ISO 27000 Foundation ISO 27000 Family of Standards Questions and Answers

Question 1

An information security manager is using Annex A of ISO/IEC 27001 to select appropriate controls. For a specific control, such as 'A.5.23 Information security for use of cloud services', they require more detailed implementation guidance. Which standard in the ISO 27000 family provides this detailed guidance for the controls listed in Annex A?

Accepted Answer

ISO/IEC 27002

Answer

ISO/IEC 27001 lists the controls in Annex A, but it does not provide detailed implementation guidance. ISO/IEC 27002, titled 'Information security, cybersecurity and privacy protection — Information security controls', serves as a code of practice and provides a detailed reference set of generic information security controls, including implementation guidance for each control in Annex A.

Question 2

The ISO 27001 standard is structured around the Plan-Do-Check-Act (PDCA) model for continual improvement. Which of the following clauses are primarily associated with the 'Check' phase of the cycle?

Accepted Answer

Clause 9 (Performance evaluation)

Answer

The 'Check' phase of the PDCA cycle involves monitoring and reviewing the performance of the ISMS. Clause 9, 'Performance evaluation', directly addresses this by requiring the organization to monitor, measure, analyze, and evaluate the ISMS, conduct internal audits, and perform management reviews.

Question 3

As part of an ISO 27001 implementation, the Chief Executive Officer (CEO) of an organization publicly endorses the new information security policy and ensures that sufficient budget and personnel are allocated for the ISMS project. Which specific leadership responsibility from ISO 27001 is the CEO primarily demonstrating?

Accepted Answer

Ensuring the integration of ISMS requirements into the organization’s processes and providing necessary resources.

Answer

ISO 27001 Clause 5.1 ('Leadership and commitment') requires top management to demonstrate their commitment. This includes ensuring the information security policy and objectives are established, ensuring the integration of ISMS requirements into the organization's processes, and ensuring that the resources needed for the ISMS are available. The CEO's actions directly align with these high-level responsibilities. The other options are operational tasks typically delegated to security or IT teams.

Question 4

An organization is establishing its ISMS according to ISO 27001 and is determining its 'interested parties' as required by Clause 4.2. Which of the following would be the LEAST likely to be considered a relevant interested party with requirements pertinent to the ISMS?

Accepted Answer

A competitor company operating in the same market.

Answer

Interested parties are individuals or organizations that can affect, be affected by, or perceive themselves to be affected by the organization's ISMS. Regulators, customers, and shareholders have direct requirements and expectations for the organization's information security. While a competitor is part of the business environment, they do not typically have direct, legitimate requirements *for* the organization's ISMS that need to be addressed within its framework.

Question 5

A multinational corporation has an established ISMS certified to ISO/IEC 27001. To comply with evolving global data privacy regulations, the company wants to enhance its ISMS to specifically manage and protect Personally Identifiable Information (PII). Which ISO 27000 family standard provides a framework for a Privacy Information Management System (PIMS) as an extension to an ISMS?

Accepted Answer

ISO/IEC 27701

Answer

ISO/IEC 27701 is designed as a privacy extension to ISO/IEC 27001 and ISO/IEC 27002. It specifies requirements and provides guidance for establishing, implementing, and maintaining a Privacy Information Management System (PIMS), helping organizations manage PII and comply with privacy regulations. ISO/IEC 27017 is for cloud security, 27032 for cybersecurity, and 27005 for risk management.

ISO 27000 Foundation Certification Practice Test

ISO 27000 Foundation Certification Practice Test

ISO 27000 Foundation ISO 27000 Family of Standards Questions and Answers