
Question 1. The property of protecting the accuracy and completeness of assets
is: (Select the best answer)
a) Correction.
b) Non-repudiation.
c) Interoperability.
d) Integrity.

Answer: Integrity.
Question 2. A measure that modifies risk can be referred to as: (Select the best answer)
a) Information Security Management System (ISMS).
b) Risk remediation.
c) Control.
d) Business impact analysis.

Answer: Control.
Question 3. The coordinated activities to direct and control an organization in
relation to risk are known as:
a) Risk Estimation.
b) Risk Assessment.
c) Risk Management.
d) Risk Treatment.

Answer: Risk Management.

Question 4. Compliance is seen as satisfying requirements from a management
system perspective, while conformance is seen as satisfying requirements from a
legal perspective; that is:
a) True
b) False

Answer: True.

Question 5. Which of the following is not a requirement of ISO/IEC 27001?
(Select the best answer)
a) That the information security objectives are communicated.
b) Document the risk treatment plan.
c) That top management promotes continuous improvement.
d) Have a dedicated role as Information Security Manager.

Answer: Have the role dedicated as ...

Question 6. A physical control was implemented in a hospital's ISMS. They have
determined that this particular control must be measured and have ensured that it is
measured. As workloads and schedules are constantly changing, they have not
designated a single person to do the measurement. This is in accordance with
ISO/IEC 27001:
a) True.
b) False.

Answer: True.
Question 7. A software development organization has decided to outsource its help
desk, which also handles security incident calls. The organization receives a report
from the outsourced help desk on a monthly basis containing call performance
metrics consisting of average wait time, agent idle time and average number of calls
in queue. The organization uses the report as a means to demonstrate control over
the help desk from the point of view of information security requirements. Is this
compliant with ISO/IEC 27001?
a) True.
b) False.

Answer: False.

Question 8. An organization has multiple locations performing data backups and
has determined that they need to document their process in order to maintain
consistency and ensure effectiveness. This document should be: (Select the best
answer).
a) Available in electronic and printed format.
b) A listing in the document master matrix.
c) Approved by the information security steering committee.
d) Available and appropriate for use, when and where needed.

Answer: Available and suitable for use, .....

Question 9. The approval of the risk treatment plan and the acceptance of the
residual risk is the responsibility of: (Select the best answer)
a) Chief Information Officer.
b) Senior management.
c) Risk owner.
d) Security Director.
Answer: Risk owner.

Question 10. According to ISO/IEC 27001, a risk assessment will include: (Select the
best answer)
a) Security risk treatment options.
b) Result of control measures.
c) Possibility of occurrence of a risk.
d) IMS stakeholders.

Answer: Possibility of occurrence of a risk.

Question 11. The scope of an organization's ISMS revolves around
providing financial services. In the information security policy, senior management
has stated its intention to operate within state and federal requirements. The rest of
the information security policy focuses on how IT will deliver financial services.
This policy: (Select the best answer)
a) Is ISO 27001 compliant.
b) Is compliant with ISO 27001 but could be improved.
c) Is non-compliant with ISO 27001.
d) Does not apply to specific lines of business.

Answer: It is compliant, but could be improved.

Question 12. A hospital's ISMS is subject to legal requirements. From a
management system perspective, the legal compliance assessment will consist of:
(Select the best answer).
a) Review a statement from the Hospital's Board of Directors stipulating that they
will maintain the legal requirements.
b) Confirm that a process is in place within the hospital to maintain compliance
with legal and regulatory requirements.
c) Contact the legal department to confirm that there are no outstanding legal
issues.
d) No further action since ISO standards handle compliance only.

Answer: Confirm that there is a process ...

Question 13. An organization that has identified regulatory requirements as an
external factor and maintaining regulatory compliance as an information security
objective will require what in its risk assessment?
a) The risk associated with not meeting contractual obligations.
b) The possibility of being caught operating outside of regulatory requirements.
c) The potential consequences associated with not meeting regulatory requirements.
d) A documented process for maintaining compliance with legal and regulatory
requirements.

Answer: The potential consequences associated ...

Question 14. A financial organization has selected its securities trading operations
as the scope of its ISMS. A review of its information security policy does not show
where the organization is committed to complying with government security
regulations. Does this meet the requirements of ISO/IEC 27001?
a) True.
b) False.
Question 15. An organization has made its claims processing operations the scope of
its ISMS. The controls it has selected are determined in which process? (Select
the best answer).
a) Risk Treatment.
b) Security Policy.
c) Risk Assessment.
d) Management Review.

Answer: Risk Treatment.

Question 16. An organization's ISMS can be said to be effective if: (Select the best
answer)
a) Management has given the IT manager absolute authority over security and has
given the IT department a limited budget.
b) The help desk has minimized its staff and is still meeting its objectives.
c) All areas of the process have been shown to have plans, set objectives and taken
actions to improve.
d) The internal audit and compliance teams have identified numerous

Answer: It has been shown that all areas of the process have ...

Question 17. A health insurance provider maintains databases of confidential client
information. The potential consequence of disclosing any customer's private
information should be addressed in: (Select the best answer)
a) Risk treatment plan.
b) The organization's mission statement.
c) Risk assessment.
d) The compliance plan.

Answer: Risk assessment.

Question 18. An organization has defined a risk assessment process. This is used
annually at its local facilities and all of its foreign locations. Does this produce
consistency and comparable results?
a) False.
b) True.

Answer: True.

Question 19. An organization consists of ten medical laboratories where patients
go for tests, under the direction of a central headquarters. Senior
management has determined that the scope of its ISMS will be the protection of all
patient personal information and will cover only the head office. Does this meet the
requirements of ISO/IEC 27001?
a) True.
b) False.

Answer: False.
Question 20. Information security objectives should be consistent with: (Select the
best answer)
a) Risk assessment methodology.
b) Information security policy.
c) The Statement of Applicability.
d) The risk treatment plan.

Answer: The information security policy.

Question 1. If significant changes occur or are proposed, the organization must:
(Select the best answer).
a) Have a management review board.
b) Conduct an information security risk assessment.
c) Review and update your information security objectives.
d) Implement controls to mitigate the new risk.

Answer: Conduct a security risk assessment ....

Question 2. If one of an organization's information security objectives were to
prevent unauthorized disclosure of confidential information in the event that a
laptop were to be stolen, the controls selected to address the risk and in the
Statement of Applicability should include: (Select the best answer)
a) Protection against malware.
b) HR Security - Prior to hiring.
c) Encryption.
d) User responsibility.

Answer: Encryption.

Question 3. The scope of an audit is always the same as the scope of the
management system.
a) True.
b) False.

Answer: False.

Question 4. To maintain compliance with software licensing requirements, an
organization will employ which control? (Select the best answer).
a) A.12.1.4 - Separation of development, test and operational environments.
b) A.5.1.1 - Policies for information security.
c) A.18.1.2 - Intellectual Property Rights (IPR).
d) A.9.2.3 - Management of privileged access rights.

Answer: IPR.

Question 5. The information security risk assessment should be performed: (Select
the best answer).
a) Semiannually.
b) At planned intervals.
c) Annually.
d) Only as directed by the Auditor.

Answer: At planned intervals.

Question 6. The audit report shall be distributed to:
a) The recipients defined by the audit team leader.
b) The recipients defined by the audited organization's management.
c) The recipients defined in the audit procedure or plan.
d) The recipients defined by the audited organization's management representative.

Answer: The recipients defined by the audit procedure or plan.

Question 7. Which of the following factors would be considered in determining the
feasibility of an audit? (Select the best answer).
a) Intake Officer Guidelines.
b) Availability of sufficient information to plan the audit.
c) Adequate cooperation of the audit team.
d) Issues related to the audit report.

Answer: Availability of information ....

Question 8. The Statement of Applicability must contain the controls necessary to
implement the chosen risk treatment option, whether implemented or not, and...
(Select the best answer)
a) A list of all assets to which controls and associated risks apply.
b) Justification for the selection of controls and exclusion of any controls.
c) A list of all associated policies and procedures and the controls to which they
relate.
d) The total risk values calculated, ordered from highest to lowest.

Answer: The rationale for the selection of controls and the ...

Question 9. The auditor's working papers may include: (Select the best answer).
a) Checklist, plans and evidence collection forms.
b) Instructions for the facility to be audited
c) The auditor's code of conduct.
d) Identification, including photograph.

Answer: Checklist, plans and forms ...

Question 10. The information accepted as
audit evidence should be: (Select the best answer).
a) Documented.
b) Identified at least twice.
c) Verifiable.
d) Confirmed by the guide.

Answer: Verifiable.

Question 11. An organization has made Sales operations the scope of its ISMS. A
risk assessment for the organization's sales information should include: (Select the
best answer)
a) The risk associated with salespeople transporting sales information on their
laptops.
b) The financial value associated with the loss of confidentiality of sales
information.
c) Encryption of customer names and addresses.
d) A policy of acceptable use of company assets.

Answer: The risk associated with vendors carrying information ....

Question 12. If an organization is planning to make a change to a process within the
scope of its ISMS, it should: (Select the best answer)
a) Update the ISMS policy.
b) Control the change.
c) Update the objectives of the ISMS.
d) Calculate the costs of the change.

Answer: Control the change.

Question 13. Audit objectives may include:
a) Evaluation of the effectiveness of the management system.
b) Maintenance of audit records.
c) Offering certification to a standard.
d) Selection of a team leader.

Answer: Evaluation of the effectiveness of the management system.

Question 14. A large national retail chain aims to ensure that customers can access
their account information at least 98% of the time. The risk assessment should:
(Select the best answer)
a) Include the risk associated with information availability.
b) Include the risk associated with the customer software being developed by an
outsourced development company.
c) Be completed by the IT department, as they are the custodians of customer
account files.
d) Ensure that allowing access to customers satisfies regulatory requirements.

Answer: Include the risk associated with information availability.

Question 15. A person or organization requesting an audit is referred to as: (Select
the best answer).
a) Auditor.
b) Audit Team.
c) Auditee.
d) Audit Client.

Answer: Audit Client.

Question 16. The term "audit finding" automatically means Nonconformity.
a) True.
b) False.

Answer: False.

Question 17. When establishing an audit program for a management system, the
organization shall prioritize audit resources to address: (Select the best answer).
a) Risk.
b) Integration to business continuity plans.
c) Business Needs.
d) Market opportunities.

Answer: Risk.

Question 18. Which control in Annex A would be selected to mitigate the risk of
employees using training equipment owned by the organization for their personal
use? (Select the best answer)
a) A.18.2.2 - Compliance with security policies and standards.
b) A.7.2.3 - Disciplinary process.
c) A.8.1.3 - Acceptable use of assets.
d) A.7.1.2 - Terms and conditions of employment.

Answer: A.8.1.3 - Acceptable use of assets.

Question 19. Which control could be selected to mitigate the risk associated with
upgrading software on enterprise servers? (Select the best answer)
a) A.12.1.2- Change management.
b) A.14.2.2 - Systems change control procedure.
c) A.9.4.5 - Controlling access to program source code.
d) A.12.7.1 - Information systems audit controls.

Answer: A.14.2.2 - Control procedure...

Question 20. An audit report shall include, or refer to:
a) A complete list of all employees of the audited organization.
b) A summary of the audit findings.
c) A complete and detailed description of the audit process.
d) A complete list of all documents used during the audit.

Answer: A summary of the audit findings.

Question 1. Which of the following roles is responsible for defining the policy and
objectives of the information security management system?
a) The information security committee.
b) The information security officer.
c) The Management Representative.
d) Senior management.

Answer: Top management!

Question 2. When establishing information security objectives, they should:
a) Be consistent with the information security policy and measurable.
b) Be communicated and updated as appropriate.
c) Take into account the applicable information security requirements and the
results of risk assessment and treatment.
d) All of the above.

Answer: All of the above.

Question 3. The property of information whereby it is kept inaccessible and
not disclosed to unauthorized individuals, entities or processes is?
a) Integrity.
b) Availability.
c) Truthfulness.
d) Confidentiality.

Answer: Confidentiality.

Question 4. The information security policy, according to requirement 5.2 of
ISO/IEC 27001, must:
a) Include the role of the management representative.
b) Be appropriate to the purpose of the organization.
c) Include information security objectives or provide a framework for their
establishment.
d) Only a and b.

Answer: Only A and B!

Question 5. According to requirement 4.3 of ISO/IEC 27001, for the determination
of the scope of the information security management system, you must:
a) Consider internal and external issues pertaining to the organization.
b) Identify stakeholders and their requirements.
c) Include information security objectives.
d) Only a and b.

Answer: Only A and B!!!!

Question 6. The current version of the ISO information security requirements
standard is?
a) ISO/IEC 27001:2013
b) ISO/IEC 27000:2013
c) None of the above.
d) ISO/IEC 27001:2005

Answer: ISO/IEC 27001:2013

Question 7. An information security management system consists of a set of policies,
procedures, guidelines, resources and activities associated with and collectively
managed by an organization in pursuit of the preservation of its information
assets?
a) True.
b) False.

Answer: True.

Question 8. The information security risk assessment process includes:
a) The identification of information security risks.
b) The evaluation of information security risks.
c) Information security risk analysis.
d) All of the above.

Answer: All of the above.

Question 9. For the determination of the organization's context, the ISO/IEC 27001
standard recommends the use of which methodology?
a) PESTEL.
b) Porter's 5 forces.
c) SWOT.
d) None of the above; the standard does not recommend the methodology to be used
for context determination.

Answer: None of the above.

Question 10. Should the documented information of the information security management
system include that required by ISO/IEC 27001 and that determined by the
organization itself?
a) True.
b) False.

Answer: True.

Question 11. ISO/IEC 27001 considers the following information characteristics:
a) Quality, Utility and Accuracy.
b) Security, Integrity and Availability.
c) Confidentiality, Integrity and Availability.
d) None of the above.

Answer: CIA

Question 12. What is the purpose of identifying risks and opportunities in
information security management systems?
a) Ensure that the security management system can achieve the intended results.
b) Prevent or reduce unwanted effects.
c) Establish the context of the organization.
d) Only a and b.

Answer: Only A and B !!!

Question 13. The property of the information to be accessible and usable on demand
by an authorized entity is:
a) Confidentiality of information.
b) Truthfulness of information
c) Information integrity
d) Availability of information
e) None of the above.

Answer: Availability

Question 14. Select from the following options those that are requirements
of the ISO 27001 standard.
a) Leadership and Teamwork
b) Organizational Context, Leadership and Planning
c) Teamwork, Operation and Improvement
d) All of the above.

Answer: Organizational context, leadership, ...

Question 15. According to ISO/IEC 27001, the information security risk criteria to be
taken into account are:
a) Criteria for establishing a risk matrix.
b) The risk acceptance criteria and the criteria for performing information security
risk assessment.
c) Criteria for assessing the effectiveness of risk treatment
d) All of the above.

Answer: The risk acceptance criteria and the criteria to carry out the risk acceptance...

Question 16. Is the Statement of Applicability the document containing the controls
in Annex A to be implemented for the treatment of risks and those to be excluded
with their due justification?
a) True.
b) False.

Answer: True

Question 17. The competence of persons referred to in ISO/IEC 27001 requirement
7.2 includes:
a) Skills and abilities.
b) Adequate education, training or experience.
c) Postgraduate studies.
d) None of the above.

Answer: The education, training or exp...

Question 18. The Deming cycle, generally referred to as the continuous
improvement cycle, is made up of which of the following stages?
a) Plan, Do, Check and Act.
b) Plan, Do, Measure and Improve.
c) Design, Implement, Measure and Improve.
d) Plan, Improve, Implement and Verify.

Answer: PDCA

Question 19. Does the property of accuracy and completeness of information refer to
completeness?
a) False.
b) True.

Answer: True.

Question 20. A commitment that "must" be included in the information security
policy is that of continuous improvement of the information security management
system?
a) True.
b) False.

Answer: True.

Question 1. Should senior management conduct reviews, at specified intervals, of
the information security management system to ensure its suitability, adequacy and
continuing effectiveness?
a) NO
b) YES

Question 2. In domain A.15 of the relationship with suppliers, it is determined that:
a) Suppliers must be ISO 27001 certified.
b) There must be an information security policy in the relationship with suppliers.
c) Annual information security audits should be performed on suppliers.
d) Only a and c.

Answer: There must be a security policy...

Question 3. Non-compliance with a requirement is?
a) An observation.
b) An opportunity for improvement.
c) A nonconformity.
d) None of the above.

Answer: A nonconformity.

Question 4. In which of the following stages of human resources information
security management does domain A.7 consider the implementation of controls?
a) Prior to employment.
b) During employment.
c) On termination or change of employment.
d) All of the above.

Answer: All of the above.

Question 5. Which of the following conditions are part of domain A.8 of Annex A of
ISO/IEC 27001?
a) Information assets must be identified and inventoried.
b) There is no requirement to maintain an inventory of assets.
c) Assets must have an assigned owner.
d) Only a and c.

Answer: Only A and C.

Question 6. Are corrective actions used to eliminate the root cause that generated a
nonconformity?
a) NO
b) YES

Answer: Yes

Question 7. Regarding the results of the information security risk assessment, the
following should be considered:
a) Retain documented information.
b) Maintain documented information.
c) Apply statistical methods for evaluation and analysis.
d) Only a and b.

Answer: Keep documented information.


Question 8. For the process of raising awareness among personnel about
information security, the following should be considered:
a) The implications of not complying with the management system.
b) Their contribution to the effectiveness of the information security management system.
c) The security policy.
d) All of the above.

Answer: All of the above.

Question 9. Is it possible to declare the non-applicability of some of the controls in
Annex A of ISO/IEC 27001?
a) No.
b) Yes, but with justified non-applicability.
c) Yes.
d) None of the above.

Answer: Yes, but justifying the non-applicability.

Question 10. Domain A.13 of communications security is aimed at:
a) Ensuring that information processing resources and information are protected against
malware.
b) Ensuring the protection of information on networks and information processing
resources.
c) Ensuring secure software development.
d) Ensuring the correct and secure operation of information processing facilities.

Answer: Ensure the protection of information on networks and information processing
resources.

Question 11. Annex A of ISO/IEC 27001 has 18 domains?
a) True.
b) False.

Answer: False.

Question 12. In the A.18 Compliance domain, an information security system must:
a) Conduct independent information security reviews.
b) Ensure legal compliance regarding the use of materials for which intellectual
property rights exist.
c) Comply with applicable legal requirements regarding privacy and personal data
protection.
d) All of the above.

Answer: All of the above.

Question 13. Internal audits of the information security management system should
be performed:
a) Monthly.
b) Twice a year.
c) Quarterly.
d) At planned intervals.
Answer: At planned intervals.

Question 14. Should documented information on the results of the treatment of
information security risks be kept?
a) Yes.
b) No.

Answer: Yes

Question 15. Select the term associated with the definition: "a stated need or
expectation, usually implicit or mandatory".
a) Prerequisite.
b) Compliance
c) Process.
d) Confidentiality.

Answer: Requirement.

Question 16. What is the objective of the A.12 domain on operations security?
a) Ensure the correct and secure operation of information processing facilities.
b) Ensure security in teleworking and in the use of mobile devices.
c) Ensure the protection of test data.
d) Prevent damage or loss of information assets.

Answer: Ensure the proper and secure operation of information processing facilities.

Question 17. Should responsibilities and management procedures be established to
ensure effective response to information security incidents? If yes, which control
does it indicate?
a) No.
b) Yes, control A.16.
c) Yes, control A.14.
d) None of the above.

Answer: Yes, control A.16.

Question 18. The documented information must be controlled considering the
following aspects:
a) Storage and preservation.
b) Distribution, access, retrieval and use.
c) Change control, retention and disposal.
d) All of the above.

Answer: All of the above.

Question 19. Domain A.9 of Annex A of ISO/IEC 27001 refers to:
a) Physical and environmental security.
b) Security in the development and support processes.
c) Access control.
d) Cryptography.

Answer: Access control.

Question 20. Domain A.17 determines that:
a) The organization must have a disaster recovery plan.
b) The organization must have external consulting for business continuity support.
c) The organization must have a business continuity plan.
d) None of the above.

Answer: The organization must have a business continuity plan.
