By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
This quiz helps you and your team make fast decisions about which ISO 27001 controls apply to your organization. For each scenario, choose the best answer, then check the rationale.
Scenario: You just hired a new software engineer. They need access to GitHub, AWS, and Google Workspace. What's your first step?
A) Give them access immediately so they can start coding.
B) Send an email to IT asking them to "set up the new person."
C) Verify their role, determine the minimum access needed, and provision based on an approved request.
Correct Answer: C
Why: ISO 27001 requires controlled user access management (Annex A.9.2). Access should be granted through a formal process, with approval from the system owner, and follow the principle of least privilege. Just handing out access or sending vague emails creates audit gaps.
Scenario: Your marketing team wants to use a new email automation tool that will store customer email addresses. What do you do?
A) Let marketing try it out; if they like it, we'll figure out compliance later.
B) Block it completely—no new vendors allowed.
C) Assess the vendor's security posture, review their SOC 2 or ISO 27001 report, and document the decision.
Correct Answer: C
Why: Supplier relationships are covered in Annex A.15. You must ensure that third parties handling your information meet your security requirements. This means due diligence before onboarding, not after.
Scenario: An employee reports that they accidentally clicked a phishing link and entered their password. What's your immediate action?
A) Tell them to change their password and move on.
B) Ignore it—nothing bad happened.
C) Follow your incident response plan: contain, investigate, report, and learn.
Correct Answer: C
Why: Annex A.16 requires management of information security incidents. A defined process ensures consistent handling, communication, and improvement. Without it, you risk missing critical steps and failing the audit.
Scenario: It's been a year since you wrote your security policies. They're sitting in a Google Drive folder. What now?
A) Nothing—they're fine as-is.
B) Review them for accuracy, update them for any changes, and get management approval.
C) Write new policies from scratch.
Correct Answer: B
Why: Annex A.5 requires policies to be reviewed at planned intervals to ensure their ongoing suitability and effectiveness. Stale policies are a common audit finding.
Scenario: Your CTO asks for a list of all company devices, software, and data. You:
A) Guess. You probably know most of it.
B) Ask each team to email you what they use.
C) Maintain an up-to-date asset inventory that identifies owners, classification, and location.
Correct Answer: C
Why: Annex A.8 requires responsibility for assets, including their identification and appropriate protection. You can't protect what you don't know exists.
Scenario: Your database contains customer information. You're unsure if it's encrypted on disk. You:
A) Assume your cloud provider handles it (they probably do).
B) Check your configuration, confirm encryption is enabled, and document it.
C) Don't worry—encryption isn't required.
Correct Answer: B
Why: Annex A.10 covers cryptography. While your provider may enable encryption by default, you are responsible for confirming and managing it appropriately. Assumptions lead to audit failures.
Scenario: A regional internet outage takes down your primary cloud region for six hours. Your team panics. After recovery, you:
A) Hope it never happens again.
B) Blame the cloud provider.
C) Develop a business continuity plan that addresses disruptions, and test it periodically.
Correct Answer: C
Why: Annex A.17 addresses information security aspects of business continuity management. You need plans for disruptions, not just hope.
Mostly C's: You're on the right track. You understand the control mindset.
Mostly A's or B's: You're operating on assumptions and informal processes. These are exactly the gaps that auditors find.
The Bottom Line: ISO 27001 is about demonstrating that you consistently follow good practices. Every decision should leave a trace—approvals, reviews, logs, and documentation.