Standards for ISM Flashcards

1
Q

What four things hold for organisations of all types and sizes with respect to information?

A

They collect, process, store and transmit information; they recognise that information and the related processes, systems, networks and people are important assets; they face a range of risks that may affect those assets; and they address their risk exposure by implementing information security controls

2
Q

As risks and the effectiveness of controls change, what must organisations do?

A

Monitor and evaluate the effectiveness of the implemented controls and procedures; identify emerging risks to be treated; and select, implement and improve appropriate controls as needed

3
Q

What is an ISMS?

A

An ISMS (information security management system) is the set of policies, procedures, guidelines and associated resources and activities, collectively managed by an organisation, in pursuit of protecting its information assets

4
Q

What is Management in an infosec context?

A

Management is the set of activities used to direct, control and continually improve the organisation within appropriate structures

5
Q

What is ISM?

A

ISM (information security management) is the formulation and use of information security policies, procedures and guidelines, which are then applied throughout the organisation by everyone associated with it

6
Q

What is a process?

A

A process is a set of interrelated or interacting activities that transforms inputs into outputs

7
Q

What is the process approach?

A

The process approach is the application of a system of processes within an organisation, together with the identification of these processes, their interactions, and their management

8
Q

Security requirements can be identified by analysing what?

A

Information assets and their value; the organisation's business needs for information processing, storage and communication; and legal, regulatory and contractual requirements

9
Q

Assessing risks will require analysing what?

A

Threats to and vulnerabilities in assets; the likelihood of each threat materialising; and the potential impact of an incident on those assets

10
Q

Possible options for risk treatment include what?

A

Applying appropriate controls to reduce the risk; knowingly accepting the risk where it satisfies the organisation's risk acceptance criteria; avoiding the risk by not allowing the actions that would cause it; and sharing the risk with other parties such as insurers or suppliers

11
Q

What should happen before controls are selected and implemented?

A

Information security requirements should be identified; risks should be determined and assessed; and decisions should be made for the treatment of risks

12
Q

How does an organisation maintain and improve an ISMS?

A

By monitoring and assessing performance against the organisation's policies and objectives, and reporting the results to management for review

13
Q

What is the aim of continual improvement?

A

To increase the probability of preserving the confidentiality, integrity and availability (CIA) of information

14
Q

What is the aim of ISO/IEC 27001?

A

To specify the requirements for establishing, implementing, maintaining and continually improving an ISMS, so that an organisation's ISMS can be assessed and certified against a common standard

15
Q

What is the context clause of ISO/IEC 27001?

A

Clause 4 (context of the organisation): the organisation should determine the external and internal issues relevant to its purpose that affect its ability to achieve the intended outcomes of its ISMS, and the requirements of interested parties

16
Q

What should the organisation consider when determining the scope of their ISMS?

A

The external and internal issues, the requirements of interested parties, and the interfaces and dependencies between activities performed by the organisation and those performed by other organisations

17
Q

What is the leadership clause of ISO/IEC 27001?

A

Clause 5: leadership and commitment; the information security policy; and organisational roles, responsibilities and authorities

18
Q

What is the planning clause of ISO/IEC 27001?

A

Clause 6: actions to address risks and opportunities (risk assessment and risk treatment), and information security objectives together with planning to achieve them

19
Q

What five things should a risk assessment process do?

A

Establish and maintain risk criteria (risk acceptance criteria and criteria for performing assessments); ensure that repeated assessments produce consistent, valid and comparable results; identify the risks; analyse the risks; and evaluate the risks

20
Q

In risk assessment, what does it mean to identify risks?

A

Apply the risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability of information within the scope of the ISMS, and identify the risk owners

21
Q

In risk assessment, what does it mean to analyse risks?

A

Assess the potential consequences if each risk materialised, assess its realistic likelihood, and from these determine the level of risk

22
Q

In risk assessment, what does it mean to evaluate risks?

A

Compare the results of the risk analysis with the risk criteria, and prioritise the analysed risks for treatment

23
Q

What is awareness in an information security context?

A

Persons doing work under the organisation's control should be aware of the information security policy, their contribution to the effectiveness of the ISMS, and the implications of not conforming with ISMS requirements

24
Q

When creating and updating documentation, what should be ensured?

A

Identification and description (e.g. title, date, author, reference number); format (e.g. language, software version) and media (e.g. paper, electronic); and review and approval for suitability and adequacy

25
Q

When should organisations perform security risk assessments?

A

At planned intervals, or when significant changes are proposed or occur