Section 5 Flashcards
What crucial step should an organization take before attempting to assess its information security risks, according to ISO 27005?
The organization should gather information concerning the internal and external context, its interested parties, and their requirements. This step is essential before any attempt is made to assess information security risks or any other risks that can affect the intended outcome of the Information Security Management System (ISMS).
Who is responsible for setting and regularly reviewing the Risk Appetite?
Risk Appetite should be set and regularly reviewed by top management.
What crucial step should an organization take to reliably identify risks?
The organization should gather information concerning the internal and external context, its interested parties, and their requirements.
What is the purpose of a SWOT analysis?
SWOT analysis is used to conduct a thorough analysis of an organization's strengths, weaknesses, opportunities, and threats. The analysis is done with the aim of determining where the organization should invest its resources (take advantage of opportunities, reduce weaknesses, face threats, etc.).
Strengths and weaknesses seek to assess the internal issues, while opportunities and threats are used to assess the external issues of an organization.
In SWOT analysis, how are strengths, weaknesses, opportunities, and threats typically categorized in terms of assessing organizational issues?
Strengths and weaknesses seek to assess the internal issues, while opportunities and threats are used to assess the external issues of an organization.
What does a PEST analysis allow organizations to analyze?
A PEST analysis allows organizations to analyze market forces and opportunities in the areas of political, economic, social, and technological factors. Some authors include additional categories such as environmental and legal.
What does Porter’s Five Forces analysis examine?
Porter’s Five Forces analysis examines the competitiveness level of an organization by assessing five factors within an industry: the intensity of rivalry among competitors, the bargaining power of customers, the threat of potential entrants in the market, the bargaining power of suppliers, and the threats of alternative products or services.
Why is it important for an organization to consider interested parties that are opposed to its objectives in risk management?
The organization should consider all internal and external risk sources, including interested parties opposed to its objectives. Understanding these parties is highly relevant because it allows the organization to anticipate conflicts with its objectives. For example, an attacker wants the organization's security to be weak; knowing this, the organization implements strong security measures to mitigate the risk and protect the interests of the ISMS.
When analyzing the internal context of an organization, what structures should be identified?
The structures comprising various bodies and relations within the organization, including hierarchical and functional structures. This involves identifying segregation of duties, responsibilities, authorities, and communication, as well as functions outsourced to subcontractors.
What are the two main types of organizational structure outlined by ISO 27005?
The divisional structure, where each division is under the authority of a division director responsible for strategic, administrative, and operational decisions within that unit.
The functional structure, where functional authority is exercised over proceedings, including planning and decision-making.
What are the three levels distinguished within an organization’s structure, as per ISO 27005?
The strategic level, responsible for policies and strategies.
The steering level, responsible for the coordination and management of activities.
The operational level, responsible for operations and support activities.
Why is it important for the risk manager to understand the organization’s activities and the type of products and services it offers?
Understanding the organization’s activities and offerings is crucial as they significantly impact its business model and may expose it to special risks such as information security risks, liabilities, and fines.
What is the significance of the term “interested parties” in ISO/IEC 27005, and how are they defined in the context of information security risk management?
In ISO/IEC 27005, interested parties encompass both internal and external stakeholders with an interest in the information security risk management process. The information security risk management team must first identify all interested parties and their concerns about risk management. It should then define the roles, responsibilities, and level of participation expected from each party, and reach agreement on these with the parties during the planning stage.
What is the importance of defining the scope and boundaries related to the information security risk management process, according to ISO/IEC 27005?
The organization must define the scope and boundaries to ensure that all relevant assets are considered in the risk management program. Defining boundaries also makes it possible to identify, and protect against, risks that cross those boundaries, such as risks arising at the interfaces with systems, processes, or parties outside the scope.