ISO 27001 module 1-3 questions


measurable information security objective?

- Decrease the average time for solving incidents by 10%
- Increase the awareness raising training to 2 hours per employee annually
- Increase the frequency of backup by 50% for the next year

Regarding competences, ISO 27001 requires the company to:

- Define the necessary competences of employees who are related to information security
- Make sure that employees have the appropriate training and experience
- Keep documented evidence that the employees really have the required competences

Risks and opportunities need to be addressed in order to:

- Ensure achievement of the ISMS outcomes
- Prevent or reduce undesired effects
- Achieve continual improvement

Information security awareness raising helps improve the information security in the company by:

- Helping employees understand their role and the impact they have on the ISMS
- Helping employees understand the consequences if they don't follow the ISMS rules

The following statements are requirements for the Information Security Policy:

- It should be documented.
- It should include a commitment to continual improvement of the ISMS.
- It should provide a framework for setting information security objectives.

How do you decide which policies and procedures to document?

- Check whether it is required by ISO 27001
- Check the risk assessment results to see if there is a need for such a control
- Check how important the process is to you and how complex it is

Is ISO 27001 a standard that defines the technical details for information security, e.g., how to configure a firewall?

No

According to ISO 27001, the risk assessment must include the following elements:

- Risk identification
- Risk analysis
- Risk evaluation

The PDCA cycle is:

A method used for implementation and maintenance of an Information Security Management System in organizations

Communication rules should cover the following elements:

- What should be communicated
- Who shall communicate
- With whom to communicate

Which of the following statements describes an ISMS scope?

- The Information Security Management System (ISMS) applies to the provision of secure and trusted e-commerce services.
- The Information Security Management System (ISMS) applies to the provision of software development and implementation, outsourcing of IT services including maintenance of hardware and software, operating from the offices in London and Edinburgh.

The following roles are common in the ISMS implementation process:

- Top management
- Project manager
- Project team

For effective implementation of incident management software in Company Y, the following resources should be available:

- Available person and time to conduct analysis of the most suitable software for incident management in Company Y
- Responsible person for coordinating the implementation of the procedure
- Available time for all employees to pass short training on how to use the incident management software for reporting incidents
- Dedicated budget for licenses for the chosen incident management software

Which of the following statements represent requirements from the ISO 27001 standard?

- Define the information security competences for all persons working for your company
- Keep records as evidence of competence

How can top management demonstrate leadership and commitment to the Information Security Management System?

- Ensuring resources necessary for the ISMS
- Communicating the importance of information security
- Promoting continual improvement

Regarding the resources, ISO 27001 requires companies to:

- Identify the needed resources for the Information Security Management System
- Ensure they are available for everyday operation
- Ensure they are available for continual improvement of the ISMS

The Statement of Applicability must include:

- List of all the controls from Annex A and any additional controls that might be identified in the risk treatment process
- Information regarding whether the listed controls are implemented in the organization
- Reason why the controls are implemented and how
- Justification for exclusion of those controls that are not implemented

Which of the following responsibilities and authorities are relevant for the person responsible for reporting on the performance of the ISMS to top management?

- Prepares input for the management review meeting
- Reviews the effectiveness of the Business Continuity Plan
- Measures the KPIs (Key Performance Indicators)

In order to define the ISMS scope, the company should consider:

- Requirements of the interested parties
- External and internal issues
- Activities that are carried out by your organization and the activities performed by other organizations, such as partners, associates, or an outsourcing company; how those activities are related; and how they depend on each other

When defining the information security objectives, the following aspects should be taken into consideration:

- They should be aligned with the Information Security Policy.
- They should be measurable.
- They should be updated in order to reflect the current situation of the company and its ISMS.
- They should be communicated to all interested parties.

When creating a new document, you should take into consideration the following aspects:

- Writing your name in the author section on the first page of the document, as defined in the template you use
- Writing it in English because that is the official language of your firm
- Saving the document in the appropriate file format
- When finished, submitting the document for review and approval

represent assets from an information security perspective?

- People
- Software
- Paper-based information

A list of required documentation:

- Scope of the ISMS
- Information security and risk treatment
- Information security policy and objectives
- Statement of Applicability
- Risk treatment plan
- Risk treatment report
- Records of training, skills, experience and qualifications
- Monitoring and measurement results
- Internal audit program
- Results of internal audit
- Results of management review
- Results of corrective actions

External issues

- Cultural environment
- The competition of the company
- The political situation in the country where the company operates

Identify which of the following information security controls are organizational controls:

- Defining a policy on the use of cryptographic controls
- Documenting a clear screen policy
- Documenting a procedure for training employees

The risk management process

1. Define risk assessment methodology
2. Conduct risk assessment
3. Select risk treatment options
4. Create Statement of Applicability
5. Create risk treatment plan

good risk treatment practices?

1. Risk transfer
2. Avoiding risk
3. Risk acceptance

Achieving compliance is one of the main benefits of implementing ISO 27001. True or false

True

The Statement of Applicability document should include:

All the controls from Annex A and any additional controls that might be identified in the risk treatment process

An Information Security Management System is a systematic approach for managing and protecting a company's information. True or false

True

The project manager, as one of the basic roles in the ISMS implementation process, has the following characteristics:

- Coordinates the project for implementation of ISO 27001
- Often is also the information security officer

After formulating a risk treatment plan, the Statement of Applicability must be documented. True or false

False

Risk analysis includes assessment of the impact the risk can have on the company and assessment of the likelihood that the identified risk can really happen. The assessment scale for the impact and the likelihood must vary between the values 1 and 10. True or false

False

Choose which of the following activities are parts of the Plan phase:

- Identify information security risks
- Based on the results from the risk assessment, choose controls and document a Statement of Applicability
- Document the Information Security Policy

Why is the Planning section described before the Operation section in the standard?

In order to have efficient operations, you need to plan them ahead.

Information security and IT security refer to the same thing. True or false

False

What are the most significant benefits of implementing an Information Security Management System based on ISO 27001 in an organization?

- Improving the overall information security in your company
- Compliance with the ISO 27001 standard and with information security legislation
- Lowering expenses
- Organizing your company
- Providing a marketing edge

ISO 27001 requires the identification of interested parties significant for the information security in your organization to be documented. True or false

False
