ISO 27000 Foundation Certification Cheat Sheet 2026
The 30 highest-yield ISO 27000 Foundation Certification facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
60 questions
60 min time limit
65% to pass
- Which clause of ISO/IEC 27001 deals with remedial action? → 10.1
- Who is responsible for defining the scope of the ISMS in ISO 27001? → Top management
- An organization's server room lacks a fire suppression system. According to the vocabulary of ISO 27000, this deficiency is best described as a(n): → Vulnerability
- According to ISO 27001, who holds ultimate accountability for the ISMS? → Top management
- What is the relationship between information security incident management and business continuity planning? → Major security incidents may trigger business continuity plans, making them complementary
- What is meant by 'continual improvement' in the context of ISO 27001 governance? → Recurring activities to enhance ISMS performance and effectiveness over time
- What has to be done as part of the monitoring, measuring, analysis, and evaluation process? → Evaluate the effectiveness of the ISMS
- Where in the standard is a reference to controls and control goals to be found? → Annex A
- What is the purpose of assigning information security roles and responsibilities in ISO 27001? → To ensure accountability and clarity in protecting information assets
- What is a vulnerability as defined in the ISO 27000 vocabulary? → A weakness of an asset or control that can be exploited by one or more threats
- In the context of an ISO 27001 ISMS, what is the primary responsibility of a 'Risk Owner'? → To approve the risk treatment plan and accept the residual risk for a specific risk.
- Which of the following must be documented (in Clause 6) according to ISO 27001:2013? → Risk assessment
- What must be included in an information security policy according to ISO 27001? → Objectives and a commitment to satisfying applicable requirements
- What are the three core components of the CIA triad, as defined in ISO/IEC 27000, that an ISMS is designed to preserve? → Confidentiality, Integrity, and Availability
- Which task must be completed while analyzing risks? → Determine the likelihood of the occurrence of the risks
- Which benefit does running an information security management system NOT provide? → Eliminate all information security vulnerabilities in the organization
- Which clause of ISO/IEC 27001 deals with operational planning and control? → 8.1
- How frequently does ISO 27001 require information security objectives to be reviewed? → At planned intervals and when significant changes occur
- What does "fulfillment of a requirement" mean in ISO 27001:2013? → Conformity
- "The only emphasis of ISO 27001:2013 is the protection of personal information." → False
- What is the significance of the 'Statement of Applicability' (SoA) in governance terms? → It records which Annex A controls are applicable and justifies inclusions and exclusions
- Which of the following BEST describes the relationship between ISO/IEC 27001 and ISO/IEC 27002? → ISO/IEC 27002 defines the audit process, while ISO/IEC 27001 lists the auditable controls.
- According to ISO 27000, what is an information security event? → An identified occurrence indicating a possible breach of information security policy
- According to ISO 27001, which of the following is the primary purpose of monitoring, measurement, analysis, and evaluation of the ISMS? → To evaluate information security performance and the effectiveness of the ISMS.
- According to ISO 27000, what is a 'threat' in information security? → A potential cause of an unwanted incident that may result in harm to assets
- Which ISO standard specifically provides guidance on information security incident management? → ISO 27035
- What is the PRIMARY purpose of the 'Act' phase within the ISMS PDCA cycle? → To address nonconformities and make continual improvements to the ISMS.
- What is the primary role of a Computer Security Incident Response Team (CSIRT)? → To coordinate and manage the organization's response to information security incidents
- Which activity DOES NOT fall under a certifying body's mandates and obligations? → Advise how to fill the gaps found during a readiness assessment
- A weakness in a system's security procedures, design, implementation, or internal controls that could be exploited by a threat source is known as a: → Vulnerability
Turn these facts into recall: