Section 2 Standards and regulatory frameworks

Question 1

ISO/IEC 27005

pertains to?
guidance on?

Answer 1

Information Security, cybersecurity and privacy protection - Guidance on managing information security risk.

Question 2

ISO/IEC 31000:2018

Answer 2

• This standard provides GUIDELINES for managing risk face by organizations in ANY industry or sector
• Applicable to ANY type of risk
• Org. cannot obtain this certification

Question 3

What is ISO?

Answer 3

International Organization for Standardization

Published as International Standards

Question 4

ISO/IEC 27005

Answer 4

Guidlines for managing information security risks, in accordance with the requirements of ISO/IEC 27001.

Question 5

ISO/IEC 27001

Answer 5

Specifies requirements for ISMS

Requirements for establishing, implementing, maintaining, and continuall

Question 6

ISO/IEC 27000

Answer 6

General Overview of ISMS
Terms and Definition for ISMS

Question 7

BS 7799

Establish?
Government of?

Answer 7

• Establish and Implement ISMS
• UK government
• Department of Trade and Industry (DTI)

Question 8

27001

verb?
can organizationobtain this certification?

Answer 8

• “shall”
• all organization (type, size, industry)
• can obtain certification

Question 9

How do you preserve the CIA of Information?

Answer 9

ISMS preserves CIA by applying Risk Management

Question 10

ISO/IEC 27005

Complying to?
expressed with the verb?
Can organizations obtain this certification?

Answer 10

• Complying to 27001
• Guidlines for conducting Information Security Risk Management
• verb “should”
• Orgnizations cannot obtain certification against this standard

Question 11

How many clauses and Annex?
ISO/IEC 27005

Answer 11

• 10 clauses
• Annex A
• Clauses 1- 4: general information on standrad
• Clause 5: introduces the information security risk management process and cycle
• Clause 6 to 10: elaborates information security risk management activities
• Annex A: examples for RA process

Question 12

Risk Management Activities
outlined in clause 7-10

Answer 12

Input
Action
Trigger
Output
Guidance

Question 13

Input
Action
Trigger
Output
Guidance

Answer 13

Input - Identification of requirements to perform the activity
Action - describes the activity
Trigger - guidance on when to start
Output - information after performing the activity
Guidance - guidnace on performing the activity, keyword and key concept

Question 14

ISO 31000

what is ISO 31000?
applicable to what risk?
organization can be certified with ISO 31000?

Answer 14

• guidelines for managing risk
• applicable to any type of risk, regardless of its nature or consiquences
• Organization? No

Question 15

Purpose of RMF?

Answer 15

Assist orgnization in integrating Risk Management

Question 16

IEC 31010

What is IEC 31010?
Can organization obtain this?

Answer 16

• Selection and Application of techniques in assessing risk
• Organizations cannot obtain this

Question 17

Relationship of ISO/IEC 27005 and ISO 31000

Answer 17

• 27005 - Framework on Risk Management applied to Information Security
• 31000 - Generic Framework

Question 18

Purpose of Risk Management

Answer 18

creation and protection of value