Week 1 Flashcards

(13 cards)

1
Q

What are the three key elements of Information Security Management (ISM)?

A

-Information Risk Management
-Information Security Management System (ISMS)
-Standards and Best Practices (e.g., ISO 27000 series)

2
Q

Define the CIA triad in information security.

A

-Confidentiality: Protecting information from unauthorized access.
-Integrity: Ensuring information is accurate and unaltered.
-Availability: Ensuring information is accessible when needed.

3
Q

What is the difference between a threat and a vulnerability?

A

-Threat: A potential cause of an unwanted incident (e.g., an attacker, malware, a natural disaster).
-Vulnerability: A weakness in an asset or control that a threat can exploit (e.g., unpatched software, a default password).
-Risk only exists where both meet: a threat that can exploit a vulnerability to harm an asset.

4
Q

Name the four risk treatment options (often loosely called "risk management controls").

A

-Eliminate (risk avoidance): stop the activity that creates the risk.
-Reduce (risk reduction / modification): apply controls that lower likelihood or impact.
-Transfer (risk transfer / sharing): shift part of the impact to a third party, e.g., insurance or a contract.
-Accept (risk acceptance / retention): knowingly carry the risk, with management sign-off.
(ISO 27005 uses the terms risk avoidance, modification, sharing and retention for the same four options.)

5
Q

What is the purpose of an ISMS?

A

An ISMS (Information Security Management System) is the set of policies, processes, roles and controls through which an organisation identifies and manages its information security risks (hacking, leaks, loss, outages), so that the confidentiality, integrity and availability of its information are protected.

In simple terms:
It keeps information safe by setting rules, processes and checks to prevent problems, and by reviewing them regularly so they keep working.

6
Q

What are the key characteristics of ISO 27001?

A

-Asset-focused
-Risk-driven
-Process-oriented (continuous improvement)

7
Q

What is the relationship between ISO 27001 and ISO 27002?

A

ISO 27001 is the standard that tells you what you must do to set up an Information Security Management System (ISMS).

ISO 27002 is a guide that gives you ideas and details on how you can do it.

In short:
👉 ISO 27001 = what you need to do
👉 ISO 27002 = how you can do it

For example, ISO 27001 requires that access to information be restricted in line with business needs, while ISO 27002 describes how that can be done, such as authentication methods (passwords, ID cards, fingerprint readers), access provisioning and regular access reviews.

8
Q

What is the focus of ISO 27004?

A

Monitoring, measurement, analysis and evaluation of the ISMS: defining metrics that show whether processes and controls are actually effective against stated objectives (e.g., log analysis results, incident statistics, patch coverage, training records).

9
Q

What are the four steps in the ISO 27005 risk management process?

A

Risk Identification: find assets, threats, vulnerabilities and existing controls.
Risk Analysis: estimate likelihood and impact, giving each risk a level or score.
Risk Evaluation: compare the risk level with the organisation's acceptance criteria.
Risk Treatment: choose and apply an option (avoid, reduce, transfer, accept) and record the residual risk.
(These four are the core of the ISO 27005 process; the standard wraps them in context establishment, risk acceptance, communication, and monitoring and review.)
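The four steps above, together with the four treatment options from card 4, are easier to see on a small risk register. The following is an added example written for this page, not material from the flashcards or from ISO 27005 itself: the 1-to-5 likelihood and impact scales, the risk appetite of 8, the four risks and their candidate controls are all constructed. The decision rule (accept if within appetite, otherwise the cheapest control that brings the residual within appetite, otherwise avoid if possible, otherwise transfer) is one reasonable policy, not the only one.

```python
"""Added example, not from the flashcards: a toy risk register pushed through the
ISO 27005 steps (identify, analyse, evaluate, treat) with the four treatment options."""
from dataclasses import dataclass, field

# Assumed 1..5 ordinal scales and an assumed risk appetite. ISO 27005 does not
# prescribe either; each organisation defines its own risk criteria.
RISK_APPETITE = 8


@dataclass
class Control:
    name: str
    residual_likelihood: int   # likelihood after the control is in place
    residual_impact: int       # impact after the control is in place
    annual_cost_eur: float


@dataclass
class Risk:
    ident: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    candidate_controls: list = field(default_factory=list)
    can_avoid: bool = False    # could the risky activity simply be stopped?


def analyse(likelihood: int, impact: int) -> int:
    """Risk analysis: a simple likelihood x impact score."""
    return likelihood * impact


def evaluate(score: int, appetite: int = RISK_APPETITE) -> bool:
    """Risk evaluation: compare the score with the acceptance criteria.
    Returns True when the risk needs treatment."""
    return score > appetite


def treat(risk: Risk, appetite: int = RISK_APPETITE) -> dict:
    """Risk treatment: pick one of accept / reduce / avoid / transfer."""
    inherent = analyse(risk.likelihood, risk.impact)
    if not evaluate(inherent, appetite):
        return {"option": "accept", "control": None, "residual": inherent}

    # Reduce: cheapest control whose residual score is within appetite.
    viable = [c for c in risk.candidate_controls
              if not evaluate(analyse(c.residual_likelihood, c.residual_impact), appetite)]
    if viable:
        best = min(viable, key=lambda c: c.annual_cost_eur)
        return {"option": "reduce", "control": best.name,
                "residual": analyse(best.residual_likelihood, best.residual_impact)}

    # Avoid: stop the activity if the business can live without it.
    if risk.can_avoid:
        return {"option": "avoid", "control": None, "residual": 0}

    # Transfer: share the financial impact (insurance, contract). Likelihood is
    # unchanged, so the residual stays above appetite and needs management sign-off.
    return {"option": "transfer", "control": "insurance / contractual transfer",
            "residual": inherent}


# Constructed register (hypothetical assets, threats and figures).
RISK_REGISTER = [
    Risk("R1", "customer database", "external attacker", "unpatched web server", 4, 5,
         [Control("14-day patch SLA", 1, 5, 5000.0),
          Control("WAF in front of the app", 2, 5, 12000.0)]),
    Risk("R2", "printer job logs", "curious insider", "logs readable by all staff", 2, 2),
    Risk("R3", "legacy FTP server", "credential sniffing", "cleartext protocol", 5, 4,
         [], can_avoid=True),
    Risk("R4", "payment API", "DDoS", "single upstream link", 3, 5,
         [Control("CDN with traffic scrubbing", 2, 5, 20000.0)]),
]


def treat_register(register=RISK_REGISTER, appetite: int = RISK_APPETITE) -> dict:
    """Run every register entry through the treatment decision."""
    return {r.ident: treat(r, appetite) for r in register}


if __name__ == "__main__":
    for ident, decision in treat_register().items():
        print(ident, decision)
```

Reading the output: R1 is reduced with the cheaper of two viable controls, R2 sits within appetite and is accepted, R3 has no viable control but can be switched off (avoid), and R4 cannot be brought within appetite or avoided, so the only remaining option is to transfer the financial impact and have management accept the residual. That last case is the one a checkbox-style ISMS tends to hide, which is why the residual is returned rather than silently dropped.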

10
Q

What are three criticisms of ISO 27001?

A

-Seen as a “checkbox exercise” without real security improvement.
-Scope can be limited to avoid broader security issues.
-Some requirements are vague, leading to subjective implementation.

11
Q

Name two companies with ISO 27001 certification.

A

Amazon Web Services (AWS)
Microsoft (e.g., Azure) or IBM also hold ISO 27001 certificates.
Note that a certificate always has a defined scope (specific services, sites or business units), so "Company X is ISO 27001 certified" should be read as "this scope is certified", not the whole company.

12
Q

Name 3 security metrics.

A
-% of devices patched within the agreed window
-Number of intrusion attempts detected (by source, target or technique)
-Time to detect, respond to and recover from incidents (MTTD: mean time to detect; MTTR: mean time to respond or recover)
-Phishing simulation click rate
-Cost per security incident
-Staff training completion and test results
-Malware detection counts (antivirus / EDR scan results)
A good metric is tied to an objective and a target, so that a value can be judged as within or outside tolerance rather than just reported.
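To make the metrics of card 12, and the ISO 27004 idea from card 8 of measuring against an objective, concrete, here is an added example written for this page. It is not code from the flashcards or from any standard: the incident records, host patch states, phishing simulation results and targets are all constructed, and the MTTD/MTTR definitions used (occurred to detected, detected to resolved) are one common convention that an organisation would have to fix in its own measurement procedure.

```python
"""Added example, not from the flashcards: a few ISMS metrics of the kind
ISO 27004 asks you to define, computed from constructed sample records."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

TIME_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Incident:
    ident: str
    occurred: str   # when the malicious activity began (from forensics)
    detected: str   # when the first alert was raised
    resolved: str   # when the incident was closed
    cost_eur: float


def _hours_between(start: str, end: str) -> float:
    delta = datetime.strptime(end, TIME_FMT) - datetime.strptime(start, TIME_FMT)
    return delta.total_seconds() / 3600


# Constructed sample data (not real incidents, hosts or users).
INCIDENTS = [
    Incident("INC-1", "2024-03-01 08:00", "2024-03-01 10:00", "2024-03-01 18:00", 1200.0),
    Incident("INC-2", "2024-03-05 22:00", "2024-03-07 09:00", "2024-03-08 09:00", 8000.0),
    Incident("INC-3", "2024-03-10 12:00", "2024-03-10 12:30", "2024-03-10 16:30", 400.0),
]
# hostname -> all required patches applied within the agreed window?
PATCH_STATE = {"web-01": True, "web-02": True, "db-01": False,
               "jump-01": True, "hr-laptop-07": False}
# user -> clicked the link in the phishing simulation?
PHISHING_SIM = {"alice": False, "bob": True, "carol": False, "dave": False, "erin": True}

# Assumed targets; an organisation derives these from its own security objectives.
TARGETS = {"mttd_hours": 24.0, "mttr_hours": 8.0,
           "patched_pct": 95.0, "phishing_click_pct": 5.0}


def mttd_hours(incidents) -> float:
    """Mean time to detect: average of (detected - occurred)."""
    return mean(_hours_between(i.occurred, i.detected) for i in incidents)


def mttr_hours(incidents) -> float:
    """Mean time to resolve: average of (resolved - detected)."""
    return mean(_hours_between(i.detected, i.resolved) for i in incidents)


def cost_per_incident(incidents) -> float:
    return mean(i.cost_eur for i in incidents)


def patched_percentage(patch_state: dict) -> float:
    return 100.0 * sum(patch_state.values()) / len(patch_state)


def phishing_click_rate(results: dict) -> float:
    return 100.0 * sum(results.values()) / len(results)


def metrics_report(incidents=INCIDENTS, patch_state=PATCH_STATE, phishing=PHISHING_SIM) -> dict:
    return {
        "mttd_hours": round(mttd_hours(incidents), 2),
        "mttr_hours": round(mttr_hours(incidents), 2),
        "cost_per_incident_eur": round(cost_per_incident(incidents), 2),
        "patched_pct": round(patched_percentage(patch_state), 1),
        "phishing_click_pct": round(phishing_click_rate(phishing), 1),
    }


def evaluate_against_targets(report: dict, targets: dict = TARGETS) -> dict:
    """A measurement is only useful against an objective: report which metrics
    are within target. Lower is better for every metric except patched_pct."""
    result = {}
    for name, target in targets.items():
        value = report[name]
        result[name] = value >= target if name == "patched_pct" else value <= target
    return result


if __name__ == "__main__":
    report = metrics_report()
    status = evaluate_against_targets(report)
    for name, value in report.items():
        flag = "" if name not in status else ("OK" if status[name] else "OUT OF TOLERANCE")
        print(f"{name:>24}: {value:>8} {flag}")
```

With the constructed data, MTTD is within its target but MTTR, patch coverage and the phishing click rate are not, which is exactly the kind of output a management review under ISO 27001 would act on. Note that the long dwell time in INC-2 dominates the MTTD; a single mean hides that, so real reporting usually adds the maximum or a percentile next to the mean.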
13
Q

Outline what is covered in each of the standards in the 27000 series and explain their importance.
27001
27002
27004
27005

A

27001 - ISMS requirements
What it covers: Requirements for establishing, running, monitoring and improving an information security management system (ISMS).
Why it matters: It is the main standard for managing information security and the one an organisation can be certified against.
27002 - Security controls
What it covers: A catalogue of best-practice controls with implementation guidance.
Why it matters: Helps you choose and apply the right security measures for the risks you have.
27004 - Measuring the ISMS
What it covers: How to monitor, measure and evaluate whether your ISMS is working well.
Why it matters: Helps you track performance against objectives and make improvements.
27005 - Risk management
What it covers: A process to identify, analyse, evaluate and treat information security risks.
Why it matters: Helps you focus effort on the biggest risks and reduce harm.
