ISO/IEC 27001:2022
Information Security Management Systems
A complete reference to the standard, plus the ISTO Test of Understanding and downloadable syllabus. The world's best-known framework for information security management, helping organizations manage cyber-risk, protect information assets, and build resilience across people, policies, and technology.
70K+ certificates issued worldwide · 150+ countries using ISO 27001 · #1 information security standard
1. About ISO 27001
ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet, providing companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system. By adhering to this standard, organizations can manage the security of assets such as financial information, intellectual property, employee data, and information entrusted by third parties.
Conformity with ISO/IEC 27001 means an organization has put in place a system to manage risks related to the security of data it owns or handles, and that this system respects all the best practices and principles enshrined in the standard. Part of the broader ISO/IEC 27000 family, it integrates readily with other management system standards such as ISO 9001 through the shared Annex SL high-level structure.
Why is ISO 27001 important?
Business benefits include:
Cyber-resilience
A holistic approach across people, policies, and technology helps organizations withstand cyber-attacks and recover quickly from disruption and data breaches.
Risk management
The standard provides a systematic framework to identify, assess, and treat information security risks before they become costly incidents.
Stakeholder trust
Certification signals a genuine commitment to information security, reassuring customers, regulators, investors, and supply-chain partners that data is well protected.
Continual improvement
Regular audits and reviews encouraged by ISO 27001 enable organizations to adapt their controls to an ever-changing threat landscape and tightening regulatory requirements.
ISO 27001:2022 with the 2024 amendment
ISO/IEC 27001:2022 restructured Annex A into four control themes, and Amendment 1:2024 added climate-change considerations. Our syllabus already tracks the current requirements. Prepare against the latest edition.
2. ISTO Test of Understanding on ISO/IEC 27001:2022
This test is developed for ISO management system standards ("MSS") professionals such as middle and senior management personnel, responsible persons (as defined under clause 5.3), internal auditors, third-party certification body auditors and advisors/consultants who are instrumental in the effectiveness of the MSS implementation. It is a multiple-choice test designed with three outcomes:
- Certifying the candidate on their understanding of the respective standard
- Measuring the level of understanding in the eight (8) A·C·C·U·R·A·T·E Analysis domains
- Ranking a candidate's performance in a personalised analytics report
What candidates receive
Certificate of Achievement
Verifiable proof of understanding, with a unique URL.
Personalised analytics report
Includes your A·C·C·U·R·A·T·E analysis across eight domains and your percentile ranking against the test population.
More than just understanding
An ISTO Test focuses not only on understanding the requirements of a standard but is also designed to ensure that those who pass the test have demonstrated a knowledge of the underlying management system principles, definitions, applicability, distinguishing requirements from unspecified requirements and the standard's practical implementation.
Credibility
Employers of ISO 27001 auditors/consultants/tutors would find the ISTO TOU qualification a good benchmark in their selection process, as the ISTO TOU adds value to employees' overall performance excellence and consistency. A course tutor with an ISTO TOU credential is able to offer learners a more accurate and complete presentation of the standard.
3. Structure of the Test of Understanding
The ISTO TOU consists of multiple-choice questions with four (4) possible options, of which only one (1) represents the 'best' option. The ISTO TOU is a restricted-open-book online test: candidates may refer to an unmarked copy of the respective ISO standard, which is the only permitted reference material during the test. In an online test, the copy of the standard is provided in a separate window, in addition to the test window.
Four options, one best
Each question has a single best answer.
Restricted-open-book, online
Taken on the ISTO test portal.
Standard in a side window
Refer to an unmarked copy of ISO 27001, the only permitted reference.
Sample question: Which clause of ISO/IEC 27001 specifies requirements for the information security risk assessment?
Difference between Level 1 Test and Level 2 Test
The Level 1 test assesses a candidate's understanding of the basic principles and requirements of an ISO management system standard (MSS). The Level 2 test is a comprehensive test that covers principles, requirements, and their implementation in various scenarios and business sectors.
| Criterion | Level 1 (Practitioner) | Level 2 (Professional) |
|---|---|---|
| Time allowed | 120 minutes | 180 minutes |
| No. of questions | 80 | 120 |
| Pass criteria (candidates who meet the pass criteria are awarded a Certificate of Achievement) | 60% | 70% |
| Distinction criteria (candidates who meet the distinction criteria are awarded a Certificate of Achievement with Distinction) | 80% | 85% |
| A·C·C·U·R·A·T·E Analysis (all candidates receive a report indicating their level of understanding and relative ranking in each of the eight (8) domains in the star diagram) | ✓ Report included | ✓ Report included |
Test Sections Breakdown
How the questions are distributed across each level.
| Section | Content | Level 1 (Practitioner) | Level 2 (Professional) |
|---|---|---|---|
| Section 1 | Principles and definitions, applicability, clause 4.3 | 20 questions | 30 questions |
| Section 2 | Management system requirements based on clauses 4, 5, 6, 9 and 10 (except clause 4.3) | 30 questions | 30 questions |
| Section 3 | Operational requirements based on clauses 7 and 8 | 30 questions | 30 questions |
| Section 4 | Six (6) scenarios with five (5) questions each, focusing on practical aspects | not included | 30 questions |
| Total | | 80 questions | 120 questions |
4. A·C·C·U·R·A·T·E Analysis
Based on ISTO's research and endorsed by the ISTO Technical Advisory Board, the level of comprehension of an ISO management system standard can be grouped into eight (8) domains of understanding.
- A: an Actual requirement in the standard related to documentation.
- Co: Concept, the management principles on which the management system standard is based. This includes the sequence of activities as required in the standard.
- C: the unique Clause reference of a specific requirement in the ISO management system standard.
- U: an Unspecified requirement in the standard (a requirement that does not exist).
- R: a certain Requirement in the standard (i.e. the text of the requirement).
- A: the Applicability of the standard. This includes the intent of a requirement, and the scope of the standard.
- T: Terms and definitions used in the standard. Generally these are defined in Clause 3 of each ISO management system standard. In the case of ISO 9001 QMS, terms and definitions are defined in the ISO 9000 standard.
- E: an Erroneous requirement in the standard related to documentation.
5. Test Description and Syllabus
Two levels, available in English and Traditional Chinese. Select a document to download.
Level 1 — Practitioner
Level 2 — Professional
6. Test Language Availability
ISO/IEC 27001:2022
Information Security Management Systems
English
English
English, Español, Français, Portuguese, 中文 (HK), 中文 (PRC), 中文 (TW)