Lead Auditor 27001

Question 1

Information is what kind of asset?

Answer 1

Strategic

Question 2

Property of accuracy and completeness. CIA triad

Answer 2

Integrity

Question 3

CIA Triad

Answer 3

Confidential
Integrity
Availability

Question 4

A hacker compromising a message someone sends to another is what CIA?

Answer 4

Integrity, accuracy of message was corrupted

Question 5

When someone sends a message and they can no longer claim they didn’t is what?

Answer 5

Non repudiation

Question 6

Property is the entity it claims to be

Answer 6

Authenticity

Question 7

Example of authentic and non repudiation

Answer 7

Digital signature

Question 8

Use a framework of resources to achieve an organization’s objectives

Answer 8

Management systems

Question 9

Management system components

Answer 9

Quality management
Scope
Organization
Process
Policies
Records

Question 10

PDCA cycle

Answer 10

In the quality management:
Plan
Do
Check
Act

Question 11

Management system used to ensure the information security of its information assets

Answer 11

ISMS

In sec man sys

Question 12

Item of value to an org is a primary asset

Answer 12

False, information asset

Primary is business process

Question 13

Stand. That specifies requirements for estáb implementation and manage. And continual improving of ISMS

Answer 13

ISO 27001

Question 14

Catalog of security and privacy controls for all U.S. federal information systems

Answer 14

Nist 800-53

Question 15

Framework for governance and manage of enterprise IT

Answer 15

Cobit 2019

Question 16

Only normative standards like 27001 can be audited

Answer 16

True

Question 18

Nist framework is what 5?

Answer 18

Identify
Protect
Detect
Respond
Recover

6th is governance

Question 20

Standard that contains guidelines for implementing security controls

Answer 20

27002

Question 21

Clause 7.5

Answer 21

Documented information

Question 22

Which clause requires org to include documented information in the ISMS as directly required by 27001 and org for effectiveness of the ISMS

Answer 22

7.5

Question 23

Documentation life cycle

Answer 23

Créate
Store
Use
Archive
Dispose

Question 24

12 step method

Answer 24

Management support
Scope of ISMS
Gap Analysis
Information security policy
Competence assurance
Asset inventory
Risk management methodology
Risk assessment
Risk treatment
Performance evaluation
Improvement
Certification audit

Question 25

Determines whether a project is worth it

Answer 25

Business case

Question 26

Raci matrix

Answer 26

Responsible Accountable Consulted Informed

Question 27

Most important reason to obtain support by top management for an ISO 27001 implementation project

Answer 27

Guarantee sufficient resources and budget for the implementation

Question 28

Responsibility specifically for top management in ISO 27001

Answer 28

Approving information security policy

Question 29

True or false, multiple roles can be assigned accountability role within an activity

Answer 29

False

Question 31

Name a standard that is normative and can be certified

Answer 31

27001

Question 32

A procedures describing how to configure a server is an example of?

Answer 32

Document

Question 34

3 purposes of context analysis

Answer 34

Scope of isms Risk and opportunities Adaptation

Question 35

Pestel

Answer 35

Political Economical Social Technological Environmental Legal

Question 37

4.4

Answer 37

Org estab implements and maintains continuous improvement of ISMS

Question 38

Only 2 process required in ISO 27001

Answer 38

Risk assessment Risk treatment

Question 39

This has to be available as documented information due to requirements of ISO 27001

Answer 39

Scope of ISMS

Question 40

A customer requiring an org to have compliance with privacy regulations is defined as what?

Answer 40

Interested party

Question 41

Who is accountable for approving scope of ISMS?

Answer 41

Top management

Question 42

Org establishes information security objectives and plans to achieve them at relevant functions and levels

Answer 42

6.2

Question 43

Info sec objectives

Answer 43

Strategic goals Is policy Confidential Integrity Availability

Question 44

Smart goals

Answer 44

Specific Measure able Achieve able Relevant Timebound

Question 47

Management systeme used to ensure the information security of its information assets

Answer 47

ISMS

Question 49

Primary assets are an item of value to the org

Answer 49

False, information assets Primary is business processes and activities information Supporting assets- enable primary assets

Question 50

4 tabs to track assets

Answer 50

Classification Type Category Owner

Question 52

This consists of leadership, org structure and process that ensure enterprises IT sustains and extends the enterprise strategies and objectives

Answer 52

IT governance

Question 53

3 benefits of IT governance

Answer 53

Benefits realization Risk optimization Resource optimization

Question 54

Resource optimization treats risks to meet an org risk acceptance criteria

Answer 54

False, risk optimization -Resource optimization is the provision of necessary resources and training for efficient tech use Benefits realization is IT creates value aligned with org values and measure for success and eliminate low value initiatives

Question 57

Name 5 mandatory documents

Answer 57

-Scope of isms -info sec policy -info sec risk assess process -info sec risk treat process -statement of applicable -evidence of competence -evidence for process carried out -results of info sec risk assess -results of info sec risk treat -result of monitor and measure -audit programme -audit results -results of manage review -nature of nonconformity and sub actions taken -results of corrective action

Question 58

Why do iso 27001 projects mostly fail?

Answer 58

Lack of planning

Question 59

Give me the 12 step method

Answer 59

-managed support -scope of isms -gap analysis -info sec policy -competence assurance -asset inventory -risk management method -risk assessment -risk treat -performance evaluation -improvement -certification audit

Question 60

Setting foundation, top management fully on board

Answer 60

Step 1 management support

Question 61

What is covered by scope and what isn’t

Answer 61

2 scope of ISMS

Question 62

Step 3 gap analysis

Answer 62

Determine where you want to be and where you are now

Question 63

Security objectives

Answer 63

Info sec policy

Question 64

Everyone knowing what is expected from them and how they can contribute

Answer 64

5 competence assurance

Question 65

Categorize assets, need clear inventory of what needs protected

Answer 65

6 asset inventory

Question 66

Defining risk

Answer 66

7 risk management method

Question 67

Utilizing a risk register

Answer 67

8 risk assessment

Question 68

Based off risk assessment results, largest and time consuming of steps

Answer 68

9 risk treat

Question 69

Reevaluate performance, kpi’s etc

Answer 69

10 performance evaluation

Question 70

Corrections from results to improve isms

Answer 70

11 improvement

Question 71

Seeking certification

Answer 71

12 certification audit

Question 72

ISO 27001 implementation project categories

Answer 72

-welcome -Normative reference -citations -deliverables -project information -Gantt Chart

Question 73

Highlights the benefits of implementing ISO 27001

Answer 73

Business case

Question 74

5.1 leadership and commitment and 5.3 org roles, responsibilities and authorities are relevant to which step?

Answer 74

Step 1 Management support

Question 75

Which Clause has top management demonstrate leadership and commitment with respect to ISMS?

Answer 75

5.1 leadership and commitment

Question 76

Clause that has top management ensure responsibility and authorities for roles relevant to info sec are assigned and communicated throughout the org

Answer 76

5.3 org roles responsibility and authorities

Question 77

First step of scope of ISMS,

Answer 77

Context analysis process

Question 78

What are the relevant clauses for the scope of isms?

Answer 78

4.1 understanding the organization and it’s context 4.2 understanding the needs and expectations of interested parties 4.3 determine the scope of isms 5.31 legal,statutory, regulatory and contractual requirements

Question 79

Org determines external and internal issues relevant to its purpose and affecting its ability to achieve the intended outcomes of the isms

Answer 79

4.1 understanding the org and it’s context

Question 80

3 purposes of context analysis

Answer 80

Scope of isms Risk and opportunities Adaptation,adapt to org changes

Question 81

Political, economic, social, tech, environmental and legal are what issues to an isms?

Answer 81

External

Question 82

Culture, objectives, org structure, supply chain, processes, infrastructure, it, reports are what issues to an isms?

Answer 82

Internal

Question 83

Org determines interested parties relevant to ISMS and their requirements relevant to information security

Answer 83

4.2 understanding the needs and expectations of interested parties

Question 84

Person or org affected by or perceived itself to be affected by a decision or activity

Answer 84

Interested party (stakeholder)

Question 85

What type of stakeholders are legislators, customers, suppliers, competitors, investors, police, public, adversaries

Answer 85

External

Question 86

3 requirements of interested parties

Answer 86

Government-compliance with privacy regulations Key customers- ISO 27001 Workers council- protection of employee data

Question 87

This clause identifies, considers and documents control, purpose and implementation of the scope of an isms

Answer 87

5.31 legal, stat, regulatory and contractual requirements

Question 88

Types of compliance requirements

Answer 88

Legal, regulatory, statutory and contractual

Question 89

What clause has the org determine the boundaries and applicability of the ISMS to establish its scope?

Answer 89

4.3 determining scope of isms

Question 90

This defines where and what the isms is applicable and where for what it is not

Answer 90

Scope

Question 91

Org establishes, maintains and improves isms continuously

Answer 91

4.4 information security management system

Question 92

Where you are at and where you wasn’t your isms to be

Answer 92

Gap analysis

Question 93

Step 4, highlights importance of isms,

Answer 93

Information security policy

Question 94

Clauses 5.2 policy 6.2 info sec obj 7.4 communication A.5.1 info sec policies Are associated with which step?

Answer 94

Step 4 info sec policy

Question 95

Org establishes info sec obj and plans to achieve them at relevant functions and levels

Answer 95

Clause 6.2 info sec objective

Question 96

What are the objectives for info sec?

Answer 96

Confidential Integrity Availability

Question 97

This acronym is for goals in your isms

Answer 97

Specific Measurable Achievable Relevant Timely

Question 98

This clause has top management establish an information security policy

Answer 98

Clause 5.2 Policy

Question 99

Which clause has the org determine the needs for internal and external communications related to isms?

Answer 99

7.4 communications

Question 100

Step for for setting up an ISMS

Answer 100

Competence assurance

Question 101

What clauses are in step 5?

Answer 101

7.2 competence 7.3 awareness A.6.3 info sec aware Edu and training

Question 102

Part of support clause, org determines the competence of persons needed for info sec performance and ensures that the persons are competent

Answer 102

7.2 competence

Question 103

Clause that states the persons doing work under the org control are made aware of the info Dec policy, their contribution to the effectiveness of the ISMS, benefits of the improved info sec performance and implications of not conforming to the requirements of the isms

Answer 103

7.3 awareness

Question 104

This clause has Org and relevant parties should provide appropriate info sec aware, edu, and training to their personnel, and update them regularly on the info sec policies relevant to their job function

Answer 104

A.6.3 info sec aware, edu and training

Question 105

Step 6 for isms

Answer 105

Inventory asset

Question 106

Relevant clauses for step 6?

Answer 106

A.5.9 inventory of information and other associated assets A.5.12 classification of information A.5.13 labeling of information

Question 107

This clause is an inventory of info and other associated assets, including owners, should be developed and maintained

Answer 107

A.5.9 inventory of information and other associated assets

Question 108

A crm, system admin and a sales team are what kind of assets?

Answer 108

Primary

Question 109

A router is what type of asset?

Answer 109

Supporting

Question 110

This control has info should be classified according to info sec needs of the org based on confidentiality, integrity, availability and relevant interested party requirements

Answer 110

A.5.12 classification of information control

Question 111

Control is an appropriate procedures for info labeling should be developed and implemented in accordance with the information classification scheme adopted by an organization

Answer 111

A.5.13 labeling of information

Question 112

Step 7

Answer 112

Risk management methodology

Question 113

Which clauses are relevant to step 7

Answer 113

6.1 actions to address risk opportunities Annex A info sec controls

Question 114

Establish context, risk identification, risk analysis, risk evaluation, risk treatment, risk monitoring and review is what?

Answer 114

Risk management process

Question 115

This clause is relevant to outcomes of ISMS and info security risks

Answer 115

6.1 actions to address risks and opportunities

Question 116

This clause has the org define and apply an info security risk assessment process

Answer 116

6.1.2 info security risk assessment

Question 117

AV

Answer 117

Asset value

Question 118

EF

Answer 118

Exposure factor

Question 119

This clause the org defines and applies an info security risk treatment process

Answer 119

6.1.3 info security risk treatment

Question 120

Give me 4 security controls

Answer 120

Deter Reduce Detect Reduce

Question 121

Step 8

Answer 121

Risk Assessment

Question 122

Relevant clauses for step 8

Answer 122

8.2 info sec risk assessment

Question 123

This clause has the org perform info security risk assessments and retains documented info on results

Answer 123

8.2 info sec risk assessment

Question 124

Step 9

Answer 124

Risk treatment

Question 125

Clauses for step 9

Answer 125

8.3 info sec risk treat

Question 126

This clause has the org implement the info sec risk treat plan and retains documented info on the results of the info sec treat

Answer 126

8.3 info sec risk treat

Question 127

These are measures to reduce risk

Answer 127

Controls

Question 128

Info sec controls reference

Answer 128

Annex A

Question 129

This clause has the org determine and provide resources for establishing, implementing, maintaining and continually improve the isms

Answer 129

7.1 resources

Question 130

Which Annex A clause is policies for information security?

Answer 130

A.5.1

Question 131

Which Annex A clause is info sec roles and responsibilities?

Answer 131

A.5.2

Question 132

Which Annex A clause is segregation of duties?

Answer 132

A.5.3

Question 133

Which Annex A clause is management responsibility

Answer 133

A.5.4

Question 134

Which Annex A clause is contact with authorities?

Answer 134

A.5.5

Question 135

Which Annex A clause is contact with special interest groups?

Answer 135

A.5.6

Question 136

Which Annex A clause is threat intelligence?

Answer 136

A.5.7

Question 137

Which Annex A clause is info sec in project management?

Answer 137

A.5.8

Question 138

Which Annex A clause is inventory of info and other associated assets?

Answer 138

A.5.9

Question 139

A.5.10

Answer 139

Acceptable use of information and other associated assets

Question 140

A.5.11

Answer 140

Return of assets

Question 141

A.5.12

Answer 141

Classification of information

Question 142

A.5.13

Answer 142

Labeling of information

Question 143

A.5.14

Answer 143

Information transfer

Question 144

A.5.9

Answer 144

Inventory of info and other associated assets

Question 145

A.5.10

Answer 145

Acceptable use of info and other associated assets

Question 146

A.5.11

Answer 146

Return of assets

Question 147

A.5.12

Answer 147

Classification of info

Question 148

A.5.13

Answer 148

Label of info

Question 149

A.5.14

Answer 149

Info transfer

Question 150

A.5.15

Answer 150

Access control

Question 151

A.5.16

Answer 151

Identity management

Question 152

A.5.17

Answer 152

Auth info

Question 153

A.5.18

Answer 153

Access rights

Question 154

A.5.19

Answer 154

Info sec in supplier agreement

Question 155

A.5.20

Answer 155

Addressing info sec within supplier agreement

Question 156

A.5.21

Answer 156

Manage info sec in the info and comm tech

Question 157

A.5.22

Answer 157

Monitoring, review and change management of supplier services

Question 158

A.5.23

Answer 158

Info sec for use of cloud services

Question 159

A.5.24

Answer 159

Info sec incident management planning and preparation

Question 160

assessment and decision on info sec events

Answer 160

A.5.25

Question 161

Which Annex A is response to info security incidents

Answer 161

A.5.26

Question 162

Which Annex A is learning from info sec

Answer 162

A.5.27

Question 163

Which Annex A is collection of evidence

Answer 163

A.5.28

Question 164

Which Annex A is info sec during disruption

Answer 164

A.5.29

Question 165

Which Annex A is ICT readiness for business continuity

Answer 165

A.5.30

Question 166

A.5.31

Answer 166

Legal statutory regulations and contracts require

Question 167

A.5.32

Answer 167

Intellectual property of rights

Question 168

A.5.33 protection of records T or F

Answer 168

True

Question 169

A.5.34

Answer 169

Privacy and protection of PII

Question 170

A.5.35

Answer 170

Independent review of info sec

Question 171

A.5.36 compliance with policies rules and standards. For information sec T or F

Answer 171

True

Question 172

A.5.37

Answer 172

Document operating procedures

Question 173

A.6.1

Answer 173

Screening

Question 174

A.6.2

Answer 174

Terms and condition of employment

Question 175

A.6.3

Answer 175

Info sec aware edu and training

Question 176

A.6.4

Answer 176

Disciplinary process

Question 177

A.6.5

Answer 177

Responsibilities after term or change of employment

Question 178

A.6.6

Answer 178

Confidential or non disclosure agreements

Question 179

A.6.7

Answer 179

Remote working

Question 180

A.6.8

Answer 180

Info sec event reporting

Question 181

A.7.1

Answer 181

Physical security perimeters

Question 182

A.7.2

Answer 182

Physical entry

Question 183

A.7.3

Answer 183

Securing offices rooms and facilities

Question 184

A.7.4

Answer 184

Physical security monitoring

Question 185

A.7.5

Answer 185

Protecting against physical and environmental trends

Question 186

A.7.6

Answer 186

Working in secure areas

Question 187

A.7.7

Answer 187

Clear desk and clear screen

Question 188

A.7.8

Answer 188

Equipment sitting and protection

Question 189

A.7.9

Answer 189

Security of assets off premise

Question 190

A.7.10

Answer 190

Storage media

Question 191

A.7.11

Answer 191

Supporting utilities

Question 192

A.7.12

Answer 192

Cabling security

Question 193

A.7.13

Answer 193

Equipment maintenance

Question 194

A.7.14

Answer 194

Secure disposal or reuse of equipment

Question 195

A.8. 1

Answer 195

User end point devices

Question 196

A.8.2

Answer 196

Privileged access rights

Question 197

A.8.3

Answer 197

Info access restrictions

Question 198

A.8.4

Answer 198

Access to source code

Question 199

A.8..5

Answer 199

Secure authentication

Question 200

A.8.6

Answer 200

Capacity management

Question 201

A.8.7

Answer 201

Protection against malware

Question 202

A.8.8

Answer 202

Management of tech vulnerabilities

Question 203

A.8.9

Answer 203

Config management

Question 204

A.8.10

Answer 204

Info deletion

Question 205

A.8.11

Answer 205

Data masking

Question 206

A.8.13

Answer 206

Info back up

Question 207

A.8.14

Answer 207

Redundancy of info processing facilities

Question 208

A.8.15

Answer 208

Logging

Question 209

A.8.16

Answer 209

Monitoring activities

Question 210

A.8.17 clock synchronization true or false

Answer 210

True

Question 211

A.8.18

Answer 211

Use of privilege utility programs

Question 212

A.8.19

Answer 212

Installation of software on operating systems

Question 213

A.8.20

Answer 213

Network security

Question 214

A.8.21

Answer 214

Security of network services

Question 215

A.8.22

Answer 215

Segregation of networks

Question 216

A.8.23

Answer 216

Web filtering

Question 217

A.8.24

Answer 217

Use of cryptography

Question 218

A.8.25

Answer 218

Secure develop life cycle

Question 219

A.8.26

Answer 219

Application security requirements

Question 220

A.8.27

Answer 220

Secure system architecture and engineering principles

Question 221

A.8.28

Answer 221

Secure coding

Question 222

A.8.29

Answer 222

Security testing in dev and acceptance

Question 223

A.8.30

Answer 223

Outsourced dev

Question 224

A.8.31

Answer 224

Separation of dev test and production environments

Question 225

A.8.32

Answer 225

Change management

Question 226

A.8.33

Answer 226

Test information

Question 227

A.8.34

Answer 227

Protection of info systems during audit testing

Question 228

Step 10

Answer 228

Performance evaluation

Question 229

Clauses associated with step 10

Answer 229

-9.1 monitor measure analysis evaluation -9.2 internal audit -9.3 management review

Question 230

Step 11

Answer 230

Improvement

Question 231

Clauses for step 11?

Answer 231

10.1 continual improvement 10.2 nonconformity and corrective action

Question 232

10.1

Answer 232

Continual improvement

Question 233

10.2

Answer 233

nonconformity and corrective action

Question 234

Step 12

Answer 234

Certification audit

Question 235

Nonconformity

Answer 235

Non fufilment of a requirement

Question 236

Step 12

Answer 236

Certification audit