M8: IT security management and risk assessment

Question 1

What is the main purpose of risk management in information security?

M8: IT security management and risk assessment

Answer 1

To help the organization’s leadership prioritize resources to manage risks effectively.

Question 2

What does ISO-27001 define as a risk?

M8: IT security management and risk assessment

Answer 2

The effect of uncertainty on objectives, which can be positive or negative.

Question 3

What are the five main activities in the risk management process?

M8: IT security management and risk assessment

Answer 3

• Context Establishment
• Risk assessment
• Risk treatment
• Risk acceptance
• Risk monitoring.

Question 4

What is the first step in the risk management process?

M8: IT security management and risk assessment

Answer 4

Establishing the context of the organization.

Question 5

What is risk assessment?

M8: IT security management and risk assessment

Answer 5

Identifying, analyzing, and evaluating risks based on the defined context.

Question 6

What are the four options for risk treatment?

M8: IT security management and risk assessment

Answer 6

• Modify
• Accept
• Avoid
• Share

Question 7

What is a risk treatment plan?

M8: IT security management and risk assessment

Answer 7

A plan that describes how identified risks will be managed.

Question 8

Who is responsible for risk management in an organization?

M8: IT security management and risk assessment

Answer 8

The organization’s top management and the information security committee.

Question 9

What is the role of the information security committee?

M8: IT security management and risk assessment

Answer 9

To approve and define the framework for risk management.

Question 10

What is risk acceptance?

M8: IT security management and risk assessment

Answer 10

The decision to accept the risk without further action.

Question 11

What is the purpose of risk monitoring?

M8: IT security management and risk assessment

Answer 11

To ensure that risk controls are implemented and effective.

Question 12

What is a risk matrix?

M8: IT security management and risk assessment

Answer 12

A tool to illustrate the level of risk based on likelihood and impact.

Question 13

What should be included in a risk treatment plan?

M8: IT security management and risk assessment

Answer 13

• Purpose
• Responsible person
• Resources
• Risk treatment actions
• Costs
• Timeline.

Question 14

What is the significance of risk communication?

M8: IT security management and risk assessment

Answer 14

To create awareness about the risk profile and security efforts within the organization.

Question 15

What is the importance of involving suppliers in risk management?

M8: IT security management and risk assessment

Answer 15

Suppliers have knowledge of technical solutions and controls that can affect risk

Question 16

What is the main purpose of an IT contingency policy?

M8: IT security management and risk assessment

Answer 16

To set the overall framework for an organization’s IT contingency work and implementation.

Question 17

What should be the starting point for IT contingency planning?

M8: IT security management and risk assessment

Answer 17

A risk assessment based on business needs or requirements.

Question 18

Who is responsible for approving the IT contingency policy?

M8: IT security management and risk assessment

Answer 18

The organization’s management.

Question 19

Why is it not recommended to use ‘find and replace’ to create a contingency policy?

M8: IT security management and risk assessment

Answer 19

Because the policy should be tailored to the organization’s specific needs and language.

Question 20

What is the role of external suppliers in IT contingency planning?

M8: IT security management and risk assessment

Answer 20

They should be involved if the organization outsources IT operations.

Question 21

What is the difference between a policy and a plan in IT contingency?

M8: IT security management and risk assessment

Answer 21

The policy is more long-term and less maintenance-intensive… while the plan is operational and detailed.

Question 22

What should be included in the IT contingency plan?

M8: IT security management and risk assessment

Answer 22

• Purpose
• Responsible person
• Resource effort
• Mitigation actions
• Other costs
• Timeline.

Question 23

What is the importance of having a clear classification of information?

M8: IT security management and risk assessment

Answer 23

To determine the sensitivity and required protection levels for
* Confidentiality
* Availability
* Integrity.

Question 24

What is a ‘risk owner’?

M8: IT security management and risk assessment

Answer 24

The person responsible for managing a specific risk.

Question 25

Why is it important to involve the organization’s communication unit in risk assessment planning?

M8: IT security management and risk assessment

Answer 25

To raise awareness about the organization’s risk profile and security efforts.

Question 26

What is the purpose of a risk management plan?

M8: IT security management and risk assessment

Answer 26

To describe how identified risks will be handled, including mitigation actions and timelines.

Question 27

What should be done if IT operations are outsourced?

M8: IT security management and risk assessment

Answer 27

Involve the external supplier in the risk assessment and management process.

Question 28

What is the benefit of integrating information security management with overall risk management?

M8: IT security management and risk assessment

Answer 28

It provides a more comprehensive and clear risk picture for the organization