ISOIEC 27001 Practitioner Exam Sample Paper - April 2014 PDF
SX01
Scenario Booklet
This is a 2.5-hour objective test examination. This booklet contains the Project
Scenario upon which this exam paper is based. All questions are contained within
the Question Booklet.
The exam is to be taken with the support of only the following British Standards:
ISO/IEC 27000:2014
ISO/IEC 27001:2013
ISO/IEC 27002:2013
ISO/IEC 27003:2010
ISO/IEC 27005:2011
No material other than the Question Booklet, the Scenario Booklet, the Answer
Booklet and the five standards is to be used. However, if required, the ISO/IEC
27001 Supplementary Paper, which contains relevant parts of ISO/IEC 27003:2010,
may be used.
Background
Equitable Products is a food processing and supply company. It supplies food
packaged under its own brand name to general retailers and 'supermarket brand' packaged goods
to supermarket chains.
In addition they have recently begun supplying frozen 'ready meal' products to a major restaurant
chain.
To support their business, Equitable Products has food processing plants at two sites. One site deals
with the processing and re-packaging of bulk foodstuffs into branded packages (own brand and
supermarket). The other site produces ready meals which are supplied as frozen products to general
retail customers and the restaurant chain.
Organization
There are three marketing divisions within the organization to service the separate retail, supermarket
and restaurant markets. Each of the marketing divisions has their own business targets, objectives
and processes.
An internal IT unit is responsible for the provision of IT services within Equitable Products.
Each division uses some specific, dedicated IT services, together with a core set of shared corporate
IT services to support their business operations. For example, the Equitable Products' IT systems now
interface directly with the supermarkets’ IT systems to enable 'just in time' re-ordering and delivery.
The restaurant chain's IT systems are also now connected to Equitable Products' IT systems. All
the new Restaurant Ready Meal products are tagged with a Radio Frequency Identification
(RFID) device. All restaurant products must be consumed within five days of production. The RFID
technology enables each individual restaurant's usage to be monitored by Equitable Products. A
production schedule is produced for the restaurant ready meal products in order to reduce wastage.
Current Status
As a result of international concern over contamination of products, Equitable Products decided that
they should take more control of their supply chain. They have recently acquired an established chain
of dairy farms which will, in the future, provide most of their fresh dairy products. This will better enable
them to track ingredients from 'field to plate'.
The other products and ingredients used in the processing plants are sourced from a variety of third
party suppliers. Wherever possible the contracts with those suppliers require the suppliers to maintain
ISO/IEC 27001 certification.
The diagram below shows the interaction between the various parties and Equitable
Products' divisions.
[Diagram 1 - The interaction between the various parties and Equitable Products' divisions.
Parties shown: Supermarket Chains, General Retailers, Restaurants.]
The contracts with the major supermarkets require Equitable Products to maintain ISO/IEC
27001 certification and there is an established ISMS in place. However the dairy farm
chain has never had ISO/IEC 27001 certification and needs to be brought into the scope of
certification.
Equitable Products’ corporate clients are supportive of the reasons and objectives of
acquiring the dairy farm chain. However, they require the ISO/IEC 27001 certification to be
extended to include this new business division.
The Equitable Products Chief Financial Officer has the role of Director of Information
Management. In this role he has been given the organizational responsibility to ensure that
ISO/IEC 27001 conformance is maintained.
The Chief Information Officer reports directly to the Director of Information Management
and has two Information Security Officers who work for him. They are responsible for
ensuring that the company and its third party suppliers maintain the required ISO/IEC
27001 certifications.
The Head of the IT Services Division also has an Information Security Specialist within his
team. The specialist is responsible for ensuring that the IT service is delivered in
accordance with ISO/IEC 27001.
ISO27K2012-GB--SX01-V1.1 Page 5 of 9 Document Owner - Chief Examiner
© The APM Group Ltd 2014. This paper remains the property of The APM Group (APMG). This document is not to be reproduced or re-sold without express
permission from The APM Group Ltd. 2. The APMG-International ISO/IEC 27001 logo is a Trade Mark of The APM Group Limited. The APMG-International
logo is a Trade Mark of the APM Group Ltd.
A risk assessment has been carried out on the changes needed to incorporate the dairy farm chain
into the Equitable Products’ ISMS. This has identified the following information:
● Each dairy farm site has differing information security policies to suit the type of dairy product
processed, specific authorities and special interest groups, and the site size and access
arrangements
● Equitable Products has many environmental health contacts within the Food & Livestock
Regulatory Authority (a Government authority). However, there are many more contacts required
for the dairy farm chain, such as those relating to the testing for animal diseases
● The dairy farm staff use tag readers and operational systems for the logging of each animal’s
milk produced for processing
● The staff in the dairy farm chain’s Head Office use marketing, accountancy and HR systems,
logistics and stock systems
● Many of the dairy farm chain’s Head Office staff use the IT systems from home via an internet
connection. No issues have been experienced with this setup
● In the past year there have been seven breaches of information security within the dairy farm
chain. One of these was a high profile incident involving press coverage of the short lifespan of
the dairy animals
A widely recognized information security researcher and occasional trusted advisor to Equitable
Products is undertaking an independent research project. He is examining USB memory sticks
bought from individuals on internet sales sites. The devices were advertised as ‘used’ or ‘pre-owned’.
The researcher contacted Equitable Products’ Chief Information Officer to report that he has
recovered a variety of records from one device that appear to be from the organization and dated as
recently as three months ago.
The researcher informed the Chief Information Officer that he plans to publish his findings from all of
the devices in a research paper as examples of protection failures.
The Chief Information Officer has validated the identity of the researcher.
Background
A supermarket recently complained that they were not receiving the best prices available for products
supplied to them. The investigation of the complaint found that the supermarket was basing this
complaint on a price list sent to them in error. The price list, sent by email, had been prepared by a
marketing team for a special promotion. This had then been sent by a different marketing team who
had retrieved it from the shared area thinking it was the standard price list.
Scope of Audit
The Internal Audit team were asked to undertake an audit of all third party information exchanges.
Audit Findings
i) Controls that are in place with each third party have been developed on an ad hoc basis and
there is no standard terminology
ii) The division of responsibilities between Equitable Products and third parties is not always
clearly defined
iv) It is common to receive replies to emails sent indicating they have been received by
unintended recipients.
v) Customers have expressed concerns about acting on information received by email before
they have been able to confirm authenticity
vi) The Equitable Products’ Information Security Policy document states that it should be possible
to confirm that information sent by email has been sent by an authorized person and the correct
information has been received. This requirement is not currently being met.
SX01
Question Booklet
Answer the following questions about establishing information security risk management for an organization as
stated in ISO/IEC 27005.
1 Which 2 statements describe what should be considered when defining the evaluation criteria for risks caused
by information security events?
A The acceptable level of any financial loss.
B The importance to the business of confidentiality.
C The amount of damage caused by disruption of plans and deadlines.
D The consequences to the reputation of an organization.
E The time it will take to reduce a risk to an acceptable level.
2 Which 2 statements describe what should be considered when defining the impact criteria for risks caused by
information security events?
A The cost of missing a deadline due to an information security event.
B The importance of availability to operations.
C The amount of damage caused by breach of contract.
D The criticality of the information assets involved.
E The ratio of estimated profit to the estimated cost of the risk.
3 Which 2 statements describe what should be considered when defining the acceptance criteria for risks
caused by information security events?
A The amount of damage caused by breaches of a legal requirement.
B The escalation path used to obtain a decision on risk acceptance.
C The circumstances when senior managers can accept risks above the normal threshold.
D The information security risk management records required to be kept.
E The ratio of estimated profit to the estimated cost of the risk.
4 Which 2 statements identify aspects that should be considered when defining the scope and boundaries of
the information security risk management process?
A The risk acceptance decision escalation paths.
B The legislation applicable to an organization.
C The estimated cost caused by a breach of contract.
D The use of the four options to treat risks.
E An organization’s business processes.
An Information Security Officer has undertaken a risk assessment on the changes needed to
incorporate the dairy farm chain into the Equitable Products' ISMS.
Column 1 is a list of input data for the risk analysis activity. For each input item in Column 1, select from Column 2
the type of information it represents. Each selection from Column 2 can be used once, more than once or not at all.
Column 1
1 Animal rights activists may attempt to disrupt operations in order to protest against the
shortened life-spans of the animals.
2 There is rigorous physical entry security to prevent unauthorized access to the dairy
farm sites.
3 Smart labels, also called radio frequency identification (RFID) tags, are used to identify
the milk production of each animal used in the dairy farm.
4 The latest updates have NOT been applied to the antivirus package used to protect the
dairy farm chain's IT systems.
5 The production schedule is an output of the just-in-time re-ordering process.
Column 2
A Asset
B Threat
C Existing control
D Vulnerability
E Consequence
A number of changes are needed to Equitable Products’ ISMS to incorporate the dairy farm chain. A risk
assessment has identified that some solutions may not comply with Equitable Products’ information
security policy. More details about the risk are given below.
Some ‘off the shelf’ IT system components are used to underpin the dairy farm chain’s ISMS. If technical
problems arise with these components, a maintenance engineer is brought in from an IT supplier. There
is no formal contractual arrangement in place between the dairy farm chain and the IT supplier. There is,
therefore, a risk that technical solutions to issues may not adhere to the information security policy for
Equitable Products. A number of possible risk treatments for this risk have been identified.
Column 1 is a list of some of the possible risk treatments. For each risk treatment in Column 1, decide if it is
relevant to the stated risk and select from Column 2 the type of risk treatment it represents.
Each question is independent and should be answered in isolation from the other questions. Each
selection from Column 2 can be used once, more than once or not at all.
Column 1
1 All problem management and technical expertise for the dairy farm chain will be
audited by the Equitable Products IT Services Department. This department is
responsible for ensuring that the Equitable Products' information security policy is
adhered to.
2 The Equitable Products Information Security Officers will provide awareness,
education and training on Equitable Products' information security policy to the
maintenance engineers supporting the dairy farm chain's IT systems.
3 A contractual agreement with the IT suppliers to the dairy farm chain will be provided,
which states the supplier's responsibilities for maintaining information security.
4 Equitable Products will ensure that all outsourced development by the dairy farm
chain is monitored.
5 The current arrangements for technical support will remain unchanged if the dairy farm
chain's ISMS has been free of information security incidents for the last three months.
Column 2
A NOT relevant to the stated risk
B Modification
C Retention
D Avoidance
E Sharing
Using the additional information provided for this question in the Scenario Booklet, answer the
following question about the risk assessment carried out on the changes needed to incorporate the
dairy farm chain into the Equitable Products' ISMS.
Lines 1 to 6 in the table below consist of an assertion statement and a reason statement. For each line identify
the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not
at all.
Column 1 is a list of activities. For each activity in Column 1, select from Column 2 the clause heading from
ISO/IEC 27001 that requires the activity to be performed. Each selection from Column 2 can be used once, more
than once or not at all.
Column 1
1 Supporting information security management roles.
2 Providing a framework for setting information security objectives.
3 Integrate actions to address opportunities into information security management processes.
Column 2
A Leadership and commitment
B Policy
C Organizational roles, responsibilities and authorities
D None of the above
Using Diagram 1 and the Information Security Management Structure section given in the Scenario,
answer the following questions about the roles and responsibilities within the ISMS.
Each of the following questions includes a list of only true statements about individuals from the organization. Only
2 statements explain why, in the context of the ISO/IEC 27003 (Table B1) roles and responsibilities, the individual
is an appropriate appointment for that role.
Each question should be answered in isolation as the individual may be suitable for more than one role.
1 Which 2 statements BEST explain why the Chief Financial Officer is appropriate for the role of Director of
Information Management?
A He is keen to expand the control that Equitable Products has over its supply chain operations and can
ensure that the ISMS remains aligned with this company focus.
B He has the authority to take strategic decisions and give direction in the risk management process.
C He likes to be involved in the operational detail.
D He has sufficient knowledge to agree user requirements for the specification of the new ‘field-to-plate’
applications.
E He was one of the founders of the company 11 years ago.
2 Which 2 statements BEST explain why the Information Security Officers would be appropriate for the role of an
internal auditor?
A They report to the Chief Information Officer.
B They have qualifications and experience in ISO/IEC 27001.
C They are responsible for ensuring that Equitable Products maintains the required ISO/IEC 27001
certifications.
D They have good working relationships with many of the Division Heads and suppliers so can help resolve
disputes.
E They are responsible for evaluating the reports on the monitoring of the ISMS, produced by the Head of the
IT Services Division.
3 Which 2 statements BEST explain why the Head of the IT Services Division would be appropriate as a member
of the Information Security Planning Team?
A He is keen to expand the 'field-to-plate' capability and ensure that Equitable Products is at the forefront
of technology.
B He is responsible for managing the IT Services’ operations, which will be impacted by the changes to
incorporate the dairy farm chain into the ISMS.
C He has regular liaisons with all divisions within Equitable Products so has experience of working across the
whole organization.
D He is responsible for the day-to-day management of IT Services’ operations and the monitoring of the ISMS.
E He has both the technical and business knowledge required to mediate with all management parties when
conflict arises.
4 Which 2 statements BEST explain why the Head of the Food Processing Division would be appropriate as a
member of the Information Security Committee?
A He is keen to pass on his views on the operation of an ISMS based on personal perspective.
B All of Equitable Products’ merchandise is produced by the Food Processing Division.
C He has overall responsibility for the tracking of information from the purchase of raw materials to delivery.
D He is the line manager for the Food Processing Division.
E He has the lead responsibility for the information security requirements of the ‘field-to-plate’ project.
5 Which 2 persons would NOT be classified as stakeholders within the ISMS, according to ISO/IEC 27003?
A The CEO of a chain intending to contract with Equitable Products.
B The Chief Financial Officer of Equitable Products.
C The Facilities Manager for the site where the bulk foodstuffs are stored.
D A competitor to Equitable Products.
E Equitable Products’ internal Legal Advisor.
Answer the following questions about the use of controls within the ISMS.
1 During routine maintenance of the car park within the Equitable Products' site, contractors severed some
cables. This caused a failure of the external network connection to Equitable Products' internet service provider
and of the power to the main server.
The Director of Information Security needs to select control measures to protect against recurrence of this
incident.
Which 2 controls, if applied, would MOST likely protect against recurrence of this incident?
A Security of equipment and assets off-premises.
B Security of network services.
C Cabling security.
D Network control.
E Supporting utilities.
2 Equitable Products employ a cleaning contractor to empty their waste baskets and to clean the offices during
the evening once the employees have finished their daily work. One of the cleaners was found to be accessing
one of the computers and hard-copy lists of access passwords in the Marketing department.
The Director of Information Security needs to select control measures to protect against recurrence of this incident.
Which 2 controls, if applied, would MOST likely protect against recurrence of this incident?
A Physical entry controls.
B Clear desk policy.
C Unattended user equipment.
D Working in secure areas.
E Securing offices, rooms and facilities.
3 The Equitable Products' Sales Director has issued two of his new staff with laptops to record their sales
contacts and progress in the sales process. This information is used in the management of a sales delivery
process including key account details. Neither of the two new laptops has been installed with company
software or configured to enable connection to the network. One of the laptops has been infected by a virus.
The Director of Information Security has discovered this situation and needs to select control measures to
manage this incident.
The Marketing Director is concerned that he selects the most appropriate controls to manage the current
variation in the application development and similar future changes.
Which 2 controls, if applied, would MOST likely address the Marketing Director’s concerns?
A System change control procedures.
B Addressing security within supplier agreements.
C Change management.
D System security testing.
E Protection of test data.
A recent information security incident occurred in which food products were lost in transit
between the Equitable Products' factory and a restaurant.
The root cause of the loss of the food has been identified as a dismissed worker gaining access to the
loading bay and removing two boxes of food products from the vehicle destined for the restaurant.
Access was gained using his electronic swipe card, which he retained following his dismissal. His
vehicle was driven to the loading bay during a routine rest break.
Within the organization, the Director of Human Resources is responsible for the termination of
employment.
The Director of Information Management, as the asset owner, is responsible for the management of
access privileges for all workers within the defined and controlled secure area of the loading bay.
Lines 1 to 5 in the table below consist of an assertion statement and a reason statement. For each line identify
the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not
at all.
Answer the following questions about ISMS performance measurement, monitoring and evaluation.
A director has had their laptop bag stolen. Although the laptop was encrypted, the director’s bag also
contained paper documents describing commercial details and dairy farm animal welfare information.
Column 1 is a list of actions relating to the theft. Column 2 is a list of the information security incident management
controls from Annex A of ISO/IEC 27001. For each action in Column 1, select from Column 2 the security incident
management control where these actions would be applied. Each selection from Column 2 can be used once,
more than once or not at all.
Column 1
1 The director immediately informs the local police of the theft.
2 The police report that this event may have been a targeted theft by animal rights protestors.
3 Travelling directors are immediately provided with encrypted tablet PCs to use in place of paper documents.
4 As the stolen items included sensitive paper documents, the Chief Information Officer assigns an
Information Security Officer to begin formal investigation of the episode.
5 The Chief Information Officer briefs site security guards, all dairy farm staff and transport contractors
about the need for extra vigilance for strangers or unexpected behaviour.
6 Media handling risks are reassessed with revised probability and impact values related to this type of event.
Column 2
A Responsibilities and procedures
B Reporting information security events
C Reporting information security weaknesses
D Assessment of and decision on information security events
E Response to information security incidents
F Learning from information security incidents
G Collection of evidence
Answer the following question related to the steps to return to normal operations.
A local power supply surge has occurred at Equitable Products’ shared IT data centre. Servers and
network equipment were protected and continued to operate. Air conditioning units were not
protected and failed.
This event has triggered a major information security incident as no shared IT services are
operational. Business operations, particularly customers' 'just in time' re-ordering and delivery, are
unable to continue. The Disaster Recovery Plan mandates a return-to-service target of five hours for
this time-critical function.
Lines 1 to 6 in the table below consist of an assertion statement and a reason statement. For each line identify
the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not
at all.
4 Assertion: As each server is recovered, it must be configured to use the network time protocol.
  BECAUSE
  Reason: Accurate logging of user and system events requires all system components to operate with
  a synchronised time reference.
5 Assertion: The recovery team should document alternative information security controls which were
  implemented to achieve a five hour return to service.
  BECAUSE
  Reason: Compensating controls for information security controls that cannot be maintained during an
  adverse situation should be documented.
6 Assertion: No further action needs to be taken following successful restoration of services.
  BECAUSE
  Reason: No further action is required if the processes carried out are effective.
Using the additional information provided for this question in the Scenario Booklet, answer the
following questions about managing incidents. Decide whether the actions suggested are appropriate, and
select the response that supports your decision.
1 The researcher has offered to encrypt and electronically transfer a representative sample of the recovered data
to the Chief Information Officer for validation.
Is it appropriate for the Chief Information Officer to report internally that the potential impact of the incident can
be contained?
A No, because the impact of the incident can only be reported following a full review of the recoverable data
on the USB memory stick.
B No, because a non-disclosure agreement with the researcher can only be used before the information is
accessed.
C Yes, because Equitable Products’ legal counsel can caution the researcher that it is an offence to publish
details about the data without having authorization.
D Yes, because information security requirements can be negotiated with the researcher and documented in
an agreement to restrict what can be published.
3 The recovered device has an Equitable Products asset number. A full review of the recoverable data confirms
that it was used to store only publicly available information.
Answer the following questions about internal audit and management reviews.
Using the additional information provided for this question in the Scenario Booklet, answer the following
questions about information sharing.
5 The control of which 2 items should be improved to help prevent future similar occurrences of inappropriate
sharing of product pricing information by email?
A Interception.
B Non-repudiation.
C Forwarding.
D Attachments.
E Incident management.
Following the recent introduction of RFID microchip tags on the restaurant cook/chill products, an audit
has recommended that a non-disclosure agreement should be signed by any third party organization
before electronic data is exchanged.
The Chief Information Officer has agreed with this proposal and decided that all non-disclosure
agreements will be reviewed every 12 months.
Decide whether the actions suggested are appropriate, and select the response that supports your decision.
1 Should public domain information about the intellectual property rights relating to the RFID tags be included in
the non-disclosure agreement for the restaurants?
A No, because non-disclosure agreements with the restaurants are required to use standard wording.
B No, because public domain information relating to intellectual property rights is NOT confidential
information.
C Yes, because non-disclosure agreements with the restaurants should include relevant information about
intellectual property.
D Yes, because the use of RFID tags by the restaurants may need to be audited.
2 Should the non-disclosure agreement for the restaurants have a duration of only one year?
A No, because a duration of three months is required to ensure changes in circumstance are not missed.
B No, because there is no need to restrict the non-disclosure agreement for a restaurant to a year.
C Yes, because some restaurants may have changed ownership within the year.
D Yes, because changes in the evolving RFID microchip technology may change the information to be
shared.
3 Should consideration be given to what the supermarket must do to avoid breaching the agreement when
drafting their non-disclosure agreement?
A No, because the supermarket can handle the information however it wishes.
B No, because if information is disclosed it is for the relevant authority to decide if it was handled properly.
C Yes, because if information is disclosed the relevant authority can only enforce an agreement if they know
how the information should have been protected.
D Yes, because the actions needed to avoid unauthorized disclosure by the supermarket should be
identified.
4 Is it appropriate for staff in the marketing division to also sign non-disclosure agreements?
A No, because non-disclosure agreements are applicable to third parties.
B No, because marketing staff need to disclose confidential information as part of their job.
C Yes, because a non-disclosure agreement may also define when information can be disclosed.
D Yes, because all interested parties should sign non-disclosure agreements.
A recent management review has identified an increasing failure of some of the dairy farms to disclose
the use of antibiotics voluntarily.
It has also been recorded that a change in legislation is due to come into force in six months. This
change requires that dairy products used in processed meals supplied to schools must come from
designated herds. Such products should also be antibiotic free during the three-month period prior
to the milk being used in production.
It will be necessary for the information about the source, use of antibiotics and dairy products used in
such meals to be made available on a ‘field-to-plate’ application. This will be accessible via a web-site
and retained for a period of three years. A contract for the provision of the application and web-site
hosting will be signed with a specialist provider.
Lines 1 to 5 in the table below consist of an assertion statement and a reason statement. For each line identify
the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not
at all.
1 Assertion: User acceptance testing of the web-site should use realistic data for the 'field-to-plate' application.
  BECAUSE
  Reason: User acceptance testing in the operational environment should be performed in a way
  that will expose any vulnerabilities.
2 Assertion: The addition of the web-site should trigger an information security risk assessment.
  BECAUSE
  Reason: Contractors should be required to report any observed information security weaknesses
  in systems or services.
3 Assertion: Dairy farm supplier agreements should be reviewed and updated with any new legal requirements for
  electronic disclosure of the administration of antibiotics.
  BECAUSE
  Reason: The information to be provided should be documented in supplier agreements to
  ensure legal obligations are met.
4 Assertion: The need to retain the web-site data for three years should NOT require review or change to
  information security policies.
  BECAUSE
  Reason: Data retention will be documented in a web-hosting provider's agreement as a compliance control.
5 Assertion: It is appropriate for the web-site supplier agreement to require an independent Penetration Test of the
  website.
  BECAUSE
  Reason: An organization's management are responsible for the effectiveness of information security controls.
Rationale
Question: 2, Syllabus: LE, Part: A, Type: MG, SyllabusRef: LE0202 LE0203 LE0204, Level: 2
1 Correct [A]: Supporting other relevant management roles to demonstrate their leadership as it
applies to their areas of responsibility is given within the Leadership and
commitment clause. (ISO 27001, 5.1.h)
2 Correct [B]: Providing a framework for setting information security management objectives is
an activity within the Policy clause. (ISO 27001, 5.2 b)
3 Correct [D]: Integrating the actions to address risks and opportunities into an organization’s
information security management system is an activity within the Planning actions
clause to address risks and opportunities. (ISO 27001, 6.1.1.e.1)
Question: 2, Syllabus: LE, Part: B, Type: CL, SyllabusRef: LE0206 LE0207 LE0208, Level: 2
1 A Incorrect: The policies for information security shall be reviewed at planned intervals to
ensure their continuing suitability. (ISO 27001, 5.2.a, A.5.1.2)
B Correct: The policies for information security shall be appropriate to the purpose of the
organization. It is for the organization to decide the level of detail required,
therefore an ISMS is not required to be comprehensive. (ISO 27001, 5.2.a,
A.5.1.2)
C Incorrect: The policies for information security shall be reviewed at planned intervals to
ensure their adequacy. (ISO 27001, 5.2.a, A.5.1.2)
D Incorrect: The policies for information security shall be reviewed at planned intervals to
ensure their effectiveness. (ISO 27001, 5.2.c, A.5.1.2)
2 A Incorrect: The organization should ensure its staff have the required competency to deliver
the scope of the ISMS. (ISO 27001, 7.2.a and b).
B Correct: The extent of documented information determined by the organization as being
necessary for the effectiveness of the ISMS may vary due to the competence of
persons. (ISO 27001, 7.5.1(3)).
C Incorrect: The competency of staff is not a matter which is identified by the standard that
should affect the frequency of review. (ISO 27001, 9.1).
D Incorrect: The boundaries of the ISMS will determine its scope but competency of staff is
not a matter for consideration. (ISO 27001, 4.3).
3 A Correct: Management should explicitly identify the role with overall responsibility for
managing information security, usually the CISO. (ISO 27003, 5.3.2)
B Incorrect: In a smaller organization, several roles may be carried out by the same person.
(ISO 27003, 5.3.2)
C Incorrect: Each employee is equally responsible for his or her original task and for
maintaining information security in the workplace and in the organization. (ISO
27003, 5.3.2)
D Incorrect: Staff should be assigned roles and responsibilities based on the skill required to
perform the job. There is no requirement for an audit department to be involved.
(ISO 27003, 5.3.2)
Question: 2, Syllabus: LE, Part: C, Type: MR, SyllabusRef: LE0301, Level: 3
1 A Correct: Vision and strategic decision-making are responsibilities for Senior
Management. (ISO 27003, Annex B.1 – Senior Management)
B Correct: Vision and strategic decision-making are responsibilities for Senior
Management. (ISO 27003, Annex B.1 – Senior Management)
C Incorrect: Operational detail does not demonstrate the required characteristics of vision
and strategic decision-making. (ISO 27003, Annex B.1 – Senior Management)
D Incorrect: System development is not a responsibility of Senior Management. It is a
responsibility of the System Developer. (ISO 27003, Annex B.1 – System
Developer)
E Incorrect: Length of employment is not relevant to the responsibilities of Senior
Management. (ISO 27003, Annex B.1 – Senior Management)
2 A Incorrect: Reporting lines are not relevant to the responsibilities of an Auditor. (ISO 27003,
Annex B.1 – Auditor)
B Correct: Assessing the ISMS is one of the responsibilities for an Auditor. (ISO 27003,
Annex B.1 – Auditor). Having appropriate competence to assess conformance
to ISO/IEC 27001 would be needed. (ISO 27001, 7.2 b)
C Incorrect: Governance for information security is not a responsibility of an Auditor. It is a
responsibility of the Chief Information Security Officer. (ISO 27003, Annex B.1 –
Auditor / Chief Information Security Officer)
D Incorrect: Working across departments is not a responsibility of an Auditor. It is a
responsibility of the Information Security Planning Team. (ISO 27003, Annex B.1
– Auditor / Information Security Planning Team)
E Correct: Evaluating the ISMS is one of the responsibilities for an Auditor. (ISO 27003,
Annex B.1 – Auditor)
3 A Incorrect: Being keen to expand and be at the forefront of technology is not a required
characteristic for a member of the Information Security Planning Team. (ISO
27003, Annex B.1 – Senior Management)
B Incorrect: Top responsibility for an organizational function is a line management
responsibility. It is not a required characteristic for a member of the Information
Security Planning Team. (ISO 27003, Annex B.1 – Line Management)
C Correct: Working across departments is one of the responsibilities for a member of the
Information Security Planning Team. (ISO 27003, Annex B.1 – Information
Security Planning Team)
D Incorrect: Top responsibility for an organizational function is a line management
responsibility. It is not a required characteristic for a member of the Information
Security Planning Team. (ISO 27003, Annex B.1 – Line Management)
E Correct: Resolving conflict is one of the responsibilities for a member of the Information
Security Planning Team. (ISO 27003, Annex B.1 – Information Security Planning
Team)
4 A Incorrect: Previous experience and motivation of an individual are not suitable reasons for
the appointment to the Information Security Committee. (ISO 27003, Annex B.1
– Information Security Committee)
B Incorrect: Those producing the products within the company are represented by the Line
Managers. However, there is no specific reason why they should be part of the
Information Security Committee. (ISO 27003, Annex B.1 – Line Managers /
Information Security Committee)
C Correct: Handling of information assets is one of the responsibilities for a member of the
Information Security Committee. (ISO 27003, Annex B.1 – Information Security
Committee)
D Incorrect: The Line Managers are responsible for the business needs, but there is no
specific reason why they should be part of the Information Security Committee.
(ISO 27003, Annex B.1 – Line Managers / Information Security Committee)
E Correct: A leading role for the ISMS is one of the responsibilities for a member of the
Information Security Committee. Therefore, as he has the lead responsibility for
information security requirements of the ‘field-to-plate’ project it is appropriate
for him to be a member of the Information Security Committee. (ISO 27003,
Annex B.1 – Information Security Committee)
5 A Correct: The CEO of a supermarket chain which is not contracted to Equitable Products
cannot be a Stakeholder. This is because he cannot be affected by any
decisions or activities made by Equitable Products in relation to Equitable
Products’ information security. (ISO 27003, Annex B.1 – Stakeholders)
B Incorrect: The Chief Finance Officer is part of normal operations within the ISMS and is
considered to be a Stakeholder. (ISO 27003, Annex B.1 – Stakeholders / Local
IT or IS responsible)
C Incorrect: The persons responsible for physical security are part of normal operations and
are considered to be a Stakeholder. (ISO 27003, Annex B.1 – Stakeholders /
Physical Security)
D Correct: A competitor to Equitable Products cannot be a Stakeholder as it cannot be
affected by any decisions or activities made by Equitable Products in relation to
Equitable Products’ information security. (ISO 27003, Annex B.1 –
Stakeholders)
E Incorrect: The legal advisor is part of normal operations and is considered to be a
Stakeholder. (ISO 27003, Annex B.1 – Stakeholders / Legal Advisor)
Question: 2, Syllabus: LE, Part: D, Type: MR, SyllabusRef: LE0311 LE0312 LE0314, Level: 3
1 A Incorrect: The Security of equipment and assets off-premises control seeks to manage
portable equipment and assets that are taken off-site. (ISO 27001, A.11.2.6)
B Incorrect: The Security of network services control seeks to identify all network services for
inclusion in network service agreements. Network service agreements would not
resolve the loss of connection with the ISP as it was not caused by a failure of
either party. (ISO 27001, A.13.1.2)
C Correct: The Cabling security control seeks to protect power and communications cables
from interference or damage. This control would provide a resolution of this
incident. (ISO 27001, A.11.2.3)
D Incorrect: The control for Network control seeks to manage networks to protect information
in systems and applications. Neither of the systems or applications were
involved in this incident, so this control would not resolve this incident. (ISO
27001, A.13.1.1)
E Correct: The Supporting utilities control seeks to protect against power failure and other
disruptions caused by failures in supporting utilities, such as was evidenced in
the incident. This control would provide a resolution of this incident. (ISO 27001,
A.11.2.2)
2 A Incorrect: The control for Physical entry controls seeks to provide entry control to secure
areas for authorized personnel. The cleaner was an authorized person and use
of this control would prevent cleaning of this area, which is not a practical
solution. (ISO 27001, A.11.1.2)
B Correct: The Clear desk policy control seeks to provide a clean desk policy to ensure
that all papers, such as the hard-copy lists of access passwords, are not
available to unauthorised personnel. This control would provide a resolution of
this incident. (ISO 27001, A.11.2.9)
C Correct: The Unattended user equipment control seeks to protect unattended equipment,
such as the computer accessed by the cleaner. This control would provide a
resolution of this incident. (ISO 27001, A.11.2.8)
D Incorrect: The Working in secure areas control seeks to provide a procedure for working
in secure areas. Use of this control would prevent cleaning of this area, which is
not a practical solution. (ISO 27001, A.11.1.5)
E Incorrect: The Securing offices, rooms and facilities control seeks to provide physical
security for offices and rooms. Use of this control would prevent cleaning of this
area, which is not a practical solution. (ISO 27001, A.11.1.3)
3 A Correct: The Controls against malware control provides protection and recovery controls
against malware. The issued laptops have not been configured, so the
protection against malware is not implemented. This control would provide a
resolution of this incident. (ISO 27001, A.12.2.1)
B Incorrect: The Clock synchronisation control seeks to ensure that clocks of information
processing systems can be synchronised within the organization. As the two
laptops are used without connection to the network, there is no need for clock
synchronisation at this stage. This control would not provide a resolution of this
incident. (ISO 27001, A.12.4.4)
C Incorrect: The control for Network controls relates to the management and controls for the
protection in network systems. As the two laptops are used without connection
to the network, this control would not provide a resolution of this incident. (ISO
27001, A.13.1.1)
D Incorrect: The Access control policy control relates to the management of access based
on business and information security requirements. The users have a business
need for access to the application on the laptop. This control would not provide a
resolution of this incident. (ISO 27001, A.9.1.1)
E Correct: The Information backup control provides for backups to be taken of information
assets to protect against loss of data. The issued laptops have not been
configured, so the backup protection has not been implemented. This control
would provide a resolution of this incident by restoring the laptop to a situation
prior to the virus infection. (ISO 27001, A.12.3.1)
4 A Correct: The System change control procedures control provides for changes within the
development lifecycle to be controlled by the use of formalized procedure. This
would allow for Equitable Products and their contractors to manage the
application development project. This control would provide a resolution of this
situation. (ISO 27001, A.14.2.2)
B Incorrect: The Addressing security within supplier agreements control relates to
addressing security requirements between Equitable Products and their
suppliers in relation to the management of information. This control will not
manage the software changes or the testing process. This control would not
provide a resolution of this situation. (ISO 27001, A.15.1.2)
C Incorrect: The Change management control relates to operational changes in the
organization (Equitable Products), its business processes, information
processing facilities and systems. The application is still under development and
has not been deployed, therefore, this operational control would not apply to this
situation. This control would not provide a resolution of this situation. (ISO
27001, A.12.1.2)
D Correct: The System security testing control provides the testing of software during the
software development lifecycle. This would allow for Equitable Products and
their contractors to manage the testing process. This control would provide a
resolution of this situation. (ISO 27001, A.14.2.8)
E Incorrect: The Protection of test data control relates to the selection, protection and control
of test data. Although this control relates to test data, it does not manage the
testing of the software functionality required in the project. This control would not
provide a resolution of this situation. (ISO 27001, A.14.3.1)
Question: 2, Syllabus: LE, Part: E, Type: AR, SyllabusRef: LE0409 LE0411, Level: 4
1 Assertion (True): The Director of Information Management had responsibility to control access privileges and they should have been revoked immediately on termination of employment. Therefore, the termination of employment was NOT completed correctly. (ISO 27001, A.9.2.6)
  Reason (True): It is correct that the access rights for all employees and external party users to information and information processing facilities shall be reviewed at regular intervals. (ISO 27001, A.9.2.5). However, the reason the termination was not correctly completed was because access rights should be removed on termination of their employment, contract or agreement. It should not be left until the next regular review. (ISO 27001, A.9.2.6). The answer is therefore B.
2 Assertion (True): The loss should trigger a review of the termination of other dismissed workers’ access privileges. This will ensure a similar problem has not occurred, as knowledge gained from the incident should be used to reduce the likelihood of future incidents. (ISO 27001, A.16.1.6)
  Reason (True): Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. (ISO 27001, A.16.1.6). The reason directly explains the assertion because the review would be held in order to learn from the information security incident. Therefore, the answer is A.
3 Assertion (False): Loss of food should be classified as an information security incident because there is a requirement to track all deliveries and as such a loss will have an impact on invoicing and stock control. (ISO 27001, A.16.1.2)
  Reason (False): Information security events are classified as information security incidents for any unauthorized access, such as to secure areas. It does not only apply to an organization's systems and applications. (ISO 27001, A.16.1.2)
4 Assertion (False): The ability for the dismissed worker to have access rights to the loading bay shall be removed immediately on termination of their employment. (ISO 27001, A.9.2.6)
  Reason (True): Asset owners are required to review access rights on a regular basis. (ISO 27001, A.9.2.5)
5 Assertion (False): Removal of access privileges to the loading bay for all workers would be inconsistent with the allocation and use of the access privileges. Such an action would result in the loading bay ceasing to operate. (ISO 27001, A.9.2.3)
  Reason (False): Access privileges are removed on termination of employment, contract or agreement. This does not happen when an information security incident occurs. (ISO 27001, A.9.2.6)
Question: 3, Syllabus: OS, Part: A, Type: MR, SyllabusRef: PL0202, Level: 2
1 A Incorrect: Evidence of top management contribution is useful to demonstrate compliance.
However, the standard does not specifically require this to be evaluated. (ISO
27001, 5.1)
B Incorrect: Established risk assessment criteria are a means of analysing and evaluating
potential risks. However, the criteria are not specifically subject to evaluation.
(ISO 27001, 6.1.2 a)
C Correct: Information security process performance is a specified measurement
requirement. (ISO 27001, 9.1 a)
D Incorrect: Assignment of suitably skilled resources to roles may be monitored and
assessed. However, this activity is not specifically required to be evaluated.
(ISO 27001, 7.2)
E Correct: Information security process effectiveness is a specified measurement
requirement. (ISO 27001, 9.1 a)
2 A Correct: The standard does NOT require the organization to determine where the monitoring
and measuring shall be performed. (ISO 27001, 9.1)
B Incorrect: The organization shall determine when the monitoring and measuring shall be
performed. (ISO 27001, 9.1 c)
C Correct: The standard does NOT require the organization to determine why the monitoring
and measuring shall be performed. (ISO 27001, 9.1)
D Incorrect: The organization shall determine when the results from monitoring and
measurement shall be used. (ISO 27001, 9.1 e)
E Incorrect: The organization shall determine who shall analyse and evaluate the results.
(ISO 27001, 9.1 f)
3 A Incorrect: Processes and controls need to be monitored and measured but the Monitoring,
measurement, analysis and evaluation clause does NOT require the method of
process control to be determined. (ISO 27001, 9.1 b)
B Incorrect: Documentation needs to be delivered but the Monitoring, measurement,
analysis and evaluation clause does NOT require the method of documentation
to be determined. (ISO 27001, 9.1 b)
C Correct: The Monitoring, measurement, analysis and evaluation clause requires the
method of monitoring to be determined. (ISO 27001, 9.1 b)
D Incorrect: Corrective action needs to be undertaken to correct non-conformances but the
Monitoring, measurement, analysis and evaluation clause does NOT require the
method of corrective action to be determined. (ISO 27001, 9.1 b)
E Correct: The Monitoring, measurement, analysis and evaluation clause requires the
method of analysis to be determined. (ISO 27001, 9.1 b)
4 A Incorrect: Password length is monitored by the password management system only when
the user creates or changes the password. This ensures that the resulting
password matches password quality policy rules. (ISO 27002, 9.4.3 c)
B Correct: The last change date will be used to understand if the user should be prompted
to change a temporary password (new user at first log-in) or expired password
(existing user forced to change their password as mandated by the maximum
password age policy). (ISO 27002, 9.4.3 d & e)
C Correct: The last log-in date will be used to understand if the user should be prompted to
change a temporary password (new user at first log-in). (ISO 27002, 9.4.3 d)
D Incorrect: Password complexity is monitored by the password management system only
when the user creates or changes the password. This ensures that the resulting
password matches password quality policy rules. (ISO 27002, 9.4.3 c)
E Incorrect: The access control system must NOT display passwords in clear text on the
screen. (ISO 27002, 9.4.2 i)
Question: 4, Syllabus: AR, Part: D, Type: AR, SyllabusRef: AR0414 AR0418 AR0415, Level: 4
1 Assertion (True): System and acceptance testing usually requires substantial volumes of realistic test data. All sensitive details and content should be protected by removal or modification. (ISO 27002, 14.3.1 IG, OI)
  Reason (False): User acceptance testing should be performed in a realistic test environment to ensure that the system will not introduce vulnerabilities to the organization’s environment. (ISO 27002, 14.2.9 IG)
2 Assertion (True): The organization shall perform an information risk assessment when significant changes are proposed or occur. (ISO 27001, 8.2)
  Reason (True): Contractors should be required to report any observed information security weaknesses in systems or services. (ISO 27002, 16.1.3). Both are true but the answer is B as the reason does not explain why the assertion is required.
3 Assertion (True): Relevant legislative, regulatory and contractual requirements and the organization’s approach to meet those requirements should be explicitly identified, documented and kept up to date. (ISO 27002, 18.1.1)
  Reason (True): Supplier agreements should describe the information to be provided. (ISO 27002, 15.1.2 a). The dairy farm supplier agreements must be updated to document any new information required as a result of the new regulations to maintain compliance with ISO 27002, 15.1.2 a. The answer is therefore A.
4 Assertion (False): The requirement to retain data is a policy requirement relating to regulations and legislation and should therefore be recorded in the policy. (ISO 27002, 5.1.1 b)
  Reason (True): Data retention is a control required to comply with the regulatory obligation and will be documented in the supplier agreement. (ISO 27002, 18.1.3, 15.1.2 c)
5 Assertion (True): It is appropriate to include a supplier’s obligation to deliver an independent report on the effectiveness of controls. (ISO 27002, 15.1.2 o)
  Reason (True): It is the organization’s management who are responsible for the effectiveness of information security controls. (ISO 27002, 18.2.1). Requiring the supplier to provide an independent penetration test report would be an appropriate method of review. Therefore the answer is A.