ISO 27000 Foundation Certification Cheat Sheet 2026

The 30 highest-yield ISO 27000 Foundation Certification facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

60 questions
60 min time limit
65% to pass
  1. Which clause of ISO/IEC 27001 deals with remedial action? 10.1
  2. Who is responsible for defining the scope of the ISMS in ISO 27001? Top management
  3. An organization's server room lacks a fire suppression system. According to the vocabulary of ISO 27000, this deficiency is best described as a(n): Vulnerability
  4. According to ISO 27001, who holds ultimate accountability for the ISMS? Top management
  5. What is the relationship between information security incident management and business continuity planning? Major security incidents may trigger business continuity plans, making them complementary
  6. What is meant by 'continual improvement' in the context of ISO 27001 governance? Recurring activities to enhance ISMS performance and effectiveness over time
  7. What has to be done as part of the monitoring, measuring, analysis, and evaluation process? Evaluate the effectiveness of the ISMS
  8. Where in the standard is a reference to controls and control goals to be found? Annex A
  9. What is the purpose of assigning information security roles and responsibilities in ISO 27001? To ensure accountability and clarity in protecting information assets
  10. What is a vulnerability as defined in the ISO 27000 vocabulary? A weakness of an asset or control that can be exploited by one or more threats
  11. In the context of an ISO 27001 ISMS, what is the primary responsibility of a 'Risk Owner'? To approve the risk treatment plan and accept the residual risk for a specific risk.
  12. Which of the following must be documented (in Clause 6) according to ISO 27001:2013? Risk assessment
  13. What must be included in an information security policy according to ISO 27001? Objectives and a commitment to satisfying applicable requirements
  14. What are the three core components of the CIA triad, as defined in ISO/IEC 27000, that an ISMS is designed to preserve? Confidentiality, Integrity, and Availability
  15. Which task must be completed while analyzing risks? Determine the likelihood of the occurrence of the risks
  16. Which benefit does running an information security management system NOT provide? Eliminate all information security vulnerabilities in the organization
  17. Which clause of ISO/IEC 27001 deals with operational planning and control? 8.1
  18. How frequently does ISO 27001 require information security objectives to be reviewed? At planned intervals and when significant changes occur
  19. What does "fulfillment of a requirement" mean in ISO 27001:2013? Conformity
  20. "The only emphasis of ISO 27001:2013 is the protection of personal information." False
  21. What is the significance of the 'Statement of Applicability' (SoA) in governance terms? It records which Annex A controls are applicable and justifies inclusions and exclusions
  22. Which of the following BEST describes the relationship between ISO/IEC 27001 and ISO/IEC 27002? ISO/IEC 27002 defines the audit process, while ISO/IEC 27001 lists the auditable controls.
  23. According to ISO 27000, what is an information security event? An identified occurrence indicating a possible breach of information security policy
  24. According to ISO 27001, which of the following is the primary purpose of monitoring, measurement, analysis, and evaluation of the ISMS? To evaluate information security performance and the effectiveness of the ISMS.
  25. According to ISO 27000, what is a 'threat' in information security? A potential cause of an unwanted incident that may result in harm to assets
  26. Which ISO standard specifically provides guidance on information security incident management? ISO 27035
  27. What is the PRIMARY purpose of the 'Act' phase within the ISMS PDCA cycle? To address nonconformities and make continual improvements to the ISMS.
  28. What is the primary role of a Computer Security Incident Response Team (CSIRT)? To coordinate and manage the organization's response to information security incidents
  29. Which activity DOES NOT fall under a certifying body's mandates and obligations? Advise how to fill the gaps found during a readiness assessment
  30. A weakness in a system's security procedures, design, implementation, or internal controls that could be exploited by a threat source is known as a: Vulnerability