T 24v22 - E-Learning - ISO 27001 readiness information security management system version 2022

Here is a MCT (Multiple-choice test) to evaluate, before beginning, the level of your knowledge for this course. (One or more correct answers are possible). You can start again as many times you wish.

1. The ISO 27001 standard defines for an information security management system:

• The requirements (That's one of the correct answers)
• Overview and vocabulary (That's ISO 27000 - Information technology - Security techniques - Information security management systems - Overview and vocabulary)
• Reference control objectives and controls (That's one of the correct answers)
• The risk management (That's ISO 27005 - Information technology - Security techniques - Informationtion security risk management)

2. The statement of applicability (SoA) allows you to:

• Treat the risks (That's one of the correct answers)
• Determine what is part of the ISMS (That's one of the correct answers)
• Identify and keep up to date the controls to be implemented (That's one of the correct answers)
• Plan and audit the ISMS (That's one of the correct answers)
• Carry out process mapping (There is no direct link)

3. Assessing the risks allows us to:

• Identify the risks (That's one of the correct answers)
• Analyze the risks (That's one of the correct answers)
• Assess the risks (That's one of the correct answers)
• Achieve the objectives of the ISMS (It is the treatment of risks that makes it possible to achieve the objectives of the ISMS)
• Avoid risks (It is the treatment of risks that allows the avoidance of risks)

4. Staff are made aware of, among other things:

• The importance of complying with the information security policy (That's one of the correct answers)
• The importance of meeting the requirements of the ISMS (That's one of the correct answers)
• The positive effectsof individual performance (That's one of the correct answers)
• The consequences of non-compliance with ISMS policies (That's one of the correct answers)
• Everyone's contribution to improving the performance of the ISMS (That's one of the correct answers)
• The benefits of becoming an information security expert (This is neither the subject nor the objective of raising staff awareness)

5. Examples of processes that can be outsourced:

• Carry out the management review (It is neither practical nor recommended)
• Audit (That's one of the correct answers)
• Provide training (That's one of the correct answers)
• Planning the ISMS (It is neither practical nor recommended)
• Maintain equipment (That's one of the correct answers)
• Apply discipline (It is neither practical nor recommended)

6. The internal audit:

• Check staff competence (That's one of the correct answers)
• Helps to raise awareness among staff (This is not an objective of the audit, staff awareness is another activity)
• Allows disciplinary actions to be taken (This is neither an objective nor a right of the audit)
• Allows the compliance of the ISMS to be evaluated (That's one of the correct answers)
• Allows the effectiveness of the ISMS to be evaluated (That's one of the correct answers)
• Helps improve the effectiveness of the ISMS (That's one of the correct answers)

7. The treatment of nonconformities includes activities such as:

• Identifying nonconformities (That's one of the correct answers)
• Applying a correction (That's one of the correct answers)
• Determining root causes (That's one of the correct answers)
• Responding to an incident (An incident is an adverse event, while a nonconformity is a failure to meet a requirement)
• Seeking opportunities for improvement (It is only after the disappearance of nonconformities and their causes that one can think of improvement)
• Evaluating the need for corrective actions (That's one of the correct answers)

8. Response to an incident includes, among other things:

• Taking operational incidents into account (That's one of the correct answers)
• Taking into account incidents detected by users (That's one of the correct answers)
• Lessons learned (This is an activity after the incident has been closed)
• Follow-up (That's one of the correct answers)
• Classification (level of severity) (That's one of the correct answers)
• Treatment of root causes (That's one of the correct answers)

9. Staff are regularly made aware of:

• Information security risks (That's one of the correct answers)
• The level of password security (That's one of the correct answers)
• Disciplinary rules (That's one of the correct answers)
• Updates to policies and procedures (That's one of the correct answers)
• The scope of the ISMS (This is an element that changes very rarely and is not a subject of awareness)

10. Physical and environmental security can include:

• Secure areas (That's one of the correct answers)
• Delivery areas (That's one of the correct answers)
• Arrival and departure of visitors (That's one of the correct answers)
• Indication of the purpose of the rooms (That's one of the correct answers)
• External threats (That's one of the correct answers)
• Classification of information (This is part of the asset management, annex A.5.12)