ISA 3300 Chapter 5 Questions and Correct
Answers/ Latest Update / Already Graded
Small organizations spend more per user on security than medium- or
large-sized organizations.
True
False
Ans: True
Legal assessment for the implementation of the information security
program is almost always done by the information security or IT
department.
True
False
Ans: False
Threats from insiders are more likely in a small organization than a
large one.
All rights reserved © 2025/ 2026 |
True
False
Ans: False
Which of the following is NOT a part of an information security
program?
a. technologies used by an organization to manage the risks to its
information assets
b. activities used by an organization to manage the risks to its
information assets
c. personnel used by an organization to manage the risks to its
information assets
d. All of these are part of an information security program.
Ans: d. All of these are parts of an information security
program.
Which of the following variables is the most influential in determining
how to structure an information security program?
a. security capital budget
b. competitive environment
c. online exposure of organization
d. organizational culture
Ans: d. Organizational culture
Which of the following functions includes identifying the sources of risk
and may include offering advice on controls that can reduce risk?
a. risk treatment
b. risk assessment
c. systems testing
d. vulnerability assessment
Ans: b. risk assessment
Which of the following is true about the security staffing, budget, and
needs of a medium-sized organization?
a. It has a larger dedicated (full-time) security staff than a small
organization.
b. It has a larger security budget (as percent of IT budget) than a small
organization.