Week 1

Question 1

What is Information Security Management (ISM)?

Answer 1

It defines and manages controls to protect the confidentiality, integrity, and availability (CIA) of assets from threats and vulnerabilities.

Question 2

What are the key standards in the ISO 27000 series?

Answer 2

-ISO 27001 (ISMS requirements)
-ISO 27002 (security controls guidance)
-ISO 27005 (incident management).

Question 3

What is an Information Security Management System (ISMS)?

Answer 3

A business risk-based system that manages information security through policies, procedures, and controls.

Question 4

What are the three core elements of the CIA triad in ISM?

Answer 4

Confidentiality, Integrity, Availability.

Question 5

Define the term “Asset” in information security.

Answer 5

Anything valuable to an organization, such as information, infrastructure, or software.

Question 6

What is a threat?

Answer 6

A potential cause of an incident that may harm the organization.

Question 7

What is a vulnerability?

Answer 7

A weakness that can be exploited by a threat.

Question 8

What are the four risk treatment options?

Answer 8

-Eliminate (avoid)
-Reduce (mitigate)
-Transfer
-Accept.

Question 9

What are “Authentication” and “Authorization”?

Answer 9

-Authentication verifies identity
-Authorization grants permission to access resources.

Question 10

What is the purpose of an audit in ISM?

Answer 10

To evaluate compliance with security requirements.

Question 11

What are the characteristics of ISO 27001?

Answer 11

Asset-focused, risk-driven, and process-oriented.

Question 12

What is the purpose of ISO 27001?

Answer 12

To establish, implement, maintain, and improve an ISMS.

Question 13

What types of information should be protected under ISO 27001?

Answer 13

Printed, electronic, verbal, visual, web-based, and intangible (e.g., expertise).

Question 14

What is the process approach in ISO 27001?

Answer 14

Security management is a continuous cycle that adapts to emerging threats.

Question 15

What are some sources of security requirements?

Answer 15

Business needs, organizational factors, legal/regulatory compliance, stakeholder expectations.

Question 16

What are the four related ISO standards and their focus?

Answer 16

SO 27001: ISMS requirements
ISO 27002: Security controls
ISO 27004: Performance measurement
ISO 27005: Risk management

Question 17

What does ISO 27002 provide?

Answer 17

A list of 114 security controls across 14 clauses with implementation guidelines.

Question 18

Give an example of ISO 27002 Clause 9 – Access Control.

Answer 18

9.1.1 Access Control Policy: Define/enforce policies;
9.1.2: Restrict access to authorized users.

Question 19

What is ISO 27004 about?

Answer 19

Measuring the effectiveness of ISMS through performance indicators like log analysis, incident stats, and audit results.

Question 20

What are key cybersecurity metrics used in ISO 27004?

Answer 20

-Unpatched devices, intrusion attempts
-Mean Time to Detect (MTTD)
-Mean Time to Contain (MTTC)
-Days to Patch.

Question 21

What is the focus of ISO 27005?

Answer 21

Asset-driven security risk management through preparation, identification, analysis, evaluation, and treatment.

Question 22

Name one criticism of ISO 27001.

Answer 22

It’s sometimes used as a checkbox exercise for certification rather than genuine security improvement.