What Is The Primary Purpose of An Information Security Manag

ISMS QUESTIONS

1. What is the primary purpose of an Information Security Management System
(ISMS) according to ISO 27001?
2. How does ISO 27001 differ from ISO 27002 in terms of information security
controls?
3. Explain the concept of control objectives in the context of an ISMS.
4. How do control objectives relate to the overall information security risk
management process?
5. Provide examples of different control objectives for the confidentiality, integrity,
and availability (CIA) of information.
6. What is the role of Annex A in the ISO 27001 standard?
7. How many control categories are there in the current version of Annex A (as of
April 2024)?
8. Briefly describe the four main themes covered by the controls in Annex A.
9. How should an organization choose the most appropriate controls from Annex A
for its specific needs?
10. What factors should be considered when implementing controls from Annex A?
11. Explain the concept of a Statement of Applicability (SoA) in relation to ISO 27001
controls.
12. (Control 1) Considering A.6.1.1 - Access to operational systems, what specific
control activities could be implemented to achieve this objective?
13. (Control 2) Considering A.8.2.2 - Security awareness and training, how can an
organization measure the effectiveness of its security awareness training
program?
14. Imagine you are working for a small e-commerce company. What control
objectives and Annex A controls would be most critical for their information
security?
15. How might the control objectives and chosen controls differ for a large
healthcare organization compared to a financial services company?
16. How can an organization use a risk assessment to determine the required
control level for each control in Annex A (e.g., high, medium, low)?
17. Explain how the selection of controls from Annex A should be documented and
justified based on the risk assessment.
18. Provide examples of specific controls from Annex A that could be used to assess
vendor security practices.
