FREE ISO 27000 Foundation ISO 27000 Family of Standards Questions and Answers

Question 1

An organization is implementing an Information Security Management System (ISMS) and needs detailed, practical guidance on how to implement the specific security controls listed in Annex A of ISO/IEC 27001. Which standard in the ISO 27000 family should they primarily consult for this purpose?

Accepted Answer

ISO/IEC 27002

Answer

ISO/IEC 27002 provides a reference set of generic information security controls including implementation guidance. It is designed to be used in conjunction with ISO/IEC 27001, offering detailed best practices for the controls listed in Annex A.

Question 2

A company has successfully implemented an ISMS based on ISO/IEC 27001 and now wants to extend it to cover privacy management and the processing of Personally Identifiable Information (PII), aligning with regulations like GDPR. Which standard provides the requirements and guidance for establishing a Privacy Information Management System (PIMS) as an extension to an ISMS?

Accepted Answer

ISO/IEC 27701

Answer

ISO/IEC 27701 is specifically designed as a privacy extension to ISO/IEC 27001 and ISO/IEC 27002. It specifies the requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

Question 3

During an ISO/IEC 27001 audit, the auditor will ask for a key document that lists all controls from Annex A, indicates whether they have been implemented, and provides a justification for any exclusions. What is this mandatory document called?

Accepted Answer

Statement of Applicability (SoA)

Answer

The Statement of Applicability (SoA) is a mandatory document for ISO/IEC 27001 certification. It links the risk assessment to the implemented controls by listing all Annex A controls, justifying their inclusion or exclusion, and showing their implementation status.

Question 4

An organization is in the 'Check' phase of the Plan-Do-Check-Act (PDCA) cycle for its ISMS. Which of the following activities is most characteristic of this phase?

Accepted Answer

Monitoring and reviewing the ISMS performance against policies.

Answer

The 'Check' phase of the PDCA cycle involves monitoring, measuring, analyzing, and evaluating the performance and effectiveness of the ISMS. This includes activities like internal audits and management reviews to see if the ISMS is performing as expected.

Question 5

A risk assessment team is following the process outlined in ISO/IEC 27005. After identifying risks and analyzing their potential impact and likelihood, what is the immediate next step in the risk management process before deciding on risk treatment?

Accepted Answer

Risk Evaluation

Answer

According to the ISO/IEC 27005 risk management process, after Risk Analysis (assessing likelihood and impact), the next step is Risk Evaluation. This involves comparing the analyzed risks against the organization's pre-defined risk criteria to determine their significance and decide which risks require treatment.

ISO 27000 Foundation Certification Practice Test

ISO 27000 Foundation Certification Practice Test

FREE ISO 27000 Foundation ISO 27000 Family of Standards Questions and Answers