
100+ Free ISO 27001 Internal Auditor Practice Questions

Pass your PECB ISO/IEC 27001 Internal Auditor exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

Key Facts: ISO 27001 Internal Auditor Exam

  • Exam questions: ~40 MCQ (source: PECB)
  • Time limit: 60 minutes (source: PECB)
  • Passing score: 70% (source: PECB)
  • ISO 19011 audit principles: 7 (source: ISO 19011:2018)
  • ISO 27001:2022 Annex A: 93 controls (source: ISO/IEC 27001:2022)
  • Certification validity: 3 years (source: PECB)

The PECB ISO/IEC 27001 Internal Auditor exam is a closed-book MCQ exam (~40 questions, 60 minutes, 70% to pass) that tests the ability to plan, conduct, and report on ISMS internal audits per ISO/IEC 27001:2022 and ISO 19011:2018. It is distinct from the Lead Auditor credential, which additionally covers audit team leadership and certification audit processes.

Sample ISO 27001 Internal Auditor Practice Questions

Try these sample questions to test your ISO 27001 Internal Auditor exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which clause of ISO/IEC 27001:2022 explicitly requires an organization to conduct internal audits at planned intervals?
   A. Clause 6.1
   B. Clause 8.2
   C. Clause 9.2
   D. Clause 10.1
   Explanation: Clause 9.2 of ISO/IEC 27001:2022 requires the organization to conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the organization's own requirements and to ISO/IEC 27001:2022, and is effectively implemented and maintained.

2. According to ISO 19011:2018, which of the following is one of the seven principles of auditing?
   A. Maximizing the number of audit findings
   B. Maintaining strict confidentiality at all times, even from top management
   C. Integrity of the auditor
   D. Relying solely on documented evidence from the auditee
   Explanation: ISO 19011:2018 lists seven auditing principles: integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and risk-based approach. Integrity means the auditor performs their work ethically, honestly, and responsibly. The other options misrepresent or contradict the standard's guidance.

3. An ISMS internal auditor discovers they previously helped design a specific access-control procedure being audited. What should the auditor do?
   A. Disclose the conflict to the audit programme manager and be reassigned from that section
   B. Proceed with the audit since they are most knowledgeable about the procedure
   C. Skip that section silently and audit other clauses
   D. Complete the audit and note the conflict only in the final report
   Explanation: Independence is a core audit principle per ISO 19011:2018. An auditor who helped design the control being audited lacks independence and is subject to a conflict of interest. The proper action is to disclose the conflict and be reassigned, ensuring objectivity and impartiality are maintained throughout the audit.

4. What does ISO/IEC 27001:2022 Clause 4.1 require an organization to determine?
   A. The list of Annex A controls to implement
   B. The external and internal issues relevant to its purpose that affect its ability to achieve ISMS outcomes
   C. The frequency of internal audits
   D. The classification levels for information assets
   Explanation: Clause 4.1 (Understanding the organization and its context) requires the organization to determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of the ISMS. This context-setting activity informs the scope, risks, and objectives of the entire management system.

5. According to ISO 19011:2018, what is an 'audit programme'?
   A. A set of one or more audits planned for a specific time frame, directed towards a specific purpose
   B. A single audit plan created for one specific audit engagement
   C. The documented checklist used during an on-site audit
   D. The schedule of corrective actions following an audit
   Explanation: ISO 19011:2018 defines an audit programme as a set of one or more audits planned for a specific time frame and directed towards a specific purpose. It is distinct from an individual audit plan, which details the arrangements for a single audit. An audit programme may include multiple audits covering different areas or standards over time.

6. When planning an ISO 27001 internal audit, the auditor must define audit criteria. Which of the following best describes 'audit criteria'?
   A. The scoring rubric used to grade the auditee's overall security maturity
   B. A set of policies, procedures, or requirements used as a reference against which audit evidence is compared
   C. The list of questions to ask during auditee interviews
   D. The risk rating assigned to each finding
   Explanation: ISO 19011:2018 defines audit criteria as a set of requirements used as a reference against which audit evidence is compared. For an ISO 27001 internal audit, the criteria typically include the requirements of ISO/IEC 27001:2022 and the organization's own ISMS policies, procedures, and objectives. Audit evidence is then evaluated against these criteria to determine conformity or nonconformity.

7. ISO/IEC 27001:2022 introduced Annex A controls organized into how many control themes, replacing the previous 14 categories?
   A. 4
   B. 3
   C. 6
   D. 8
   Explanation: ISO/IEC 27001:2022 restructured Annex A from 14 categories and 114 controls (in the 2013 edition) into 4 themes: Organisational controls (37), People controls (8), Physical controls (14), and Technological controls (34), totalling 93 controls. Internal auditors must understand this structure when verifying the Statement of Applicability and testing controls.

8. During an internal audit, what is the primary purpose of the opening meeting?
   A. To present the final audit report to management
   B. To allow the auditee to demonstrate corrective actions from the previous audit
   C. To confirm the audit scope, objectives, criteria, and methodology with the auditee
   D. To review all documented procedures in detail
   Explanation: ISO 19011:2018 specifies that the opening meeting is conducted to confirm the audit scope, objectives, criteria, and methodology; introduce the audit team; establish communication channels; and confirm audit logistics. It ensures that all parties have a shared understanding before the audit begins; it is not held to present findings or review documents in depth.

9. An internal auditor reviews the organization's Statement of Applicability (SoA). What must the SoA include per ISO/IEC 27001:2022?
   A. The necessary controls, justification for inclusions, whether implemented, and justification for exclusions of Annex A controls
   B. The full text of all 93 Annex A controls verbatim
   C. A risk score for each implemented control
   D. The names of staff responsible for each Annex A control
   Explanation: ISO/IEC 27001:2022 Clause 6.1.3 d) requires the SoA to contain the necessary controls, justification for their inclusion (with reference to the risk treatment process), whether the controls are implemented, and justification for the exclusion of any Annex A controls. Internal auditors verify the SoA's completeness and its alignment with the risk treatment plan.

10. Which sampling approach is most appropriate when an internal auditor wants to ensure that every item in a population has an equal chance of being selected?
   A. Judgement-based sampling
   B. Systematic sampling
   C. Random sampling
   D. Stratified sampling
   Explanation: Random sampling gives every item in the population an equal probability of being selected, making it statistically unbiased. ISO 19011:2018 Annex B discusses sampling approaches. Random sampling is appropriate when the population is homogeneous and the auditor wants representative, unbiased coverage without applying judgement to individual selections.

About the ISO 27001 Internal Auditor Exam

The PECB ISO/IEC 27001 Internal Auditor certification validates the competence to plan and conduct internal (first-party) audits of an Information Security Management System in accordance with ISO/IEC 27001:2022 requirements and ISO 19011:2018 audit guidelines.

  • Questions: 40 scored questions
  • Time limit: 60 minutes
  • Passing score: 70%
  • Exam fee: Contact PECB (Professional Evaluation and Certification Board) or an accredited training partner for current pricing

ISO 27001 Internal Auditor Exam Content Outline

  • ISMS Fundamentals and ISO/IEC 27001:2022 Requirements (~25%): Core ISMS concepts, clause requirements (context, leadership, planning, support, operation, evaluation, improvement), Annex A (4 themes, 93 controls), and Statement of Applicability
  • Audit Principles — ISO 19011:2018 (~15%): Seven auditing principles: integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and risk-based approach
  • Internal Audit Programme and Planning (~20%): Audit programme objectives and management, audit plan elements, scope and criteria definition, auditor selection, resource allocation, and preliminary document review
  • Conducting the Audit — Evidence, Sampling, and Interviews (~20%): Opening and closing meetings, evidence collection methods (interview, observation, document review), sampling approaches, checklists, and auditor judgment
  • Audit Findings and Nonconformities (~10%): Conformity, nonconformity (major vs minor), opportunities for improvement; classification, documentation, and supporting evidence requirements
  • Audit Reporting and Follow-Up (~5%): Audit report content, corrective action process (Clause 10.1), follow-up verification of effectiveness, and audit programme continual improvement
  • Internal vs Certification Audits (~5%): First-party, second-party, and third-party audit distinctions; independence requirements under ISO 19011 vs ISO/IEC 17021-1; certification body role

How to Pass the ISO 27001 Internal Auditor Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 40 questions
  • Time limit: 60 minutes
  • Exam fee: Contact PECB or accredited training partner for current pricing

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ISO 27001 Internal Auditor Study Tips from Top Performers

1. Master all ISO/IEC 27001:2022 clauses (4-10) and understand exactly what is required vs. what is guidance; auditors must distinguish 'shall' from 'should'
2. Memorize the 7 ISO 19011:2018 audit principles, including the principle added in 2018 (risk-based approach), which is frequently tested
3. Know the difference between 'maintain' and 'retain' documented information in ISO 27001; this determines what is a live document vs. an audit record
4. Understand the three evidence collection methods (interview, observation, document review) and how they combine to produce comprehensive audit evidence
5. Practice classifying findings as major nonconformity, minor nonconformity, or opportunity for improvement based on severity and systemic impact

Frequently Asked Questions

What is the PECB ISO/IEC 27001 Internal Auditor exam format?

The PECB ISO/IEC 27001 Internal Auditor exam is a closed-book multiple-choice examination with approximately 40 questions and a 60-minute time limit. The passing score is 70%. It tests knowledge of ISO/IEC 27001:2022 ISMS requirements and ISO 19011:2018 audit principles as applied to first-party (internal) audits.

How does the ISO 27001 Internal Auditor differ from the Lead Auditor certification?

The Internal Auditor certification focuses on conducting first-party (internal) audits within an organization, verifying ISMS conformity and effectiveness. The Lead Auditor certification adds competence for leading audit teams, managing audit programmes across multiple organizations, and conducting third-party certification audits governed by ISO/IEC 17021-1. The Lead Auditor credential is more advanced in scope and leadership requirements.

Which standards does the ISO 27001 Internal Auditor exam cover?

The exam covers ISO/IEC 27001:2022 (ISMS requirements, including all clauses and Annex A controls restructured into 4 themes and 93 controls) and ISO 19011:2018 (guidelines for auditing management systems, including the 7 audit principles, audit programme management, and conducting audits). Understanding both standards together is essential for the exam.

What does ISO 19011:2018 add beyond the 2011 version?

The 2018 edition of ISO 19011 added a seventh auditing principle — the risk-based approach — requiring audit planning and conduct to be influenced by the risks and opportunities associated with audit activities and the auditee's management system. It also expanded guidance on managing audit programmes (including programme risk) and conducting audits.

Is prior ISO 27001 implementation experience required for the Internal Auditor exam?

No formal experience prerequisite is specified by PECB. However, practical familiarity with information security concepts and management system environments is beneficial. Candidates typically attend a PECB-accredited Internal Auditor training course before the exam. Self-study using ISO/IEC 27001:2022 and ISO 19011:2018 is an alternative preparation path.

Can an employee audit their own organization's ISMS for ISO 27001?

Yes. ISO/IEC 27001:2022 Clause 9.2 does not require external auditors; internal audits can be conducted by employees or external consultants. The key requirement is that auditors must be independent of the specific activities they audit — they must not audit their own work. An employee auditing departments other than their own satisfies the independence requirement.