Standards for ISM

Question 1

What four things should organisations do about information?

Answer 1

Collect, process and store info; recognise info, processes and people are important assets; face a range of risks that affect info; and address these risks

Question 2

As risks and the effectiveness of controls change, what must organisations do?

Answer 2

Monitor effectiveness of controls and procedures; identify emerging risks; and implement and improvise controls

Question 3

What is an ISMS?

Answer 3

ISMS are the policies and guidelines in an organisation for protecting its important assets

Question 4

What is Management in an infosec context?

Answer 4

Management is the activities to direct, control and improve the organisation

Question 5

What is ISM?

Answer 5

ISM is making or using security policies, procedures and guidelines

Question 6

What is a process?

Answer 6

A process is the transformation of inputs to outputs

Question 7

What is the process approach?

Answer 7

The process approach is the use of a set of processes and the interaction between these processes

Question 8

Security requirements can be identified by analysing what?

Answer 8

Information assets and their value; needs for information processing; and legal, regulatory and contractual requirements

Question 9

Assessing risks will require analysing what?

Answer 9

Threats to and vulnerabilities in assets; likelihood of threat materialising; and potential impact of any incident on assets

Question 10

Possible options for risk treatment include what?

Answer 10

Applying appropriate controls to reduce risk; accept the risk; avoid risk by not allowing those actions; share the risk with other parties

Question 11

What should happen before controls are selected and implemented?

Answer 11

Information security requirements should be identified; risks should be determined and assessed; and decisions should be made for the treatment of risks

Question 12

How does an organisation maintain and improve an ISMS?

Answer 12

By monitoring and assessing performance, and reporting results to management

Question 13

What is the aim of continual improvement?

Answer 13

To increase the probability of preserving CIA

Question 14

What is the aim of ISO/IEC 27001?

Answer 14

To set down standardised requirements

Question 15

What is the context clause of ISO/IEC 27001?

Answer 15

The organisation should determine external and internal issues that affect its ability to maintain security

Question 16

What should the organisation consider when determining the scope of their ISMS?

Answer 16

External and internal issues, requirements of interested parties, and interfaces and dependencies between activities performed by the organisation

Question 17

What is the leadership clause of ISO/IEC 27001?

Answer 17

Leadership and commitment, policy and organisational roles

Question 18

What is the planning clause of ISO/IEC 27001?

Answer 18

Actions to address risks, and security objectives and planning to meet them

Question 19

What five things should a risk assessment process do?

Answer 19

Establish risk criteria; ensure that repeated assessments create consistent results; identify the risks; analyse the risks; and evaluate the risks

Question 20

In risk assessment, what does it mean to identify risks?

Answer 20

Apply the risk assessment process to find risks associated with CIA, and identify the risk owners

Question 21

In risk assessment, what does it mean to analyse risks?

Answer 21

Assess the potential consequences, the likelihood, and therefore the level of risk

Question 22

In risk assessment, what does it mean to evaluate risks?

Answer 22

Compare the results of risk analysis with risk criteria, prioritise the different risks

Question 23

What is awareness in an information security context?

Answer 23

Persons doing work under the company should be aware of the information security policy and all of its underlying principles

Question 24

When creating and updating documentation, what should be ensured?

Answer 24

Identification and descriptions, format, and review and approval

Question 25

When should organisations perform security risk assessments?

Answer 25

At planned intervals or when significant changes are made