
ISO 2700x UPDATED ACTUAL Exam Questions and CORRECT Answers

Pages: 6
Grade: A+
Uploaded on: 24-03-2025
Written in: 2024/2025

Why should a company implement ISO 27001? - CORRECT ANSWER -
- Benchmark information security
- International operations
- Competitive advantage
- Contractual obligations


Can you be ISO 27002 certified? - CORRECT ANSWER - No, because ISO 27002 is not
a management standard. What does a management standard mean? It means that such a standard
defines how to run a system. Certification is only available for ISO 27001.


It means that management has its distinct responsibilities, that objectives must be set, measured
and reviewed, that internal audits must be carried out and so on. All those elements are defined in
ISO 27001, but not in ISO 27002.


What's the difference between ISO 27001 and ISO 27002? - CORRECT ANSWER - Every
standard from the ISO 27000 series is designed with a certain focus - if you want to build the
foundations of information security in your organization, and devise its framework, you should
use ISO 27001; if you want to implement controls, you should use ISO 27002; if you want to
carry out risk assessment and risk treatment, you should use ISO 27005, etc.


The difference is also in the level of detail - on average, ISO 27002 explains one control on one
whole page, while ISO 27001 dedicates only one sentence to each control.


How is ISO 27001 implemented? - CORRECT ANSWER - ISO 27001 prescribes a risk
assessment to be performed in order to identify, for each control, whether it is required to decrease
the risks, and if it is, to what extent it should be applied.


What are the metrics of security clauses, control objectives and controls on ISO 27001? -
CORRECT ANSWER - 11 Security clauses, which comprise:
a. 39 main control objectives
b. 142 controls
c. 1 introductory clause which deals with risk assessment and treatment
(* 1,033 'shoulds')


What is ISO 27001? - CORRECT ANSWER - ISO/IEC 27001:2013 (ISO 27001) is the
internationally recognized standard that outlines the requirements for constructing a risk-based
framework to initiate, implement, maintain, and manage information security within an
organization.


The standard defines what an information security management system (ISMS) is, what is
required to be included within the ISMS, and how management should form, monitor, and
maintain the ISMS.


What is the ISO 27001 certification? - CORRECT ANSWER - The certification is an
independent validation that the ISMS conforms to the requirements of the ISO 27001 standard.


How long is ISO 27001 valid, and what (if anything) is required during that term? -
CORRECT ANSWER -



What is a SOC2 report? - CORRECT ANSWER - The SOC 2 examination is an
independent examination of the service organization's controls that are designed and operating
effectively (in the case of a Type 2 report) to meet the applicable criteria in ONE OR MORE (not
necessarily all) of the five Trust Services Principles and Criteria:
a. Security
b. Availability
c. Processing Integrity
d. Confidentiality
e. Privacy


When did SOC reports originate? - CORRECT ANSWER - In early 2011, the AICPA
issued its Service Organization Control (SOC) reporting framework.
