ISO 27001 modules 1-3: questions
Which of the following are measurable information security objectives?
-Decrease the average time for resolving incidents by 10% -Increase awareness-raising training by 2 hours per employee annually -Increase the frequency of backups by 50% over the next year
Regarding competences, ISO 27001 requires the company to:
-Define the necessary competences of employees who are related to information security -Make sure that employees have the appropriate training and experience -Keep documented evidence that the employees really have the required competences
Risks and opportunities need to be addressed in order to:
-Ensure achievement of the ISMS outcomes -Prevent or reduce undesired effects -Achieve continual improvement
Information security awareness raising helps improve the information security in the company by:
-Helping employees understand their role and the impact they have on ISMS -Helping employees understand the consequences if they don't follow the ISMS rules
The following statements are requirements for the Information Security Policy:
-It should be documented. -It should include a commitment to continual improvement of the ISMS. -It should provide a framework for setting information security objectives
How do you decide which policies and procedures to document?
-Check whether it is required by ISO 27001 -Check the risk assessment results to see if there is a need for such a control -Check how important the process is to you and how complex it is
Is ISO 27001 a standard that defines the technical details for information security, e.g., how to configure a firewall?
No
According to ISO 27001, the risk assessment must include the following elements:
-Risk identification -Risk analysis -Risk evaluation
The PDCA cycle is:
A method used for the implementation and maintenance of an Information Security Management System in organizations
Communication rules should cover the following elements:
-What should be communicated -Who shall communicate -With whom to communicate
Which of the following statements describes an ISMS scope?
-The Information Security Management System (ISMS) applies to the provision of secure and trusted e-commerce services. -The Information Security Management System (ISMS) applies to the provision of software development and implementation, outsourcing of IT services including maintenance of hardware and software, operating from the offices in London and Edinburgh.
The following roles are common in the ISMS implementation process:
-Project team -Top management -Project manager
For effective implementation of incident management software in Company Y, the following resources should be available:
-An available person and time to conduct an analysis of the most suitable incident management software for Company Y -A responsible person for coordinating the implementation of the procedure -Available time for all employees to complete short training on how to use the incident management software for reporting incidents -A dedicated budget for licenses for the chosen incident management software
Which of the following statements represent requirements from the ISO 27001 standard?
-Define the information security competences for all persons working for your company -Keep records as evidence of competence
How can top management demonstrate leadership and commitment to the Information Security Management System?
-Ensuring resources necessary for the ISMS -Communicating the importance of information security -Promoting continual improvement
Regarding the resources, ISO 27001 requires companies to:
-Identify the needed resources for the Information Security Management System -Ensure they are available for everyday operation -Ensure they are available for continual improvement of the ISMS
The Statement of Applicability must include
-List of all the controls from Annex A and any additional controls that might be identified in the risk treatment process -Information regarding whether the listed controls are implemented in the organization -Reason why the controls are implemented and how -Justification for exclusion of those controls that are not implemented
Which of the following responsibilities and authorities are relevant for the person responsible for reporting on the performance of the ISMS to top management?
-Prepares input for the management review meeting -Reviews the effectiveness of the Business Continuity Plan -Measures the KPIs (Key Performance Indicators)
In order to define the ISMS scope, the company should consider:
-Requirements of the interested parties -External and internal issues -Activities that are carried out by your organization and the activities performed by other organizations, such as partners, associates, or an outsourcing company; how those activities are related; and how they depend on each other.
When defining the information security objectives, the following aspects should be taken into consideration:
-They should be aligned with the Information Security Policy. -They should be measurable. -They should be updated in order to reflect the current situation of the company and its ISMS. -They should be communicated to all interested parties.
When creating a new document, you should take into consideration the following aspects:
-Writing your name in the author section on the first page of the document, as defined in the template you use -Writing it in English because that is the official language of your firm -Saving the document in the appropriate file format -When finished, submitting the document for review and approval
Which of the following represent assets from an information security perspective?
-People -Software -Paper-based information
A list of the required documentation:
-Scope of the ISMS -Information security risk assessment and risk treatment process -Information security policy and objectives -Statement of Applicability -Risk treatment plan -Risk treatment report -Records of training, skills, experience and qualifications -Monitoring and measurement results -Internal audit program -Results of internal audits -Results of management review -Results of corrective actions
Examples of external issues:
-Cultural environment -The competition of the company -The political situation in the country where the company operates
Identify which of the following information security controls are organizational controls:
-Defining a policy on the use of cryptographic controls -Documenting a clear screen policy -Documenting a procedure for training employees
The steps of the risk management process:
1. Define the risk assessment methodology 2. Conduct the risk assessment 3. Select risk treatment options 4. Create the Statement of Applicability 5. Create the risk treatment plan
Which of the following are good risk treatment practices?
1. Risk transfer 2. Avoiding the risk 3. Risk acceptance
Achieving compliance is one of the main benefits of implementing ISO 27001: true or false
True
The Statement of Applicability document should include:
All the controls from Annex A and any additional controls that might be identified in the risk treatment process
An Information Security Management System is a systematic approach for managing and protecting a company's information: true or false
True
The project manager, as one of the basic roles in the ISMS implementation process, has the following characteristics:
-Coordinates the project for implementation of ISO 27001 -Is often also the information security officer
After formulating a risk treatment plan, the Statement of Applicability must be documented. true or false
False
Risk analysis includes assessment of the impact the risk can have on the company and assessment of the likelihood that the identified risk can actually occur. The assessment scale for impact and likelihood must range between the values 1 and 10: true or false
False
Choose which of the following activities are parts of the Plan phase:
-Identify information security risks -Based on the results of the risk assessment, choose controls and document a Statement of Applicability -Document the Information Security Policy
Why is the Planning section described before the Operation section in the standard?
In order to have efficient operations, you need to plan them ahead
Information security and IT security refer to the same thing: true or false
False
What are the most significant benefits of implementing an Information Security Management System based on ISO 27001 in an organization?
-Improving the overall information security in your company -Compliance with the ISO 27001 standard and with information security legislation -Lowering expenses -Organizing your company -Providing a marketing edge
ISO 27001 requires the identification of the interested parties significant for information security in your organization to be documented: true or false
False