioners (internal to the organization) can conduct internal audits provided objectivity and impartiality are ensured (e.g., they do not audit their own work). Surveillance audits (option A) and audits of Accredited Training Organizations or Certification Bodies (options C, D) are third-party activities outside the remit of an internal practitioner under ISO/IEC 27001; the standard’s audit requirement is focused on the organization’s own internal audit programme. Therefore, conducting an internal audit (B) is the correct practitioner activity per Clause 9.2.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

ISO/IEC 27000 defines:

Risk analysis : “ process to comprehend the nature of risk and to determine the level of risk ” (Clause 3.58).

Risk assessment : the overall process of risk identification, risk analysis, and risk evaluation.

Risk evaluation : compares results of risk analysis against risk criteria to determine priority.

Risk management : coordinated activities to direct and control an organization with regard to risk.

Therefore, the missing word in the given definition is “analysis” .

This is important for ISMS implementation: organizations must understand the distinctions. Risk analysis is the core technical evaluation stage, while assessment is the broader process including evaluation, and management refers to the overall governance of risks.

Thus, the correct verified answer is B: Analysis .

Clause 6.2 (Information security objectives) requires that objectives:

“be consistent with the information security policy”

“be measurable (if practicable)”

“take into account applicable information security requirements”

“be monitored, communicated, and updated as appropriate.”

From this, option A is correct since consistency with policy is an explicit requirement. Option B is incorrect because the standard allows objectives to be measurable “if practicable” (not mandatory for all). Option C is incorrect—objectives are not transferred contractually to third parties, though third-party agreements may include security requirements. Option D is incorrect because the standard requires regular review “as appropriate,” not a fixed annual cycle.

Thus, the verified requirement is A: They shall be consistent with the information security policy.

Annex A of ISO/IEC 27001:2022 is titled:

“ Reference control objectives and controls. ” It provides a reference list of information security controls , structured into 4 themes: organizational, people, physical, and technological.

The standard explicitly states in Clause 6.1.3: “ Organizations can design controls as required or identify them from any source. Annex A contains a list of possible information security controls. ” This means controls in Annex A are not mandatory (eliminating option C). Risk acceptance criteria (A) are defined in Clause 6.1.2, not Annex A. Annex A also does not provide measures for treatment effectiveness (D).

Thus, Annex A is best described as a reference list of information security controls . Correct answer: B .

Clause 4.3 (Determining the scope of the ISMS) requires consideration of:

“the external and internal issues referred to in 4.1; the requirements referred to in 4.2; and interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.”

This confirms that dependencies between activities are a required factor when defining scope. Options B (quality levels), C (lessons learned), and D (regular activities for improvement) are not scope requirements, though they may be relevant in planning or improvement processes.

Thus, the verified answer is A: Dependencies between activities performed by the organization.

Clause 10.1 (Nonconformity and corrective action) specifies:

“ The organization shall react to the nonconformity and, as applicable: take action to control and correct it; deal with the consequences; evaluate the need for action to eliminate the cause(s)… Corrective actions shall be appropriate to the effects of the nonconformities encountered. ”

This confirms option B . Option A is inaccurate—ISO requires actions appropriate to effects , not probability alone. Option C is false—policies may need updating to correct nonconformities. Option D is incorrect, as not every cause can always be eliminated; residual issues may exist.

Thus, the verified requirement is B .

ISO/IEC 27001 Clause 9.2 requires internal audits to be conducted at planned intervals, but it does not specify an annual frequency. Certification audits, under ISO/IEC 17021 rules, typically occur on a 3-year cycle with annual surveillance, not strictly “annually.” This makes statement 1 inaccurate.

Audit types are defined in ISO/IEC 19011:

First-party audits: conducted internally by or on behalf of the organization (internal audits).

Third-party audits: conducted by independent external certification bodies.

Thus, statement 2 is correct. Therefore, the accurate choice is B: Only 2 is true.

Clause 6.1.2 (d) states that during risk analysis , the organization shall:

“ assess the potential consequences that would result if the risks identified… were to materialize; ”

“ assess the realistic likelihood of the occurrence of the risks identified; ”

“ determine the levels of risk. ”

This makes it clear that the required output of risk analysis is the determined levels of risk . Risk acceptance criteria (A) are set earlier in 6.1.2(a), treatment control options (C) belong to 6.1.3, and prioritization (D) is part of risk evaluation (6.1.2 e). Therefore, the verified correct output is B: Determined levels of risk .