Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products
and services. It uses MongoDB, a document model database that offers high availability,
scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers
compromised its MongoDB database, because the database administrators did not change
its default settings, leaving it without a password and publicly accessible.
Fortunately, Socket Inc. performed regular information backups in their MongoDB
database, so no information was lost during the incident. In addition, a syslog server
allowed Socket Inc. to centralize all logs in one server. The company found out that no
persistent backdoor was placed and that the attack was not initiated from an employee
inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control
system that grants access to authorized personnel only. The company also implemented a
control in order to define and implement rules for the effective use of cryptography,
including cryptographic key management, to protect the database from unauthorized
access. The implementation was based on all relevant agreements, legislation, and
regulations, and the information classification scheme. To improve security and reduce the
administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information
related to information security threats, and integrate information security into project
management.
Based on the scenario above, answer the following question:
Which security control does NOT prevent information security incidents from recurring?
A. Segregation of networks
B. Privileged access rights
C. Information backup
Summary:
This question asks you to distinguish between preventive controls, which stop incidents from happening, and corrective/recovery controls, which mitigate impact after an incident has occurred. The key is to identify which control does not stop the initial event but is used to recover from it.
Correct Option:
C. Information backup:
This is a corrective and recovery control, not a preventive one. While absolutely essential, backups do not stop an incident like a hack from occurring. They are a safety net that allows the organization to restore data and operations after an incident has already happened, thus mitigating the impact but not preventing the recurrence of the breach itself.
Incorrect Option:
A. Segregation of networks:
This is a preventive control. By segregating the network (e.g., requiring VPN access to the database segment, as proposed), the company limits which hosts can reach the database at all and contains lateral movement, so a repeat of the publicly reachable database is blocked before any login is even attempted.
B. Privileged access rights:
This is a preventive control. Implementing strict access control ensures that only authorized personnel can access sensitive systems like the database. This directly addresses the root cause of the incident (publicly accessible database) and prevents a recurrence by blocking unauthorized access.
Reference:
ISO/IEC 27001:2022, Annex A, with the control attributes given in ISO/IEC 27002:2022. Each control carries a "Control type" attribute of Preventive, Detective and/or Corrective. A.8.22 (Segregation of networks) and A.8.2 (Privileged access rights) are tagged Preventive, while A.8.13 (Information backup) is tagged Corrective: its stated purpose is to enable recovery from loss of data or systems, not to stop the loss from happening.
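As an added example (not part of the exam material), the following check inspects a mongod.conf for the two settings behind the Socket Inc. incident: security.authorization not enabled and the listener bound to every interface. The two configuration texts are constructed samples; the option names (net.bindIp, net.bindIpAll, net.tls.mode, security.authorization) are MongoDB's real ones, and the checker assumes an unset bindIp means localhost only, which is the default for MongoDB 3.6 and later (older builds bound to all interfaces, which is exactly the exposure the scenario describes).

```python
"""Audit a mongod.conf for the settings that made the scenario's database reachable
without a password. Added example with constructed sample configs, not from the exam page."""

# Constructed sample: authorization left off, listener on all interfaces.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from anywhere the host is routable
"""

# Constructed sample: the same server after hardening.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus the app-tier interface only
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Parse the indentation-based subset of YAML that mongod.conf uses:
    nested mappings whose leaves are scalars. Text after '#' is a comment."""
    root = {}
    stack = [(-1, root)]                 # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:    # close mappings that are deeper than this line
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:                            # a nested mapping follows on the next lines
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit(conf):
    """Return finding codes; an empty list means none of the checked weaknesses is present."""
    findings = []
    net = conf.get("net", {})
    auth_on = conf.get("security", {}).get("authorization") == "enabled"
    if not auth_on:
        findings.append("NO_AUTH")       # anyone who can connect has full read/write access

    # Assumption: an unset bindIp means localhost only (MongoDB >= 3.6 default).
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    wildcard = net.get("bindIpAll") == "true" or any(a in WILDCARD for a in addrs)
    remote = wildcard or any(a not in LOOPBACK for a in addrs)
    if wildcard:
        findings.append("BIND_ALL_INTERFACES")
    if remote and not auth_on:
        findings.append("UNAUTHENTICATED_REMOTE_ACCESS")   # the scenario's root cause

    tls = net.get("tls", {})
    if not isinstance(tls, dict) or tls.get("mode") != "requireTLS":
        findings.append("NO_TLS")        # credentials and data cross the wire in clear
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or "OK")
```

The combined finding matters more than the individual ones: a wildcard bind on a host with no public route is a latent problem, and a missing password on a loopback-only listener is a local problem, but the two together are the incident in the scenario. Run the check against the config deployed, not the one in the repository, since the default that bit Socket Inc. is what applies when the file says nothing.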
An employee of the organization accidentally deleted customers' data stored in the database. What is the impact of this action?
A. Information is not accessible when required
B. Information is modified in transit
C. Information is not available to only authorized users
Summary:
This question tests the understanding of the core information security properties: Confidentiality, Integrity, and Availability (CIA triad). The scenario describes data being accidentally deleted. The primary consequence of deletion is the loss of access to that information for both authorized users and business processes, which directly impacts its availability.
Correct Option:
A. Information is not accessible when required.
This is the correct impact. Availability means that information is accessible and usable on demand by an authorized entity. Once the records are deleted, neither customers nor internal systems can reach them when they are needed, which is a direct breach of availability. Whether the loss is permanent depends on whether a backup exists, but the availability impact begins at the moment of deletion.
Incorrect Option:
B. Information is modified in transit.
This describes a breach of integrity, not availability. Integrity ensures that data is accurate and has not been altered in an unauthorized way. The scenario does not mention data being changed; it states the data was deleted, which is a different action with a different impact.
C. Information is not available to only authorized users.
This is an incorrect and misleading statement. If information is not available, it is unavailable to all users, both authorized and unauthorized. The core definition of availability does not distinguish between user types in this way; it is a blanket state of being accessible or not.
Reference:
ISO/IEC 27000:2018, "Information technology — Security techniques — Information security management systems — Overview and vocabulary." This standard defines the fundamental security properties. It defines availability as the "property of being accessible and usable on demand by an authorized entity." The deletion of data directly violates this property.
A company decided to use an algorithm that analyzes various attributes of customer behavior, such as browsing patterns and demographics, and groups customers based on their similar characteristics. This way, the company will be able to identify frequent buyers and trend-followers, among others. What type of machine learning is the company using?
A. Decision tree machine learning
B. Supervised machine learning
C. Unsupervised machine learning
Summary:
This question tests the understanding of core machine learning types. The key differentiator is whether the algorithm is given labeled data to learn from (supervised) or must find patterns and structures in unlabeled data on its own (unsupervised). The scenario describes analyzing data to find inherent groupings without any pre-defined customer categories.
Correct Option:
C. Unsupervised machine learning.
The company is using an algorithm to find hidden patterns or groupings in customer data without any pre-existing labels. The algorithm itself is identifying that certain customers are "frequent buyers" or "trend-followers" based solely on the similarity of their attributes (browsing patterns, demographics). This process of grouping similar data points is called clustering, a primary technique in unsupervised learning.
Incorrect Option:
A. Decision tree machine learning.
A decision tree is a specific algorithm, not a type of learning. It is primarily used in supervised learning for classification or regression tasks, where it learns from labeled training data to make predictions. The scenario does not mention using pre-labeled customer data to train a predictive model.
B. Supervised machine learning.
This type requires a labeled dataset where the "correct answer" (e.g., "frequent buyer" or "not a frequent buyer") is already known for many examples. The algorithm learns from these examples to predict labels for new data. Here, the company is discovering the groups from scratch, which is the opposite of using a pre-labeled dataset.
Reference:
ISO/IEC 27001 does not define machine learning terms. The authoritative vocabulary comes from ISO/IEC JTC 1/SC 42 (Artificial intelligence), in particular ISO/IEC 22989:2022, "Artificial intelligence concepts and terminology," which distinguishes supervised, unsupervised, semi-supervised and reinforcement learning. Clustering, as described in the scenario, is the textbook unsupervised task.
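The following is an added example, not from the exam page, showing what "grouping customers with no labels" looks like in code: a minimal k-means over a constructed customer table. Nothing in the data says who is a frequent buyer; the algorithm only produces numbered groups, and a person names them afterwards, which is the whole point of the unsupervised/supervised distinction. The feature choice (visits, purchases, share of purchases that were new arrivals) and the deterministic farthest-first seeding are assumptions made for the example.

```python
"""Group customers by similarity with no labels: a minimal k-means.
Added example with constructed data; not from the exam page."""

import math

# Constructed sample: customer -> (site visits/month, purchases/month,
#                                  share of purchases that were new arrivals)
CUSTOMERS = {
    "c01": (30, 12, 0.20), "c02": (28, 10, 0.10), "c03": (25, 11, 0.30),   # buy a lot
    "c04": (4, 1, 0.90),   "c05": (6, 2, 0.80),   "c06": (5, 1, 0.95),     # buy rarely, only what is new
    "c07": (3, 0, 0.10),   "c08": (2, 0, 0.20),                            # hardly engage
}


def scale(points):
    """Min-max scale each feature to [0, 1] so that visit counts do not swamp a 0-1 ratio."""
    dims = len(next(iter(points.values())))
    lo = [min(p[i] for p in points.values()) for i in range(dims)]
    hi = [max(p[i] for p in points.values()) for i in range(dims)]
    return {k: tuple((p[i] - lo[i]) / (hi[i] - lo[i] or 1) for i in range(dims))
            for k, p in points.items()}


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def farthest_first(points, k):
    """Deterministic seeding: the first point, then repeatedly the point farthest from all seeds."""
    ids = list(points)
    seeds = [points[ids[0]]]
    while len(seeds) < k:
        nxt = max(ids, key=lambda i: min(dist(points[i], s) for s in seeds))
        seeds.append(points[nxt])
    return seeds


def kmeans(points, k, iters=100):
    """Return {cluster_index: sorted customer ids}. The indices carry no meaning;
    naming a group 'frequent buyers' is a human step after the fact."""
    pts = scale(points)
    centroids = farthest_first(pts, k)
    for _ in range(iters):
        groups = {i: [] for i in range(k)}
        for cid, p in pts.items():                       # assign each point to its nearest centroid
            groups[min(range(k), key=lambda i: dist(p, centroids[i]))].append(cid)
        new = [tuple(sum(pts[c][d] for c in members) / len(members)
                     for d in range(len(centroids[0])))
               if members else centroids[i]              # keep an empty cluster's centroid as is
               for i, members in groups.items()]
        if new == centroids:                             # assignments stable: converged
            break
        centroids = new
    return {i: sorted(m) for i, m in groups.items()}


if __name__ == "__main__":
    for label, members in kmeans(CUSTOMERS, 3).items():
        print(label, members)
```

A supervised approach would need a fourth column, the known segment of each past customer, and would learn to predict it for new ones; here no such column exists, and the groups fall out of the geometry alone. The number of groups (k) is still a human choice, which is one reason clustering results need review before anyone acts on them.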
Scenario 4: TradeB, a commercial bank that has just entered the market, accepts deposits
from its clients and offers basic financial services and loans for investments. TradeB has
decided to implement an information security management system (ISMS) based on
ISO/IEC 27001. Having no experience of a management system implementation,
TradeB's top management contracted two experts to direct and manage the ISMS
implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only
the security controls deemed applicable to the company and their objectives. Based on this
analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk
assessment, during which they identified assets, such as hardware, software, and
networks, as well as threats and vulnerabilities, assessed potential consequences and
likelihood, and determined the level of risks based on three nonnumerical categories (low,
medium, and high). They evaluated the risks based on the risk evaluation criteria and
decided to treat only the high risk category. They also decided to focus primarily on the
unauthorized use of administrator rights and system interruptions due to several hardware
failures by establishing a new version of the access control policy, implementing controls to
manage and control user access, and implementing a control for ICT readiness for
business continuity. Lastly, they drafted a risk assessment report, in which they wrote that if after the
implementation of these security controls the level of risk is below the acceptable level, the
risks will be accepted.
Based on the scenario above, answer the following question:
The decision to treat only risks that were classified as high indicates that TradeB has:
A. Evaluated other risk categories based on risk treatment criteria
B. Accepted other risk categories based on risk acceptance criteria
C. Modified other risk categories based on risk evaluation criteria
Summary:
The scenario describes a key step in the risk management process: deciding which risks require treatment. The team evaluated all risks (low, medium, high) against pre-defined criteria and made a conscious decision to only treat the "high" risks. This implies a deliberate management decision to accept the "low" and "medium" risks, as they fall within the organization's risk appetite and do not warrant the cost or effort of treatment.
Correct Option:
B. Accepted other risk categories based on risk acceptance criteria.
This is correct. By explicitly deciding to treat only the high risks, TradeB has made a deliberate decision to retain the low and medium risks without further treatment. That decision rests on the risk acceptance criteria, which define the level of risk the organization is willing to live with; the risk evaluation criteria were used earlier to rank the risks, not to accept them. The remaining, untreated risks are therefore accepted.
Incorrect Option:
A. Evaluated other risk categories based on risk treatment criteria.
This is incorrect because the evaluation of all risks is completed before treatment decisions are made. The team has already evaluated and categorized all risks as low, medium, or high. The decision to treat only high risks is the treatment step itself, not a re-evaluation.
C. Modified other risk categories based on risk evaluation criteria.
This is incorrect. Risk modification is a treatment option, applied by changing the likelihood or consequences of a risk that has been selected for treatment; the team chose not to treat the low and medium risks at all. Risk evaluation criteria are used to rank risks against one another, not to modify them, and nothing in the scenario suggests the initial evaluation was revisited.
Reference:
ISO/IEC 27005:2022, "Information security, cybersecurity and privacy protection — Guidance on managing information security risks." This standard outlines the risk management process. It clearly distinguishes between risk evaluation (comparing risk levels against criteria to decide which need treatment) and risk treatment (selecting and implementing controls, which includes the option to accept risks). The decision to treat only high risks is a risk treatment decision, resulting in the acceptance of the others.
Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming
consoles, flat-screen TVs, computers, and printers. In order to ensure information security,
the company has decided to implement an information security management system
(ISMS) based on the requirements of ISO/IEC 27001.
Colin, the company's best information security expert, decided to hold a training and
awareness session for the personnel of the company regarding the information security
challenges and other information security-related controls. The session included topics
such as Skyver's information security approaches and techniques for mitigating phishing
and malware.
One of the participants in the session is Lisa, who works in the HR Department. Although
Colin explains Skyver's existing information security policies and procedures in an
honest and fair manner, she finds some of the issues being discussed too technical and
does not fully understand the session. Therefore, in a lot of cases, she requests additional
help from the trainer and her colleagues.
What is the difference between training and awareness? Refer to scenario 6.
A. Training helps acquire certain skills, whereas awareness develops certain habits and behaviors.
B. Training helps acquire a skill, whereas awareness helps apply it in practice
C. Training helps transfer a message with the intent of informing, whereas awareness helps change the behavior toward the message
Summary:
This question tests the fundamental distinction between awareness and training within an ISMS. Awareness is about broadly informing individuals of their security responsibilities and creating a security-conscious culture. Training is more focused, aiming to equip specific individuals with the skills needed to perform security-related tasks competently. The goal of each is different.
Correct Option:
A. Training helps acquire certain skills, whereas awareness develops certain habits and behaviors.
This is the most accurate distinction. Training is practical and skill-based (e.g., teaching someone how to recognize and report a phishing message). Awareness works on culture and mindset so that secure habits form (e.g., making everyone understand why credentials must never be shared). The session in the scenario mixes both: Skyver's policies and procedures are awareness content, while the techniques for mitigating phishing and malware are training content, and that is the part Lisa finds too technical.
Incorrect Option:
B. Training helps acquire a skill, whereas awareness helps apply it in practice.
This is incorrect. Applying a skill in practice is part of competence, which is the outcome of training; awareness does not apply skills but creates the understanding that makes people receptive to training and mindful of security in their daily actions.
C. Training helps transfer a message with the intent of informing, whereas awareness helps change the behavior toward the message.
This is incorrect because it reduces training to informing. Training builds competence, the demonstrated ability to perform specific tasks, whereas merely transferring a message to inform is what awareness communications do. The second half of the option (changing behaviour toward the message) is indeed what awareness aims at, so the option as a whole assigns the roles the wrong way round.
Reference:
ISO/IEC 27001:2022, Clauses 7.2 (Competence) and 7.3 (Awareness), and Annex A control A.6.3 (Information security awareness, education and training) with its guidance in ISO/IEC 27002:2022. Clause 7.2 requires the organization to ensure that persons are competent, on the basis of education, training or experience, to do work that affects information security; clause 7.3 requires that persons are aware of the policy, their contribution to the ISMS and the implications of not conforming. Competence (training) is a demonstrated ability to apply knowledge and skills; awareness is the understanding that shapes day-to-day behaviour.
An organization that has an ISMS in place conducts management reviews at planned intervals, but does not retain documented information on the results. Is this in accordance with the requirements of ISO/IEC 27001?
A. Yes, ISO/IEC 27001 does not require organizations to document the results of management reviews
B. No, ISO/IEC 27001 requires organizations to document the results of management reviews
C. Yes, ISO/IEC 27001 requires organizations to document the results of management reviews only if they are conducted ad hoc
Summary:
The requirement for retaining documented information is explicit in ISO/IEC 27001. The standard mandates that specific activities and their results are recorded to provide evidence of conformity and effective operation of the ISMS. The management review is a critical process for evaluating the ISMS's performance, and its outputs must be preserved.
Correct Option:
B. No, ISO/IEC 27001 requires organizations to document the results of management reviews.
This is correct. The standard explicitly mandates that documented information must be retained as evidence of the results of management reviews. This is non-negotiable and is required to demonstrate that top management has reviewed the ISMS and made decisions regarding its continuing suitability, adequacy, effectiveness, and alignment with the strategic direction.
Incorrect Option:
A. Yes, ISO/IEC 27001 does not require organizations to document the results of management reviews.
This is false and contradicts a clear "shall" statement in the standard. Without documented results, there is no objective evidence that the review took place or what decisions and actions were agreed upon.
C. Yes, ISO/IEC 27001 requires organizations to document the results of management reviews only if they are conducted ad hoc.
This is incorrect. The requirement to retain documented information on the results of management reviews applies to all management reviews, regardless of whether they are conducted at planned intervals or on an ad-hoc basis. The standard's requirement is absolute.
Reference:
ISO/IEC 27001:2022, Clause 9.3, "Management review." It explicitly states: "The organization shall retain documented information as evidence of the results of management reviews." This is a mandatory requirement for certification.
Which security controls must be implemented to comply with ISO/IEC 27001?
A. Those designed by the organization only
B. Those included in the risk treatment plan
C. Those listed in Annex A of ISO/IEC 27001, without any exception
Summary:
ISO/IEC 27001 is based on a risk-driven approach. This means an organization is not required to implement every control in Annex A. Instead, it must determine which controls are necessary to address its specific information security risks, as identified through a formal risk assessment and documented in a risk treatment plan.
Correct Option:
B. Those included in the risk treatment plan.
This is the correct and foundational principle of ISO/IEC 27001. The organization conducts a risk assessment to identify its unique threats and vulnerabilities. The risk treatment plan is the formal document that outlines the decisions on how to treat these risks (e.g., mitigate, accept), including the selection of appropriate controls from Annex A or elsewhere. Only the controls designated in this plan are required for implementation.
Incorrect Option:
A. Those designed by the organization only.
While an organization can create its own unique controls, ISO/IEC 27001 requires that the process for selecting and implementing all controls (custom or from Annex A) be systematic and based on the risk treatment plan. It is not solely about self-designed controls.
C. Those listed in Annex A of ISO/IEC 27001, without any exception.
This is incorrect. Annex A is a list of possible controls, not a mandatory checklist. The standard requires organizations to consider these controls but only mandates the implementation of those deemed necessary through the risk assessment and treatment process. This is a core tenet of the standard's flexibility and scalability.
Reference:
ISO/IEC 27001:2022, Clause 6.1.3, "Information security risk treatment." The organization determines the controls necessary to implement its chosen risk treatment options, compares them with Annex A to verify that no necessary control has been omitted, produces a Statement of Applicability that lists the necessary controls, whether they are implemented, and the justification for including them and for excluding any Annex A control, and formulates a risk treatment plan. Annex A is a reference list, and the notes to 6.1.3 allow controls to be designed by the organization or taken from other sources. This makes the risk treatment plan, not Annex A as a whole, the source of the controls that must be implemented.
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce
model, leaving traditional retail. The top management has decided to build their own
custom platform in-house and outsource the payment process to an external provider
operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were
implemented based on the identified threats and vulnerabilities associated with critical assets.
To protect customers' information, Beauty's employees had to sign a confidentiality
agreement. In addition, the company reviewed all user access rights so that only
authorized personnel can have access to sensitive files and drafted a new segregation of
duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident
not long after transitioning to the e-commerce model. After investigating the incident, the
team concluded that due to the out-of-date anti-malware software, an attacker gained
access to their files and exposed customers' information, including their names and home
addresses.
The IT team decided to stop using the old anti-malware software and install a new one
which would automatically remove malicious code in case of similar incidents. The new
software was installed in every workstation within the company. After installing the new
software, the team updated it with the latest malware definitions and enabled the automatic
update feature to keep it up to date at all times. Additionally, they established an
authentication process that requires a user identification and password when accessing
sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the
IT team and other employees that have access to confidential information in order to raise
awareness on the importance of system and network security.
According to scenario 2, Beauty has reviewed all user access rights. What type of control is
this?
A. Detective and administrative
B. Corrective and managerial
C. Legal and technical
Summary:
This question requires classifying a control by its nature and function. "Reviewing all user access rights" is a process of verifying and authorizing user permissions against a policy. It is an administrative action performed by management to enforce security policies (preventive) and can also uncover existing inappropriate access (detective).
Correct Option:
A. Detective and administrative. This is the correct classification.
Administrative:
The act of reviewing and authorizing access rights is a policy-based, procedural control. It is an administrative function performed by managers or system owners to ensure compliance with the principle of least privilege.
Detective:
While the goal is preventive, the review process itself can detect instances where users have accumulated excessive privileges over time or have access that is no longer required for their role. It discovers existing policy violations.
Incorrect Option:
B. Corrective and managerial:
"Managerial" is similar to administrative, but "Corrective" is inaccurate. A review does not itself correct the access rights; it identifies what needs to be corrected. The subsequent action of modifying the rights would be the corrective step. The control described is the review, not the correction.
C. Legal and technical:
This is incorrect. The control has no inherent "legal" dimension like a contract or agreement. It is also not a "technical" control, as it is not implemented through technology (like a firewall or software). It is a manual, process-oriented administrative activity.
Reference:
ISO/IEC 27001:2022, Annex A. Reviewing access rights sits in the Organizational theme, which is administrative in nature. It corresponds to A.5.18 (Access rights), which requires access rights to be reviewed at regular intervals and on changes of role or employment, with A.8.2 (Privileged access rights) and A.5.3 (Segregation of duties) covering the privileged and conflict-of-interest aspects the scenario also mentions. The periodic review is the administrative and detective part; removing what the review finds is a separate corrective action.
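To make the "detective" point concrete, here is an added example, not from the exam page, of what an access rights review does when written down as code: it compares what the systems actually grant with an approved role-to-entitlement matrix and a segregation-of-duties rule, and reports findings. It revokes nothing; that is the corrective step a manager has to approve. The role matrix, the conflict rule and the user snapshot are constructed sample data, and the entitlement naming scheme is an assumption made for the example.

```python
"""Review granted access rights against an approved role matrix.
Added example with constructed data; not from the exam page."""

# Constructed approved matrix: which entitlements each role may hold.
ROLE_ENTITLEMENTS = {
    "customer_support": {"orders:read", "customers:read"},
    "warehouse_clerk": {"orders:read", "inventory:write"},
    "finance": {"orders:read", "payments:read", "payments:refund"},
    "platform_admin": {"orders:read", "customers:read", "customers:export",
                       "payments:read", "db:admin"},
}

# Constructed segregation-of-duties rule: nobody may both adjust stock and issue refunds.
SOD_CONFLICTS = [("inventory:write", "payments:refund")]

# Constructed snapshot of what the systems actually grant today.
USERS = [
    {"user": "alice", "role": "customer_support", "active": True,
     "entitlements": {"orders:read", "customers:read"}},
    {"user": "bob", "role": "warehouse_clerk", "active": True,
     "entitlements": {"orders:read", "inventory:write", "payments:refund"}},
    {"user": "carol", "role": "finance", "active": False,            # left the company
     "entitlements": {"orders:read", "payments:read"}},
    {"user": "dave", "role": "finance", "active": True,
     "entitlements": {"orders:read", "payments:read", "payments:refund", "customers:export"}},
]


def review_access(users, matrix=ROLE_ENTITLEMENTS, conflicts=SOD_CONFLICTS):
    """Return (user, finding, detail) tuples. The review only detects; revoking is a
    separate corrective step that someone has to approve and carry out."""
    findings = []
    for u in users:
        held = sorted(u["entitlements"])
        if not u["active"]:
            if held:                                   # leaver still holding anything at all
                findings.append((u["user"], "ORPHANED", ",".join(held)))
            continue                                   # all of a leaver's rights are already flagged
        allowed = matrix.get(u["role"])
        if allowed is None:                            # role not in the approved matrix
            findings.append((u["user"], "UNKNOWN_ROLE", u["role"]))
            allowed = set()
        for ent in held:
            if ent not in allowed:                     # accumulated or never-approved rights
                findings.append((u["user"], "EXCESS", ent))
        for a, b in conflicts:
            if a in u["entitlements"] and b in u["entitlements"]:
                findings.append((u["user"], "SOD", f"{a}+{b}"))
    return findings


if __name__ == "__main__":
    for f in review_access(USERS):
        print(*f)
```

Two of the constructed findings are the ones reviews most often turn up in practice: a leaver whose account was never cleaned up (ORPHANED) and a role that quietly gained a right through a one-off request (EXCESS), which here also creates the SOD conflict. Feeding the export of a real identity system into this shape of check is what turns the policy "review all user access rights" into evidence an auditor can look at.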
What should an organization allocate to ensure the maintenance and improvement of the information security management system?
A. The appropriate transfer to operations
B. Sufficient resources, such as the budget, qualified personnel, and required tools
C. The documented information required by ISO/IEC 27001
Summary:
For an ISMS to be successfully established, implemented, maintained, and continually improved, it must be actively supported by management with the necessary means. This goes beyond just having documents; it requires tangible commitment in the form of budget, skilled people, time, and tools to operate and enhance the security processes effectively.
Correct Option:
B. Sufficient resources, such as the budget, qualified personnel, and required tools.
This is the correct and most comprehensive answer. The standard explicitly requires top management to ensure the availability of necessary resources for the ISMS. This includes financial budget, assigning competent and qualified personnel, and providing the required tools, infrastructure, and time to perform information security tasks.
Incorrect Option:
A. The appropriate transfer to operations.
This phrase describes a project management or system development lifecycle phase, not a fundamental resource allocation requirement for maintaining and improving the ISMS itself. While new controls may be transferred to operations, the ongoing system needs sustained resources.
C. The documented information required by ISO/IEC 27001.
While documenting information is a mandatory requirement, it is only one component of the ISMS. Allocating documents alone does not ensure the system's maintenance and improvement. Without the resources (people, budget) to act on those documents and run the processes, the ISMS will not be effective.
Reference:
ISO/IEC 27001:2022, Clause 7.1 (Resources), which states that the organization shall "determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system," and Clause 5.1 (Leadership and commitment), which makes ensuring that these resources are available a direct responsibility of top management.
An organization has decided to conduct information security awareness and training sessions on a monthly basis for all employees. Only 45% of employees who attended these sessions were able to pass the exam. What does the percentage represent?
A. Measurement objective
B. Attribute
C. Performance indicator
Summary:
This question tests the understanding of measurement terms within a management system. A performance indicator is a specific, quantifiable data point used to track the effectiveness of a process or control. It provides evidence of performance and helps in evaluating whether objectives are being met.
Correct Option:
C. Performance indicator.
The percentage (45% pass rate) is a measurable value that indicates the performance or effectiveness of the awareness and training sessions. It is a key performance indicator (KPI) for the training process, showing that the current method may be ineffective and requires improvement to achieve its intended competence objectives.
Incorrect Option:
A. Measurement objective.
This is what the organization aims to achieve. An objective would be a target, such as "95% of employees shall pass the security awareness exam." The 45% is the actual measured result, not the objective itself.
B. Attribute.
An attribute is an inherent property or characteristic of something. For example, the "date of the training" or the "name of the trainer" are attributes of the training session. The pass rate is not a simple attribute; it is a calculated metric used to gauge performance.
Reference:
ISO/IEC 27004:2016, "Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation." This standard provides guidance on developing and using performance indicators to measure the effectiveness of an ISMS. A metric like a training pass rate is a classic example of a performance indicator used to evaluate the effectiveness of control A.6.3 (Information security awareness, education and training).
The incident management process of an organization enables them to prepare for and respond to information security incidents. In addition, the organization has procedures in place for assessing information security events. According to ISO/IEC 27001, what else must an incident management process include?
A. Processes for using knowledge gained from information security incidents
B. Establishment of two information security incident response teams
C. Processes for handling information security incidents of suppliers as defined in their agreements
Summary:
The ISO/IEC 27001 standard specifies requirements for a systematic incident management process. While preparation, response, and event assessment are crucial, the standard emphasizes the importance of learning from incidents to improve the ISMS. This ensures that the organization does not just react to problems but proactively enhances its security posture over time.
Correct Option:
A. Processes for using knowledge gained from information security incidents.
This is a mandatory requirement. The incident management process must include a step for learning from incidents to drive continual improvement. This involves analyzing the root cause of incidents and using that knowledge to strengthen controls, update policies, and prevent recurrence, thereby enhancing the overall effectiveness of the ISMS.
Incorrect Option:
B. Establishment of two information security incident response teams.
The standard does not mandate a specific number of incident response teams. It requires that roles and responsibilities for incident management are assigned, but the structure (e.g., a single team, multiple teams, or a virtual team) is left for the organization to decide based on its size and needs.
C. Processes for handling information security incidents of suppliers as defined in their agreements.
While this is good practice and is addressed in supplier-relationship controls such as A.5.20 (Addressing information security within supplier agreements), which expects incident handling to be covered in those agreements, it is not a required element of the organization's own incident management process. The requirement in question concerns the organization's internal process and its improvement.
Reference:
ISO/IEC 27001:2022, Annex A, controls A.5.24 to A.5.28. A.5.24 (Information security incident management planning and preparation) covers the processes, roles and responsibilities for handling incidents; A.5.25 (Assessment and decision on information security events) and A.5.26 (Response to information security incidents) correspond to what the organization in the question already has; A.5.27 (Learning from information security incidents) requires that knowledge gained from incidents be used to strengthen and improve information security controls, which is the missing element.
FinanceX, a well-known financial institution, uses an online banking platform that enables clients to easily and securely access their bank accounts. To log in, clients are required to enter the one-time authorization code sent to their smartphone. What can be concluded from this scenario?
A. FinanceX has implemented a security control that ensures the confidentiality of information
B. FinanceX has implemented an integrity control that avoids the involuntary corruption of data
C. FinanceX has incorrectly implemented a security control that could become a vulnerability
Summary:
This scenario describes an authentication control based on a one-time code delivered to the client's registered smartphone, a possession factor that is normally combined with a password or PIN to form multi-factor authentication. The primary security property it protects is confidentiality: the code is tied to a device the client holds, so an attacker who only knows the password cannot read the account data.
Correct Option:
A. FinanceX has implemented a security control that ensures the confidentiality of information.
This is correct. The one-time code is a preventive control that verifies the identity of the person logging in. Because only the holder of the registered smartphone receives the code, the control limits account access to the legitimate client and so protects the confidentiality of the financial information in the account from unauthorized disclosure.
Incorrect Option:
B. FinanceX has implemented an integrity control that avoids the involuntary corruption of data.
This is incorrect. Integrity controls, such as hashing or digital signatures, are designed to protect data from being altered, either maliciously or accidentally. Authentication controls like 2FA do not prevent data from being modified once a user is logged in; they only verify identity at the point of entry.
C. FinanceX has incorrectly implemented a security control that could become a vulnerability.
This is incorrect. The implementation described is a standard and recommended security practice (2FA) for protecting sensitive systems like online banking. There is no indication in the scenario of an incorrect implementation; it is presented as a functional security measure.
Reference:
ISO/IEC 27001:2022, Annex A, controls A.8.5 (Secure authentication), which calls for authentication technologies and procedures, including multi-factor methods, appropriate to the information being protected, and A.5.17 (Authentication information), which covers the management of authentication information such as passwords and one-time codes. Both exist to confirm a claimed identity before access is granted, which is what protects the confidentiality of the account data.
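The page does not say how FinanceX generates its code, only that one is sent to the phone. The following added example (not from the exam page) shows the standardized way such codes are produced and checked, HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), together with the two server-side details that decide whether the control actually protects confidentiality: a code must never be accepted twice, and online guessing must be cut off. The secret is the RFC test secret so the outputs can be checked against the published vectors; the look-ahead window and lockout threshold are assumptions chosen for the example.

```python
"""Generate and verify one-time codes (HOTP, RFC 4226; TOTP, RFC 6238) with replay
protection and a failure lockout. Added example, not the bank's mechanism from the page."""

import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); used only so the
# outputs can be compared with the published test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server-side state for one user: the next expected counter, a small look-ahead window
    for codes the client generated but never submitted, and a lockout against guessing."""

    def __init__(self, secret: bytes, window: int = 3, max_failures: int = 5):
        self.secret = secret
        self.window = window            # assumption: accept at most 3 counters ahead
        self.max_failures = max_failures
        self.counter = 0
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, submitted: str) -> bool:
        if self.locked:                 # 6 digits x window 3 is only 3-in-a-million per try,
            return False                #   but unlimited tries would make that irrelevant
        for c in range(self.counter, self.counter + self.window):
            # constant-time compare: a timing difference on the code is a small oracle
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1    # burn this and every earlier counter: no replay
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    v = HotpVerifier(RFC_SECRET)
    first = hotp(RFC_SECRET, 0)
    print(first, v.verify(first), v.verify(first))   # second attempt is a replay and fails
```

If the second verify call in the usage line ever returned True, the "one-time" in one-time code would be a fiction and the control would no longer support the confidentiality claim in the answer. Codes sent by SMS need the same two server-side rules; what changes is only how the code reaches the client.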