Question 1

Which two of the following phrases would apply to "act" in relation to the Plan-Do-Check-Act cycle for a business process?

Options :

A : Auditing processes

B : Planning changes

C : Measuring objectives

D : Resetting objectives

E : Achieving improvements

F : Verifying training

Answer: D,E

Question 2

Which of the following does an Asset Register contain? (Choose two)

Options :

A : Asset Type

B : Asset Owner

C : Asset Modifier

D : Process ID

Answer: A,B

Question 3

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are

presently in

the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric

combination lock and swipe card reader on the door. You notice two external contractors using a swipe card

and

combination number provided by the centre's reception desk to gain access to a client's suite to carry out

authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card

was

swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their

cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

Options :

A :

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times

B :

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

C :

Raise a nonconformity against control A.7.1 'security perimiters' as a secure area is not adequately protected

D :

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined

E :

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier

F :

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities

Answer: B

Question 4

A couple of years ago you started your company which has now grown from 1 to 20 employees. Your

company’s information is worth more and more and gone are the days when you could keep control yourself.

You are aware that you have to take measures, but what should they be? You hire a consultant who advises

you to start with a qualitative risk analysis.

What is a qualitative risk analysis?

Options :

A : This analysis follows a precise statistical probability calculation in order to calculate exact loss caused by damage.

B : This analysis is based on scenarios and situations and produces a subjective view of the possible threats.

Answer: B

Question 5

What is the standard definition of ISMS?

Options :

A : Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization-s reputation.

B : A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving

C : A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security

D : A systematic approach for establishing, implementing, operating,monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives.

Answer: D