ISO 27000 Foundation ISMS Fundamentals and Vocabulary Questions and Answers

Question 1

According to ISO/IEC 27000, which of the following BEST defines 'information security'?

Accepted Answer

The preservation of confidentiality, integrity, and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

Answer

ISO/IEC 27000:2018 formally defines information security as the 'preservation of confidentiality, integrity and availability of information'. It also notes that other properties can be involved. The other options describe related concepts like the goal of an ISMS or general definitions of cybersecurity, but are not the specific definition from the standard.

Question 2

A financial services company is implementing an Information Security Management System (ISMS). They are currently identifying anything that has value to the organization, including customer data, proprietary software, and servers. In the context of ISO/IEC 27000, what is the correct term for these items?

Accepted Answer

Assets

Answer

ISO/IEC 27000 defines an 'asset' as anything that has value to the organization. This includes data, software, hardware, and services. Risks are the effect of uncertainty on objectives, vulnerabilities are weaknesses, and controls are measures that modify risk.

Question 3

Which standard in the ISO 27000 family provides the overview, fundamental principles, and vocabulary for an ISMS?

Accepted Answer

ISO/IEC 27000

Answer

ISO/IEC 27000 is the foundational standard in the series. It provides an overview of information security management systems and specifies the essential vocabulary (terms and definitions) used across the entire ISO 27000 family of standards.

Question 4

What is the primary purpose of an Information Security Management System (ISMS) as described in the ISO 27000 series?

Accepted Answer

To provide a systematic approach for establishing, implementing, maintaining, and continually improving information security.

Answer

An ISMS is a systematic, risk-based approach to managing an organization's information security. It is a management framework that involves policies, processes, procedures, and controls to protect information assets, and it is based on a cycle of continual improvement (Plan-Do-Check-Act). While it helps satisfy requirements and implement controls, its primary purpose is the overall management system. Eliminating all incidents is not a realistic goal.

Question 5

A weakness in a system's security procedures, design, implementation, or internal controls that could be exploited by a threat source is known as a:

Accepted Answer

Vulnerability

Answer

ISO/IEC 27000 defines a 'vulnerability' as a weakness of an asset or control that can be exploited by one or more threats. A threat is a potential cause of an incident, and a risk is the effect of uncertainty on objectives, often expressed as a combination of the consequences of an event and the associated likelihood of occurrence.

ISO 27000 Foundation Certification Practice Test

ISO 27000 Foundation Certification Practice Test

ISO 27000 Foundation ISMS Fundamentals and Vocabulary Questions and Answers