You are an experienced ISMS audit team leader. You are providing an introduction to ISO/IEC 27001:2022 to a class of Quality Management System Auditors who are seeking to retrain to enable them to carry out information security management system audits. You ask them which of the following characteristics of information does an information security management system seek to preserve? Which three answers should they provide?
Correct Answer: E,F,G
Explanation: These three characteristics are the fundamental properties of information security, as defined by the ISO/IEC 27000 standard, which provides the overview and vocabulary of information security, cybersecurity, and privacy protection [1][2]. They are also the basis for the information security objectives and controls of the ISO/IEC 27001 standard, which specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system [3][4]. The definitions of these characteristics are as follows [1][2]:
* Availability: The property of being accessible and usable upon demand by an authorized entity.
* Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
* Integrity: The property of safeguarding the accuracy and completeness of information and processing methods.
The other characteristics listed in the question, such as clarity, accessibility, completeness, importance, and efficiency, are not directly related to information security, although they may be relevant for other aspects of information management, such as quality, usability, or performance.
References:
1: ISO/IEC 27000:2022 Information technology - Security techniques - Information security, cybersecurity and privacy protection - Overview and vocabulary, clause 3
2: ISO/IEC 27000:2022 (en), Information security, cybersecurity and privacy protection - Overview and vocabulary
3: ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, clause 6.2
4: ISO/IEC 27001:2022 (en), Information security, cybersecurity and privacy protection - Information security management systems - Requirements
Question 292
A property of Information that has the ability to prove occurrence of a claimed event.
Correct Answer: B
Explanation: A property of information that has the ability to prove occurrence of a claimed event is integrity. Integrity is one of the three main objectives of information security, along with confidentiality and availability. Integrity ensures that information and systems are not corrupted, modified, or deleted by unauthorized actions or events. Integrity also implies that information and systems can be verified and validated as authentic and accurate. Electronic chain letters are not a property of information, but a type of spam or hoax message that may contain malicious or misleading content. Availability means that service should be accessible at the required time and usable only by the authorized entity. Accessibility is not a property of information, but a characteristic of usability that refers to how easy it is for users to access and interact with information and systems.
References: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24; ISO/IEC 27001 Brochures | PECB, page 4; ISO/IEC 27001 LEAD AUDITOR - PECB, page 13.
Question 293
How are data and information related?
Correct Answer: C
Data and information are related concepts, but they are not the same. Data are raw facts or figures that form the basis of information. Information is data that has been given value through analysis, interpretation, or compilation in a meaningful form. When meaning and value are assigned to data, it becomes information that can be used for decision making, problem solving, or communication. Therefore, the correct answer is C.
Reference: ISO/IEC 27000:2022, clause 3.7; Data vs Information - Difference and Comparison | Diffen.
Question 294
__________ is a software used or created by hackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Correct Answer: D
Malware is software used or created by hackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Malware is a general term that covers various types of malicious software, such as viruses, worms, trojans, ransomware, spyware, adware, etc. Malware can cause serious damage to the organization's information assets and reputation, and may lead to legal or regulatory consequences. Therefore, the organization should implement appropriate controls to prevent, detect and remove malware, as specified in ISO/IEC 27001:2022 clause 12.2.1.
Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course; ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements; What is malware?
Question 295
What is the difference between a restricted and confidential document?