ISO/IEC 27001 - Information Security Foundation Exam Flashcards

1
Q

In order to take out a fire insurance, an organization must determine the value of the data that it manages. Which factor is NOT important for determining the value of data for an organization?

A) The amount of storage required for the data
B) The degree to which missing data can be recovered
C) The indispensability of data for the business processes
D) The importance of the processes that use the data

A

A) The amount of storage required for the data

A) Correct. The value of data is not determined by technical factors (such as storage) but by the significance it has to the users. (Literature: A, Chapter 4.10.4)
B) Incorrect. Missing, incomplete or incorrect data that can be easily recovered is less valuable than data that is difficult or impossible to recover.
C) Incorrect. The indispensability of data for business processes in part determines the value.
D) Incorrect. Data critical to important business processes is therefore valuable.

2
Q

Besides integrity and confidentiality, what is the third reliability aspect of information?

A) Accuracy
B) Availability
C) Completeness
D) Value

A

B) Availability

A) Incorrect. The three reliability aspects of information are availability, integrity, and confidentiality.
B) Correct. The three reliability aspects of information are availability, integrity, and confidentiality.
(Literature: A, Chapter 3.3)
C) Incorrect. The three reliability aspects of information are availability, integrity, and confidentiality.
D) Incorrect. The three reliability aspects of information are availability, integrity, and confidentiality.

3
Q

An organization has a network printer in the hallway of the company. Many employees do not pick up their printouts immediately and leave them on the printer. What is the consequence of this to the reliability of the information?

A) The availability of the information is no longer guaranteed.
B) The confidentiality of the information is no longer guaranteed.
C) The integrity of the information is no longer guaranteed.

A

B) The confidentiality of the information is no longer guaranteed.

A) Incorrect. The information is still available in the system that was used to create and print it.
B) Correct. The information can end up with, or be read by, persons who should not have access to this information. (Literature: A, Chapter 3.4)
C) Incorrect. The integrity of the information on the prints is still guaranteed, for it is on paper.

4
Q

A database contains a few million transactions of a phone company. An invoice for a customer has been generated and sent. What does this invoice contain for the customer?

A) Data
B) Information
C) Data and information

A

B) Information

A) Incorrect. The database contains data; however, when an invoice is generated and sent to a recipient, it becomes information for the recipient.
B) Correct. The invoice contains valuable data for the recipient; it has a meaning and is therefore information. (Literature: A, Chapter 4.10.5)
C) Incorrect. The invoice contains information for the recipient and not data.

5
Q

What is the BEST description of the focus of information management?

A) Allowing business activities and processes to continue without interruption
B) Ensuring that the value of information is identified and exploited
C) Preventing unauthorized persons from having access to automated systems
D) Understanding how information flows through an organization

A

B) Ensuring that the value of information is identified and exploited

A) Incorrect. This statement relates to business continuity management (BCM). The purpose of BCM is to prevent business activities from being disrupted, to protect critical processes against the consequences of far-reaching disruptions in information systems, and to allow for speedy recovery.
B) Correct. Information management describes the means by which an organization efficiently plans, collects, organizes, uses, controls, disseminates and disposes of its information, and through which it ensures that the value of that information is identified and exploited to the fullest extent. (Literature: A, Chapter 4.11)
C) Incorrect. This is the focus of access management, which ensures that unauthorized persons or processes do not have access to automated systems, databases, and programs.
D) Incorrect. This is the focus of information analysis. Information analysis provides a clear picture of how an organization handles information – how the information flows through the organization.

6
Q

A database system has not had the latest security patches applied to it and was hacked. The hackers were able to access the data and delete it. What information security concept describes the lack of security patching?

A) Impact
B) Risk
C) Threat
D) Vulnerability

A

D) Vulnerability

A) Incorrect. Impact is the effect an event has on the organization or its information.
B) Incorrect. A risk is the combination of the likelihood and impact of an event happening.
C) Incorrect. An example of a threat is an external entity trying to exploit a vulnerability; in this case, the hackers form the threat.
D) Correct. An example of a vulnerability is a lack of protection. (Literature: A, Chapter 3.10)

7
Q

An administration office is determining the dangers to which it is exposed. What is a possible event that can have a disruptive effect on the reliability of information called?

A) A dependency
B) A risk
C) A threat
D) A vulnerability

A

C) A threat

A) Incorrect. A dependency is not an event.
B) Incorrect. A risk is the average expected damage over a period of time as a result of one or more threats leading to disruption.
C) Correct. A threat is a possible event that can have a disruptive effect on the reliability of information. (Literature: A, Chapter 3.9)
D) Incorrect. Vulnerability is the degree to which an object is susceptible to a threat.

8
Q

What is a purpose of risk management?

A) To determine the probability that a certain risk will occur
B) To direct and control an organization with regard to risk
C) To investigate the damage caused by possible security incidents
D) To outline the threats to which IT resources are exposed

A

B) To direct and control an organization with regard to risk

A) Incorrect. This is part of risk analysis.
B) Correct. Risk management consists of the coordinated activities to direct and control an organization with regard to risk. (Literature: A, Chapter 3.13)
C) Incorrect. This is part of risk analysis.
D) Incorrect. This is part of risk analysis.

9
Q

Which is a human threat?

A) A leak causes a failure of the electricity supply.
B) A USB stick passes on a virus to a network.
C) There is too much dust in the server room.

A

B) A USB stick passes on a virus to a network.

A) Incorrect. A leak is not a human threat, but a non-human threat.
B) Correct. A USB stick is always inserted by a person. Thus, if by doing so a virus enters the network, then it is a human threat. (Literature: A, Chapter 3.16)
C) Incorrect. Dust is not a human threat, but a non-human threat.

10
Q

A well-executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives. What is NOT one of the four main objectives of a risk analysis?

A) Determine relevant vulnerabilities and threats
B) Establish a balance between the costs of an incident and the costs of a measure
C) Identify assets and their value
D) Implement measures and controls

A

D) Implement measures and controls

A) Incorrect. This is one of the main objectives of a risk analysis.
B) Incorrect. This is one of the main objectives of a risk analysis.
C) Incorrect. This is one of the main objectives of a risk analysis.
D) Correct. This is not an objective of a risk analysis. (Literature: A, Chapter 3.13.3)

11
Q

There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The backup tapes kept in another room had melted and many other documents were lost. What indirect damage is caused by this fire?

A) Burned computer systems
B) Burned documents
C) Melted back-up tapes
D) Water damage

A

D) Water damage

A) Incorrect. Burned computer systems are direct damage caused by the fire.
B) Incorrect. Burned documents are direct damage caused by the fire.
C) Incorrect. Melted back-up tapes are direct damage caused by the fire.
D) Correct. Water damage due to the fire extinguishers is indirect damage caused by the fire. This is a side effect of putting out the fire, which is aimed at minimizing the damage caused by the fire. (Literature: A, Chapter 3.17)

12
Q

An office is situated in an industrial area. The company next to the office works with flammable materials. What is the relationship between the threat of fire and the risk of fire?

A) The threat of fire comes from the company next to the office, which poses a risk of fire by working with flammable materials in a vulnerable industrial area.
B) The threat of fire comes from the flammable materials, which poses a risk of fire to the office if the office has the vulnerability of not being fire-proof.
C) The threat of fire comes from the probability that the office will suffer damage because of the risk of fire the flammable materials pose.
D) The threat of fire comes from the vulnerable office in the industrial area, which is working close to a company that poses a risk of fire.

A

B) The threat of fire comes from the flammable materials, which poses a risk of fire to the office if the office has the vulnerability of not being fire-proof.

A) Incorrect. The threat is the flammable materials, not the company. The flammable materials are not a risk.
B) Correct. The relationship is as explained in the answer. (Literature: A, Chapter 3.8, 3.9 and 3.10)
C) Incorrect. The probability that the office will suffer damage is a risk, not a threat. The flammable materials are a threat, not a risk.
D) Incorrect. The office is a vulnerability, not a threat.

13
Q

A fire breaks out in a branch office of a health insurance company. The employees are transferred to neighboring branches to continue their work. Where in the incident cycle is moving to a stand-by arrangement found?

A) Between the damage and recovery stages
B) Between the incident and damage stages
C) Between the recovery and threat stages
D) Between the threat and incident stages

A

B) Between the incident and damage stages

A) Incorrect. Damage and recovery are limited by the stand-by arrangement.
B) Correct. A stand-by arrangement is a corrective measure that is initiated in order to limit the damage. (Literature: A, Chapter 16.5)
C) Incorrect. The recovery stage takes place after putting a stand-by arrangement into operation.
D) Incorrect. Carrying out a stand-by arrangement without an incident is very expensive.

14
Q

How is the purpose of information security policy BEST described?

A) An information security policy documents the analysis of risks and the search for countermeasures.
B) An information security policy gives direction and support to the organization regarding information security.
C) An information security policy makes the security plan concrete by providing it with the necessary details.
D) An information security policy provides insight into threats and the possible consequences.

A

B) An information security policy gives direction and support to the organization regarding information security.

A) Incorrect. The analysis of risks and the search for countermeasures is the purpose of risk analysis and risk management.
B) Correct. With the security policy, management provides direction and support regarding information security. (Literature: A, Chapter 5.1.1)
C) Incorrect. The security plan makes the information security policy concrete. The plan includes which measures have been chosen, who is responsible for what, the guidelines for the implementation of measures, etc.
D) Incorrect. The purpose of a threat analysis is to provide insight into threats and the possible consequences.

15
Q

An employee from an insurance company discovers that the expiration date of a policy has been changed without his knowledge. He is the only person authorized to do this. He reports this security incident to the helpdesk. The helpdesk worker records the following information regarding this incident:
- date and time
- description of the incident
- possible consequences of the incident
What important information about the incident is missing here?

A) The name of the person reporting the incident
B) The name of the software package
C) The names of the informed people
D) The PC number

A

A) The name of the person reporting the incident

A) Correct. When reporting an incident, the name of the reporter must be recorded at a minimum. (Literature: A, Chapter 16.2)
B) Incorrect. This is additional information that may be added later.
C) Incorrect. This is additional information that may be added later.
D) Incorrect. This is additional information that may be added later.

16
Q

Juliana is the owner of a courier company. She employs a few people who, while waiting to make a delivery, can carry out other tasks. She notices, however, that they use this time to send and read their private e-mail and surf the internet. In legal terms, in which way can the use of the internet and e-mail best be regulated?

A) By blocking all websites
B) By drafting a code of conduct
C) By implementing privacy regulations
D) By installing a virus scanner

A

B) By drafting a code of conduct

A) Incorrect. Blocking all websites regulates the use of internet only. It cannot regulate time spent on private use. This is a technical measure.
B) Correct. In a code of conduct, the use of internet and e-mail can be documented: which websites may or may not be visited and to what extent private use is permitted. These are internal regulations. (Literature: A, Chapter 7)
C) Incorrect. Privacy regulations only regulate the use of personal data of personnel and customers, not the use of internet and e-mail.
D) Incorrect. A virus scanner checks incoming e-mail and internet connections for malicious software. It does not regulate the use of internet and e-mail. It is a technical measure.

17
Q

Which system guarantees the coherence of information security in the organization?

A) Information Security Management System (ISMS)
B) Intrusion detection system (IDS)
C) Rootkit
D) Security regulations for special information

A

A) Information Security Management System (ISMS)

A) Correct. The ISMS includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources. This creates coherence in the organization. (Literature: A, Chapter 3.1)
B) Incorrect. An IDS monitors the network traffic and host activities but does not create coherence.
C) Incorrect. A rootkit is a malicious set of software tools often used by a third party (usually a hacker) after having gained access to a system.
D) Incorrect. This is a governmental set of rules on how to handle special information.

18
Q

A security incident regarding a web server is reported to a help desk employee. His colleague has more experience with web servers, so he transfers the case to her. Which term describes this transfer?

A) Functional escalation
B) Hierarchical escalation
C) Privilege escalation

A

A) Functional escalation

A) Correct. If the helpdesk employee is not able to deal with the incident personally, the incident can be reported to someone with more expertise who may be able to resolve the problem. This is called a functional (horizontal) escalation. (Literature: A, Chapter 16.1)
B) Incorrect. This is called a functional (horizontal) escalation. Hierarchical escalation is when a task is transferred to someone with more authority.
C) Incorrect. Privilege escalation is a step after gaining access to a computer system. This is typically a step during a hack or penetration test.

19
Q

Who is responsible for the translation of the business strategy and objectives to security strategy and objectives?

A) Chief information security officer (CISO)
B) General management
C) Information security officer (ISO)
D) Information security policy officer

A

A) Chief information security officer (CISO)

A) Correct. The CISO is at the highest management level of the organization and develops the general security strategy for the entire business. (Literature: A, Chapter 6.1)
B) Incorrect. General management defines the strategy that is input for the CISO to define the general security strategy.
C) Incorrect. The ISO develops the information security policy of a business unit based on the company policy and ensures that it is observed.
D) Incorrect. The information security policy officer is responsible for maintaining the policy that is derived from the security strategy.

20
Q

What is a repressive measure in case of a fire?

A) Putting out a fire after it has been detected
B) Repairing damage caused by the fire
C) Taking out a fire insurance

A

A) Putting out a fire after it has been detected

A) Correct. This repressive measure minimizes the damage caused by the fire. (Literature: A, Chapter 3.15.4)
B) Incorrect. This is not a repressive measure. It does not minimize the damage caused by the fire.
C) Incorrect. Taking out insurance protects against the financial consequences of a fire and is risk insurance.

21
Q

What is the goal of classification of information?

A) Applying labels to make the information easier to recognize
B) Creating a manual on how to handle mobile devices
C) Structuring information according to its sensitivity

A

C) Structuring information according to its sensitivity

A) Incorrect. Applying labels to information is designation, a special form of categorizing information which follows on from the classification of information.
B) Incorrect. Creating a manual has to do with user guidelines and is not classification of information.
C) Correct. Classification of information is used to define the different levels of sensitivity into which information can be structured. (Literature: A, Chapter 8.5)

22
Q

Which threat can occur as a result of the absence of a physical measure?

A) A confidential document is left in the printer.
B) A server shuts down because of overheating.
C) A user can view the files belonging to another user.
D) Hackers can freely enter the computer network.

A

B) A server shuts down because of overheating.

A) Incorrect. A security policy should cover the rules on how to handle confidential documents. All employees should be aware of this policy and practice the rules. This is an organizational measure.
B) Correct. Physical security measures take care of the protection of equipment through climate control (air conditioning, air humidity). (Literature: A, Chapter 11.2)
C) Incorrect. Logical access control is a technical measure which prevents unauthorized access to documents of another user.
D) Incorrect. Preventing hackers from entering the computer or network is a technical measure.

23
Q

A computer room is protected by a pass reader. Only the system management department has a pass. What type of security measure is this?

A) A corrective security measure
B) A physical security measure
C) A logical security measure
D) A repressive security measure

A

B) A physical security measure

A) Incorrect. A corrective security measure is a recovery measure. This pass reader system does not recover the impact of an incident.
B) Correct. This is a physical security measure. (Literature: A, Chapter 11.1.2)
C) Incorrect. A logical security measure controls the access to software and information, not the physical access to rooms.
D) Incorrect. A repressive security measure is intended to minimize the consequences of a disruption.

24
Q

The back-ups of the central server are kept in the same locked room as the server. What risk does the organization most likely face?

A) If the server crashes, it will take a long time before the server is operational again.
B) In the event of a fire, it is impossible to get the system back to its former state.
C) No one is responsible for these back-ups.
D) Unauthorized persons have easy access to the back-ups.

A

B) In the event of a fire, it is impossible to get the system back to its former state.

A) Incorrect. On the contrary, this would help to make the system operational more quickly.
B) Correct. The chance that the back-ups may also be destroyed in a fire is very high. (Literature: A, Chapter 3.6 and 11.2.1)
C) Incorrect. The responsibility has nothing to do with the storage location.
D) Incorrect. The server room should be locked.

25
Q

What is ‘establishing whether someone’s identity is correct’ called?

A) Authentication
B) Authorization
C) Identification

A

A) Authentication

A) Correct. Establishing whether someone’s identity is correct is called authentication. (Literature: A, Chapter 9.2)
B) Incorrect. Authorization is the process of giving access rights for a computer or network.
C) Incorrect. Identification is the process of making an identity known.

26
Q

What sort of security does a public key infrastructure (PKI) offer?

A) A PKI verifies which person or system belongs to a specific public key.
B) A PKI ensures that backups of company data are made on a regular basis.
C) A PKI shows customers that a web-based business is secure.

A

A) A PKI verifies which person or system belongs to a specific public key.

A) Correct. A characteristic of a PKI is that through agreements, procedures and an organization structure, it provides guarantees regarding which person or system belongs to a specific public key. (Literature: A, Chapter 10.2.3)
B) Incorrect. A PKI does not ensure making backups.
C) Incorrect. A PKI provides guarantees regarding which person or system belongs to a specific public key.

27
Q

In the IT department of a medium-sized company, confidential information has come into the wrong hands several times. This has hurt the image of the company. Therefore, the company is looking into organizational security measures to protect laptops at the company. What is the first step that should be taken?

A) Appoint additional security employees
B) Encrypt storage devices and hard disks of laptops
C) Formulate a policy regarding mobile devices
D) Set up an access control policy

A

C) Formulate a policy regarding mobile devices

A) Incorrect. This might be a good solution in the end, but it is not a good thing to start with.
B) Incorrect. Encrypting the hard disks of laptops and storage devices is a technical measure. This can be carried out based on an organizational measure.
C) Correct. This policy is an organizational measure. (Literature: A, Chapter 6.2)
D) Incorrect. Access control policy is an organizational measure, which only covers the access to buildings or IT-systems. It does not solve the problem.

28
Q

What is the most important reason for applying segregation of duties?

A) To create joint responsibility by all employees for the mistakes they make
B) To ensure that employees do the same work at the same time
C) To make clear who is responsible for what tasks and activities
D) To minimize the misuse of business assets or the chance of unauthorized or unintended changes

A

D) To minimize the misuse of business assets or the chance of unauthorized or unintended changes

A) Incorrect. Segregation of duties separates tasks and responsibilities. It does not make a group of people jointly responsible.
B) Incorrect. Segregation of duties is used to avoid the chance of unauthorized or unintended changes, or the misuse of the organization’s assets. It does not define when activities should be performed.
C) Incorrect. The segregation of duties is used to avoid the chance of unauthorized or unintended changes, or the misuse of the organization’s assets. Its objective is not to make clear who is responsible for what.
D) Correct. Duties must be segregated to avoid the chance of unauthorized or unintended changes, or the misuse of the organization’s assets. (Literature: A, Chapter 6.1.1)

29
Q

Which measure is a preventive measure?

A) Installing a logging system that enables changes in a system to be recognized
B) Putting all sensitive information in a safe after working hours
C) Shutting down all internet traffic after a hacker has gained access to the company systems

A

B) Putting all sensitive information in a safe after working hours

A) Incorrect. A logging system indicates an incident and helps research what happened after it happened, which is a detective measure.
B) Correct. A safe is a preventive measure, which avoids damage to the information stored in the safe. (Literature: A, Chapter 3.15.2)
C) Incorrect. Shutting down all internet traffic is a repressive measure aimed at limiting an incident.

30
Q

Which type of malware builds a network of contaminated computers?

A) Logic bomb
B) Spyware
C) Worm
D) Trojan

A

C) Worm

A) Incorrect. A logic bomb is a piece of code that is built into a software system. This code will then carry out a function when specific conditions are met. This is not always used for malicious purposes.
B) Incorrect. Spyware is a computer program that collects information on the computer user and sends this information to another party.
C) Correct. This is what a worm does. (Literature: A, Chapter 12.5.7)
D) Incorrect. A trojan is a program which, in addition to the function that it appears to perform, purposely conducts secondary activities, unnoticed by the computer user, which can harm the integrity of the infected system.

31
Q

Within an organization the security officer detects that a workstation of an employee is infected with malicious software. The malicious software was installed due to a targeted phishing attack. Which action is the most beneficial to prevent such incidents in the future?

A) Implement mandatory access control (MAC) technology
B) Start a security awareness program
C) Update the firewall rules
D) Update the signatures of the spam filter

A

B) Start a security awareness program

A) Incorrect. Mandatory access control (MAC) addresses access control. This does not prevent a user from being persuaded to execute some actions as a result of the targeted attack.
B) Correct. The underlying vulnerability of this threat is the unawareness of the user. Users are persuaded in these kinds of attacks to execute some code that violates the policy. Addressing these kinds of attacks in a security awareness program will reduce the chance of reoccurrence in the future. (Literature: A, Chapter 12.4.3)
C) Incorrect. A firewall may be able to block traffic that resulted from the installation of the malicious software, but it does not prevent the threat from reoccurring.
D) Incorrect. The targeted attack does not necessarily have to make use of e-mail. The attacker can also use social media, or even the phone to contact the victim.

32
Q

What is the purpose of a disaster recovery plan (DRP)?

A) To identify the vulnerability underlying a disaster
B) To minimize the consequences in case of a disaster
C) To reduce the possibility of a disaster to occur
D) To restore the situation back to how this was before the disaster

A

B) To minimize the consequences in case of a disaster

A) Incorrect. The DRP is aimed at minimizing the consequences of a disaster. The DRP has nothing to do with identifying vulnerabilities.
B) Correct. The DRP is aimed at minimizing the consequences of a disaster. (Literature: A, Chapter 17.2)
C) Incorrect. The DRP is aimed at limiting the consequences of a disaster and has nothing to do with reducing the possibility of a disaster occurring.
D) Incorrect. This is the objective of a business continuity plan (BCP).

33
Q

In physical security, multiple protection rings can be applied in which different measures can be taken. What is not a protection ring?

A) Building ring
B) Middle ring
C) Object ring
D) Outer ring

A

B) Middle ring

A) Incorrect. The building is a ring that deals with access to the premises.
B) Correct. There are four protection rings: outer ring, building, workspaces and object. (Literature: A, Chapter 11.1.1)
C) Incorrect. The object ring is a valid zone and deals with the asset that is to be protected.
D) Incorrect. The outer ring is a valid zone and deals with the area around the premises.

34
Q

Measures taken to safeguard an information system from attacks.
Of which concept is this the definition?

A) Risk analysis
B) Risk management
C) Security controls

A

C) Security controls

A) Incorrect. Risk analysis is the process of defining and analyzing the dangers to individuals, businesses and government agencies posed by potential natural and human-caused adverse events.
B) Incorrect. Risk management is the process of planning, organizing, leading, and controlling the activities of an organization to minimize the effect of risk on an organization’s capital and earnings.
C) Correct. Security controls are measures taken to safeguard an information system from attacks against the confidentiality, integrity, and availability (CIA) of the information system. (Literature: A, Chapter 3.14.1 and Appendix A)

35
Q

What is a characteristic of a security measure?

A) It describes a process for handling incidents.
B) It exposes an organization to possible damage.
C) It is put in place to mitigate against a potential risk.
D) It indicates the effect of uncertainty on objectives.

A

C) It is put in place to mitigate against a potential risk.

A) Incorrect. This is a characteristic of information security incident management.
B) Incorrect. This is a characteristic of a vulnerability, which is a weakness of an asset or group of assets that can be exploited by one or more threats.
C) Correct. A countermeasure is put into place to mitigate against the potential risk. It may be a software configuration, a hardware device, or procedure that eliminates a vulnerability or reduces the likelihood that a threat agent will be able to exploit a vulnerability. (Literature: A, Chapter 3.12)
D) Incorrect. This is another explanation of a risk.

36
Q

A data center uses an uninterruptible power supply (UPS) but has no power generator. What is the risk associated with this setup for the availability of the data center?

A) The main power may not come up again automatically when restored, because this needs a power generator.
B) The main power outage may last for longer than a few minutes or hours, which will cause unavailability of power.
C) The UPS may run out of diesel and stop functioning after a couple of days, so its lifespan is limited.
D) The UPS must be powered by the power generator after a few hours, so only provides limited protection.

A

B) The main power outage may last for longer than a few minutes or hours, which will cause unavailability of power.

A) Incorrect. A power generator is not used to trigger the main power supply.
B) Correct. A UPS only protects for temporary power outages and surges, whereas a power generator protects for longer-duration outages. (Literature: A, Chapter 11.2.2)
C) Incorrect. Diesel is used to power the generator; a UPS is powered by batteries.
D) Incorrect. The UPS will only work for a short period of time but is not powered by the generator; the generator simply takes over from the UPS.

37
Q

Under which condition is an employer permitted to check if internet and e-mail services in the workplace are being used for private purposes?

A) If a firewall is also installed.
B) If the employee is informed after each instance of checking.
C) If the employee is aware that this could happen.

A

C) If the employee is aware that this could happen.

A) Incorrect. A firewall protects against external intruders. This does not influence the right of the employer to monitor the use of IT services.
B) Incorrect. The employee does not have to be informed after each check.
C) Correct. The employees must know that the employer has the right to monitor the use of IT services.
(Literature: A, Chapter 7 and 18.2)

38
Q

Which standard or regulation is also known as the ‘code of practice for information security controls’?

A) ISO/IEC 27001
B) ISO/IEC 27002
C) Payment Card Industry (PCI) compliance
D) Sarbanes-Oxley act

A

B) ISO/IEC 27002

A) Incorrect. This ISO standard is the standard for the Information Security Management System (ISMS).
B) Correct. This standard is also known as the code of practice for information security controls.
(Literature: A, Chapter 18.1.4)
C) Incorrect. PCI compliance is a general standard for companies that process payment card information.
D) Incorrect. The Sarbanes-Oxley Act is a US federal law that sets standards for the boards of all US public companies.

39
Q

Legislation and regulations are important for the reliability of the information used within the organization. What is the first step that an organization must take to become compliant?

A) Conducting a risk analysis to find out which legislation and regulations apply
B) Creating an acceptable use policy to make personnel aware of what they must do
C) Planning the compliance audits in advance in accordance with the PDCA cycle
D) Writing a policy that indicates which local laws and regulations must be followed

A

D) Writing a policy that indicates which local laws and regulations must be followed

A) Incorrect. A risk analysis is carried out to find risks and define measures amongst other things. It is not used to find applicable legislation and regulations.
B) Incorrect. This step can only take place after knowing applicable law and regulations and incorporating these in a policy.
C) Incorrect. Audits to measure compliance can only be planned after it is known which laws and regulations are mandatory.
D) Correct. The first step for an organization is to produce a policy in which it declares that it must comply with the national and local legislation and regulations. (Literature: A, Chapter 18.1.1)

40
Q

Which legislation may have an impact on information security requirements for all companies dealing with European Union (EU) residents?

A) European Convention on Human Rights (ECHR)
B) ISO/IEC 27001
C) NIST Cybersecurity Framework
D) Payment Card Industry Data Security Standard (PCI-DSS)

A

A) European Convention on Human Rights (ECHR)

A) Correct. All EU member states are signatories of the ECHR. (Literature: A, Chapter 18.1.4)
B) Incorrect. Only organizations wanting to certify their information security management system (ISMS) need to conform to the requirements of ISO/IEC 27001.
C) Incorrect. NIST standards are only required for US Federal agencies and their suppliers.
D) Incorrect. Only organizations processing credit card data need to comply with PCI-DSS.

41
Q

Which is a key element of security strategy development?

A) Description of how the services are being supported
B) Policy should not conflict with the law of the country it is being implemented in
C) Relevant control objectives
D) Return on Investment (ROI)

A

C) Relevant control objectives

A) Incorrect. This answer does not pertain to defining overall security strategy and is more focused on the Service Level Agreement (SLA).
B) Incorrect. This answer does not pertain to defining overall security strategy and is more a part of policy development.
C) Correct. Having relevant control objectives is a key element to the development of security strategy. (Literature: A, Slide 059)
D) Incorrect. This answer does not pertain to defining overall security strategy and is more a part of financial forecasting and budgeting.

42
Q

One of the challenges of the IT security manager for a rather conservative organization is to teach IT management that, in order to provide an effective information security program for the organization, a change in thinking about what IT security is and what it encompasses is necessary. What is the IT security manager trying to teach management?

A) By focusing on the protection of the IT infrastructure and not getting sidetracked, it can ensure that proper focus is given where it is most critical.
B) Information security increasingly requires attention from more than just IT as not only the technology matters but also public acceptance of the use of technology.
C) Information security needs to operate within the bounds of the organizational IT group and limit their interaction with other organizational groups.

A

B) Information security increasingly requires attention from more than just IT as not only the technology matters but also public acceptance of the use of technology.

A) Incorrect. This is a very small subset of an information security program. It does not educate IT management that it takes an extended view to run and manage an effective information security program. Information security increasingly requires attention from more than just IT.
B) Correct. Security requires more than just the attention of IT within an organization. (Literature: A, Slide 015)
C) Incorrect. This does not teach IT management that it takes an extended view to run and manage an effective information security program. Information security increasingly requires attention from more than just IT.

43
Q

One of the business managers is really concerned that any sort of IT security program is going to be too intrusive for the business to continue to thrive and be innovative. Which statement best describes what should be told to the manager?

A) Information security exists to serve the interests of the organization and only the level of security that is appropriate for the value of the information is implemented.
B) Information security is a means to safeguard information and mitigate all the data risks within the organization.
C) While information security can be a bit intrusive it is for the best of the organization and all corporate information needs to be locked down tight or dire consequences can be faced.

A

A) Information security exists to serve the interests of the organization and only the level of security that is appropriate for the value of the information is implemented.

A) Correct. Choices are made regarding which data to protect and which level of protection that data needs. (Literature: A, Slide 015)
B) Incorrect. This answer states that all risks will be mitigated. Only subsets of corporate data truly need to be protected.
C) Incorrect. This answer states that all organizational data needs to be protected, which is not true.

44
Q

The security manager is responsible for defining the security controls for a company. The company is selecting a supplier to host the web-facing ordering system. What should be the most important aspect the security manager looks for?

A) A standard for due care
B) A standard for due diligence
C) Benchmarking
D) Best security practices

A

D) Best security practices

A) Incorrect. A standard for due care symbolizes a minimum level of security.
B) Incorrect. Due diligence means that the supplier meets a standard requirement. This is not necessarily the standard.
C) Incorrect. Benchmarking is a technique used to compare organizations with similar business/maturity/markets.
D) Correct. Best security practices are the best in class for a given industry or line of work. This is what the security manager will be looking for in a supplier. (Literature: A, Slide 015)

45
Q

Security controls are defined based on the security classification of a data element. Who is responsible for the security classification of a data element?

A) The Board of Directors, that runs the company
B) The data custodian, who manages the use of the data
C) The process owner, who governs the process
D) The system owner, who safeguards the information system

A

C) The process owner, who governs the process

A) Incorrect. The Board is overall accountable for any business process, but the responsibility for exercising all duties is delegated.
B) Incorrect. A custodian is responsible for defining and managing the requirements towards any data element as far as it concerns compliance with laws and regulations, but also for the use of data by different parties and processes in the form of data contracts.
C) Correct. Any data element is an object of control of a business process. The process owner is the only person who can identify if a data element is critical within the organization. (Literature: A, Slide 042)
D) Incorrect. The system owner is responsible for implementing the controls as required by the defined CIA (confidentiality, integrity, availability) classification.

46
Q

Which risk assessment approach uses categories instead of actual numbers to determine risks?

A) Evaluative
B) Qualitative
C) Quantitative

A

B) Qualitative

A) Incorrect. This is not a standard risk methodology or approach.
B) Correct. Qualitative is a well-accepted risk methodology that does not use pure numbers and relies somewhat on the experience of the security professional. (Literature: A, Slide 041)
C) Incorrect. Quantitative is the risk methodology that uses actual numbers.

47
Q

Information security management is currently being implemented in the company “Internet Booksellers”. The project leader for the information security project understands that the risk identification process requires him to list organizational assets arranged in order of importance, and he is working with the financial manager to develop this list. The weight of importance is based on the following criteria: impact on revenue (30%), impact on profitability (40%) and impact on public image (30%).
The financial manager has come up with four important information assets:
• Supplier orders (outbound)
• Customer order via SSL (inbound)
• Supplier fulfillment advice (inbound)
• Customer service request via e-mail (inbound)
What asset ranks the highest based on the impact criteria?

A) Supplier orders (outbound)
B) Customer order via SSL (inbound)
C) Supplier fulfillment advice (inbound)
D) Customer service request via e-mail (inbound)

A

B) Customer order via SSL (inbound)

A) Incorrect. When supplier orders cannot be sent out it will have a high impact on the possibility to create revenue and make profit. However, it will cause customer orders to be delayed. Some customers may move their purchase to a competitor. This will also impact profitability and public image. Normally revenue and profit will still be realized.
B) Correct. When a customer is not able to order online, he/she will immediately order from another source. The impact on revenue, profitability and public image will be maximal. (Literature: A, Slide 029)
C) Incorrect. When supplier delivery on call orders cannot be sent out it will have a high impact on the possibility to create revenue and make profit. However, it will cause customer orders to be delayed. Some customers may move their purchase to a competitor. This will also impact profitability and public image. Eventually revenue and profit will be realized.
D) Incorrect. When customer service requests cannot be fulfilled it will have a high impact on public image. The impact on revenue and profitability will be significantly lower than when elements of the logistics process fail.

48
Q

What needs to be decided prior to considering the treatment of risks?

A) How to apply appropriate controls to reduce the risks
B) Operational requirements and constraints
C) Requirements and constraints of national and international legislation and regulations
D) Quantifying risks

A

D) Quantifying risks

A) Incorrect. This is one of the four possible options for treatment of risks and is not something that needs to be decided prior to considering the treatment of risks.
B) Incorrect. This is one of the five items that need to be taken into account when designing controls and is not in the same ISO table as the correct answer.
C) Incorrect. This is one of the five items that need to be taken into account when designing controls and is not in the same ISO table as the correct answer.
D) Correct. If these criteria are in place, risks that are within the bounds of the organization’s risk appetite can be ignored. Thereby it is not necessary to spend time focusing on items that are not considered a risk by the organization or by regulation. (Literature: A, Slide 030 and Slide 041)

49
Q

A large transportation company has adopted the standard for information security (ISO/IEC 27001:2013) and needs to set up controls for its software development department which they will outsource. An external consultant has been appointed to make sure that security controls consistent with the code of practice will be implemented over the complete supply chain for software development in the new outsourced situation.
What control should be put in place to guarantee availability of the source code should one of the partners in the supply chain go out of business?

A) Acceptance testing
B) Effective documentation
C) Escrow arrangements
D) Licensing agreements

A

C) Escrow arrangements

A) Incorrect. Acceptance testing is a mechanism to ensure that the deliverables of the development process meet the quality criteria of the customer. The customer gets no access to the source code.
B) Incorrect. Effective documentation is a general requirement for all controls. Source code is not part of documentation accessible to the customer.
C) Correct. Escrow arrangements will ensure that software source code is stored at a neutral site. The source code is accessible to the customer when certain criteria are met, for example if the supplier goes into receivership. (Literature: A, Slide 043)
D) Incorrect. Licensing agreements only ensure code ownership and intellectual property rights. They cannot guarantee access to the source code for the customer should the supplier go out of business.

50
Q

The security manager for a company has just been tasked with leading the organization’s first ever risk assessment effort. The security manager is in the process of implementing controls to mitigate the identified risks. She has taken into account the organizational feasibility and the political feasibility using the organizational objectives and applicable legislation and regulations.
Which item also needs to be accounted for when taking into account the operational feasibility?

A) Risk mitigation
B) Operational constraints
C) Prioritization of risks
D) Transfer of risks

A

B) Operational constraints

A) Incorrect. Risk mitigation is the objective of what needs to be accomplished with controls but is not one of the items that needs to be taken into account when implementing the designed controls.
B) Correct. Organizational objectives, operational constraints and applicable legislation and regulation need to be accounted for when implementing risk controls. (Literature: A, Slide 032)
C) Incorrect. The step of the prioritization of risks takes place prior to the design and implementation of controls.
D) Incorrect. The transfer of risk is a control to be implemented. It is not something that needs to be taken into account when implementing a control.

51
Q

The scope of risk management is not limited to the organizational processes alone. It should also be embedded in the project management methodology. An information security risk assessment, for example, should be conducted at an early stage of each project. When implementing project risk management, it is necessary to consider the scope of this project.
What should be included in the scope of project risk management for standard projects?

A) Because a project organization is only a small part of the organization, it is only necessary to include a simple identification and rating mechanism for the threats and risks specifically related to the project.
B) It should include processes necessary to assess, manage and reduce the impact of occurrences as it would be with an information security project.
C) It is necessary to prepare for the maximum risk level and therefore implement important sub-processes like risk identification, quantification, response development and response control.

A

A) Because a project organization is only a small part of the organization, it is only necessary to include a simple identification and rating mechanism for the threats and risks specifically related to the project.

A) Correct. Generally, this scope should be sufficient for most projects. That said, it is necessary to allow for larger and more critical projects, so there should also be a process to escalate to a more detailed risk management process for larger/more comprehensive enterprise projects. Therefore, it is necessary to implement a generic scope, as is done for the organization as a whole. (Literature: A, Slide 046)
B) Incorrect. Project risk management is very similar to normal risk management. The generic scope should therefore be similar. On many occasions only a simple approach will be necessary, identifying and rating only those threats specifically facing the project.
C) Incorrect. Implementation of all possible sub-processes is only applicable to high-risk project scenarios like security projects or mission-critical environments. Only in those environments should it be the generic approach.

52
Q

What is the popular name of ISO/IEC 15408, the standard about security architecture models?

A) Graham-Denning model
B) Rainbow series – the “orange book”
C) Common criteria

A

C) Common criteria

A) Incorrect. The Graham-Denning access control model describes eight primitive protection rights. This is a good model, but not the methodology meant here.
B) Incorrect. The “orange book” is considered the cornerstone of the Rainbow series. The Trusted Computer System Evaluation Criteria (TCSEC) is a DoD (Department of Defense) standard that defines the criteria for assessing the access controls in a computer system. This standard is part of a larger series of standards collectively referred to as the Rainbow series.
C) Correct. The common criteria for information technology security evaluation (often called the common criteria or CC) is the international standard ISO/IEC 15408 for computer security certification. (Literature: A, Slide 125)

53
Q

An operations manager wants some advice about opening a second datacenter as a hot standby location.
What would the information security officer advise her to do?

A) Make sure that the location has a different physical risk profile than the primary location (airplanes, water)
B) Make sure that network and power supply are made redundant and, preferably, from different providers
C) Make sure that physical access is only granted to specific operators
D) Make sure that the company will not be a victim of the Patriot Act legislation

A

A) Make sure that the location has a different physical risk profile than the primary location (airplanes, water)

A) Correct. Since it is a backup location, it would be wise to make sure that it has a different risk profile. (Literature: A, Slide 043)
B) Incorrect. This is only part of the risk profile.
C) Incorrect. This is a general security control.
D) Incorrect. This is not a physical security risk. It is a legislation problem.

54
Q

A security team has just finished an organizational risk assessment and is now discussing controls to mitigate the risks. As part of that effort, programs and technical controls have been considered.
What is the third category of access controls that needs to be considered?

A) Costs
B) Policies
C) Transferences

A

B) Policies

A) Incorrect. The three categories of access controls are technical controls, programs and policies.
B) Correct. The three categories of access controls are technical controls, programs and policies.
(Literature: A, Slide 099)
C) Incorrect. The three categories of access controls are technical controls, programs and policies.

55
Q

After doing a risk assessment and establishing a proper set of controls that comply with an organization’s risk appetite, a consultant’s job is just about complete. The consultant understands that the reality is that no set of controls can achieve complete security.
What needs to be completed in order to strengthen security even more?

A) An internal audit needs to take place in order to provide assurance that the right risk decisions have been made.
B) Management action should be implemented to monitor, evaluate and improve the effectiveness of the security policies and controls to support the organization’s aims.
C) The business units must continue to perform risk self-assessments annually.
D) Transference of the residual risks must take place.

A

B) Management action should be implemented to monitor, evaluate and improve the effectiveness of the security policies and controls to support the organization’s aims.

A) Incorrect. An audit is not a mandatory step to make sure that correct risk decisions were made. An audit can, however, be done if there is a lack of confidence in the person(s) deciding on the mitigating controls.
B) Correct. This is a basic step in many best practice methodologies (for example Plan Do Check Act) that must be completed to ensure systemic improvement and ongoing evaluation, which is critical to maintaining adequate policies and controls. (Literature: A, Slide 057 and Slide 060)
C) Incorrect. Self-assessments are a good idea but are only as good as the people doing the assessment.
D) Incorrect. This is a control and the question states that the controls have already been established.

56
Q

The information security officer of the company has just been notified of a pending management review of the information security policy.
What is an input to this management review?

A) Improvement of control objectives and controls
B) Improvement of the management approach to information security
C) Resource needs

A

C) Resource needs

A) Incorrect. This is output from the management review.
B) Incorrect. This is output from the management review.
C) Correct. This is input to the management review. (Literature: A, Slide 057)

57
Q

The information security officer for a global company has just received a management review of the information security policy.
What should this output include?

A) Feedback from interested parties
B) Improvement of control objectives and controls
C) Status of preventive and corrective actions

A

B) Improvement of control objectives and controls

A) Incorrect. This is input to a management review of the information security policy.
B) Correct. This should be included in the output. (Literature: A, Slide 057)
C) Incorrect. This is input to a management review of the information security policy.

58
Q

The maintenance of an information security program requires a continuous process. This requires inputs from the many different factors that will influence its success.
Which is an input influence that would require the process to change?

A) Policy
B) Risk assessment
C) Security plan

A

B) Risk assessment

A) Incorrect. Policy is an output of the program. It is not an input.
B) Correct. Risk assessment is a change in input which requires adaptation of the process. (Literature: A, Slide 030)
C) Incorrect. The security plan is an output of the program. It is not an input.

59
Q

A large part of an information security team’s responsibility is to monitor and detect incidents. What is the strongest indicator of an incident?

A) Activities at unexpected times
B) Activities by dormant accounts
C) Notification from Intrusion Detection System (IDS)
D) The presence of new accounts

A

B) Activities by dormant accounts

A) Incorrect. This is associated with probable indicators, not definite ones.
B) Correct. If any of these dormant accounts start activities, an incident is quite certain to have occurred.
(Literature: A, Slide 126)
C) Incorrect. This is associated with probable indicators, not definite ones.
D) Incorrect. This is associated with probable indicators, not definite ones.

60
Q

Whose responsibility is it to coordinate an organization’s security awareness campaign?

A) Everyone in the organization
B) Information security management
C) The IT-department
D) The secretary of the CIO

A

B) Information security management

A) Incorrect. While everyone in the organization is responsible for organizational security, they are not responsible for coordinating the organization’s security awareness program.
B) Correct. Information security management is responsible for coordinating the security awareness campaign. (Literature: A, Slide 085)
C) Incorrect. While the IT department needs to promote and be aware of security issues and concerns, they are not responsible for coordinating the organization’s security awareness campaign.
D) Incorrect. He/she may be responsible for promoting and championing awareness but is not directly responsible for coordinating the organization’s security awareness program.

61
Q

Last year an organization became stricter regarding security controls for its employees. Before implementing additional controls, the information security officer wants to know the mindset of the employees towards information security controls. How does she get an impression quickly?

A) She checks the internet data stream.
B) She checks to determine if there are viruses on the network.
C) She walks about the office after normal business hours.

A

C) She walks about the office after normal business hours.

A) Incorrect. This only gives information about how the internet is being used, not about the general mindset of employees.
B) Incorrect. This is a technical measure and gives no information about the mindset of the employees.
C) Correct. When she walks about the office after normal business hours, she will see how employees handle sensitive information. (Literature: A, Slide 085)

62
Q

What is the main advantage of using an open design of the security architecture?

A) Open designs are easy to set up.
B) Open designs are tested a lot.
C) Open designs have a lot of extra features.

A

B) Open designs are tested a lot.

A) Incorrect. Open designs are not set up easier than secret designs.
B) Correct. Open designs are tested extensively, and moreover secret designs never stay secret.
(Literature: A, Slide 124)
C) Incorrect. Open designs do not necessarily have more features than secret designs.

63
Q

Which security item is designed to take large collections of network-related traffic that can indicate a denial-of-service attack?

A) Firewall
B) Host-Based Intrusion Detection and Prevention System (Host-Based IDPS)
C) Network-Based Intrusion Detection and Prevention System (Network-Based IDPS)
D) Virtual Private Network (VPN)

A

C) Network-Based Intrusion Detection and Prevention System (Network-Based IDPS)

A) Incorrect. This is a security tool but does not collect large amounts of network traffic.
B) Incorrect. This focuses on host-based data traffic collection and not network-based.
C) Correct. The Network-Based IDPS is used to gather and collect data flows across an organization’s network in order to see if abnormal events are indicative of an active attack such as a denial-of-service attack would be. (Literature: A, Slide 116)
D) Incorrect. This is a network infrastructure access device.

64
Q

The CEO of a company started using her tablet PC and wants the security manager to facilitate her in using business mail and calendar on the tablet. The security manager understands this desire to allow the possibility to Bring Your Own Device (BYOD).
What controls (besides an awareness training) should the security manager propose to prevent data loss in case of theft or loss of the personal device?

A) Encrypt the local storage and network connections
B) Implement strong authentication using tokens with one-time passwords
C) Investigate her requirements and do not grant the wish until stable integration of business functions on private devices is possible
D) Install anti-malware and a firewall to prevent infection

A

A) Encrypt the local storage and network connections

A) Correct. In case of loss or theft at least corporate data are safe. (Literature: A, Slide 099 and Slide 120)
B) Incorrect. This only allows secure login to the corporate network.
C) Incorrect. It may be wise, but the CEO cannot be overlooked.
D) Incorrect. In case of theft or loss the data are still accessible to third parties.

65
Q

Which statement about security architecture is most correct?

A) Security architecture follows strategy.
B) Security architecture is secondary.
C) Security architecture completely defines implementation rules.

A

A) Security architecture follows strategy.

A) Correct. Security architecture follows information security strategy. (Literature: A, Slide 123)
B) Incorrect. Security architecture is strategic and therefore not secondary.
C) Incorrect. Security architecture is higher-level design than this and does not completely define the implementation rules.

66
Q

Zoning is a security control to separate physical areas with different security levels. Zones with higher security levels can be secured by more controls. The security manager of a hotel is responsible for security and is considering different zones for the hotel.
What combination of business functions should be combined into one security zone?

A) Boardroom and general office space
B) Fitness area and storage facility
C) Hotel rooms and public bar
D) Public restaurant and lobby

A

D) Public restaurant and lobby

A) Incorrect. The boardroom could contain valuable strategic and thus confidential information that may not be accessible to regular personnel.
B) Incorrect. The storage facility should be available for (some) staff only, whereas the fitness area is accessible for all guests and staff.
C) Incorrect. The hotel rooms and bar must be separated. The public bar can be used by everyone and the hotel rooms are only for paying guests.
D) Correct. Both these locations can be used by anybody. (Literature: A, Slide 080)

67
Q

Knowing that physical security controls are a very important part of an information security program, the information security team is asked to design and then implement a security perimeter for a department that is setting up some new data systems.
According to ISO/IEC 27001, which is the most important guideline that needs to be considered when establishing this perimeter?

A) A two-person support model
B) Cameras and alarms must be installed
C) System logging and monitoring
D) The strength of the perimeter should depend on the classification of the data being protected

A

D) The strength of the perimeter should depend on the classification of the data being protected

A) Incorrect. This is a good physical control, but it is not the most important control and it is not a guideline.
B) Incorrect. This is a good physical control, but it is not the most important control and it is not a guideline.
C) Incorrect. This is a good control, but it is not the most important control and it is not a perimeter control.
D) Correct. Every decision an information security team makes should be data-centric, and the decisions should be based on the classification of the data involved. (Literature: A, Slide 082)

68
Q

The human resource manager for an organization asked what she could do as a quick win in the area of employment and hiring to help strengthen the organization’s data security program according to ISO/IEC 27001. What should the advice be?

A) Do background checks
B) Implement security policy
C) Place revolving gates at the entrance

A

A) Do background checks

A) Correct. One best practice is to conduct background checks on prospective employees. This simple step greatly strengthens the overall security of organizational data. (Literature: A, Slide 063 and Slide 084)
B) Incorrect. This is a good idea but is not a quick win. It would be a long-term strategy.
C) Incorrect. This is a physical control and does not help in the area of employment and hiring.

69
Q

The business continuity manager asks for input for the contingency plan. Which should be his first activity?

A) Define the scope
B) Identify critical business functions
C) Test the plan

A

B) Identify critical business functions

A) Incorrect. Scope is a pillar of project management and not a cornerstone for contingency planning, as the scope is driven by the results of the Business Impact Analysis (BIA).
B) Correct. The main thing that must be completed in order to have a contingency plan is for the business to define its critical business functions and systems and document these. (Literature: A, Slide 074)
C) Incorrect. Testing of the contingency plan is extremely important and needs to take place at least annually; however, it is not the first activity.

70
Q

One key component to integrate into an organization’s information security program is a robust business continuity program. In support of this, a security consultant has been asked to list out the key information security requirements for such a program. What is his first concern in business continuity management from an information security point of view?

A) Ensuring the safety of personnel and the protection of information processing facilities
B) Identifying events that can cause interruptions to the organization’s finances, followed by a risk assessment
C) Linking the different risk aspects together into a holistic plan to be endorsed by management to implement the strategy
D) Identifying the consequences of disasters, system down time, security failures, loss of service and inclusive risks to ensure that business systems are available

A

A) Ensuring the safety of personnel and the protection of information processing facilities

A) Correct. This is a key element of business continuity management from an information security point of view. (Literature: A, Slide 089)
B) Incorrect. This is part of business continuity and risk assessment: identifying events (or sequences of events) that can cause interruptions to the organization’s business processes.
C) Incorrect. This is part of business continuity and risk assessment, which should be carried out with full involvement from owners of business resources and processes.
D) Incorrect. This is part of business continuity and risk assessment: identifying events (or sequences of events) that can cause interruptions to the organization’s business processes.