ISO 27001 LI / Free Practice

ISO 27001 Lead Implementer Free Practice Questions.

Ten free questions from the ISO 27001 Lead Implementer bank, each tagged with the trap pattern it tests. Reveal the answer to see the cited clause and a plain-English rationale.

No card needed to read the answers below. Trial only required to access the full adaptive bank.

Q01 T-01 SoA vs Risk Treatment Plan

During an ISMS implementation, the team has completed the risk treatment decisions and is preparing the next two artefacts. Per ISO/IEC 27001:2022, which statement correctly distinguishes the Statement of Applicability (SoA) from the Risk Treatment Plan (RTP)?

  1. A. The SoA justifies inclusion or exclusion of each Annex A control; the RTP specifies who does what, by when, and with what resources to implement the treatment
  2. B. The SoA is signed by top management; the RTP is signed by the risk owner only
  3. C. The SoA lists residual risks above the risk acceptance criteria; the RTP lists controls selected from Annex A
  4. D. The SoA replaces the RTP for organisations that adopt the full Annex A control set
Show my answer

Correct answer: A

ISO/IEC 27001:2022 Clause 6.1.3 d) defines the SoA as the document justifying inclusions and exclusions of Annex A controls. Clause 6.1.3 e) defines the RTP as the plan to implement the treatment - who, what, when, with what resources. Option B swaps the content of the two artefacts (a textbook SoA-vs-RTP trap). Option C invents a signing rule the standard does not prescribe. Option D contradicts 6.1.3 d) - the SoA is required regardless of how many Annex A controls are selected.

ISO/IEC 27001:2022, Clauses 6.1.3 d) and 6.1.3 e)

Q02 T-03 Risk treatment verb swap

An organisation purchases cyber-insurance to cover the financial impact of a successful ransomware attack. Per ISO/IEC 27005:2022, this treatment is best categorised as:

  1. A. Risk retention (acceptance)
  2. B. Risk modification (mitigation)
  3. C. Risk sharing (transfer)
  4. D. Risk avoidance
Show my answer

Correct answer: C

ISO/IEC 27005:2022 Clause 8.5 lists four risk treatment options. Cyber-insurance shifts the financial consequence of an event to a third party, which is risk sharing (formerly 'transfer'). Mitigation (Option B) means applying controls that reduce likelihood or impact - insurance does not change the underlying control posture. Acceptance (C) means doing nothing further - insurance is a positive action. Avoidance (D) means ceasing the activity. The transfer-vs-mitigate confusion is exam-grade because both colloquially 'reduce the impact on us'.

ISO/IEC 27005:2022, Clause 8.5

Q03 T-02 Implementation vs operation phase

Six months after ISMS certification, the organisation conducts its second internal audit and identifies that one Annex A control is not being applied consistently. The Lead Implementer asks whether this should be treated as an implementation gap or an operation-phase nonconformity. The correct framing is:

  1. A. Implementation gap, raised under Clause 6.1.3 - the control was inadequately implemented and needs redesign
  2. B. Both - the gap proves the implementation was incomplete and the operation is failing
  3. C. Operation-phase nonconformity, raised under Clause 10.2 - the ISMS is operational, so any control gap is now an operational issue
  4. D. Neither - inconsistent application is normal in the first year of operation
Show my answer

Correct answer: C

Once the ISMS is certified and operational, control gaps fall under Clause 10.2 (Nonconformity and corrective action). The ISMS has transitioned from implementation (Clause 6) to operation (Clause 8) and is now governed by performance evaluation (Clause 9) and improvement (Clause 10). Option B is the implementation-vs-operation phase trap: it sends the team back to the wrong clause. Option C makes both apply, which is incorrect after the phase transition. Option D dismisses the nonconformity entirely.

ISO/IEC 27001:2022, Clause 10.2 (Nonconformity and corrective action)

Q04 T-01 SoA vs Risk Treatment Plan

In the ISMS implementation sequence, which order correctly reflects ISO/IEC 27001:2022 Clause 6?

  1. A. Risk Treatment Plan -> risk assessment -> SoA -> risk treatment decisions -> implementation
  2. B. SoA -> risk assessment -> risk treatment decisions -> Risk Treatment Plan -> implementation
  3. C. Risk assessment -> SoA -> risk treatment decisions -> Risk Treatment Plan -> implementation
  4. D. Risk assessment -> risk treatment decisions -> SoA -> Risk Treatment Plan -> implementation
Show my answer

Correct answer: D

Clauses 6.1.2 (risk assessment) and 6.1.3 a) to c) (selecting treatment options, determining controls, comparing to Annex A) come first. Then 6.1.3 d) (SoA) and 6.1.3 e) (RTP) are produced. Implementation follows under Clause 8. Option B places the SoA before treatment decisions, which is impossible because the SoA documents those decisions. Option C makes the SoA the starting point, contradicting the risk-driven approach. Option D inverts the entire logic.

ISO/IEC 27001:2022, Clause 6.1.3

Q05 T-03 Risk treatment verb swap

An organisation identifies a high risk from operating a legacy mainframe with no vendor patch support. Management decides to migrate off the mainframe within six months. Per ISO/IEC 27005:2022, this treatment is:

  1. A. Risk acceptance - management has acknowledged the risk and chosen to proceed for six months
  2. B. Risk avoidance - the activity creating the risk will be ceased
  3. C. Risk modification - migration is a control that reduces the impact
  4. D. Risk sharing - the migration shifts the risk to the new platform vendor
Show my answer

Correct answer: B

ISO/IEC 27005:2022 Clause 8.5 defines risk avoidance as ceasing the activity that gives rise to the risk. Migrating off the mainframe is exactly that. Option B confuses 'temporary continued operation while migrating' with formal risk acceptance - acceptance means the risk stays. Option C labels migration as 'control modification', but migration removes the risk source rather than reducing it. Option D mis-frames the new platform: the original mainframe risk is eliminated, not transferred (the new platform has different risks that need their own assessment).

ISO/IEC 27005:2022, Clause 8.5

Q06 T-02 Implementation vs operation phase

Per ISO/IEC 27003:2017 guidance on ISO/IEC 27001 Clause 6, which activity is part of the implementation phase rather than the operation phase?

  1. A. Producing the Statement of Applicability and Risk Treatment Plan
  2. B. Investigating a security incident and applying corrective action
  3. C. Conducting the management review of ISMS performance
  4. D. Reviewing the Information Security Policy on the published cycle
Show my answer

Correct answer: A

Producing the SoA and RTP sits in Clause 6 (Planning), which is the implementation phase. Options B, C, and D all belong to operation, performance evaluation, or improvement (Clauses 9 and 10) - the running ISMS, not the initial build. Implementation-vs-operation confusion is the T-02 trap: candidates put operational artefacts in the build phase or vice versa.

ISO/IEC 27001:2022, Clause 6.1.3 (with ISO/IEC 27003:2017 guidance)

Q07 T-01 SoA vs Risk Treatment Plan

Per ISO/IEC 27001:2022 Clause 6.1.3 d), the Statement of Applicability shall contain:

  1. A. The full list of Annex A controls, ranked by residual risk after treatment
  2. B. The necessary controls, the justification for their inclusion, whether each is implemented, and the justification for excluding any Annex A control
  3. C. The audit programme, the audit findings from the most recent internal audit, and the corrective actions
  4. D. The risk treatment plan, the residual risks, and the management approvals for acceptance
Show my answer

Correct answer: B

Clause 6.1.3 d) lists exactly the four items in Option A: necessary controls, justifications for inclusion, implementation status, and justifications for any Annex A exclusions. Option B mis-frames the SoA as a risk-ranked list. Option C describes RTP content (Clause 6.1.3 e) and acceptance approvals) - the classic SoA-vs-RTP swap. Option D describes audit artefacts, which belong to Clause 9.2.

ISO/IEC 27001:2022, Clause 6.1.3 d)

Q08 T-01 SoA vs Risk Treatment Plan

An organisation has documented its risk acceptance criteria as 'risks with a residual rating of medium or below are acceptable to top management'. After treatment, a particular risk has a residual rating of 'high'. Per ISO/IEC 27001:2022, the appropriate next step is:

  1. A. Apply risk avoidance and cease the underlying activity
  2. B. Update the Risk Treatment Plan with additional controls, OR seek formal risk owner approval to retain the residual risk above criteria
  3. C. Document the residual risk in the SoA so it appears in the audit trail
  4. D. Update the risk acceptance criteria to permit high residual risks for this case
Show my answer

Correct answer: B

Clause 6.1.3 f) requires formal risk owner approval where residual risk falls outside the documented acceptance criteria, OR further treatment to bring it within criteria. Option A captures both legitimate paths. Option B changes the criteria to suit one risk, which corrupts the acceptance framework. Option C uses the SoA as a residual-risk register, which is the classic SoA-vs-RTP confusion - residuals belong in the risk register, not the SoA. Option D forces avoidance when acceptance with explicit approval is also valid.

ISO/IEC 27001:2022, Clause 6.1.3 f)

Q09 T-02 Implementation vs operation phase

Per ISO/IEC 27001:2022 Clause 10.2, when a nonconformity is identified during ISMS operation, the organisation shall:

  1. A. Treat it as an implementation gap and return to Clause 6 to redesign the affected control
  2. B. Defer corrective action until the next surveillance audit so the certification body can verify it
  3. C. Document the nonconformity in the SoA and re-issue at the next management review
  4. D. React, evaluate the need to eliminate the cause, implement actions, review effectiveness, and update the ISMS if necessary
Show my answer

Correct answer: D

Clause 10.2 prescribes a five-step sequence: react, evaluate the cause, implement actions, review effectiveness, update the ISMS if needed. Option A matches that. Option B uses the SoA as a corrective-action register (wrong artefact). Option C is the implementation-vs-operation phase trap: a nonconformity during operation is handled in Clause 10.2, not by returning to Clause 6. Option D delays corrective action beyond what the standard permits and mis-frames the certification body's role.

ISO/IEC 27001:2022, Clause 10.2

Q10 T-01 SoA vs Risk Treatment Plan

Per ISO/IEC 27001:2022 Clause 6.1.3 f), who must formally approve the residual information security risks at the end of the risk treatment process?

  1. A. The internal auditor, under Clause 9.2
  2. B. The risk owner, under Clause 6.1.3 f)
  3. C. Top management, under Clause 5.1
  4. D. The certification body, before initial certification
Show my answer

Correct answer: B

Clause 6.1.3 f) explicitly assigns residual-risk approval to the risk owner. Option B confuses risk-owner approval with top-management leadership commitment, which is a separate Clause 5.1 obligation. Option C invokes the internal auditor, who reviews but does not approve. Option D mis-frames the certification body: they review for conformance, not approve risk decisions. The 'who approves what' confusion is a SoA-vs-RTP-adjacent trap because candidates also conflate it with the management approvals around the RTP.

ISO/IEC 27001:2022, Clause 6.1.3 f)

You've seen ten. The bank holds 250+ questions.

Each one tagged with the trap pattern it tests, scheduled by an adaptive engine that targets only your weak clauses. 3-day free trial, card upfront, one-click cancel.

Start 3-day free trial