Real ISO 27001:2022 interview questions for GRC analyst, ISMS manager, and security consultant roles — with strong-answer skeletons.
Walk me through the ISO 27001 ISMS structure.
Anchor on the 10 main clauses: 1–3 are normative, 4 context, 5 leadership, 6 planning (incl. risk assessment), 7 support, 8 operation (incl. risk treatment + SoA), 9 performance evaluation (internal audit, mgmt review), 10 continual improvement. Annex A holds the 93 controls in 4 themes. Mention PDCA explicitly.
What changed between ISO 27001:2013 and 27001:2022?
Annex A restructure: 114 → 93 controls grouped into 4 themes (organisational, people, physical, technological); 11 new controls (threat intel, cloud security, ICT readiness for BCM, data masking, info deletion, etc.). Main clauses had minor wording updates aligning with ISO Harmonised Structure.
Explain the Statement of Applicability.
SoA documents which Annex A controls apply, justifies inclusions/exclusions, references where each is implemented. Output of risk treatment, mandatory deliverable for certification. Auditor opens with it.
How does ISO 27001 risk assessment differ from NIST?
ISO is process-prescriptive (you must have a risk methodology) but methodology-agnostic. NIST CSF/800-30 prescribes specific quantitative/qualitative methods. ISO leaves you to choose but requires consistency and reproducibility.
Walk me through a Stage 1 vs Stage 2 audit.
Stage 1: documentation review + readiness check; auditor confirms ISMS exists, scope makes sense, mandatory docs present. Stage 2: operational effectiveness audit; auditor samples controls in action, interviews staff, tests evidence. Major nonconformities at Stage 2 block certification.
How do you handle a major nonconformity raised during a surveillance audit?
Acknowledge, contain, root-cause (5-whys), corrective action plan with owner + date, evidence of effectiveness; submit within auditor-agreed window (typically 30–90 days). Track in nonconformity register.
What is the difference between 'corrective' and 'preventive' action in 27001:2022?
27001:2022 removed the term 'preventive action' (now covered under risk-based thinking and clause 6.1 Actions to address risks). Corrective action = response to actual nonconformity.
How would you scope an ISMS for a SaaS startup?
Start narrow: the production SaaS platform + supporting teams (engineering, security, infra, customer success). Exclude marketing site, parent company HR. Justify scope vs business risk + customer requirements. Document scope in the ISMS scope statement.
Explain Annex A control 8.23 (web filtering).
New in 2022. Requires controls to prevent access to malicious or inappropriate external websites — typically DNS filtering, secure web gateway, or browser-isolation. Justified via threat model + risk assessment.
How does ISO 27001 interact with GDPR?
Complementary, not substitute. 27001 builds an ISMS; 27701 extends it to a PIMS aligned with GDPR. Many UK orgs run 27001 + 27701 together as their privacy programme baseline.
What internal audit frequency is required?
Clause 9.2 requires planned intervals — typically annual full audit, plus topic-based rolling audits across the year. Document an internal audit programme.
Tell me about a time you failed an ISO 27001 audit finding.
Behavioural. Acknowledge, root cause, action you owned, evidence of effectiveness. Avoid blame; demonstrate continual improvement mindset.
1–2 weeks if you already work in GRC; 4–6 weeks if converting from another security discipline. Read the standard cover-to-cover at least once.
No, but you should be able to discuss any control by reference and explain its intent.
Predominantly process-focused. Technical questions are scenario-based (e.g. 'how would you evidence A.8.5 secure authentication?').
Strongly preferred for senior GRC roles; nice-to-have for junior. Many hiring managers will fund the cert post-hire.
Run AI-graded mock interviews with panel personas and structured feedback.