All Modules Flashcards
Owns information security and approves the policy?
Management
Are responsible for their own processes, risks and countermeasures?
Departments
Has a role with respect to the organisation's information security stance?
Everyone
Coordinates tasks to deliver a project?
Project Team
Identify and evaluate risks?
Risk assessors
Coordinate controls to mitigate risks and accept residual risk?
Risk owners
Set of interrelated or interacting activities that use inputs to deliver an intended result?
process
Specified way to carry out an activity or a process?
Procedure (can be documented or not)
Document stating results achieved or providing evidence of activities performed?
Record
Documented information that ISO 27001 mandates (with clause references)
- Scope (4.3)
- Information security policy (5.2 e)
- Information security risk assessment process (6.1.2)
- Statement of Applicability.
- Information security objectives. (6.2)
- Evidence of competence (7.2)
- Results of information security risk assessments (8.2)
- Results of information security risk treatment (8.3)
- Evidence of the information security performance monitoring and measurement results (9.1)
- Internal audit programme(s) and the audit results (9.2.2)
Action taken to eliminate the cause of a nonconformity?
Corrective action
Immediate action to eliminate a detected nonconformity (without addressing its cause)?
Correction
The size and complexity of an ISMS should be tailored to the organisation.
True or false
True
Management system documentation should include the company names of the service providers.
True or False
False
Documents go through five stages as part of their lifecycle.
True or False
True
Written
Reviewed and reworked
Approved
Distributed
Archived
Processes can be split into as many different documents as needed.
True or False?
True
Documents should require more than one person to authorise amendments.
True or False
False
You should wait to publish management system documents until just before an audit.
True or False
False
Publish as soon as they are signed off.
Every process and procedure should include who does what, where and when.
True or False
True
What are the parts of the RACI matrix?
Responsible
Accountable
Consulted
Informed
The RACI matrix applies to all processes.
Policies and objectives should be consistent with organisational objectives.
True or False
True
The management system should be integrated into business processes.
True or False
True
Policies should never be shared with people outside the organisation.
True or False
False
The scope doesn't need to include remote workers.
True or False
False
CEO support is crucial to having an effective ISMS.
True or False
True
The information security policy must include information security objectives.
True or False
True
Which of these should be determined in the scope? (select all that apply.)
A - Suppliers
B - Outsourced functions or processes
C - External and internal issues for the organisation and its context.
D - Requirements of interested parties.
B C D
SMART
What are the four options for a risk decision?
Terminate
Tolerate
Treat
Transfer
ISMS principles (9)
1 Awareness
2 Assignment of responsibility
3 Incorporating management commitment and the interests of stakeholders
4 Enhancing societal values
5 Controls proportional to risks
6 Security as an essential element of networks and systems
7 Active prevention and detection of incidents
8 Comprehensive approach to information security management
9 Continual reassessment and improvement
Standard
A specification to which something can conform.