Questions and CORRECT Answers
Information security manual - CORRECT ANSWER - Not required by ISO 27001. Clause 7.5 (Documented information) covers the documented information the ISMS must include: everything the standard itself requires to be documented, plus whatever the organization determines is necessary for the ISMS to be effective. A manual is therefore not required; an organization may still produce one if it decides a manual is important to the success of its information security management system.
Does top management need to approve the risk methodology? - CORRECT ANSWER - (6.1.2 - Information security risk assessment) - No. The clause requires the organization to define and apply a risk assessment process that satisfies the clause's requirements (including risk acceptance criteria and criteria for performing assessments, so that repeated assessments give consistent, valid and comparable results); it does not require top management to approve the methodology itself. However, the acceptable level of risk (the risk acceptance criteria) should be approved by top management. An organization may also issue a top-down internal policy requiring that all information security risks be handled through its chosen risk framework.
There should be a procedure for internal audit - CORRECT ANSWER - Clause 9.2 (Internal audit) sets out what the organization must do: conduct internal audits at planned intervals, and plan, establish, implement and maintain an audit programme that defines the frequency, methods, responsibilities, planning requirements and reporting of those audits.
Accessibility of the information security policy - CORRECT ANSWER - 5.2 (Policy) - the policy must be available as documented information, be communicated within the organization, and be available to interested parties where appropriate.
The risk analysis should take into account the stakeholders, their needs and expectations; where are these described? - CORRECT ANSWER - 6.1 (Planning) requires the organization to consider the issues referred to in 4.1 and the requirements referred to in 4.2 when planning the ISMS. 4.1 (Understanding the organization and its context) covers the external and internal issues relevant to the organization's purpose that affect its ability to achieve the intended outcomes of the ISMS. 4.2 (Understanding the needs and expectations of interested parties) requires the organization to determine the interested parties (stakeholders) relevant to the ISMS and their requirements. Examples of internal stakeholders are employees, trade unions, associations and the board of directors. Examples of external stakeholders are regulators, government, external suppliers, clients / customers, and public-opinion groups (such as peace or environmental organizations).
The scope of an information security management system should also take into account external
and internal stakeholders - CORRECT ANSWER - True. 4.3. The organization should