Ten free questions from the ISO 27001 Lead Auditor bank, each tagged with the trap pattern it tests. Reveal the answer to see the cited clause and a plain-English rationale.
No card needed to read the answers below. Trial only required to access the full adaptive bank.
Q01T-01 Evidence vs finding
During the on-site phase of a Stage 2 certification audit, the team collects access-control logs showing five attempts to disable MFA in the preceding month. According to ISO 19011:2018, this information is best described as:
A. Audit evidence that has not yet been evaluated against criteria
B. An audit finding that should be raised at the closing meeting
C. A nonconformity under ISO/IEC 17021-1
D. An audit conclusion supporting the certification decision
+Show my answer
+
Correct answer: A
ISO 19011:2018 Clause 3 (Terms and definitions) defines audit evidence as records, statements of fact or other information that are relevant to the audit criteria and verifiable. Evaluation against criteria is what turns evidence into a finding; only consideration of all findings produces a conclusion. The log entries here are raw evidence, not yet evaluated. The other options jump one or more stages ahead - the classic evidence-vs-finding swap exam-writers reuse.
ISO 19011:2018, Clause 3 (Terms and definitions)
Q02T-02 Shall vs should
ISO/IEC 27001:2022 Clause 6.1.3 d) addresses the Statement of Applicability (SoA). Which option most accurately reflects the standard's wording?
A. The organisation may produce a SoA when an external party requires it
B. The organisation should produce a SoA aligned with Annex A
C. The organisation must produce a SoA only after the risk treatment plan is approved
D. The organisation shall produce a SoA that justifies inclusions and exclusions of Annex A controls
+Show my answer
+
Correct answer: D
Clause 6.1.3 d) uses 'shall'. The SoA is mandatory in any ISMS conforming to ISO/IEC 27001:2022, and it must justify both inclusions and exclusions of Annex A controls. The other options soften the requirement to 'should' or 'may', or add a triggering condition the standard does not contain. Exam-style wrong options routinely swap 'shall' for a softer modal verb because the eye slides past the change under time pressure.
ISO/IEC 27001:2022, Clause 6.1.3 d)
Q03T-03 Competence vs independence
An audit team leader is assigned to a client where she worked three years ago in a junior risk role. According to ISO/IEC 17021-1:2015, the most appropriate response is to:
A. Disclose the prior engagement to the certification body and reassign if impartiality cannot be safeguarded
B. Proceed because three years exceeds the cooling-off period for junior staff
C. Proceed but limit the audit to ISMS Clauses 4 to 7 and assign Annex A to a different auditor
D. Decline because demonstrated sector competence creates an independence conflict
+Show my answer
+
Correct answer: A
ISO/IEC 17021-1:2015 Clause 5.2 requires the certification body to identify and manage impartiality risks. The standard prescribes specific cooling-off periods for prior consultancy or internal-audit relationships, but prior employment in a non-consulting junior role falls under the broader impartiality-risk identification requirement and is evaluated case-by-case. Option B fabricates a junior-staff cooling-off rule. Option C is the classic competence-vs-independence swap: sector competence does not by itself disqualify; the relationship does. Option D is a workaround the standard does not sanction.
ISO/IEC 17021-1:2015, Clause 5.2
Q04T-01 Evidence vs finding
After interviews and document review, the auditor concludes that the organisation's risk treatment plan does not address two risks rated 'high' in the assessment. Under ISO 19011:2018 and ISO/IEC 27001:2022, this is most precisely described as:
A. An audit finding that may or may not be a nonconformity, pending evaluation
B. A nonconformity against Clause 6.1.3 of ISO/IEC 27001:2022
C. Audit evidence requiring further investigation
D. An opportunity for improvement to be noted in the report
+Show my answer
+
Correct answer: B
When evaluated evidence shows a 'shall' requirement is not met, the finding is a nonconformity (ISO 19011:2018 Clause 3 Terms and definitions; ISO/IEC 27001:2022 Clause 10.2). Option B drags it back to the pending-evaluation stage that has already passed in the stem. Option C drags it back further to raw evidence - the classic T-01 swap. Option D downgrades a clause breach to an OFI, which understates the issue when a mandatory clause is in scope.
ISO/IEC 27001:2022, Clause 10.2 (Nonconformity and corrective action)
Q05T-02 Shall vs should
ISO/IEC 27001:2022 Clause 9.2 addresses internal audit. Which statement is correct?
A. Internal audits may be replaced by external surveillance audits where a certified ISMS is in scope
B. The organisation shall conduct internal audits at planned intervals against its own ISMS requirements and the standard
C. Internal audits must follow ISO 19011:2018 exactly, including the audit programme structure
D. The organisation should conduct internal audits at least annually as a recommended practice
+Show my answer
+
Correct answer: B
Clause 9.2 uses 'shall' and requires audits at planned intervals against both the organisation's own ISMS requirements and the standard. Option B softens to 'should' and adds an interval ('annually') that the standard does not specify. Option C is wrong - surveillance does not replace internal audit. Option D overstates ISO 19011, which is a guidance document whose verbs are 'should', not 'shall'.
ISO/IEC 27001:2022, Clause 9.2
Q06T-03 Competence vs independence
An audit team is being assembled for a Stage 2 audit of a fintech ISMS. The most senior auditor available holds an information-security qualification and has twelve years of financial-services security experience, but she conducted internal ISMS audits for the same fintech's parent company three years ago. According to ISO 19011:2018 and ISO/IEC 17021-1:2015, the most accurate framing of her status is:
A. Both competence and independence are established by the twelve years of financial-services experience
B. Her competence is in question because financial-services audits require additional sector-specific qualifications regardless of experience
C. Her independence is not in question because three years exceeds the impartiality cooling-off window for internal-audit work, so the only remaining concern is competence
D. Her competence is established by qualification and experience; her independence with respect to this specific client is a separate question for the certification body to evaluate
+Show my answer
+
Correct answer: D
ISO 19011:2018 Clause 7 treats competence (knowledge, skills, attributes, experience) as one axis, and ISO/IEC 17021-1:2015 Clause 5.2 treats impartiality and independence as a separate, per-engagement axis. Option A keeps the two axes distinct, which is what the standards require. Option B inverts the relationship and invents a fixed cooling-off length for internal-audit work. Option C collapses both axes into one - the classic competence-vs-independence trap. Option D mis-frames the competence question; sector experience is exactly what 19011 Clause 7 counts as competence evidence.
ISO 19011:2018, Clause 7 + ISO/IEC 17021-1:2015, Clause 5.2
Q07T-01 Evidence vs finding
After the audit team completes evaluation of all findings, they prepare a single statement summarising whether the management system fulfils the audit criteria. Per ISO 19011:2018, this statement is the:
A. Audit finding
B. Audit conclusion
C. Audit observation
D. Audit report
+Show my answer
+
Correct answer: B
ISO 19011:2018 Clause 3 (Terms and definitions) defines the audit conclusion as the outcome of an audit after consideration of the audit objectives and all audit findings. Option B is a single finding, not the summary. Option C is the deliverable that contains the conclusion, not the conclusion itself. Option D is an informal observation that did not meet finding criteria. The evidence-vs-finding trap extends to any step of the vocabulary chain: evidence to finding to conclusion to report.
ISO 19011:2018, Clause 3 (Terms and definitions)
Q08T-02 Shall vs should
ISO/IEC 27001:2022 Clause 7.5 covers documented information. Which statement is correct?
A. Documented information must follow ISO 30301:2019 records-management requirements
B. The ISMS should include all Annex A control documentation regardless of applicability
C. The ISMS shall include documented information required by the standard and that determined by the organisation as necessary
D. Documented information may be omitted where the organisation can demonstrate equivalent oral practices
+Show my answer
+
Correct answer: C
Clause 7.5.1 uses 'shall' and requires both the documentation explicitly mandated by the standard AND any further documentation the organisation determines is necessary. Option B both softens the verb from 'shall' to 'should' and overreaches by requiring documentation for all Annex A controls regardless of SoA selection (Annex A applicability is governed by Clause 6.1.3, not by 7.5). Option C contradicts the standard outright. Option D imports ISO 30301:2019, which is unrelated to 27001 conformance.
ISO/IEC 27001:2022, Clause 7.5.1
Q09T-03 Competence vs independence
An auditor evaluator is reviewing a new lead-auditor candidate who has completed Lead Auditor training, holds an ISO/IEC 27001 implementer certification, and has audited three ISMSes as a team member. Under ISO 19011:2018 Clause 7, the candidate's status is best described as:
A. Competence is conditional on completing one further audit as team leader before lead-auditor sign-off
B. Competence is demonstrated for lead auditor; impartiality of any specific assignment is a separate evaluation
C. Both competence and independence are demonstrated together by the training certificate
D. Independence is the deciding factor; training and experience are secondary to absence of conflict
+Show my answer
+
Correct answer: B
ISO 19011:2018 Clause 7 treats auditor competence (knowledge, skills, attributes, experience) as a distinct concept from independence and impartiality, which are evaluated per assignment. Option A correctly separates them. Option B invents an experience-count rule the standard does not specify. Option C subordinates competence to independence; the standard treats them as parallel. Option D collapses them into one - the classic competence-vs-independence trap.
ISO 19011:2018, Clause 7 (Competence and evaluation of auditors)
Q10T-01 Evidence vs finding
During an interview, a system administrator states that backups are tested monthly. The auditor records the statement. To convert this into objective audit evidence under ISO 19011:2018, the auditor most appropriately:
A. Notes the statement and raises a nonconformity if records cannot later be located
B. Records the verbal statement and treats it as evidence sufficient for the finding
C. Requests records of recent backup-test results that the administrator can produce on the spot
D. Asks two other staff the same question and accepts a majority answer
+Show my answer
+
Correct answer: C
ISO 19011:2018 Clause 3 (Terms and definitions) requires audit evidence to be verifiable. An unverified verbal statement is not yet objective evidence; corroborating records turn it into one. Option B accepts unverified hearsay - exactly what the standard excludes. Option C uses social proof rather than verification. Option D jumps to a nonconformity without giving the auditee a reasonable opportunity to produce the evidence on the day.
ISO 19011:2018, Clause 3 (Terms and definitions)
You've seen ten. The bank holds 300+ questions.
Each one tagged with the trap pattern it tests, scheduled by an adaptive engine that targets only your weak clauses. 3-day free trial, card upfront, one-click cancel.