ISO 42001 LA / Free Practice

ISO 42001 Lead Auditor Free Practice Questions.

Ten free questions from the ISO 42001 Lead Auditor bank, each tagged with the trap pattern it tests. Reveal the answer to see the cited clause and a plain-English rationale.

No card needed to read the answers below. Trial only required to access the full adaptive bank.

Q01 T-01 AI impact vs AI risk assessment

Per ISO/IEC 42001:2023, an organisation determines that a recruitment-screening AI may affect candidates who do not interact with the organisation directly. Which assessment is the appropriate vehicle to document this concern?

  1. A. The organisation's privacy impact assessment, separate from the AIMS
  2. B. The Risk Treatment Plan (Clause 6.1.3) once treatment options are selected
  3. C. AI system impact assessment (Clause 6.1.4) - because the concern is about effects on individuals and groups
  4. D. AI risk assessment (Clause 6.1.2) - because all 42001 concerns flow through the risk register
Show my answer

Correct answer: C

ISO/IEC 42001:2023 separates two distinct artefacts: AI risk assessment (Clause 6.1.2) addresses risks to the organisation's own AI objectives, and AI system impact assessment (Clause 6.1.4) addresses impacts on individuals, groups, and societies. Effects on candidates external to the organisation belong in the impact assessment. Option B is the textbook T-01 trap - sending the concern to the risk register when impact assessment is the correct artefact. Option C bypasses the AIMS, which is incorrect when AI is in scope. Option D mis-orders the artefact chain.

ISO/IEC 42001:2023, Clauses 6.1.2 and 6.1.4

Q02 T-02 AIMS scope vs AI system scope

An organisation is defining its ISO/IEC 42001 AIMS scope. They operate three AI systems: a chatbot, a fraud detector, and an internal HR-screening tool. Which statement correctly distinguishes AIMS scope from AI system scope?

  1. A. The AIMS scope (Clause 4.3) defines the organisational boundary of the management system; each AI system has its own scope describing purpose, inputs, outputs and operational context
  2. B. The AIMS scope IS the list of AI systems in scope - they are the same artefact
  3. C. Individual AI systems do not need separate scoping once the AIMS scope is defined
  4. D. Each AI system's scope must match the AIMS scope exactly to maintain conformance
Show my answer

Correct answer: A

ISO/IEC 42001:2023 Clause 4.3 defines the AIMS scope - the organisational and functional boundary of the management system. Each AI system within scope has its own context-of-use scope describing what it does, the data it processes, and where it operates. Option B is the T-02 trap: collapsing two distinct scoping decisions into one. Options C and D either remove the system-level scope or force it to match the AIMS scope - both corrupt the standard's two-level model.

ISO/IEC 42001:2023, Clause 4.3

Q03 T-03 AI roles vs generic management roles

ISO/IEC 42001:2023 introduces specific role concepts to AIMS governance. An auditor reviewing role assignments should expect to see explicit assignment of:

  1. A. Risk owners for AI risks and parties responsible for AI impact assessment, alongside the generic top-management role under Clause 5.1
  2. B. Only the generic top-management role from Clause 5.1, as 42001 inherits roles from 27001 without addition
  3. C. The Information Security Officer role, repurposed to cover AI governance
  4. D. Three independent AI ethics officers, one per AI system in scope
Show my answer

Correct answer: A

ISO/IEC 42001:2023 introduces AI-specific responsibilities - risk owners for AI risks under Clause 6.1.3, and parties responsible for AI impact assessment under Clause 6.1.4 - in addition to generic management-system roles, because AI governance touches both technical and societal concerns that the standard treats distinctly. Option B is the T-03 trap: claiming 42001 inherits 27001 roles verbatim understates the AI-specific structure. Option C wrongly repurposes a 27001 role. Option D invents a structural rule (one ethics officer per system) the standard does not prescribe.

ISO/IEC 42001:2023, Clauses 5.3 and 6.1

Q04 T-01 AI impact vs AI risk assessment

An ISO/IEC 42001 implementer is preparing to onboard a new AI system into the AIMS. Per the standard, which assessment(s) must be completed before the AI system is deployed into operation?

  1. A. Only the AI system impact assessment - the risk assessment is performed at the AIMS level, not the system level
  2. B. Both the AI risk assessment AND the AI system impact assessment, because they address distinct concerns and neither substitutes for the other
  3. C. Only the AI risk assessment - the impact assessment is required only for AI systems with consumer-facing outputs
  4. D. Neither at deployment - both are performed during the first management review after operation begins
Show my answer

Correct answer: B

ISO/IEC 42001:2023 requires both assessments. Clause 6.1.2 risk assessment covers risks to the organisation's AI objectives; Clause 6.1.4 impact assessment covers impacts on individuals, groups, and societies. The two are distinct artefacts and neither substitutes for the other (T-01 trap). Option B introduces a consumer-facing carve-out the standard does not contain. Option C wrongly disaggregates the two assessments by level. Option D defers both, contradicting the planning-before-operation logic of Clauses 6 and 8.

ISO/IEC 42001:2023, Clauses 6.1.2 and 6.1.4

Q05 T-02 AIMS scope vs AI system scope

Mid-cycle, the organisation decommissions one of three AI systems within its AIMS scope. Per ISO/IEC 42001:2023, the appropriate response is:

  1. A. Update the AI system inventory and the relevant AI system impact assessments; the AIMS scope itself only changes if decommissioning materially alters the organisational boundary
  2. B. Take no documented action - the AIMS scope is set at certification and does not change
  3. C. Update the AIMS scope statement to remove the decommissioned system
  4. D. Trigger a full AIMS recertification because scope has changed
Show my answer

Correct answer: A

ISO/IEC 42001:2023 Clause 4.3 sets the AIMS scope at the organisational and functional level. Removing one AI system from operation is a change to the AI system inventory (a Clause 7.5 documented-information matter) and to the impact and risk assessments for that system, but it does not automatically alter the AIMS scope unless the organisational boundary is materially affected. Option B is the T-02 trap: confusing the AIMS scope with the inventory of AI systems within it. Option C overreacts; Option D under-reacts.

ISO/IEC 42001:2023, Clauses 4.3 and 7.5

Q06 T-03 AI roles vs generic management roles

Per ISO/IEC 42001:2023, who has formal responsibility for approving residual AI risks after treatment?

  1. A. The certification body's lead auditor, before issuing the certificate
  2. B. The AI system's product manager, because they own the system's outputs
  3. C. The risk owner identified in the AI risk assessment, mirroring the 27001 model where risk-owner approval is distinct from top-management leadership
  4. D. Top management, because the AI policy under Clause 5.2 is a top-management artefact
Show my answer

Correct answer: C

ISO/IEC 42001:2023 mirrors ISO/IEC 27001's split: the risk owner approves residual AI risks (a per-risk responsibility), while top management owns leadership commitment and the AI policy (a system-wide responsibility under Clause 5). Option A keeps these distinct. Option B is the T-03 trap: collapsing risk-owner approval into top-management responsibility because 'AI policy is top-management'. Option C invents a product-manager role for residual-risk approval. Option D mis-frames the auditor's role - certification bodies review for conformance, they do not approve risk decisions.

ISO/IEC 42001:2023, Clauses 6.1.3, 5.1 and 5.2

Q07 T-01 AI impact vs AI risk assessment

Per ISO/IEC 42001:2023 Clause 6.1.4, an AI system impact assessment should address:

  1. A. Compliance impact under privacy regulations only
  2. B. Potential consequences of the AI system for individuals, groups of individuals, and societies, in identified contexts of use
  3. C. The likelihood and severity of organisational risks the AI system creates
  4. D. Financial impact to the organisation if the AI system underperforms or fails
Show my answer

Correct answer: B

Clause 6.1.4 directs the impact assessment at consequences for individuals, groups, and societies, in identified contexts of use. This is the differentiator from the AI risk assessment (Clause 6.1.2), which addresses organisational risk. Option B re-frames the impact assessment as financial-to-organisation, which is risk territory. Option C is verbatim risk-assessment language - the T-01 swap. Option D narrows impact to one compliance domain when the standard scopes broader societal impact.

ISO/IEC 42001:2023, Clause 6.1.4

Q08 T-02 AIMS scope vs AI system scope

An organisation operates an AI system trained on third-party data and now runs inference on customer inputs. Per ISO/IEC 42001:2023 (with ISO/IEC 23894:2023 guidance), the AI system scope should cover:

  1. A. Only the inference phase, because training was completed by a third party and is out of scope
  2. B. Only the training phase, because that is where the model's behaviour is determined
  3. C. Both the training phase (including the third-party data source) and the inference phase across the AI lifecycle the organisation operates
  4. D. Only the deployed model artefacts, not the data pipelines around them
Show my answer

Correct answer: C

ISO/IEC 42001:2023 (with ISO/IEC 23894:2023 guidance) treats the AI system scope as covering the AI lifecycle the organisation operates: design, development, deployment, operation. A model trained externally then deployed internally is still in scope for the phases the organisation is responsible for, training-data lineage included. Option B is the T-02 trap: confining system scope to the operational moment and excluding the training source the organisation relies on. Option C is the inverse mistake. Option D is too narrow.

ISO/IEC 42001:2023 with ISO/IEC 23894:2023 (AI lifecycle guidance)

Q09 T-03 AI roles vs generic management roles

A new AI governance role appears in an organisation's AIMS documentation: 'AI Ethics Officer'. Per ISO/IEC 42001:2023, how should this role be evaluated by the auditor?

  1. A. The role is equivalent to the ISO/IEC 27001 Information Security Officer and inherits its responsibilities
  2. B. The role is mandatory under Clause 5.3 and the auditor should raise a nonconformity if absent
  3. C. The standard does not prescribe an AI Ethics Officer specifically; verify the role's responsibilities map to standard roles (risk owners, impact owners, top management) and that gaps or duplications are documented
  4. D. The role is informative only and out of audit scope
Show my answer

Correct answer: C

ISO/IEC 42001:2023 names role concepts (risk owners, impact owners, top management) but does not prescribe specific job titles. Organisations frequently invent AI Ethics Officer roles; the auditor's job is to map declared roles to the standard's role concepts, not to require or reject specific titles. Option A captures this. Option B over-applies the standard (T-03 trap: inventing a mandatory role the standard does not name). Option C wrongly imports a 27001 role. Option D removes the role from audit scope, which is incorrect once the organisation has assigned responsibilities to it.

ISO/IEC 42001:2023, Clause 5.3

Q10 T-01 AI impact vs AI risk assessment

An ISO/IEC 42001 auditor reviews the organisation's risk register and notes that 'societal harm severity' is being used as a factor in the risk-scoring formula. Per the standard, this is:

  1. A. Correct practice - risk-scoring should incorporate all factors that affect the organisation's risk exposure
  2. B. Required - risk-scoring under 42001 must include societal harm to be conformant
  3. C. A mis-mapping - societal harm severity belongs in the AI system impact assessment (Clause 6.1.4), not the risk assessment (Clause 6.1.2); flag the conflation
  4. D. Optional - 42001 does not specify the inputs to risk-scoring
Show my answer

Correct answer: C

Clause 6.1.2 risk assessment addresses risks to the organisation's AI objectives; Clause 6.1.4 impact assessment addresses consequences for individuals, groups, and societies. The two are distinct artefacts with distinct scoring rationales. Mixing societal harm severity into the organisational risk-scoring formula is the T-01 confusion at scoring level - it makes the risk register do work that belongs in the impact register. Option B sanctions the conflation. Option C dismisses the structural distinction. Option D inverts the standard's separation.

ISO/IEC 42001:2023, Clauses 6.1.2 and 6.1.4

ISO 42001 mock exam

These ten questions are a sample, not a full mock. A complete ISO 42001 mock exam runs to the real format - for the PECB Lead Auditor sitting that is 80 multiple-choice questions in three hours, open book, with a 70% pass mark. The format differs slightly across CQI/IRCA, Exemplar Global and TRECCERT, but the ISO/IEC 42001:2023 content does not.

Mindset Prep's full bank includes a timed mock mode so you can rehearse pacing and stamina under exam conditions, then review every missed clause. There are no official 42001 past papers, so each question is grounded in a cited clause and SME-verified rather than scraped from a dump.

ISO 42001 sample questions

The questions above are genuine ISO 42001 Lead Auditor sample questions, free to read with no sign-up. Reveal each answer to see the correct option, the exact clause it rests on, and a plain-English rationale.

Each sample is tagged with the trap pattern it tests, so you can see the specific distinctions the exam probes - AI impact versus AI risk assessment, AIMS scope versus AI system scope, and AI-specific roles versus generic management roles.

Work through all ten, then continue into the full adaptive bank, which widens coverage across every AIMS clause and schedules review on the patterns you find hardest.

You've seen ten. The bank holds 250+ questions.

Each one tagged with the trap pattern it tests, scheduled by an adaptive engine that targets only your weak clauses. 3-day free trial, card upfront, one-click cancel.

Start 3-day free trial