CORRECT Answers
Residual Risk - CORRECT ANSWER - Residual risk is any risk that remains after
management has decided to implement controls
Risk - CORRECT ANSWER - Consequence of uncertainty on objectives
Asset example categories - CORRECT ANSWER - Information (customer data)
Hardware (servers, routers)
Software (database)
People (Employees)
Locations (offices, data center locations)
Vulnerability - CORRECT ANSWER - Lack of safeguard or weakness of an asset or
group of assets that can be exploited by a threat
What is an ISMS - CORRECT ANSWER - A systematic approach for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving an organization's
information security to achieve business objectives
4 Levels in awareness/communication pyramid - CORRECT ANSWER - 1) ISMS Design
(IS policy)
2) Processes/Procedures (password standard)
3) Work instructions (blank JIRA ticket)
4) Records (filled out JIRA ticket)
What goes into your scope? - CORRECT ANSWER - Assets
People
Exclusions with justifications
Organizational structure
Technology
Locations
Internal context factors - CORRECT ANSWER - Governance
Roles & responsibilities
Stakeholders
Culture
External context factors - CORRECT ANSWER - Social
Political
Financial
Natural
Reasons we would accept a risk - CORRECT ANSWER - Asset to be decommissioned
Legal obligation to do so
Cost to implement controls to bring risk down is too high
Risk is already below/at an acceptable level
6 stages in the information risk management lifecycle - CORRECT ANSWER - Scope
Acceptance levels
Acceptance criteria
Risk Analysis
Risk Treatment
Risk Monitoring
What does ISO/IEC 27002 consist of? - CORRECT ANSWER - 114 specific controls