People — ISO 27001 Practice Questions

Learning

Loading practice session...

Loading certificate…

Ready to learn

Sample questions — People

1. According to ISO 27001 Control 6.1, when must background verification checks on personnel be conducted?

A.Only during the recruitment process prior to employment
B.Prior to joining and on an ongoing basis throughout employment✓ Correct
C.Only when personnel are promoted to sensitive positions
D.Annually for all employees regardless of role or risk level

Explanation

Control 6.1 explicitly requires screening prior to joining AND on an ongoing basis. While promotion (option C) may trigger re-screening, it is not the only ongoing requirement. Option A misses the ongoing requirement entirely, and option D violates the proportionality principle by mandating uniform annual checks regardless of risk.

2. An organization conducts enhanced criminal background checks, credit checks, and security clearance verification for all employees including administrative staff with no access to sensitive information. As an auditor, what is the appropriate finding regarding Control 6.1?

A.Conformity because comprehensive screening demonstrates due diligence
B.Minor non-conformity because the organization should focus only on C-suite executives
C.Non-conformity because screening must be proportional to business requirements, information classification, and risks✓ Correct
D.Conformity because legal compliance always requires maximum screening depth

Explanation

This violates the 'proportional' requirement in Control 6.1. Screening depth must match information classification, business requirements, and risk assessment results. While well-intentioned, uniform maximum screening for low-risk roles wastes resources and likely infringes privacy principles by processing excessive personal data without justification.

3. Which three elements constitute the mandatory verification content ('Big Three') under Control 6.1 screening requirements?

A.Identity, criminal record, and financial history
B.Identity, qualifications, and references✓ Correct
C.Nationality, medical history, and employment history
D.Biometric data, social media activity, and political affiliations

Explanation

Control 6.1 specifically requires verification of identity (are they who they claim to be?), qualifications (can they do the job?), and references (what is their track record?). While criminal records and financial history may be included for high-risk roles, they are not the universal core requirements. Medical history and political affiliations are generally restricted by privacy laws.

4. A developer with access to confidential data is promoted to Database Administrator with access to customer PII and top-secret architectural plans. According to Control 6.1, what must the organization do regarding screening?

A.Rely on the original pre-employment screening as it remains valid indefinitely
B.Conduct re-screening appropriate to the new role's increased risk level and information classification✓ Correct
C.Wait until the next annual company-wide re-screening cycle
D.Only update the employment contract terms under Control 6.2 without additional verification

Explanation

Control 6.1 requires ongoing screening, which includes trigger-based re-screening upon significant role changes. When an employee's access level changes (especially to higher classification information), the screening level must be re-evaluated and potentially upgraded. This reflects both the 'ongoing' and 'proportional' requirements.

5. When implementing Control 6.1 screening procedures involving criminal record checks, which principle takes precedence if local jurisdiction prohibits such checks for certain roles?

A.Security always takes precedence; proceed with the checks to ensure information security
B.Legal compliance takes precedence; adhere to jurisdictional restrictions even if it reduces screening depth✓ Correct
C.Business requirements take precedence; conduct the checks if the business justifies the risk
D.Proportionality takes precedence; modify the check intensity but still conduct some form of criminal screening

Explanation

While Control 6.1 requires appropriate screening, it must be implemented in compliance with applicable laws and regulations. Legal restrictions on processing certain types of personal data (like criminal records) take precedence over the standard's requirements. The organization must find alternative controls or accept the residual risk within legal boundaries.

Practice all 96+ questions in this domain

Start free practice →

Frequently asked questions

How many ISO 27001 practice questions are there for People?↓

AnyCert has 96 ISO 27001 practice questions specifically for the People domain, each with a detailed AI-tutored explanation.

Is People heavily tested on the ISO 27001 exam?↓

People is one of the core domains in the ISO 27001 exam blueprint. Mastering this domain is essential for passing. AnyCert's practice questions cover the full scope of testable topics in this domain.

How should I study the People domain for ISO 27001?↓

Practice all 96 People questions in AnyCert, review every explanation for missed answers, and use the AI tutor to clarify any concept. Focus on understanding the reasoning behind each answer, not just memorizing the correct choice.

Sample questions — People

1. According to ISO 27001 Control 6.1, when must background verification checks on personnel be conducted?

A.Only during the recruitment process prior to employment
B.Prior to joining and on an ongoing basis throughout employment✓ Correct
C.Only when personnel are promoted to sensitive positions
D.Annually for all employees regardless of role or risk level

Explanation

A.Conformity because comprehensive screening demonstrates due diligence
B.Minor non-conformity because the organization should focus only on C-suite executives
C.Non-conformity because screening must be proportional to business requirements, information classification, and risks✓ Correct
D.Conformity because legal compliance always requires maximum screening depth

Explanation

3. Which three elements constitute the mandatory verification content ('Big Three') under Control 6.1 screening requirements?

A.Identity, criminal record, and financial history
B.Identity, qualifications, and references✓ Correct
C.Nationality, medical history, and employment history
D.Biometric data, social media activity, and political affiliations

Explanation

A.Rely on the original pre-employment screening as it remains valid indefinitely
B.Conduct re-screening appropriate to the new role's increased risk level and information classification✓ Correct
C.Wait until the next annual company-wide re-screening cycle
D.Only update the employment contract terms under Control 6.2 without additional verification

Explanation

5. When implementing Control 6.1 screening procedures involving criminal record checks, which principle takes precedence if local jurisdiction prohibits such checks for certain roles?

A.Security always takes precedence; proceed with the checks to ensure information security
B.Legal compliance takes precedence; adhere to jurisdictional restrictions even if it reduces screening depth✓ Correct
C.Business requirements take precedence; conduct the checks if the business justifies the risk
D.Proportionality takes precedence; modify the check intensity but still conduct some form of criminal screening

Explanation

Practice all 96+ questions in this domain

Start free practice →

Frequently asked questions

How many ISO 27001 practice questions are there for People?↓

AnyCert has 96 ISO 27001 practice questions specifically for the People domain, each with a detailed AI-tutored explanation.

Is People heavily tested on the ISO 27001 exam?↓

People is one of the core domains in the ISO 27001 exam blueprint. Mastering this domain is essential for passing. AnyCert's practice questions cover the full scope of testable topics in this domain.

How should I study the People domain for ISO 27001?↓