ISO 27000 Foundation Risk Assessment and Treatment Questions and Answers

Question 1

A retail company has completed its risk assessment and identified a significant risk related to its online payment processing system.
The potential financial loss from a data breach is calculated to be extremely high.
The company decides to engage a third-party, PCI-DSS certified payment gateway to handle all transactions, thereby shifting the responsibility for securing cardholder data.
According to ISO 27001, which risk treatment option does this action represent?

Accepted Answer

Risk sharing

Answer

Risk modification

Answer

Risk retention

Answer

Risk avoidance

Question 2

An organization is in the process of conducting an information security risk assessment. The team first identifies potential risk scenarios and then analyzes the attack vectors and likelihood of those scenarios materializing. According to ISO/IEC 27005, this method of risk identification is best described as which approach?

Accepted Answer

Event-based

Answer

Asset-based

Answer

Vulnerability-based

Answer

Impact-based

Question 3

In the context of an ISO 27001 ISMS, what is the primary responsibility of a 'Risk Owner'?

Accepted Answer

To approve the risk treatment plan and accept the residual risk for a specific risk.

Answer

To technically implement the security controls for all identified risks.

Answer

To manage the day-to-day operation of the information assets associated with a risk.

Answer

To conduct the annual audit of the risk management process.

Question 4

Which of the following BEST describes the purpose of the Statement of Applicability (SoA) in the risk treatment process?

Accepted Answer

To document which controls from Annex A are implemented and to justify any exclusions.

Answer

To list all identified risks, their likelihood, impact, and assigned risk owner.

Answer

To provide a detailed implementation plan, including timelines and resources, for applying new security controls.

Answer

To define the criteria for how the organization will evaluate and accept information security risks.

Question 5

During a risk evaluation phase, an organization compares the estimated levels of risk against criteria they have predefined. What is the primary goal of this activity?

Accepted Answer

To make decisions on which risks require treatment.

Answer

To identify all possible threats and vulnerabilities to the organization's assets.

Answer

To assign ownership for each of the identified risks.

Answer

To select the most cost-effective security controls from Annex A.

Question 6

A manufacturing company determines that the risk of a power outage disrupting its production line is unacceptably high. They decide to implement an Uninterruptible Power Supply (UPS) and a backup generator. This action is an example of which risk treatment option?

Accepted Answer

Risk modification

Answer

Risk retention

Answer

Risk avoidance

Answer

Risk sharing