ISO 27001 Internal Auditor Practice Test 2026 – Complete Exam Prep

Question 1 of 20

Which of these activities is NOT part of the Plan phase in ISO 27001?

A. Choosing controls based on risk assessment
B. Documenting the Information Security Policy
C. Implementing a risk treatment plan
D. Documenting a Statement of Applicability

Correct answer: C. Implementing a risk treatment plan

Explanation

The activity that does not belong in the Plan phase of ISO 27001 is the implementation of a risk treatment plan. The Plan phase primarily focuses on establishing the foundation for the information security management system (ISMS). It involves determining the context of the organization, setting the scope of the ISMS, conducting a risk assessment, designing the risk treatment process, and selecting appropriate controls.

Choosing controls based on a risk assessment, documenting the information security policy, and creating a Statement of Applicability are all vital activities that help define how the organization will approach and manage its information security risks. Documenting a risk treatment plan is indeed part of the planning process, but the actual implementation of that plan is part of the Do phase, which follows the planning stage. Therefore, the implementation activity should not be included in the Plan phase as per the framework established by ISO 27001.