Question 1

A manufacturing company is using MEHARI to assess the risks to its industrial control systems. The team is at the initial stage of the process. What should be the primary focus at this stage according to MEHARI, and how does it contribute to the risk assessment process?

Options :

A : Determining the security objectives and identifying the scope, including the assets and processes of the industrial control systems.

B : Directly implementing security controls based on industry best practices.

C : Conducting a financial analysis to estimate potential losses from security incidents.

D : Outsourcing risk assessment to an external cybersecurity firm.

Answer: A

Question 2

A multinational corporation is implementing an information security risk management process and needs to assign risk ownership for the risk of data breaches in its European operations. Considering the organizational structure, who should be designated as the risk owner for this specific risk?

Options :

A : The Data Protection Officer (DPO) for the European region.

B : The Chief Information Security Officer (CISO) at the corporate headquarters.

C : The General Manager of European operations.

D : The IT Manager of the European branch.

Answer: A

Question 3

An organization has recently experienced a data breach. The risk manager must develop a communication plan to inform internal and external stakeholders about the breach and the steps being taken to mitigate its impact. What should be a key consideration in this communication plan?

Options :

A : Providing timely, accurate, and transparent information about the breach and mitigation efforts.

B : Limiting information to avoid legal liability.

C : Focusing solely on external communication to maintain the organization-s public image.

D : Delaying communication until a complete investigation is conducted.

Answer: A

Question 4

A financial institution is implementing the MEHARI method for its online banking services. The team is in the first phase of MEHARI. What should be the primary focus at this stage, and how does it contribute to the overall risk management process?

Options :

A : Outsourcing risk assessment to a cybersecurity firm.

B : Conducting a financial analysis to estimate potential losses from security incidents.

C : Identifying the scope of the risk management process, including the assets, processes, and security requirements of the online banking services.

D : Directly implementing security controls based on general best practices.

Answer: C

Question 5

An online retailer is assessing the risk of a distributed denial of service (DDoS) attack during its major sale event. In ISO/IEC 27005 terms, what would 'consequence' refer to in this risk assessment?

Options :

A : The probability of a DDoS attack occurring during the sale event.

B : The technical methods used by attackers to initiate a DDoS attack.

C : The cost of implementing additional security measures to prevent DDoS attacks.

D : The impact on sales and customer trust if a DDoS attack occurs.

Answer: D