⫸ Which of the following is not an acceptable risk treatment option?
a) Ignore the risk because it is negligible
b) Accept the risk because it is within the organisation's risk appetite
c) Put controls in place to mitigate the risk
d) Avoid the risk because it is too great. Answer: A
⫸ What is the content of ISO 27000? Answer: Overview and vocabulary
⫸ What is the content of ISO 27001? Answer: Requirements (for an information security management system)
⫸ What is the content of ISO 27002? Answer: Code of practice for information security controls
⫸ What is the content of ISO 27005? Answer: Information security risk management
⫸ Which of the following is not a principle of data processing under GDPR?
a) No transfer of data outside the EEA without an adequate level of protection
b) Purpose limitation
c) Data minimisation
d) Storage limitation. Answer: A
⫸ Which of the following is true when monitoring employees at work?
a) Employees have no right to privacy when using the employer's IT systems
b) It is essential for employees to be informed of any monitoring and to consent to being monitored
c) Employees should be informed of any monitoring unless covert monitoring is justified
d) A privacy impact assessment should only be carried out when covert monitoring is being considered. Answer: C
⫸ Which is not an example of special category data under GDPR?
a) Your medical records held at your GP's surgery
b) Your bank account details, including transactions and balances on your account
c) Union membership details
d) Membership of the local branch of the Humanist Society. Answer: B
⫸ Which statement regarding transfers of data outside the EEA is not true?
a) Privacy Shield provides a mechanism for a company in any country outside the EEA to offer assurances that personal data of EU subjects can be safely transferred to and processed by that company
b) Privacy Shield replaced the earlier Safe Harbor agreement, which was ruled invalid by the European Court of Justice in 2015
c) Privacy Shield is a voluntary program to which US companies can sign up to demonstrate compliance with EU data protection standards when processing EU citizens' personal data
d) EU citizens' personal data can be transferred freely to countries for which the EU has made an Adequacy Decision, on the basis that that country offers levels of protection for personal data equivalent to those offered within the EU. Answer: A
Note: Privacy Shield applied only to US organisations, which is why (a) is false. Privacy Shield was itself invalidated by the Court of Justice of the EU in July 2020 (Schrems II); the EU-US Data Privacy Framework, adopted in July 2023, is its successor.
⫸ Which of the following statements about policies is true?
a) The company's Information Security Policy is a Tier 1 policy and the Acceptable Use Policy is a Tier 2 policy
b) The HR Security Policy is a Tier 3 policy and the company's Information Security Policy is a Tier 1 policy
c) The Asset Management Policy is a Tier 1 policy and the company's Information Security Policy is also a Tier 1 policy
d) The Asset Management Policy is a Tier 2 policy and the Acceptable Use Policy is a Tier 3 policy. Answer: D