ISO 27001 Flashcards

1
Q

What is the objective of classifying information?

A

A. Authorizing the use of an information system
B. Creating a label that indicates how confidential the information is
C. Defining different levels of sensitivity into which information may be arranged
D. Displaying on the document who is permitted access

2
Q

What do employees need to know to report a security incident?

A

A. How to report an incident and to whom.
B. Whether the incident has occurred before and what was the resulting damage.
C. The measures that should have been taken to prevent the incident in the first place.
D. Who is responsible for the incident and whether it was intentional.

3
Q

You have just started working at a large organization. You have been asked to sign a code of conduct as well as a contract. What does the organization wish to achieve with this?

A

A. A code of conduct helps to prevent the misuse of IT facilities.
B. A code of conduct is a legal obligation that organizations have to meet.
C. A code of conduct prevents a virus outbreak.
D. A code of conduct gives staff guidance on how to report suspected misuses of IT facilities.

4
Q

Peter works at the company Midwest Insurance. His manager, Linda, asks him to send the terms and conditions for a life insurance policy to Rachel, a client. Who determines the value of the information in the insurance terms and conditions document?

A

A. The recipient, Rachel
B. The person who drafted the insurance terms and conditions
C. The manager, Linda
D. The sender, Peter

5
Q

When we are at our desk, we want the information system and the necessary information to be available. We want to be able to work with the computer and access the network and our files. What is the correct definition of availability?

A

A. The degree to which the system capacity is enough to allow all users to work with it
B. The degree to which the continuity of an organization is guaranteed
C. The degree to which an information system is available for the users
D. The total amount of time that an information system is accessible to the users

6
Q

Which of these is not malicious software?

A

A. Phishing
B. Spyware
C. Virus
D. Worm

7
Q

Some threats are caused directly by people, others have a natural cause. What is an example of an intentional human threat?

A

A. Lightning strike
B. Arson
C. Flood
D. Loss of a USB stick

8
Q

What is the definition of the Annual Loss Expectancy?

A

A. The Annual Loss Expectancy is the amount of damage that can occur as a result of an incident during the year.
B. The Annual Loss Expectancy is the size of the damage claims resulting from not having carried out risk analyses effectively.
C. The Annual Loss Expectancy is the average damage calculated by insurance companies for businesses in a country.
D. The Annual Loss Expectancy is the minimum amount for which an organization must insure itself.

9
Q

What is the most important reason for applying segregation of duties?

A

A. Segregation of duties makes it clear who is responsible for what.
B. Segregation of duties ensures that, when a person is absent, it can be investigated whether he or she has been committing fraud.
C. Tasks and responsibilities must be separated in order to minimize the opportunities for business assets to be misused or changed, whether the change be unauthorized or unintentional.
D. Segregation of duties makes it easier for a person who is ready with his or her part of the work to take time off or to take over the work of another person.

10
Q

A non-human threat for computer systems is a flood. In which situation is a flood always a relevant threat?

A

A. If the risk analysis has not been carried out.
B. When computer systems are kept in a cellar below ground level.
C. When the computer systems are not insured.
D. When the organization is located near a river.

11
Q

Why is compliance important for the reliability of the information?

A

A. Compliance is another word for reliability. So, if a company indicates that it is compliant, it means that the information is managed properly.
B. By meeting the legislative requirements and the regulations of both the government and internal management, an organization shows that it manages its information in a sound manner.
C. When an organization employs a standard such as the ISO/IEC 27002 and uses it everywhere, it is compliant and therefore it guarantees the reliability of its information.
D. When an organization is compliant, it meets the requirements of privacy legislation and, in doing so, protects the reliability of its information.

12
Q

You are the owner of the courier company SpeeDelivery. On the basis of your risk analysis you have decided to take a number of measures. You have daily backups made of the server, keep the server room locked and install an intrusion alarm system and a sprinkler system. Which of these measures is a detective measure?

A

A. Backup tape
B. Intrusion alarm
C. Sprinkler installation
D. Access restriction to special rooms

13
Q

What is the relationship between data and information?

A

A. Data is structured information.
B. Information is the meaning and value assigned to a collection of data.

14
Q

Which type of malware builds a network of contaminated computers?

A

A. Logic Bomb
B. Storm Worm or Botnet
C. Trojan
D. Virus

15
Q

You work in the office of a large company. You receive a call from a person claiming to be from the Helpdesk. He asks you for your password. What kind of threat is this?

A

A. Natural threat
B. Organizational threat
C. Social Engineering

16
Q

You are a consultant and are regularly hired by the Ministry of Defense to perform analyses. Since the assignments are irregular, you outsource the administration of your business to temporary workers. You don't want the temporary workers to have access to your reports. Which reliability aspect of the information in your reports must you protect?

A

A. Availability
B. Integrity
C. Confidentiality

17
Q

Your company is in the news as a result of an unfortunate action by one of your employees. The phones are ringing off the hook with customers wanting to cancel their contracts. What do we call this type of damage?

A

A. Direct damage
B. Indirect damage

18
Q

An airline company employee notices that she has access to one of the company’s applications that she has not used before. Is this an information security incident?

A

A. Yes
B. No

19
Q

Under which condition is an employer permitted to check if Internet and email services in the workplace are being used for private purposes?

A

A. The employer is permitted to check this if the employee is informed after each instance of checking.
B. The employer is permitted to check this if the employees are aware that this could happen.
C. The employer is permitted to check this if a firewall is also installed.
D. The employer is in no way permitted to check the use of IT services by employees.

20
Q

You have a small office in an industrial area. You would like to analyze the risks your company faces. The office is in a pretty remote location; therefore, the possibility of arson is not entirely out of the question. What is the relationship between the threat of fire and the risk of fire?

A

A. The risk of fire is the threat of fire multiplied by the chance that the fire may occur and the consequences thereof.
B. The threat of fire is the risk of fire multiplied by the chance that the fire may occur and the consequences thereof.

21
Q

You work for a flexible employer who doesn't mind if you work from home or on the road. You regularly take copies of documents with you on a USB memory stick that is not secure. What are the consequences for the reliability of the information if you leave your USB memory stick behind on the train?

A

A. The integrity of the data on the USB memory stick is no longer guaranteed.
B. The availability of the data on the USB memory stick is no longer guaranteed.
C. The confidentiality of the data on the USB memory stick is no longer guaranteed.

22
Q

What is the best way to comply with legislation and regulations for personal data protection?

A

A. Performing a threat analysis
B. Maintaining an incident register
C. Performing a vulnerability analysis
D. Appointing the responsibility to someone

23
Q

There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The backup tapes kept in another room had melted and many other documents were lost for good. What is an example of the indirect damage caused by this fire?

A

A. Melted backup tapes
B. Burned computer systems
C. Burned documents
D. Water damage due to the fire extinguishers