You can stand up a Statement of Applicability in your sleep. You have walked organisations through risk treatment a half-dozen times. The exam should be straightforward - and yet, every year, experienced implementers fail it.
This guide is the prep plan that closes the gap for the experienced practitioner sitting Lead Implementer. It applies whether you are sitting with PECB, CQI/IRCA, Exemplar Global or TRECCERT (the four personnel certifiers), or training via BSI, TUV or DNV whose courses are typically CQI/IRCA-accredited. The exam format differs slightly between providers but the underlying knowledge - ISO/IEC 27001:2022, ISO/IEC 27003:2017 implementation guidance, and ISO/IEC 27005:2022 risk-management guidance - is identical.
(PECB)
limit
pre-tab
controls
What you are actually being tested on
Lead Implementer exams test three things, in roughly equal measure:
- Standard requirements - clause-by-clause recall of what 27001:2022 actually mandates, and how it maps to ISO/IEC 27003 implementation guidance.
- Implementation lifecycle judgement - given a scenario, can you tell where in the build the organisation is, and what comes next.
- Risk and control judgement - can you read a risk-treatment scenario and choose the artefact, the control, and the option (accept / mitigate / transfer / avoid) that the standard says applies.
Almost everyone walks in knowing the content. Almost no-one walks in knowing how the exam will misuse the content to test whether they really know it.
The three traps that catch most candidates
Across the candidates we have coached, the same three trap patterns account for the majority of avoidable losses.
LI-specific
SoA vs Risk Treatment Plan
This is the single most-asked artefact-swap question on Lead Implementer exams. Two artefacts you write in real life. Two artefacts every exam swaps in the wrong options.
Clause 6.1.3.d
Statement of Applicability
Annex A controls list. Mandatory under 27001. Says which Annex A controls are IN scope and justifies inclusions AND exclusions.
Clause 6.1.3.e
Risk Treatment Plan
Says HOW the selected risks will be treated, by whom, by when. Operational artefact, distinct from the SoA.
The exam will hand you a scenario - “the organisation has just completed its risk assessment. What comes next?” - and the wrong answers will swap the two. Knowing them is not the same as ranking them under time pressure. Drill the distinction until your eye stops being fooled.
LI-specific
Implementation phase vs operation phase
You read a scenario and your brain answers for where YOU would be if you were doing this work. The exam is asking where the candidate-implementer SHOULD be according to the standard’s lifecycle. Those two are not always the same.
A scenario that says “the organisation has just completed the Statement of Applicability” places you somewhere specific in Planning (clause 6). A scenario that mentions “after the controls have been implemented” places you in Operation (clause 8). Wrong-option answers will sit one phase off.
LI-specific
Risk treatment verb swap
Four risk-treatment options. The classical wording most courses teach is “accept, transfer, mitigate, avoid”; ISO/IEC 27005:2022 itself uses “modify, retain, avoid, share”. Whichever vocabulary your course uses, every Lead Implementer exam swaps the verbs subtly in the wrong options - “transfer” where “mitigate” is correct, “retain” where “modify” is correct - and a fast reader misses it. Mindset Prep tags every variant of this pattern in the question bank and resurfaces it until the wrong verb visibly jumps off the page.
There is a fourth, related trap: confusing inclusion criteria with treatment options. A control being IN the SoA does not tell you how the underlying risk is treated; the treatment option is its own artefact decision. Practise reading questions where one is in question and the other is in good shape.
ISO 27003 depth - and why most candidates underdo it
Lead Implementer exams lean heavily on ISO/IEC 27003 for the implementation lifecycle content. Most candidates underdo it because the course materials focus on 27001 itself.
27003 hotspots
Scan 27003 for the box-level guidance.
The exam will hand you a scenario whose right answer sits in one of the implementation-guidance boxes that sit alongside each 27001 clause, not in the 27001 clause itself.
The 27003 content that comes up most:
- Establishing the ISMS - context analysis, scope-setting, leadership commitment.
- Risk and applicability - risk assessment method, risk treatment, SoA structure.
- ISMS operation - awareness, communication, documented information control, operational planning, monitoring.
- Continual improvement - nonconformity, corrective action, management review inputs and outputs.
Open-book strategy
Most Lead Implementer exams (PECB in particular) are open-book. The same rules apply as on any open-book exam: open-book means you can verify, not learn.
Two LI specifics
Pre-tab three. Tab Annex A by family, not by number.
ISO/IEC 27001:2022, ISO/IEC 27003:2017, ISO/IEC 27005:2022. Number-tab the main-body clauses + the matching 27003 sections + the 27005 risk-management chapters.
The Annex A control numbering changed in the 2022 revision; tabbing by family (Organisational, People, Physical, Technological) makes lookup faster under stress than tabbing by 5.X / 6.X / 7.X / 8.X numbers.
Time management
A 12-question, 3-hour PECB exam gives you 15 minutes per question with no buffer. Real timing:
identify phase
clause ref
verbs
question
The biggest time sink for Lead Implementer candidates is over-reading. Implementers tend to read every scenario as if they were going to build it; you are not. Read enough to identify what the exam is asking, write, move on.
The 2-to-4-week plan
If you are 2 weeks out:
- Days 1-4: Go through your course material end-to-end - the slides, handouts, exercises from the five-day course. Most candidates need ~4 focused days for this. Focus on clauses 6 (planning - all of it), 7.5 (documented information), 8 (operation), 9.2 (internal audit), 10.2 (nonconformity). Cross-reference each clause to its 27003 box.
- Days 5-8: Active retrieval only. Drop the re-reading. Practice questions with rationales in Mindset Prep. Focus on artefact-pair questions (SoA vs RTP, risk assessment vs risk register).
- Days 9-11: One full mock under timed conditions. Score yourself honestly. Note every phase-confusion and every treatment-verb slip.
- Days 12-13: Targeted re-read of the course-material sections + clauses + 27003 boxes you got wrong. Drill the trap patterns Mindset Prep surfaced in the mock.
- Day 14: Light review, light exercise, early sleep. Do not study the night before.
If you are 4 weeks out, double the active-retrieval phase and add a second mock exam. Resist the temptation to re-read 27001 cover-to-cover - the lowest-ROI prep activity available to you.
The single biggest failure pattern
After hundreds of Lead Implementer candidates, the most common failure pattern is over-trust in real-world experience. Experienced implementers walk in confident that “they would handle it this way at work” and lose marks because the standard says otherwise.
The exam does not test what YOU would do. It tests what the STANDARD says to do. Active practice with tagged trap patterns - knowing which trap each wrong answer uses - is what fixes the gap between the two.
Where to start
Try the 10 free ISO 27001 Lead Implementer practice questions. Each is tagged with the trap pattern it tests and the exact 27001 or 27003 clause it draws from. If three or more catch you out, the full adaptive bank (260+ 27001 LI questions, alongside the 27001 LA + 42001 LA + 42001 LI banks) is the next logical step. The 3-day free trial gets you in.