Identify the missing word(s) in the following sentence.
When planning the ISMS, the organization is specifically required to plan actions to address risks and opportunities and how to [ ? ] these actions.
Answer: D
Clause 6.1.1 (Planning) states:
"The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to:
integrate and implement the actions into its ISMS processes; and
evaluate the effectiveness of these actions."
This confirms the missing words are "evaluate the effectiveness of". Communication (A), applying resources (B), and improving effectiveness (C) are important concepts elsewhere but not the direct requirement stated in this clause.
Which statement describes a requirement for information security objectives?
Answer: A
Clause 6.2 (Information security objectives) requires that objectives:
"be consistent with the information security policy"
"be measurable (if practicable)"
"take into account applicable information security requirements"
"be monitored, communicated, and updated as appropriate."
From this, option A is correct since consistency with policy is an explicit requirement. Option B is incorrect because the standard allows objectives to be measurable "if practicable" (not mandatory for all). Option C is incorrect: objectives are not transferred contractually to third parties, though third-party agreements may include security requirements. Option D is incorrect because the standard requires regular review "as appropriate," not a fixed annual cycle.
Thus, the verified requirement is A: They shall be consistent with the information security policy.
What is required to be reported by the Information security event reporting control?
Answer: D
Explanation, based on ISO/IEC 27002:2022:
Annex A, control 6.8 (Information security event reporting) specifies:
"Information security events should be reported through appropriate management channels as quickly as possible. The organization should require all employees and contractors to note and report any observed or suspected information security events."
This wording confirms that the required reporting covers "observed or suspected events." Specific event types like information disclosure (A) or unauthorized access (B) are examples but not the broad requirement. Asset disposal (C) is addressed separately under equipment lifecycle controls (Annex A.7.14).
Therefore, the verified correct answer is D: Observed or suspected events.
Which is a control title within Annex A of ISO/IEC 27001?
Answer: A
Explanation, based on ISO/IEC 27002:2022:
In ISO/IEC 27002:2022, which provides control guidance for Annex A of ISO/IEC 27001, Clause 5.19 is titled: "Information security in supplier relationships."
This control requires organizations to ensure that information security is addressed in supplier agreements and relationships. It is part of the Organizational Controls theme. The other options are not control titles in Annex A:
"Responsibilities and procedures" (B) was used in older standards like ISO/IEC 27001:2005 but no longer exists.
"Protection of documents" (C) relates to document control but is not a specific Annex A control.
"Change control" (D) is relevant to ITIL/ITSM but not listed as a control title in Annex A.
Therefore, the correct Annex A control title is A: Information security in supplier relationships.
What is the definition of a threat according to ISO/IEC 27000?
Answer: A
Explanation, based on ISO/IEC 27000:
According to ISO/IEC 27000:2018, Clause 3.74, a threat is defined as:
"Potential cause of an unwanted incident, which can result in harm to a system or organization."
This definition directly matches option A.
Option B refers to an "information security incident" (ISO/IEC 27000:2018, Clause 3.32).
Option C describes a "vulnerability" (ISO/IEC 27000:2018, Clause 3.67).
Option D refers to "residual risk" (ISO/IEC 27000:2018, Clause 3.61).
The standard emphasizes that threats exploit vulnerabilities, causing incidents that can harm information confidentiality, integrity, and availability. Correctly identifying threats is critical for risk assessment (Clause 6.1.2). Thus, the correct definition per ISO/IEC 27000 is A.