Organizational — ISO 27001 Practice Questions

Learning

Loading practice session...

Loading certificate…

Ready to learn

Sample questions — Organizational

1. According to ISO 27001, who is required to approve the high-level Information Security Policy (ISMS Policy) to satisfy the requirements of Clause 5.2?

A.The Chief Information Security Officer (CISO)
B.Top Management (e.g., Board of Directors or CEO)✓ Correct
C.The IT Director or Head of IT Operations
D.Management, which may be delegated to the Security Manager

Explanation

Clause 5.2 specifically requires Top Management (Board/CEO) to approve the high-level ISMS Policy. The CISO or IT Director may approve topic-specific policies under Annex A 5.1, but only Top Management can approve the singular ISMS Policy.

2. Under Annex A 5.1, who is authorized to approve topic-specific information security policies (e.g., Access Control Policy, Cryptographic Policy)?

A.Only the Board of Directors to ensure accountability
B.Top Management, as required for all security documentation
C.Management, which may include the CISO or relevant senior managers✓ Correct
D.All employees must vote to approve policies that affect their work

Explanation

Annex A 5.1 requires topic-specific policies to be approved by Management, which can be delegated to roles such as the CISO or IT Director. This differs from Clause 5.2, which mandates Top Management approval for the high-level ISMS Policy.

3. An organization publishes its information security policies on the corporate intranet and requires all employees to attend annual security awareness training that covers policy content. What requirement of Annex A 5.1 is still likely not being met?

A.The requirement for policies to be aligned with business strategy
B.The requirement for documented evidence of acknowledgement of understanding✓ Correct
C.The requirement for policies to be reviewed at planned intervals
D.The requirement for Top Management to establish the ISMS Policy

Explanation

Annex A 5.1 requires not just communication (publishing on intranet) or awareness (training), but documented acknowledgement that personnel have received, read, and understood the policies. This typically requires signed confirmation (physical or digital), distinguishing it from general awareness training under Annex A 6.3.

4. An organization reviewed its information security policies after three years, justifying the delay by stating 'no significant changes occurred in our operating environment.' An auditor would likely find this non-compliant with Annex A 5.1 for which reason?

A.Policies must be reviewed annually regardless of environmental changes
B.The organization failed to define and adhere to planned review intervals✓ Correct
C.Significant changes are the only valid trigger for policy review
D.Reviews must be conducted by external parties to ensure objectivity

Explanation

Annex A 5.1 requires reviews at 'planned intervals' (which must be defined by the organization, typically annually) and when significant changes occur. Simply waiting for changes is insufficient; the organization must have a defined schedule. While three years might be acceptable if formally justified as the planned interval, the justification 'no changes occurred' indicates an ad-hoc approach rather than a planned interval.

5. In the 'Governance Pyramid' model for ISO 27001 documentation, which document resides at the Peak (Level 1) and serves as the 'constitution' for the ISMS?

A.The Access Control Policy detailing user provisioning rules
B.The Clear Desk and Clear Screen Policy
C.The Information Security Policy (ISMS Policy) stating management intent✓ Correct
D.The Procedure for Incident Response

Explanation

The Peak of the pyramid (Clause 5.2) is the singular, high-level Information Security Policy approved by Top Management. Topic-specific policies like Access Control or Clear Desk reside at Layer 2 (Annex A 5.1), while Procedures reside at Layer 3.

Practice all 433+ questions in this domain

Start free practice →

Frequently asked questions

How many ISO 27001 practice questions are there for Organizational?↓

AnyCert has 433 ISO 27001 practice questions specifically for the Organizational domain, each with a detailed AI-tutored explanation.

Is Organizational heavily tested on the ISO 27001 exam?↓

Organizational is one of the core domains in the ISO 27001 exam blueprint. Mastering this domain is essential for passing. AnyCert's practice questions cover the full scope of testable topics in this domain.

How should I study the Organizational domain for ISO 27001?↓

Practice all 433 Organizational questions in AnyCert, review every explanation for missed answers, and use the AI tutor to clarify any concept. Focus on understanding the reasoning behind each answer, not just memorizing the correct choice.

Sample questions — Organizational

1. According to ISO 27001, who is required to approve the high-level Information Security Policy (ISMS Policy) to satisfy the requirements of Clause 5.2?

A.The Chief Information Security Officer (CISO)
B.Top Management (e.g., Board of Directors or CEO)✓ Correct
C.The IT Director or Head of IT Operations
D.Management, which may be delegated to the Security Manager

Explanation

2. Under Annex A 5.1, who is authorized to approve topic-specific information security policies (e.g., Access Control Policy, Cryptographic Policy)?

A.Only the Board of Directors to ensure accountability
B.Top Management, as required for all security documentation
C.Management, which may include the CISO or relevant senior managers✓ Correct
D.All employees must vote to approve policies that affect their work

Explanation

A.The requirement for policies to be aligned with business strategy
B.The requirement for documented evidence of acknowledgement of understanding✓ Correct
C.The requirement for policies to be reviewed at planned intervals
D.The requirement for Top Management to establish the ISMS Policy

Explanation

A.Policies must be reviewed annually regardless of environmental changes
B.The organization failed to define and adhere to planned review intervals✓ Correct
C.Significant changes are the only valid trigger for policy review
D.Reviews must be conducted by external parties to ensure objectivity

Explanation

5. In the 'Governance Pyramid' model for ISO 27001 documentation, which document resides at the Peak (Level 1) and serves as the 'constitution' for the ISMS?

A.The Access Control Policy detailing user provisioning rules
B.The Clear Desk and Clear Screen Policy
C.The Information Security Policy (ISMS Policy) stating management intent✓ Correct
D.The Procedure for Incident Response

Explanation

Practice all 433+ questions in this domain

Start free practice →

Frequently asked questions

How many ISO 27001 practice questions are there for Organizational?↓

AnyCert has 433 ISO 27001 practice questions specifically for the Organizational domain, each with a detailed AI-tutored explanation.

Is Organizational heavily tested on the ISO 27001 exam?↓

How should I study the Organizational domain for ISO 27001?↓