
100+ Free EXIN ISMP Practice Questions

Pass your EXIN Information Security Management Professional (ISO/IEC 27001) — ISMP exam on the first try — instant access, no signup required.

  • No registration
  • No credit card
  • No hidden fees
  • Start practicing immediately

Key Facts: EXIN ISMP Exam

  • Exam format: 30 MCQ / 90 min (source: EXIN)
  • Passing score: 65% (20/30) (source: EXIN)
  • Controls domain weight: 60% (source: EXIN)
  • ISO 27002:2022 Annex A: 93 controls (source: ISO/IEC 27002:2022)
  • New controls in the 2022 edition: 11 (source: ISO/IEC 27002:2022)
  • Exam style: closed-book (source: EXIN)

The EXIN Information Security Management Professional (ISMP) is a 30-question, 90-minute closed-book exam requiring 65% (20/30) to pass. It tests three domains: information security perspectives (10%), risk management (30%), and ISO/IEC 27002:2022 controls across organisational, technical, and physical categories (60%).

Sample EXIN ISMP Practice Questions

Try these sample questions to test your EXIN ISMP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. From a business perspective, which primary driver typically motivates an organisation to implement an Information Security Management System (ISMS)?
A. Protecting the confidentiality, integrity, and availability of information assets to maintain business continuity and trust
B. Reducing the workload of the IT helpdesk
C. Automating all manual security processes
D. Eliminating the need for external security audits
Explanation: The business perspective on an ISMS centres on protecting information assets to sustain operations, maintain stakeholder trust, and meet legal/regulatory obligations. Confidentiality, integrity, and availability (CIA) together form the foundation of information security and are the primary business drivers for ISMS adoption.

2. A customer perspective on information security is primarily concerned with which of the following?
A. Ensuring that the organisation's products and services reliably protect customer data and meet agreed service levels
B. Reducing capital expenditure on security hardware
C. Obtaining ISO 27001 certification within a fixed budget
D. Publishing the organisation's security policy on its public website
Explanation: From the customer perspective, information security assurance is about trust — customers need confidence that their data is handled safely, that services remain available, and that commitments in service-level agreements are honoured. This perspective shapes requirements organisations must address when designing their ISMS.

3. When an organisation relies on a third-party cloud provider for hosting critical applications, which information security perspective becomes most relevant for managing that relationship?
A. Business perspective
B. Customer perspective
C. Regulatory perspective
D. Supplier perspective
Explanation: The supplier (or service provider) perspective addresses how organisations manage information security obligations when work is outsourced or services are procured externally. ISO/IEC 27001 Annex A control 5.19 (Information security in supplier relationships) and 5.20 (Addressing information security within supplier agreements) are specifically designed to manage third-party risks.

4. Which ISO/IEC 27001:2022 clause requires an organisation to determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its ISMS?
A. Clause 4.1 — Understanding the organisation and its context
B. Clause 6.1 — Actions to address risks and opportunities
C. Clause 5.1 — Leadership and commitment
D. Clause 9.1 — Monitoring, measurement, analysis and evaluation
Explanation: ISO/IEC 27001:2022 Clause 4.1 requires organisations to determine external (e.g., regulatory environment, competitive landscape) and internal (e.g., culture, organisational structure) issues relevant to their ISMS. This contextual understanding feeds directly into risk assessment and ISMS scoping decisions.

5. During an information security risk assessment, a security manager calculates that a particular server has an asset value of €500,000, a single loss expectancy (SLE) of €100,000, and the threat is expected to occur twice per year. What is the Annual Loss Expectancy (ALE)?
A. €50,000
B. €100,000
C. €500,000
D. €200,000
Explanation: ALE = SLE × ARO (Annualised Rate of Occurrence). Here ALE = €100,000 × 2 = €200,000. This quantitative measure helps prioritise risk treatment by comparing the cost of a control against the potential annual loss it mitigates.

6. Which term describes the probability that a given threat will exploit an existing vulnerability within a specific time period?
A. Likelihood
B. Risk appetite
C. Residual risk
D. Impact
Explanation: In risk analysis, likelihood (also called probability) refers to the chance that a threat will successfully exploit a vulnerability. Together with impact, likelihood is one of the two components used to calculate risk level. ISO/IEC 27005 uses likelihood as a core parameter in information security risk assessment.

7. An organisation completes its risk assessment and identifies risks that exceed the accepted risk level. Which document formally records the controls chosen to address these risks and the justification for including or excluding each Annex A control?
A. Information Security Policy
B. Risk Treatment Plan
C. Statement of Applicability (SoA)
D. Business Continuity Plan
Explanation: The Statement of Applicability (SoA) is a mandatory ISO/IEC 27001 document (Clause 6.1.3) that lists all Annex A controls, states whether each is applicable, and justifies exclusions. It is the primary link between the risk assessment and control implementation within the ISMS.

8. After implementing all planned information security controls, a residual risk remains that exceeds the organisation's risk acceptance criteria. Which risk treatment option should the information security manager recommend?
A. Risk acceptance — document the decision and obtain management sign-off
B. Risk avoidance — immediately discontinue the business activity
C. Risk transfer — purchase cyber insurance to cover the residual risk
D. Additional risk mitigation — implement further controls to reduce the residual risk
Explanation: When residual risk still exceeds acceptance criteria after controls are applied, the correct response under ISO/IEC 27001 is to implement additional controls to further reduce the risk before it can be formally accepted. Simply accepting risk above the threshold without further treatment is non-compliant.

9. Which of the four risk treatment options involves an organisation shifting the financial consequences of a risk to a third party, such as an insurer?
A. Risk mitigation
B. Risk avoidance
C. Risk acceptance
D. Risk transfer
Explanation: Risk transfer (also called risk sharing) involves passing the financial or operational burden of a risk to another party — typically through cyber insurance or contractual liability clauses. The risk itself is not eliminated, but the potential financial impact is shared or shifted.

10. An organisation uses a qualitative risk analysis approach. Which scale is most typical for expressing both likelihood and impact in this method?
A. Monetary values calculated from asset valuations and threat frequencies
B. Percentage probabilities derived from actuarial tables
C. Descriptive scales such as Low / Medium / High / Very High
D. Binary values: 0 (not applicable) or 1 (applicable)
Explanation: Qualitative risk analysis uses descriptive scales (e.g., Low, Medium, High) rather than precise monetary or probabilistic figures. This approach is faster and sufficient for most ISMS risk assessments, particularly where reliable statistical data is unavailable. The resulting risk level (e.g., High impact × High likelihood = High risk) guides prioritisation.

About the EXIN ISMP Exam

An intermediate-level information security certification validating expertise in implementing, evaluating, and reporting on an information security programme based on ISO/IEC 27001:2022 and ISO/IEC 27002:2022.

  • Questions: 30 scored questions
  • Time limit: 90 minutes
  • Passing score: 65% (20/30)
  • Exam fee: Contact EXIN or an accredited provider for current pricing (EXIN)

EXIN ISMP Exam Content Outline

  • Information Security Perspectives (10%): Business, customer, and supplier perspectives; ISMS drivers and stakeholder requirements
  • Risk Management (30%): Risk analysis and assessment, selecting controls, residual risk treatment, ISO 27001 risk management clauses
  • Information Security Controls (60%): Organisational, technical, and physical controls from ISO/IEC 27002:2022; all 93 Annex A controls including 11 new 2022 additions

How to Pass the EXIN ISMP Exam

What You Need to Know

  • Passing score: 65% (20/30)
  • Exam length: 30 questions
  • Time limit: 90 minutes
  • Exam fee: Contact EXIN or an accredited provider for current pricing

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

EXIN ISMP Study Tips from Top Performers

1. Focus 60% of your study time on ISO/IEC 27002:2022 controls — know the purpose of each of the 93 Annex A controls and which category they belong to
2. Memorise the 11 new controls added in ISO/IEC 27002:2022: 5.7 Threat intelligence, 5.23 Cloud services, 5.30 ICT readiness for BCM, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 DLP, 8.16 Monitoring activities, 8.23 Web filtering, 8.28 Secure coding
3. For risk management questions, remember the sequence: Identify → Analyse (likelihood × impact) → Evaluate (vs acceptance criteria) → Treat
4. Know the purpose of the Statement of Applicability (SoA) — it lists all 93 controls with applicability justification and is mandatory under ISO 27001 Clause 6.1.3
5. For perspective questions, identify which stakeholder (business/customer/supplier) is most directly affected before selecting your answer
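The risk management sequence in tip 3, together with the ALE calculation, residual-risk rule and qualitative scale from sample questions 5, 8 and 10, carried through in Python as an added example that is not part of the original page. The 4x4 matrix thresholds, the "Medium" acceptance level and the two register entries are constructed assumptions, not values from ISO/IEC 27005 or EXIN material.

```python
# Added example, not from the original page. Walks a constructed risk
# register through Identify -> Analyse -> Evaluate -> Treat. The matrix
# thresholds, acceptance level and sample risks are assumptions.
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str  # qualitative scale (sample question 10)
    impact: str

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Quantitative analysis: ALE = SLE x ARO (sample question 5)."""
    return sle * aro

def risk_level(likelihood: str, impact: str) -> str:
    """Qualitative analysis on an assumed 4x4 matrix; High x High = High as on the page."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 12:
        return "Very High"
    if score >= 6:
        return "High"
    return "Medium" if score >= 3 else "Low"

def treat(risk: Risk, acceptance: str, residual=None) -> str:
    """Evaluate against `acceptance` (highest level accepted), then choose a treatment.
    `residual` is the (likelihood, impact) expected after planned controls, if known;
    residual risk still above the criteria is never accepted (sample question 8)."""
    if LEVELS[risk_level(risk.likelihood, risk.impact)] <= LEVELS[acceptance]:
        return "accept"  # document the decision and obtain management sign-off
    if residual is None:
        return "mitigate"  # select controls, then re-evaluate the residual risk
    if LEVELS[risk_level(*residual)] <= LEVELS[acceptance]:
        return "accept-residual"
    return "mitigate-further"  # still above criteria: further controls needed

def evaluate_register(risks: list, acceptance: str) -> dict:
    """Identify -> Analyse -> Evaluate -> Treat for a whole register."""
    return {r.asset: treat(r, acceptance) for r in risks}

# Constructed sample register (not real data), evaluated against a "Medium" acceptance level.
REGISTER = [
    Risk("file server", "ransomware", "High", "High"),
    Risk("intranet wiki", "defacement", "Low", "Medium"),
]
DECISIONS = evaluate_register(REGISTER, "Medium")
```

Passing a `residual` pair to `treat` models the re-evaluation after controls are applied, which is the step question 8 tests.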

Frequently Asked Questions

What is the EXIN ISMP exam format?

The EXIN ISMP (Information Security Management Professional) exam consists of 30 multiple-choice questions with a 90-minute time limit. It is a closed-book exam — no notes or reference materials are permitted. You need 20 correct answers (65%) to pass. The exam is based on ISO/IEC 27001:2022 and ISO/IEC 27002:2022.

What are the three ISMP exam domains and their weightings?

The EXIN ISMP exam covers three domains: Information Security Perspectives (business/customer/supplier) at 10%; Risk Management (analysis, control selection, residual risk) at 30%; and Information Security Controls (organisational, technical, and physical from ISO/IEC 27002:2022) at 60%. Controls dominate — roughly three-fifths of the exam tests your knowledge of the 93 Annex A controls.

What is the difference between EXIN ISFS and EXIN ISMP?

EXIN ISFS (Information Security Foundation) is an entry-level exam with 40 questions covering basic information security concepts, threats, and measures based on ISO/IEC 27001. EXIN ISMP (Information Security Management Professional) is the intermediate-level exam for practitioners who implement and manage an ISMS, with a deeper focus on ISO/IEC 27002:2022 controls and risk management. ISFS is typically a prerequisite for ISMP.

Which version of ISO/IEC 27002 does the EXIN ISMP exam use?

The EXIN ISMP exam is aligned to ISO/IEC 27002:2022, which reorganised controls into four categories (Organisational, People, Physical, Technological) with a total of 93 controls, including 11 new controls added in 2022 such as Data leakage prevention (8.12), Web filtering (8.23), Secure coding (8.28), and Threat intelligence (5.7).

What are the four risk treatment options tested in the EXIN ISMP exam?

The four risk treatment options are: Risk mitigation (implementing controls to reduce likelihood or impact), Risk transfer (shifting financial consequences to a third party such as an insurer), Risk avoidance (stopping the activity that creates the risk), and Risk acceptance (formally deciding to live with the risk when it falls within acceptance criteria). These are core to both the ISO/IEC 27001 risk treatment process and the ISMP exam's risk management domain.

How many questions test information security controls in the EXIN ISMP exam?

With controls weighted at 60% of the 30-question exam, approximately 18 questions focus on ISO/IEC 27002:2022 organisational, technical, and physical controls. This makes knowledge of the 93 Annex A controls — especially the 11 new 2022 controls — critical for passing. Prioritise understanding what each control requires, not just its number.