View ISO-IEC-27001-Lead-Auditor Exam Questions

Q: 1

Which two of the following options for information are not required for audit planning of a certification audit?

Options

Discussion

AlexL Mar 17, 2026 4:54 pm

What if the certification scope included reviewing financial controls or leadership qualifications? Would E or C then become required for audit planning, or does ISO 27001 always exclude those specifics by design?

Cameron H. Feb 28, 2026 4:20 pm

CE tbh, info about financials or MS rep’s experience aren’t actually needed for ISO 27001 audit planning-the focus is on ISMS scope and controls, not staff bios or company money. Pretty sure that’s the logic but happy to hear other views.

MethodicalAnalyst3369 Mar 18, 2026 4:22 am

I don't see why the org's financials or the MS rep's background would matter for ISO 27001 audit planning. They don't impact scope or required evidence. So, C and E make sense here imo. Disagree?

Morgan Mar 14, 2026 7:56 am

Pretty sure the question is just after what you don't need for initial audit prep, so C and E fit. The rep's work experience (C) and financials (E) aren't standard inputs according to ISO 27001. Docs, sampling plan, checklists are core. I could be missing some nuance but this lines up with my study notes.

PracticalAnalyst5352 Mar 1, 2026 5:44 pm

C/E? Not totally sure but management rep's experience and financials aren't part of audit prep requirements. Someone confirm?

Alex O. Mar 9, 2026 5:21 pm

Probably C and E, that matches what shows up in official guides. Saw a similar question in an official practice test.

Maya Mar 9, 2026 12:34 pm

Actually, D and E. Audit checklist isn't mandatory for planning and financials are out of scope.

Adam H. Mar 8, 2026 10:46 am

I don’t think it’s CE. D and E.

PreciseSec232 Mar 16, 2026 6:03 pm

Honestly, I'd probably say D and E. Audit checklist (D) feels more like an optional tool than a strict must-have for planning, and org financials (E) definitely aren't needed. Not sure if I'm missing something in ISO 27001 specifics though.

Ishaan Mar 5, 2026 2:17 am

CE tbh, D is tempting but info on rep experience and financials isn't needed for ISO 27001 audit planning.

Be respectful. No spam.

Q: 2

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001. The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM. Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure. While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management. When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it. Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore. Based on this scenario, answer the following question: What type of audit evidence has Jack collected when he identified the first nonconformity regarding the software? Refer to scenario 3.

Options

Discussion

Reese Mar 17, 2026 4:36 pm

Makes sense to pick C here. Jack compared the exact number of purchased licenses to what's installed, so that's classic mathematical evidence-he used quantifiable data, not just analysis or conversation. I think that's what ISO/IEC 27001 expects, right? Open to other takes.

Jamie U. Mar 2, 2026 11:16 am

C, similar question popped up in a recent mock. Numbers from invoices and inventory checks point to mathematical evidence here. Makes sense?

Meera P. Mar 9, 2026 10:14 am

C fits best. Jack literally matched the number of software licenses bought (from invoices) to the number in use, which is straight up mathematical evidence in audit terms. He wasn't just analyzing or interviewing, he was counting and comparing real numbers. Pretty sure that's what ISO/IEC 27001 means by this, but let me know if you think differently!

Layla M. Mar 4, 2026 6:46 am

Call it A. Comparing invoices and inventories looks like analysis, not just pure math. Analytical evidence makes sense here, I think.

Kevin G. Feb 28, 2026 1:29 am

I don't think it's A. Comparing license invoices with software inventory is pure numbers, so that's C (mathematical evidence). Analytical evidence would be more about interpreting patterns or trends, but Jack's just matching counts here. This kind of question trips people up sometimes!

Alex U. Mar 13, 2026 7:06 pm

A . The way I read it, Jack analyzed the invoices and software inventory, so that's more about analytical evidence. He didn't just count, he evaluated and interpreted the info. Not 100% though, could see why people go with C.

Ivy E. Mar 14, 2026 8:23 am

Option A based on what I've seen in the official guide and some practice sets.

Reese E. Feb 28, 2026 5:38 am

Probably C. Jack literally compared invoice counts to installed software, so that's a numbers game-definitely mathematical evidence per ISO audit lingo. Analytical would imply deeper pattern analysis, but here it's just checking totals. Pretty confident, unless I'm missing something obvious?

Adam I. Mar 6, 2026 7:43 pm

A seems more like a trap, since counting invoices vs installed software is strictly numbers-C fits better in this scenario.

Vikram Y. Mar 5, 2026 6:00 am

Not A, C. Jack directly compared the count of licenses from invoices against the actual software inventory, which is straight up numerical and quantifiable-classic mathematical evidence in ISO auditing. Analytical would be more about patterns or trends, but here it's all about those hard numbers. Pretty sure about C, though let me know if you see it different.

Be respectful. No spam.

Q: 3

Which two of the following statements are true?

Options

Discussion

QuickReviewer8612 Mar 8, 2026 6:35 pm

I don't think it's C. Auditors just review the organization's processes, not the actual compliance status, so A and B fit best. C is a bit of a trap since auditors aren't certifying legal compliance directly, pretty sure about that.

IvyF Mar 1, 2026 7:47 am

I think AB, since C is a trap. Auditors check the process, not directly certify compliance status. Someone double-check me if I'm off.

Sara V. Mar 12, 2026 3:10 pm

AB tbh, C's a trap since auditors don't actually certify legal compliance in ISO 27001 context.

Jordan L. Feb 28, 2026 7:50 am

Hmm, I'm kinda torn between AB and C here. Process review is definitely in the auditor's wheelhouse, but sometimes the wording makes C seem right too. So maybe AB, but not 100% sure.

Alex Mar 11, 2026 8:13 am

Probably AB here. Auditors check processes and how orgs stay updated with legal changes, but they don't directly verify full legal compliance status themselves. C isn't right for certification audits in ISO 27001 if I'm remembering the PECB Lead Auditor materials correctly. If anyone has a different source, let me know!

Riley P. Mar 4, 2026 8:09 pm

Option AB, saw similar in official practice. Auditors focus on processes and awareness, not the actual compliance verdict.

Chris I. Mar 11, 2026 8:06 am

Option AB. Checking processes and how orgs stay aware of law changes, not certifying compliance status.

Quinn K. Mar 16, 2026 1:03 pm

Makes sense to pick AB here. Auditors look at how the org manages legal requirements and keeps up with changes (A, B), but they're not confirming compliance status directly like in C. Seen similar wording in training materials. If others see it differently, let me know.

SaraR Feb 28, 2026 11:48 pm

C/AB? Still not totally sure. Auditors for ISO 27001 mainly check if there's a process in place for legal requirements and awareness (A and B), but they don't directly verify compliance status (that's usually on the org, not the auditor). I think AB is safer here, but that C wording always throws me off.

Luke H. Mar 2, 2026 7:34 pm

Yeah, it's AB for me. Auditors check processes and awareness, not actual legal compliance status like in C.

Be respectful. No spam.

Q: 4

Phishing is what type of Information Security Incident?

Options

Q: 5

In the context of a third-party certification audit, confidentiality is an issue in an audit programme. Select two options which correctly state the function of confidentiality in an audit

Options

Discussion

Jason Mar 13, 2026 3:44 am

Probably C and D here since the question asks about actual functions of confidentiality. C is the audit principle, D covers recorded info needing auditee approval. Not totally sure E fits this context, but open to other takes!

Vikram Mar 10, 2026 7:38 am

C/D? Saw a similar question in a recent exam report, these two came up as the right combo.

Nathan H. Mar 14, 2026 9:12 am

C/D? Audit principle (C) is straight from ISO guidance and D makes sense because you always need permission if recording during audits. E feels less about confidentiality than these two. Pretty sure about this, correct me if I missed something.

Mason L. Feb 27, 2026 11:25 am

C/D? I see why people mention E, but confidentiality as an audit principle (C) and needing auditee permission for recordings (D) both come up in ISO 19011. Not totally sure if C is always enforced, but these fit best for function of confidentiality. Disagree?

Ajay Mar 16, 2026 7:58 pm

Confidentiality is a core audit principle, so C fits. Auditors need permission before recording or taking photos, making D the other good pick. Pretty sure about these based on ISO guidelines.

Sofia Q. Mar 15, 2026 7:34 am

C/D tbh, pretty sure those are correct. C is the audit principle and D covers respecting confidentiality when recording. E looks tempting but isn't a primary function of confidentiality here. Let me know if you disagree.

Meera W. Mar 4, 2026 10:45 pm

Its C and D for me, saw similar advice in the official ISO 27001 lead auditor guide and a couple practice exams. Not totally confident because E keeps coming up, so open to corrections.

Zoe Feb 26, 2026 7:22 pm

C and E tbh. I picked E since using audit info for personal competence sounded connected to confidentiality, as long as nothing sensitive is shared. Not 100% certain, maybe a bit of a trap but C feels safe.

Layla T. Mar 1, 2026 4:56 pm

Maybe C and E for this one.

SamO Mar 12, 2026 9:20 am

C and D tbh

Be respectful. No spam.

Q: 6

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to approve the test. The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymization functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval. You sample one of the medical staff's mobile and found that ABC's healthcare mobile app, version 1.01 is installed. You found that version 1.01 has no test record. The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app development company gave a free minor update on the tested software, performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions. Based on his 20 years of information security experience, there is no need to re- test. You are preparing the audit findings Select two options that are correct.

Options

Discussion

Ava P. Mar 3, 2026 1:15 pm

B and C, no question. Both are nonconformities here per the scenario details.

Chloe Mar 16, 2026 5:44 pm

Probably B and C. Letting the Service Manager approve test results when it's not in line with the process is a classic nonconformity (B), and skipping proper change control for the emergency app update hits C dead on. I don't think D fits as much here, it's more an improvement point than a real NC. If someone thinks otherwise, chime in.

SkepticalAnalyst3278 Mar 15, 2026 9:15 am

B C tbh, but if the update had been formally documented and tested before rollout, C wouldn’t really apply. Pretty sure exam expects B/C for this exact wording.

Jamie L. Feb 28, 2026 12:18 am

Hard to say, B and C. Both are nonconformities, since approval didn't follow procedure (B) and the version change wasn’t properly controlled (C). Saw something similar in an exam report. Pretty sure this is what ISO expects, but let me know if you disagree.

Karan Mar 16, 2026 9:19 am

C or B. Had something like this in a mock and both failure to control changes (C) and not following the approval procedure (B) are clear nonconformities. Service Manager isn’t authorized, plus rolling out untested app version breaks clause 8.1. Pretty sure these two fit best but open to other takes.

Jamie L. Mar 2, 2026 6:13 am

BC imo, I had almost exactly this scenario in a mock. Both controls not followed so both are NCs.

Priya Mar 7, 2026 9:21 am

Option B and C here. Both nonconformities pop out, since procedures weren't followed for approvals and proper change control wasn't done with the emergency release. Pretty standard ISO 27001 misses in real audits. If you read it another way let me know, but that's how I see it.

Ishaan T. Mar 17, 2026 9:13 pm

C/D? Struggling to pick, both seem like valid audit findings here. Anyone else waffling between those two?

Nina S. Mar 4, 2026 12:50 am

D . The situation with picking a vendor just because of free services smells like an opportunity for improvement, especially with ISO 27001 wanting you to focus on risk and provider qualification (A.5.21). Not sure it's as critical as the nonconformities in B or C, but I could see the auditor flagging D if procurement process wasn't strong. Anyone else think D should be flagged here?

Kevin I. Mar 16, 2026 12:19 pm

Option B and C, but not 100% sure. Both show up as nonconformities in the official guide and practice tests for similar scenarios, especially when no proper change control or approval is followed. Anyone see a case for F instead?

Be respectful. No spam.

Correct Answer:

Explanation

According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally

provided processes, products or services that are relevant to the information security management

system are controlled. This includes developing and entering into licensing agreements that cover

code ownership and intellectual property rights, and implementing appropriate contractual

requirements related to secure design and coding in accordance with Annex A 8.25 and 8.2912

In this case, the organisation and the developer have performed security tests that failed, which

indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT

Manager explains that the encryption and pseudonymization functions failed because they slowed

down the system and service performance, and that an extra 150% of resources are needed to cover

this. However, this does not justify the acceptance of the test results by the Service Manager, who is

not authorised to approve the test according to the software security management procedure. The

Service Manager should have consulted with the IT Manager, who is the owner of the process, and

followed the procedure for handling nonconformities and corrective actions. The Service Manager’s

decision to continue the service based on access control alone exposes the organisation to the risk of

compromising the confidentiality, integrity, and availability of personal data processed by the mobile

app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.

According to ISO 27001:2022 Clause 8.1, the organisation shall plan, implement and control the

processes needed to meet information security requirements, and to implement the actions

determined in Clause 6.1. The organisation shall also control planned changes and review the

consequences of unintended changes, taking action to mitigate any adverse effects, as necessary12

In this case, the organisation has not controlled the planned change of the mobile app from version

1.0 to version 1.01, which was a minor update provided by the outsourced developer in response to

frequent ransomware attacks. The IT Manager explains that the developer performed an emergency

release of the updated software, and gave a verbal guarantee that there will be no impact on any

security functions. However, this is not sufficient to ensure that the change is properly assessed,

tested, documented, and approved before deployment. The IT Manager should have followed the

change management process and procedure, and verified that the updated software meets the

security requirements and does not introduce any new vulnerabilities or risks. The IT Manager’s

reliance on his 20 years of information security experience and the developer’s verbal guarantee is

not a valid basis for skipping the re-testing of the software. Therefore, there is a nonconformity (NC)

with clause 8.1.

Reference:

1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and

IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Q: 7

Which of the following is not a type of Information Security attack?

Options

Discussion

DirectOps9390 Mar 2, 2026 1:34 pm

Option B. Similar question came up on official practice test, so check the course handbook too.

Neha J. Mar 9, 2026 1:16 am

B came up almost word-for-word in my practice set and it was the right pick there too.

SharpOps718 Mar 18, 2026 1:30 pm

Doesn't the definition of "attack" here only cover things with intent, meaning B wouldn't qualify?

Mason A. Feb 27, 2026 11:21 am

B stands out here since vehicular incidents relate to accidents or physical events, not intentional info sec attacks. The other options can be linked back to things like unauthorized access or exploiting vulnerabilities, which ISO 27001 recognizes as attack types. Pretty sure that's why B's correct, unless they're using another definition for "attack" in the question. Agree?

Sanjay U. Mar 11, 2026 4:30 pm

Not seeing how B fits as an info security attack. B

MayaY Mar 16, 2026 8:38 am

Its D. Had something like this in a mock and picked Privacy Incidents since I thought technical and legal could be exploited, but not sure if that was right looking back.

Morgan P. Mar 13, 2026 9:35 pm

Yeah, it's B here. Vehicular incidents just aren't classified as info security attacks.

Kevin Mar 6, 2026 1:49 pm

I don’t think it’s D. B fits here since vehicular incidents aren’t classified as info sec attacks, they’re usually physical accidents instead of deliberate actions against information systems. Pretty sure on this but let me know if I missed something.

Cameron Z. Mar 12, 2026 8:49 pm

Seriously tired of trick questions like this, but it's D tbh.

Aaron S. Mar 8, 2026 8:58 am

B makes the most sense since vehicular incidents aren't really considered info sec attacks, they're more like physical accidents. The others can be linked to security breaches or intentional acts. Pretty sure it's B here but open to other views.

Be respectful. No spam.

Q: 8

You are an ISMS auditor conducting a third-party surveillance audit of a telecom's provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming. You ask the Chief Tester why and she says, 'It's a result of the recent ISMS upgrade'. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients' configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made'. Based solely on the information above, which clause of ISO to raise a nonconformity against' Select one.

Options

Discussion

SteadyReviewer3871 Mar 8, 2026 6:31 am

A , I think the trap is going B since it's a process issue but if docs are hard to access that's still a doc control problem in 7.5.

Riley E. Mar 5, 2026 2:07 am

B , I remember similar questions in official guides. Operational planning and control breakdown, fits clause 8.1 best from what I’ve seen.

Ishaan D. Mar 16, 2026 5:01 am

Makes sense to flag B here. It’s mainly a breakdown in operational planning and control since the new process created bottlenecks, so technicians can’t do their tasks efficiently. Pretty sure that’s what clause 8.1 is for, but open if I’m missing something.

QuickLead1022 Mar 1, 2026 1:10 am

Its B here. This is about not controlling operational processes well after the ISMS upgrade, not about missing documents. I think some go for A since access is hard, but clause 8.1 fits better for process issues.

Parker Mar 2, 2026 5:28 pm

B tbh, saw a similar situation in a practice test and it was about process control not just documentation.

Sanjay Mar 17, 2026 12:24 pm

C or D? I think B actually fits better, since this is about operational planning and controls not working right (technicians pressured, mistakes happening). Not missing instructions, just bad workflow. Pretty sure it’s B here but open to arguments.

Ethan X. Mar 6, 2026 3:16 pm

I see what you mean but I'd pick A. If they can't easily get the instructions, that's documented info availability.

Sara Mar 18, 2026 6:38 pm

B tbh, saw something similar in practice and clause 8.1 fits best but could see why A comes up too.

Nora P. Mar 12, 2026 6:48 pm

Its B, but kinda get why folks say A since it's about accessing instructions.

Sean O. Mar 6, 2026 9:41 am

A or B? Had something like this in a mock and picked A for documented information since instructions access was limited, not missing. Pretty sure it's about documentation but could be wrong.

Be respectful. No spam.

Correct Answer:

Explanation

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing,

maintaining and continually improving an information security management system (ISMS), clause

8.1 requires an organization to plan, implement and control its processes needed to meet ISMS

requirements2. This includes determining what needs to be done, how it will be done, who will do it,

when it will be done, what resources are required, how performance will be evaluated, etc2.

Therefore, if an ISMS auditor conducting a third-party surveillance audit of a telecom’s provider

notes that there has been a significant increase in the number of switches failing their initial

configuration test and being returned for reprogramming due to a recent ISMS upgrade that reduced

access to work instructions, this indicates a nonconformity against clause 8.1 of ISO/IEC

27001:2022. The organization has failed to plan and control its operational processes effectively to

ensure information security and quality2. The other options are not correct clauses to raise a

nonconformity against based solely on this information. For example, clause 7.5 deals with

documented information required by ISMS or determined by an organization as necessary for its

effectiveness2, but it does not specify how many copies or formats of work instructions should be

available; clause 10.2 deals with nonconformity and corrective action as a response to an identified

problem or incident2, but it does not address how to prevent or avoid such problems or incidents in

operational processes; clause 7.3 deals with awareness of ISMS policy, objectives, roles and

responsibilities among persons doing work under an organization’s control2, but it does not relate to

how work instructions are accessed or followed; clause 7.2 deals with competence of persons doing

work under an organization’s control that affects its ISMS performance2, but it does not imply that

lack of competence is caused by insufficient work instructions; clause 7.4 deals with communication

about ISMS among internal and external interested parties2, but it does not cover how operational

information is communicated within an organization. Reference: ISO/IEC 27001:2022 - Information

technology – Security techniques – Information security management systems – Requirements

Q: 9

Which two of the following are examples of audit methods that 'do' involve human interaction?

Options

Discussion

Mia D. Mar 1, 2026 10:34 pm

C and D tbh, saw similar phrasing in the official practice test and it was those two. Double-check with the guide though.

Reese T. Mar 6, 2026 1:09 am

C tbh. Analyzing data by remotely accessing a server (C) seems to involve human interaction because someone has to actually perform the access and might coordinate with the auditee. A feels a bit more passive, so I didn't pick it. Looks like I might be mixing up observation with interaction though. Am I missing something subtle here?

Karan X. Mar 3, 2026 7:21 pm

Nice, clear question setup. B.

Anita D. Feb 28, 2026 7:57 am

Kinda surprised nobody's mentioned C yet. So I think it's C and D that actually have human interaction.

Ethan I. Mar 16, 2026 6:25 am

Not sure, but C and D seem like the ones with human interaction.

Maya K. Feb 28, 2026 4:10 am

It's AB. Reviewing documents or responses provided by people (A and B) fits the ISO's definition of human interaction because the auditor is working directly with input from the auditee, even if it's not live conversation. Options C, D, and E are all about remote observation or data analysis, no real human exchange there. Pretty sure that's how the standard treats it, but open if I'm missing something subtle.

Reese N. Mar 5, 2026 7:57 am

AB tbh, both options are about working with information that comes directly from people, not just systems or sensors. Written responses and document reviews still count as human interaction in audit terms. Not 100 percent sure if everyone would agree on that, though.

PreciseLead3128 Mar 1, 2026 12:13 am

B and C

Owen W. Feb 27, 2026 3:16 pm

Bit of a nitpick but if we read "human interaction" to include reviewing written responses, then A and B both fit. If they'd asked for verbal interaction only, B might be questionable. Pretty sure it's AB as per most exam practice, unless they're super strict about only live convo.

JordanA Mar 15, 2026 1:48 pm

A and B

Be respectful. No spam.

Q: 10

What is the difference between a restricted and confidential document?

Options

Discussion

Casey L. Mar 15, 2026 3:16 pm

Makes sense to pick B here. Restricted is usually for specific named individuals, while confidential lets a defined group access it. Seen similar classification in my audits, but let me know if anyone has seen it swapped.

Mia O. Mar 2, 2026 11:46 pm

It's B, these ISO/IEC labels are always so inconsistent between vendors, but exam reports keep flagging B as correct.

Riley H. Mar 16, 2026 5:08 am

A is wrong, B. Restricted is usually for named people, confidential is group based. ISO/IEC 27001 seems to define them that way.

Ben X. Mar 13, 2026 10:37 am

Looks like B is correct, since 'restricted' is for named individuals and 'confidential' covers an authorized group. That's what ISO/IEC 27001 usually means by those classifications. I think that's the best fit unless the context defines them differently.

SeasonedCandidate7068 Mar 14, 2026 7:39 am

Jack S. Mar 17, 2026 12:33 am

Its A, had something like this in a mock.

SaraW Mar 5, 2026 4:06 pm

Doesn’t "confidential" sometimes mean org-wide in some companies, though? That’d make C valid depending on policy.

Drew K. Mar 8, 2026 7:20 am

Wish they'd standardize these labels across vendors. Why not C if confidential is org-wide?

Grace F. Mar 12, 2026 9:51 pm

Actually, I don’t think A is right here. It’s B because "restricted" is for specific named individuals, while "confidential" can go to a whole authorized group. Seen this split in other ISO 27001 practice questions too and C is a bit of a trap since it suggests broader org access than confidential really allows. Let me know if anyone's seen different terminology on their course.

Luna Mar 14, 2026 6:22 pm

Yeah, restricted is only for named individuals, while confidential is for a defined group-so B. That matches how ISO 27001 usually sets the labels. Pretty sure that's what most guides say but let me know if you disagree.

Be respectful. No spam.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE