Section 4 Information security risk management program Flashcards

1
Q

Risk Management

A

Processes for managing risk on an ongoing basis, in order to monitor it and keep it at a level that is acceptable to the organization.

2
Q

Understanding the Fundamentals:

How would you differentiate between risk management and risk assessment in simple terms?

A

Risk management is the continuous process of handling risks to maintain an acceptable level, while risk assessment is the specific activity of identifying, analyzing, and evaluating risks at a given moment.

Risk Management:
Definition: Continuous process.
Objective: Handling risks.
Purpose: Maintain an acceptable level of risk.

Risk Assessment:
Definition: Specific activity.
Activities: Identifying, analyzing, and evaluating risks.

3
Q

Risk Management Programs

A

Demonstrate Leadership and commitment
Assign responsibilities
Define the responsibilities
Ensure accountability
Establish a risk management policy
Establish a risk management process
Provide the resources

4
Q

How to Demonstrate Leadership and commitment

A

Implement and customize the Risk Management Framework

Issue a statement or policy

Ensure resources are allocated

Assign authority, responsibility and accountability

5
Q

Who is accountable for managing risk?

A

Top Management

6
Q

Who is accountable for overseeing risk management?

A

oversight bodies

7
Q

Internal Interested Parties

A
  1. Top Management
  2. Financial Department
  3. HR
  4. InfoSec Manager
  5. IT technician
  6. Legal Department
  7. Public Relations Department
  8. Internal Auditor
8
Q

They are the ones most directly affected by the risks to intangible assets, such as reputation, brand recognition, and trademarks.

A

Top Management

9
Q

Who is typically responsible for the risk management program in an organization?

A

Risk Manager

10
Q

Why is it important for the person responsible for the risk management program to be familiar with all aspects of the organization’s operations?

a. It’s a legal requirement
b. To enhance communication with stakeholders
c. To show off their knowledge
d. To increase workload

A

b. To enhance communication with stakeholders

11
Q

The core elements of the risk management process defined by ISO 31000 and ISO/IEC 27005 are:

A

Establishing the context
Risk assessment (comprising risk identification, risk analysis, and risk evaluation)
Risk treatment
Monitoring and review
Communication and consultation

12
Q

What is risk assessment, as defined in ISO/IEC 27005, clause 3.2.3?

A

Overall process of risk identification, risk analysis and risk evaluation

13
Q

True or False (InfoSec risk management cycles):
The risk assessment and risk treatment should be updated on a regular basis and based on changes.

A

True

14
Q

When is the strategic cycle typically conducted in risk management?

a. Only when minor changes occur
b. At shorter time intervals
c. At longer time intervals or when major changes occur
d. On a daily basis

A

c. At longer time intervals or when major changes occur

15
Q

What does the operational cycle focus on in the risk management process?

a. Only major changes
b. Short-term risks
c. Environmental objectives
d. Long-term goals

A

b. Short-term risks

16
Q

What is the primary focus of the strategic cycle in the risk management process?

a. Short-term goals
b. Detailed risk assessments
c. Achieving organizational objectives
d. Daily operational activities

A

c. Achieving organizational objectives

17
Q

How often should the operational cycle be conducted?

A

Depending on detailed risks and changes

18
Q

In which cycle can there be many risk assessments with different contexts and scope?

a. Only in the strategic cycle
b. Only in the operational cycle
c. Both in the strategic and operational cycles
d. In neither cycle

A

c. Both in the strategic and operational cycles

19
Q

Who is responsible for following up on the implementation of risk management recommendations?

The HR
The risk manager
The top management

A

The risk manager

The risk manager is responsible, among others, for ensuring the follow-up of the implementation of recommendations.

20
Q

Who is responsible for ensuring that resources are allocated for risk management?
The top management
The risk manager
The internal auditor

A

Top management is responsible for ensuring that the necessary resources are allocated to managing risk.

21
Q

Which of the following is considered a resource for risk management?

a. Documented processes and procedures
b. People and skills
c. Both A and B

A

Both A and B

Top management and oversight bodies should ensure allocation of appropriate resources for risk management, including, among others, people, skills, experience, competence, documented processes and procedures, and information and knowledge management systems.

22
Q

What is the primary goal of risk management?
a. Identifying risks
b. Analyzing risks
c. Managing risks on an ongoing basis
d. Evaluating risks at a certain point in time

A

c. Managing risks on an ongoing basis

23
Q

How is risk assessment defined?
a. A permanent program in the organization
b. A set of processes for managing risk
c. The process of identifying, analyzing, and evaluating risks
d. Monitoring and keeping risks at an acceptable level

A

c. The process of identifying, analyzing, and evaluating risks

24
Q

Is risk management a permanent program in the organization?
a. Yes, always
b. No, only at certain times
c. It depends on the organization
d. Only during major changes

A

a. Yes, always

25
Q

Who approves risks and holds overall responsibility?

A

Top management

26
Q

Department that analyzes costs, manages financial resources.

A

Financial Dept.

27
Q

Department that identifies training needs, contributes to risk awareness.

A

HR

28
Q

Who proposes controls for risk management?

A

InfoSec Manager

29
Q

Who implements technical solutions for daily operations?

A

IT technician

29
Q

Department that identifies compliance requirements (legal, regulatory, and contractual) and analyzes them.

A

Legal Dept.

30
Q

Who validates impacts on the organization’s reputation and manages external communications?

A

Public Relations (PR)

31
Q

Who validates security control compliance?

A

Internal auditor

33
Q

Who is typically responsible for the risk management program in an organization?

a. CEO
b. Risk Manager
c. IT Manager
d. Marketing Manager

A

b. Risk Manager

34
Q

Why is it considered a good practice to assign the risk management role to the risk manager?

a. To increase workload
b. Because it’s a legal requirement
c. The risk manager is familiar with all aspects of the organization’s operations
d. It’s a temporary role

A

c. The risk manager is familiar with all aspects of the organization’s operations

35
Q

With whom should the risk manager interact effectively?

a. Only with business managers
b. Only with support services staff
c. Both business managers and support services staff
d. Only with the CEO

A

c. Both business managers and support services staff

36
Q

Why should the person responsible for risk management be familiar with all aspects of the organization’s operations?

a. It’s a legal requirement
b. To increase workload
c. To effectively manage risks in different areas
d. Only for strategic planning

A

c. To effectively manage risks in different areas

37
Q

Can one person perform risk assessments that cover only a specific area or department of the organization?

A

Yes.
Performing risk assessments for a specific area or department of the organization by one person is often feasible due to the relatively focused scope and limited complexity of such assessments.

38
Q

Who are considered interested parties (key players) in the context of risk assessments?

a. Only team members
b. External consultants
c. Only top management
d. Individuals or groups affected by the assessment outcomes

A

d. Individuals or groups affected by the assessment outcomes

40
Q

A risk manager should be appointed to ensure proper coordination of risk management by:

A
  • Planning activities
  • Supervising the risk management team
  • Drafting the risk assessment report
  • Managing communication and awareness of risk with interested parties
  • Following up on the implementation of recommendations
43
Q

What should top management and oversight bodies demonstrate to convey their commitment to risk management according to ISO 27005?

A

They should demonstrate and articulate their continual commitment through a policy, a statement, or other forms that clearly convey the organization’s objectives and commitment to risk management.

44
Q

According to ISO 27005, how should risk assessment and risk management be updated, and into what cycles can updates be divided?

A

They should be updated on a regular basis and based on changes. Updates can be divided into two cycles: strategic cycles and operational cycles.

45
Q

How does the timing differ between the strategic and operational cycles in ISO 27005 risk management?

A

The strategic cycle is conducted at longer intervals or when major changes occur, while the operational cycle is shorter and depends on detailed risks identified and assessed, as well as related risk treatment.

46
Q

What is the primary focus of the strategic cycle compared to the operational cycle in ISO 27005 risk management?

A

The strategic cycle applies to the environment where the organization aims to achieve its objectives, while the operational cycle applies to all risk assessments within the context of the risk management process.