APMG-International ISO-IEC-27001-Foundation Exam With Confidence Using Practice Dumps

Clause 6.1.1 (Planning) states:

“The organization shall plan:

d) actions to address these risks and opportunities; and

e) how to:

integrate and implement the actions into its ISMS processes; and

evaluate the effectiveness of these actions.”

This confirms the missing words are“evaluate the effectiveness of”. Communication (A), applying resources (B), and improving effectiveness (C) are important concepts elsewhere but not the direct requirement stated in this clause.

Clause 10.2 (Continual Improvement) specifies that the organization must“continually improve the suitability, adequacy and effectiveness of the information security management system.”

This makes it clear that three attributes are explicitly required to be addressed:

Suitability: ensuring the ISMS continues to meet organizational needs in changing contexts.

Adequacy: ensuring the ISMS covers the necessary scope and provides sufficient control coverage.

Effectiveness: ensuring the ISMS achieves intended outcomes in protecting information security.

The word“importance”is not part of the continual improvement requirement. Importance is implicit in prioritization of risks and actions, but it is not a required continual improvement attribute in ISO/IEC 27001. Therefore, optionD: Importanceis the correct choice as it is not specified.

This distinction reinforces that continual improvement is not about subjective importance, but about systematic enhancement of the ISMS’ssuitability, adequacy, and effectiveness.

Clause 6.2 (Information security objectives) requires that objectives:

“be consistent with the information security policy”

“be measurable (if practicable)”

“take into account applicable information security requirements”

“be monitored, communicated, and updated as appropriate.”

From this, option A is correct since consistency with policy is an explicit requirement. Option B is incorrect because the standard allows objectives to be measurable “if practicable” (not mandatory for all). Option C is incorrect—objectives are not transferred contractually to third parties, though third-party agreements may include security requirements. Option D is incorrect because the standard requires regular review “as appropriate,” not a fixed annual cycle.

Thus, the verified requirement isA: They shall be consistent with the information security policy.