FREE ISO 27000 Foundation Certification Prior Knowledge Questions and Answers
What does "fulfillment of a requirement" mean in ISO 27001:2013?
In ISO 27001:2013, the term "fulfillment of a requirement" refers to the concept of demonstrating conformity or compliance with the specified requirements of the standard. It means that an organization has implemented and operates its Information Security Management System (ISMS) in accordance with the requirements outlined in ISO 27001.
Conformity in this context implies that the organization's ISMS aligns with the necessary policies, procedures, controls, and processes defined in the standard. It involves ensuring that the ISMS is established, implemented, maintained, and continually improved to meet the objectives and requirements of ISO 27001.
The management system's scope must be kept up to date as written information.
According to the ISO 27001:2013 standard, the scope of the Information Security Management System (ISMS) needs to be maintained as documented information. This requirement is outlined in Clause 4.3 - Determining the scope of the information security management system.
Maintaining the scope as documented information means that the organization should define and document the boundaries, extent, and applicability of its ISMS. This includes specifying the organizational units, processes, assets, and locations covered by the ISMS.
Which does not fall under senior management's purview?
In the context of ISO 27001:2013, the role of a management representative is not explicitly mentioned as a top management responsibility. While the standard requires top management to fulfill various responsibilities, such as promoting continual improvement and establishing an information security policy, the appointment of a management representative is not specifically mentioned as one of their responsibilities.
However, it is important to note that organizations may choose to appoint a management representative or delegate specific responsibilities related to the implementation and management of the Information Security Management System (ISMS). This appointment can help ensure effective communication, coordination, and oversight of the ISMS implementation activities. But the specific appointment of a management representative is not mandated by the ISO 27001:2013 standard itself.
Therefore, the correct answer is that "Appoint a management representative" is not listed as a top management responsibility in ISO 27001:2013.
Where in the standard is a reference to controls and control goals to be found?
In the ISO/IEC 27001:2013 standard, Annex A provides a comprehensive list of control objectives and controls that organizations can consider for implementing an effective Information Security Management System (ISMS). Annex A is an integral part of the standard and contains a set of 114 controls grouped into 14 control categories.
These controls cover various aspects of information security, including organizational security, human resource security, physical and environmental security, communications security, access control, and more. Each control objective is accompanied by a corresponding control specification that provides guidance on how to implement and measure the effectiveness of the control.
Which of the following must be documented (in Clause 6) according to ISO 27001:2013?
In ISO 27001:2013, Clause 6 specifically addresses the "Planning" requirements for an Information Security Management System (ISMS). According to this clause, organizations are required to document their risk assessment process.
The risk assessment process involves identifying, analyzing, and evaluating information security risks to determine the level of risk and potential impact on the organization's assets and objectives. This documentation typically includes the methodology used, criteria for assessing risks, risk assessment results, and any relevant supporting information.
"The only emphasis of ISO 27001:2013 is the protection of personal information."
ISO 27001:2013 is not solely focused on the protection of personal information. It is a comprehensive international standard for information security management systems (ISMS) that provides a framework for managing and protecting all types of information within an organization, not just personal information.
ISO 27001:2013 is not solely focused on the protection of personal information. It is a comprehensive international standard for information security management systems (ISMS) that provides a framework for managing and protecting all types of information within an organization, not just personal information.
What must the company create?
As part of implementing an Information Security Management System (ISMS) according to ISO 27001:2013, the organization is required to produce a Statement of Applicability (SoA). The SoA is a documented statement that identifies the controls from Annex A of the standard that are applicable to the organization's specific context.
The SoA provides a clear and concise overview of the control objectives and controls selected by the organization based on its risk assessment and risk treatment processes. It outlines which controls are implemented, partially implemented, or not applicable, along with the justification for each decision.