Which two of the following statements are true?

• A.The benefits of implementing an ISMS primarily result from a reduction in information security risks
• B.The benefit of certifying an ISMS is to obtain contracts from governmental institutions
• C.The purpose of an ISMS is to apply a risk management process for preserving information security
• D.The purpose of an ISMS is to demonstrate compliance with regulatory requirements

Comment: *

Name: *

Email: *

Verification: *

Which option below about the ISMS scope is correct?

• A.ISMS scope should be available as documented information
• B.ISMS scope should ensure continual improvement
• C.ISMS scope should be compatible with the strategic orientation of the organization

Comment: *

Name: *

Email: *

Verification: *

Which of the following does an Asset Register contain? (Choose two)

• A.Process ID
• B.Asset Type
• C.Asset Owner
• D.Asset Modifier

Comment: *

Name: *

Email: *

Verification: *

You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's risk management process.
He is attempting to update the current documentation to make it easier for other managers to understand, however, it is clear from your discussion he is confusing several key terms.
You ask him to match each of the descriptions with the appropriate risk term. What should the correct answers be?

Correct Answer:

Explanation
The correct answers for matching each of the descriptions with the appropriate risk term are:
The strategy chosen to respond to a specific information security risk: This is a definition of information security risk treatment. According to ISO/IEC 27000:2022, information security risk treatment is "the process of selecting and implementing measures to modify the information security risk" Section 3.33.
The effect of uncertainty on information security objectives: This is a definition of information security risk. According to ISO/IEC 27000:2022, information security risk is "the effect of uncertainty on information security objectives" Section 3.32.
The requirements against which information security risks are evaluated: This is a definition of information security risk criteria. According to ISO/IEC 27000:2022, information security risk criteria are "the terms of reference by which the significance of information security risks is assessed" Section
3.31.
A definition of the overall level of information security risk that is considered to be tolerable: This is a definition of information security risk acceptance criteria. According to ISO/IEC 27000:2022, information security risk acceptance criteria are "the level of information security risk that is acceptable" Section 3.30.

Comment: *

Name: *

Email: *

Verification: *

Four types of Data Classification (Choose two)

• A.Restricted Data, Confidential Data
• B.Project Data, Highly Confidential Data
• C.Financial Data, Highly Confidential Data
• D.Unrestricted Data, Highly Confidential Data

Comment: *

Name: *

Email: *

Verification: *