Simulator - CertiProf ISO 27001 Foundation
Answer: True.
Answer: False.
Question 9. The approval of the risk treatment plan and the acceptance of the
residual risk is the responsibility of: (Select the best answer)
a) Chief Information Officer.
b) Senior management.
c) Risk owner.
d) Security Director.
Answer: Risk owner.
Question 10. According to ISO/IEC 27001, a risk assessment will include: (Select the
best answer)
a) Security risk treatment options.
b) Result of control measures.
c) Possibility of occurrence of a risk.
d) IMS stakeholders.
Question 11. The scope of an organization's ISMS revolves around providing
financial services. In the information security policy, senior management has stated
its intention to operate within state and federal requirements. The rest of the
information security policy focuses on how IT will deliver financial services.
This policy: (Select the best answer)
a) It is ISO 27001 compliant.
b) It is compliant with ISO 27001 but could be improved.
c) Non-compliant with ISO 27001.
d) Does not apply to specific lines of business.
Question 14. A financial organization has selected its securities trading operations
as the scope of its ISMS. A review of its information security policy does not show
where the organization is committed to complying with government security
regulations. Does this meet the requirements of ISO/IEC 27001?
a) True.
b) False.
Question 15. An organization has made its claims processing operations the scope of
its ISMS. The controls it has selected are determined in which process? (Select
the best answer)
a) Risk Treatment.
b) Security Policy.
c) Risk Assessment.
d) Management Review.
Question 16. An organization's ISMS can be said to be effective if: (Select best
answer)
a) Management has given the IT manager absolute authority over security and has
given the IT department a limited budget.
b) The help desk has minimized its staff and is still meeting its objectives.
c) All areas of the process have been shown to have plans, set objectives and taken
actions to improve.
d) The internal audit and compliance teams have identified numerous
Answer: It has been shown that all areas of the process have ...
Question 18. An organization has defined a risk assessment process. This is used
annually at its local facilities and all of its foreign locations. Does this produce
consistency and comparable results?
a) False.
b) True.
Answer: True.
Question 19. One organization consists of ten medical laboratories where patients
go for tests and are under the direction of a central headquarters. Senior
management has determined that the scope of its ISMS will be the protection of all
patient personal information and will cover the head office. Does this meet the
requirements of ISO/IEC 27001?
a) True.
b) False.
Answer: False.
Question 20. Information security objectives should be consistent with: (Select the
best answer)
a) Risk assessment methodology.
b) Information security policy.
c) The applicability statement
d) The risk treatment plan.
Answer: Encryption.
Question 3. The scope of an audit is always the same as the scope of the
management system.
a) True.
b) False.
Answer: False.
Answer: DPI.
Answer: The rationale for the selection of controls and the ...
Question 9. The auditor's working papers may include: (Select the best answer).
a) Checklist, plans and evidence collection forms.
b) Instructions for the facility to be audited
c) The auditor's code of conduct.
d) Identification, including photograph.
Answer: Checklist, plans and formats ...
Question 10. The information accepted as audit evidence should be: (Select the best
answer)
a) Documented.
b) Identified at least twice.
c) Verifiable.
d) Confirmed by the guide.
Answer: Verifiable.
Question 11. One organization has made Sales operations the scope of its ISMS. A
risk assessment for an organization's sales information should include: (Select the
best answer)
a) The risk associated with salespeople transporting sales information on their
laptops.
b) The financial value associated with the loss of confidentiality of sales
information.
c) Encryption of customer names and addresses.
d) A policy of acceptable use of company assets.
Question 14. A large national retail chain aims to ensure that customers can access
their account information at least 98% of the time. The risk assessment should:
(Select the best answer)
a) Include the risk associated with information availability.
b) Include the risk associated with the customer software being developed by an
outsourced development company.
c) Be completed by the IT department, as they are the custodians of customer
account files.
d) Ensure that allowing access to customers satisfies regulatory requirements.
Question 17. When establishing an audit program for a management system, the
organization shall prioritize audit resources to address: (Select the best answer).
a) Risk.
b) Integration to business continuity plans.
c) Business Needs.
d) Market opportunities.
Answer: Risk.
Question 18. Which control in Annex A would be selected to mitigate the risk of
employees using training equipment owned by the organization for their personal
use? (Select the best answer)
a) A.18.2.2 - Compliance with security policies and standards.
b) A.7.2.3 - Disciplinary process.
c) A.8.1.3 - Acceptable use of assets.
d) A.7.1.2 - Terms and conditions of employment.
Question 19. Which control could be selected to mitigate the risk associated with
upgrading software on enterprise servers? (Select the best answer)
a) A.12.1.2 - Change management.
b) A.14.2.2 - Systems change control procedure.
c) A.9.4.5 - Controlling access to program source code.
d) A.12.7.1 - Information systems audit controls.
Question 1. Which of the following roles is responsible for defining the policy and
objectives of the information security management system?
a) The information security committee.
b) The information security officer.
c) The Management Representative.
d) Senior management.
Answer: Confidentiality.
Question 9. For the determination of the organization's context, the ISO/IEC 27001
standard recommends the use of the methodology:
a) Pestel.
b) Porter's 5 forces.
c) SWOT.
d) None of the above, the standard does not recommend the methodology to be used
for context determination.
Answer: True.
Answer: CIA
Question 13. The property of the information to be accessible and usable on demand
by an authorized entity is:
a) Confidentiality of information.
b) Truthfulness of information.
c) Information integrity.
d) Availability of information.
e) None of the above.
Answer: Availability.
Question 14. Select from the following options which are some of the requirements
of the ISO 27001 standard.
a) Leadership and Teamwork.
b) Organizational Context, Leadership and Planning.
c) Teamwork, Operation and Improvement.
d) All of the above.
Answer: The risk acceptance criteria and the criteria to carry out the risk acceptance...
Question 16. Is the Statement of Applicability the document containing the controls
in Annex A to be implemented for the treatment of risks and those to be excluded
with their due justification?
a) True.
b) False.
Answer: True.
Answer: PDCA.
Answer: True.
Answer: True.
Answer: A nonconformity.
Question 5. Which of the following conditions are part of domain A.8 of Annex A of
ISO/IEC 27001?
a) Information assets must be identified and inventoried.
b) There is no requirement to maintain an inventory of assets.
c) Assets must have an assigned owner.
d) Only a and c.
Question 6. Are corrective actions used to eliminate the root cause that generated a
nonconformity?
a) NO
b) YES
Answer: Yes.
Question 7. Regarding the results of the information security risk assessment, the
following should be considered:
a) Retain documented information.
b) Maintain documented information.
c) Apply statistical methods for evaluation and analysis.
d) Only a and b.
Answer: False.
Question 12. In the A.18 Compliance domain, an information security system must:
a) Conduct independent information security reviews.
b) Ensure legal compliance regarding the use of materials for which intellectual
property rights exist.
c) Comply with applicable legal requirements regarding privacy and personal data
protection.
d) All of the above.
Question 13. Internal audits of the information security management system should
be performed:
a) Monthly.
b) Twice a year.
c) Quarterly.
d) At planned intervals.
Answer: At planned intervals.
Answer: Yes.
Question 15. Select the term associated with the definition: "a stated need or
expectation, usually implicit or mandatory".
a) Prerequisite.
b) Compliance.
c) Process.
d) Confidentiality.
Answer: Requirement.
Question 16. What is the objective of the A.12 control on the security of operations?
a) Ensure the correct and secure operation of information processing facilities.
b) Ensure security in teleworking and in the use of mobile devices.
c) Ensure the protection of test data.
d) Prevent damage or loss of information assets.
Answer: Ensure the proper and secure operation of information processing facilities.