IBITGQ - ISO Certified ISMS Lead Implementer (CIS LI) Certification Exam (3 Sets) | Latest Verified Questions and Detailed Answers
OVERVIEW DESCRIPTION:
The IBITGQ – ISO Certified ISMS Lead Implementer (CIS LI) certification is an advanced, ISO
17024-certificated credential that validates a professional's expert knowledge and practical skills
to lead the implementation of an Information Security Management System (ISMS) in
accordance with the ISO/IEC 27001:2022 standard. The exam rigorously assesses a candidate's
ability to apply the Plan-Do-Check-Act (PDCA) cycle across all key domains, from establishing
the organizational context and performing risk assessments to implementing Annex A controls,
managing documentation, and driving continual improvement through internal audits and
management reviews. Successful candidates demonstrate the competence to manage the entire
ISMS project lifecycle and prepare an organization for successful certification.
SET 1
QUESTION 1
As the Lead Implementer, you are defining the ISMS scope. According to Clause 4.3,
what is the most critical factor you must consider to ensure the scope is accurate and
defensible?
A) The budget allocated by the finance department for certification.
B) The external and internal issues, interested party requirements, and interfaces and
dependencies between the activities performed by the organization and those
performed by other organizations.
C) The personal preference of the IT manager regarding which departments to include.
D) The number of security controls from Annex A that the organization wishes to
implement.
CORRECT ANSWER: B
EXPERT RATIONALE: Clause 4.3 explicitly requires that the ISMS scope be determined
by considering the external and internal issues (4.1), interested party requirements
(4.2), and the interfaces and dependencies with other organizations, ensuring the
scope is aligned with the organization's context.
QUESTION 2
During the risk assessment process (Clause 6.1.2), you have identified a risk where the
assessed likelihood is "Low" but the potential impact is "Catastrophic." According to
risk management principles, how should this risk be treated in your risk evaluation?
A) Ignore the risk because the likelihood is low.
B) Immediately apply for a cyber insurance policy and consider the risk treated.
C) Evaluate it against your established risk criteria to determine if it exceeds the
organization's risk appetite and requires treatment.
D) Re-assess the impact to a lower level to make it acceptable.
CORRECT ANSWER: C
EXPERT RATIONALE: Risk evaluation involves comparing the results of risk analysis
with the established risk criteria to determine which risks require treatment. A
"Catastrophic" impact, even with low likelihood, may exceed the organization's risk
appetite and must be prioritized accordingly.
QUESTION 3
You are presenting the new ISMS policy framework to top management. To comply
with Clause 5.2, what is the most critical element that the Information Security Policy
must contain?
A) A detailed step-by-step guide for firewall configuration.
B) The organization's logo printed at the top of every page.
C) A framework for setting information security objectives and a commitment to
continual improvement.
D) A list of all 93 Annex A controls and a checkbox for each.
CORRECT ANSWER: C
EXPERT RATIONALE: Clause 5.2 requires top management to establish an information
security policy that provides a framework for setting objectives and includes a
commitment to continual improvement of the ISMS. Detailed technical configurations
are covered by lower-level documentation.
QUESTION 4
An organization has successfully implemented an ISMS and passed the Stage 2
certification audit. What must the organization do to maintain its certification status
according to the audit cycle?
A) Do nothing until the triennial recertification audit.
B) Undergo annual surveillance audits and a recertification audit every three years.
C) Submit a new Statement of Applicability to the certification body every month.
D) Re-publish all information security policies on a quarterly basis.
CORRECT ANSWER: B
EXPERT RATIONALE: Maintaining ISO 27001 certification requires undergoing periodic
surveillance audits (typically annually) to ensure ongoing compliance and a full
recertification audit every three years to renew the certification.
QUESTION 5
According to Clause 7.4, what is a key requirement regarding communication within
the ISMS?
A) All communication must be encrypted using AES-256.
B) The organization must determine the need for internal and external communications
relevant to the ISMS, including what, when, with whom, and how to communicate.
C) Communication is only required during the internal audit phase.
D) Only the top management team is allowed to communicate information security
matters.
CORRECT ANSWER: B
EXPERT RATIONALE: Clause 7.4 requires organizations to determine the need for both
internal and external communications relevant to the ISMS, establishing clear
processes for what will be communicated, when, to whom, and by whom, ensuring
effective stakeholder engagement.
QUESTION 6
When establishing a risk treatment plan (Clause 6.1.3), which document serves as the
primary reference for selecting appropriate controls based on the risk assessment
results?
A) The Business Continuity Plan.
B) The Information Security Policy.
C) The Statement of Applicability (SoA).
D) The organization's internal audit schedule.
CORRECT ANSWER: C
EXPERT RATIONALE: The Statement of Applicability (SoA) is the key document that lists
the controls selected from Annex A (and any others) and justifies their inclusion or
exclusion based on the risk assessment and treatment process.
QUESTION 7
During an internal audit, you discover that a critical server does not have up-to-date
antivirus software installed. According to Clause 10.1, what must be your immediate
course of action?
A) Ignore the finding because the server is still functioning.
B) Formally report this as a nonconformity and initiate corrective action to address the
nonconformity and its cause.
C) Wait for the external auditors to find it.
D) Immediately change the audit schedule to avoid this area.
CORRECT ANSWER: B
EXPERT RATIONALE: Clause 10.1 requires that when a nonconformity occurs, the
organization must react to it, take action to control and correct it, and deal with the
consequences, which is the foundation of the corrective action process.
QUESTION 8
An organization is transitioning from ISO 27001:2013 to the 2022 version. What is a
major structural change in Annex A that the Lead Implementer must account for in the