
PECB ISO-IEC-27001 Foundation Exam

ISO/IEC 27001 (2022) Foundation Exam Online Practice

Last updated: October 10, 2025

You can use the online practice questions to gauge how well you know the PECB ISO-IEC-27001 Foundation exam material before deciding whether to register for the exam.

To pass the exam with a 100% success rate and save 35% of your preparation time, choose the ISO-IEC-27001 Foundation dumps (latest real exam questions), which currently include the 50 most recent exam questions and answers.


Question No : 1


Which of the following is required to be considered when selecting appropriate information security risk treatment options?

Answer:
Explanation:
Clause 6.1.3 (c) requires organizations to:
“compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary control has been omitted; and prepare a Statement of Applicability.” It also requires organizations to select risk treatment options considering “the organization’s risk acceptance criteria.”
This shows that risk acceptance criteria are a fundamental factor when selecting risk treatment options.
Options C and D are incorrect because Annex A and ISO/IEC 27002 are reference sets, not the sole sources of controls ― organizations can design their own. Criteria for performing risk assessments (B) are part of 6.1.2 (risk assessment process), not risk treatment.
Thus, the correct requirement is A: Criteria for accepting identified risks.

Question No : 2


Which is a control title within Annex A of ISO/IEC 27001?

Answer:
Explanation:
Detailed explanation based on the text of ISO/IEC 27002:2022:
In ISO/IEC 27002:2022, which provides control guidance for Annex A of ISO/IEC 27001, Clause 5.19 is titled “Information security in supplier relationships.”
This control requires organizations to ensure that information security is addressed in supplier agreements and relationships. It is part of the Organizational Controls theme. The other options are not control titles in Annex A:
“Responsibilities and procedures” (B) was used in older standards like ISO/IEC 27001:2005 but no longer exists.
“Protection of documents” (C) relates to document control but is not a specific Annex A control.
“Change control” (D) is relevant to ITIL/ITSM but not listed as a control title in Annex A.
Therefore, the correct Annex A control title is A: Information security in supplier relationships.

Question No : 3


Which information is required to be included in the Statement of Applicability?

Answer:
Explanation:
Clause 6.1.3 (d) requires that the organization “produce a Statement of Applicability that contains the necessary controls (see Annex A), and justification for inclusions, whether they are implemented or not, and the justification for exclusions.”
This is the defining requirement of the SoA: it documents which Annex A controls are relevant, which are implemented, and the justification for inclusion/exclusion. While the ISMS scope (A) is documented in Clause 4.3, and risk evaluation criteria (C) are defined in Clause 6.1.2, these do not belong in the SoA. The SoA does not describe the full risk assessment approach (B); that is part of the risk assessment methodology. Therefore, the mandatory requirement for the SoA is justification for including (or excluding) each information security control.

Question No : 4


Which action must top management take to provide evidence of its commitment to the establishment, operation and improvement of the ISMS?

Answer:
Explanation:
Clause 5.1 (Leadership and Commitment) requires top management to demonstrate leadership by:
“ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;”
“ensuring the integration of the ISMS requirements into the organization’s processes;”
“ensuring that the resources needed for the ISMS are available;”
Among the options, the one explicitly mandated is ensuring that information security objectives are established. Risk assessments (C) and implementing audit actions (D) are responsibilities of management but not the direct leadership evidence required in Clause 5.1. Communicating interested party feedback (A) is relevant but not specifically cited as leadership evidence. Thus, the verified answer is B.

Question No : 5


Which International Standard can be used to implement an integrated management system with ISO/IEC 27001?

Answer:
Explanation:
ISO/IEC 27013 provides specific guidance on the integration of ISO/IEC 27001 (Information Security Management) and ISO/IEC 20000-1 (IT Service Management). It offers practical advice for organizations seeking a unified management system approach. While ISO/IEC 27003 (A) provides guidance on ISMS implementation, it does not address integration. ISO 9001 (C) is the Quality Management Standard and can be integrated, but the specific standard designed for integrating 27001 with ITSM is ISO/IEC 27013.
Therefore, the correct answer is B: ISO/IEC 27013, as it is explicitly published for this purpose.

Question No : 6


To whom are the information security policies required to be communicated, according to the control in Annex A of ISO/IEC 27001?

Answer:
Explanation:
Detailed explanation based on the text of ISO/IEC 27002:2022:
Annex A.5.1 (Policies for information security) clearly specifies:
“Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties…”
This means the communication obligation is not limited to top management (A) or only ISMS staff (B), nor does it stop at employees only (C). Instead, ISO/IEC 27001/27002 mandate a broader scope: all relevant personnel and relevant interested parties must be informed. This ensures both internal stakeholders (employees, contractors, temporary staff) and external interested parties (suppliers, partners, regulators, customers, etc.) receive the right policy communications where applicable. Therefore, the correct and verified answer is D.

Question No : 7


Which ISMS documentation is part of the minimum scope of documented information required to be managed and controlled?

Answer:
Explanation:
Clause 7.5 (Documented Information) specifies that organizations must maintain documentation necessary for the effectiveness of the ISMS. Additionally, Clause 9.3 (Management Review) requires “records of decisions related to continual improvement opportunities” as an output of management review. This is a core requirement and forms part of the documented information that must be retained and controlled. Third-party materials (B), budgets (C), and cross-reference statements to other ISO standards (D) are not required by ISO/IEC 27001. Only documents that directly demonstrate compliance, decision-making, and continual improvement are mandated. Therefore, the verified minimum required documentation includes records of management review decisions related to continual improvement, confirming Answer A.

Question No : 8


Who determines the number of days required for a certification audit?

Answer:
Explanation:
Certification audits are carried out by Certification Bodies (CBs), not the organization itself. ISO/IEC 27001 requires external certification audits to be independent, impartial, and objective. According to ISO/IEC 27006 (Requirements for bodies providing audit and certification of ISMS), the Certification Body determines the audit duration and number of audit days based on factors such as organizational size, complexity, scope, and risk environment. This ensures consistency across organizations and prevents manipulation by the auditee. ISO/IEC 27001 Clause 9.2 and 9.3 address internal audit and management review, but the determination of certification audit days is outside the organization’s control; it rests solely with the accredited Certification Body auditors. Thus, Answer B is correct, as the CB’s external auditor formally calculates and assigns the audit

Question No : 9


Identify the missing word(s) in the following sentence.
When planning the ISMS, the organization is specifically required to plan actions to address risks and opportunities and how to [ ? ] these actions.

Answer:
Explanation:
Clause 6.1.1 (Planning) states:
“The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to:
integrate and implement the actions into its ISMS processes; and
evaluate the effectiveness of these actions.”
This confirms the missing words are “evaluate the effectiveness of”. Communication (A), applying resources (B), and improving effectiveness (C) are important concepts elsewhere but not the direct requirement stated in this clause.

Question No : 10


What is the name of the control clause used to control information security breaches within Annex A of ISO/IEC 27001?

Answer:
Explanation:
Detailed explanation based on the text of ISO/IEC 27002:2022:
Annex A in ISO/IEC 27001 refers directly to ISO/IEC 27002 for control guidance. In ISO/IEC 27002:2022, Clause 6.8 is titled “Information security event reporting”, with the control text: “Information security events should be reported through appropriate management channels as quickly as possible.”
This control ensures breaches, incidents, or suspected issues are reported for action. The other options (B, C, D) are not the exact titles in Annex A. The official title is Information security event reporting, confirming Answer A.

Question No : 11


Identify the missing word in the following sentence.
The organization shall determine the [ ? ] of interested parties relevant to information security.

Answer:
Explanation:
Clause 4.2 of ISO/IEC 27001:2022 states:
“The organization shall determine: a) interested parties that are relevant to the information security management system; b) the relevant requirements of these interested parties; c) which of these requirements will be addressed through the ISMS.”
This confirms that the missing word is requirements. Neither number, structure, nor influence are specified in the standard.

Question No : 12


Which output is a required result from risk analysis?

Answer:
Explanation:
Clause 6.1.2 (d) states that during risk analysis, the organization shall:
“assess the potential consequences that would result if the risks identified… were to materialize;”
“assess the realistic likelihood of the occurrence of the risks identified;”
“determine the levels of risk.”
This makes it clear that the required output of risk analysis is the determined levels of risk. Risk acceptance criteria (A) are set earlier in 6.1.2(a), treatment control options (C) belong to 6.1.3, and prioritization (D) is part of risk evaluation (6.1.2 e). Therefore, the verified correct output is B: Determined levels of risk.

Question No : 13


In which clause would the requirements for internal audit be found?

Answer:
Explanation:
The requirements for internal audit are explicitly placed in Clause 9.2 (Performance Evaluation) of ISO/IEC 27001:2022.
The standard requires:
“The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system… conforms to the organization’s own requirements… and to the requirements of this document.” (9.2.1)
“The organization shall plan, establish, implement and maintain an audit programme(s)…” (9.2.2)
This clause clearly falls under Performance Evaluation (Clause 9), not Planning (Clause 6), Operation (Clause 8), or Improvement (Clause 10). Therefore, the correct answer is C.

Question No : 14


In an audit, what is the definition of an observation?

Answer:
Explanation:
ISO/IEC 27001 mandates internal audits (Clause 9.2) and continual improvement (Clause 10.1) but does not define the specific audit term “observation.” However, the audit framework in 9.2 requires an audit programme and impartial auditors, and management review inputs include “feedback on the information security performance including trends in… audit results” and “opportunities for continual improvement.” The companion implementation guidance (ISO/IEC 27002) reinforces the concept of opportunities for improvement in the review of policies: “The reviews should include assessing opportunities for improvement and the need for changes to the approach to information security…” In practical ISO audit usage (aligned with ISO 19011 guidance referenced in the Study Guide), an observation is a recorded conformity where improvement is advisable―commonly termed an Opportunity for Improvement (OFI). The Study Guide’s internal audit section emphasizes running an audit programme to identify “potential areas of weakness or non-compliance,” supporting the notion of recording improvement opportunities alongside nonconformities. Therefore, within ISO/IEC 27001 audit practice, the best-fit definition is B: a conformity where there is an opportunity for improvement.

Question No : 15


Which activity is a required element of information security risk identification?

Answer:
Explanation:
Clause 6.1.2 defines the mandatory elements of risk assessment. Under risk identification, the standard requires: “identifies the information security risks: 1) apply the information security risk assessment process to identify risks…; and 2) identify the risk owners.” By contrast, considering likelihood and determining levels of risk (options B and D) are part of risk analysis (6.1.2 d: “assess the realistic likelihood…”; “determine the levels of risk”), and prioritization for treatment (option C) is part of risk evaluation (6.1.2 e: “prioritize the analysed risks for risk treatment”). Therefore, the specific activity that belongs to risk identification is to identify the risk owners. This sequencing is prescribed to ensure each risk has a designated owner responsible for decisions on treatment and acceptance downstream.
