ISO 27000 Foundation Risk Assessment and Treatment Questions and Answers

Question 1

A retail company has completed its risk assessment and identified a significant risk related to its online payment processing system. The potential financial loss from a data breach is calculated to be extremely high. The company decides to engage a third-party, PCI-DSS certified payment gateway to handle all transactions, thereby shifting the responsibility for securing cardholder data. According to ISO 27001, which risk treatment option does this action represent?

Accepted Answer

Risk sharing

Answer

This scenario describes risk sharing, also known as risk transfer. The company is transferring the risk associated with payment card processing to a third-party vendor. Risk modification would involve implementing controls to reduce the risk, risk retention would be accepting the risk, and risk avoidance would mean stopping the activity causing the risk (e.g., ceasing online sales).

Question 2

An organization is in the process of conducting an information security risk assessment. The team first identifies potential risk scenarios and then analyzes the attack vectors and likelihood of those scenarios materializing. According to ISO/IEC 27005, this method of risk identification is best described as which approach?

Accepted Answer

Event-based

Answer

ISO/IEC 27005 proposes two main approaches to risk identification: asset-based and event-based. The event-based approach focuses on identifying risks by considering various realistic attack scenarios or failure events and analyzing how they could occur. This contrasts with the asset-based approach, which starts by identifying assets, then threats and vulnerabilities related to those assets.

Question 3

In the context of an ISO 27001 ISMS, what is the primary responsibility of a 'Risk Owner'?

Accepted Answer

To approve the risk treatment plan and accept the residual risk for a specific risk.

Answer

The Risk Owner is the individual accountable for a specific risk. Their key responsibilities include approving the chosen risk treatment plan and formally accepting the level of risk that remains after controls are applied (residual risk). While they oversee the risk, they may not be the one technically implementing controls (IT Manager) or managing the asset day-to-day (Asset Owner).

Question 4

Which of the following BEST describes the purpose of the Statement of Applicability (SoA) in the risk treatment process?

Accepted Answer

To document which controls from Annex A are implemented and to justify any exclusions.

Answer

The Statement of Applicability (SoA) is a mandatory ISO 27001 document that lists all 93 controls from Annex A. For each control, it must state whether it is applicable, justify its inclusion or exclusion, and note its implementation status. It serves as the primary link between the risk assessment/treatment and the implemented controls.

Question 5

During a risk evaluation phase, an organization compares the estimated levels of risk against criteria they have predefined. What is the primary goal of this activity?

Accepted Answer

To make decisions on which risks require treatment.

Answer

The risk evaluation step involves comparing the results of the risk analysis (the calculated risk levels) with the organization's predefined risk acceptance criteria. This comparison is crucial for deciding which risks are unacceptably high and therefore need to be treated, and which risks are low enough to be accepted without further action.

ISO 27000 Foundation Certification Practice Test

ISO 27000 Foundation Certification Practice Test

ISO 27000 Foundation Risk Assessment and Treatment Questions and Answers