Apply Now: Information Security Associate Exam Answers – SkillFront Exam
Information Security Associate Certification Answers
QUESTION 1: Which of the following contains references to expected business continuity planning practices that organizations must implement?
- ISO 27005:2008, section 8
- ISO 27001:2005, annex A
- ISO 17799:2008, section 1
- ISO 27002:2005, section 10
QUESTION 2: Which sections are included in the ISO/IEC 27001?
- Operation: it contains a bit more detail about assessing and treating information risks, managing changes, and documenting things
- Introduction: the standard describes a process for systematically managing information risks
- Planning: outlines the process to identify, analyze, and plan to treat information risks and clarify information security objectives.
- All the choices above.
QUESTION 3: What are the requirements for the SoA (Statement of Applicability)?
- It must not be explicitly defined.
- It is a mandatory requirement.
- It should contain the risk treatment options.
- All the choices above.
QUESTION 4: Taking organizational security measures is inseparably linked with all other measures that have to be taken. What is the name of the system that guarantees the coherence of information security in the organization? (1)
- Information Security Management System (ISMS)
- Security regulations for special information for the government
- Rootkit
- None of the choices above
QUESTION 5: Which steps can be included in the Phase Model for ISMS Scope Definition and SoA Awareness Campaigns? (4)
- Raising Awareness
- Assessing requirements
- Evaluating effectiveness
- All the choices above.
QUESTION 6: When determining the scope of the information security management system, which one is a FALSE consideration?
- The requirements shall be considered.
- The external and internal issues shall be considered.
- The scope shall not be available as documented information.
- The interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.
QUESTION 7: Which department of the organization is responsible for the establishment of the information security policy?
- Top management.
- Marketing department.
- Human Resource department.
- IT department.
QUESTION 8: Which points shall the Information Security Policy contain?
- Including a commitment to satisfy applicable requirements related to information security.
- Including a commitment to continual improvement of the information security management system.
- Including information security objectives or providing the framework for setting information security objectives.
- All the choices above.
QUESTION 9: Why do organizations have an information security policy?
- To give direction to how information security is set up within an organization.
- To ensure that everyone knows who is responsible for carrying out the backup procedures.
- To demonstrate the operation of the Plan-Do-Check-Act cycle within an organization.
- To ensure that staff does not break any laws.
QUESTION 10: Which step is NOT included in the Information Risk Assessment Process?
- Identifying information security risks.
- Formulate an information security risk treatment plan.
- Analyze information security risks.
- Evaluate information security risks.
QUESTION 11: A properly implemented risk analysis provides a considerable amount of useful information. A risk analysis has four main objectives. Which one is NOT one of the four main objectives of risk analysis?
- Determining relevant vulnerabilities and threats.
- Identifying assets and their value.
- Determining the costs of threats.
- Establishing a balance between the costs of an incident and the costs of a security measure.
QUESTION 12: When an organization processes information of a confidential nature and is legally obliged to implement the highest-level security measures, what type of risk management strategy does it need to use?
- Risk neutral.
- Risk bearing.
- Risk avoiding.
- All of the choices above.
QUESTION 13: Which steps does an information risk treatment include?
- Select appropriate information security risk treatment options, taking account of the risk assessment results.
- Formulate an information security risk treatment plan.
- Determine all necessary controls to implement the information security risk treatment option chosen.
- All the choices above.
QUESTION 14: Which is NOT one of the characteristics of an information security objective?
- To be measurable.
- To be constant and not be updated as appropriate.
- To be consistent with the information security policy.
- To be communicated.
QUESTION 15: Which step is essential so that an organization can achieve its information security objectives?
- Who will be responsible.
- What resources will be required.
- What will be done.
- All the choices above.
QUESTION 16: What should be included in the operational planning and control documents?
- The organization shall keep documented information to have confidence that the processes have been carried out as planned.
- The organization shall ensure that outsourced processes are determined and controlled.
- The organization shall control planned changes and review the consequences of unintended changes.
- All the choices above.
QUESTION 17: What is NOT a risk treatment option based on ISO/IEC 27001?
- Risk Avoidance.
- Risk Awareness.
- Risk Reduction.
- Risk Transfer.
QUESTION 18: What should an organization document as evidence of the monitoring and measurement of information security?
- Who shall monitor and measure.
- What needs to be monitored and measured, including information security processes and controls.
- When the monitoring and measuring shall be performed.
- All the choices above.
QUESTION 19: Which answer is NOT an objective of the internal audits that the organization shall conduct at planned intervals?
- The organization shall define the audit criteria and scope for each audit.
- The organization shall plan, establish, and maintain an audit program.
- The organization shall select auditors and conduct audits that ensure partiality and subjectivity of the audit process.
- The organization shall ensure that the results of the audits are reported to the relevant management.
QUESTION 20: What should the review of the organization’s information security management system include?
- Changes in external and internal issues, which are relevant to the information security management system.
- Nonconformities and corrective actions.
- Opportunities for continual improvement.
- All the choices above.
QUESTION 21: What is NOT the right course of action for the organization when a nonconformity occurs?
- The information security management system should remain unchanged.
- The organization should evaluate the need for action to eliminate the causes of nonconformity.
- The organization should review the effectiveness of any corrective action taken.
- The organization should take action to control and correct it and deal with the consequences.
QUESTION 22: What is the benefit of certified compliance with ISO/IEC 27001 by a respected certification body?
- It demonstrates that it is a quality organization.
- The certificate has marketing potential and brand value.
- It demonstrates that the organization takes information security management seriously.
- All the choices above.
QUESTION 23: When an audit program in the organization must be planned and implemented, which aspects should be considered?
- Roles and responsibilities within the teams.
- Frequency of audits.
- Planning requirements for the audits.
- All the choices above.
QUESTION 24: Who is responsible for the internal ISMS audits, and plans and manages the audits?
- ISMS officer/CISO.
- CEO of the organization.
- External audit team.
- None of the choices above.
QUESTION 25: Which is the sub-process that is included in the cyclical process of the audit program?
- Planning specific audit activities.
- Defining general audit criteria.
- Review and improvement of the audit activities by management.
- All the choices above.
QUESTION 26: Why is the ISO Step-By-Step Implementation Guide so crucial for the organization?
- In this checklist, you have the main steps to implement ISO 27001 easily in your organization.
- If you follow this Guide, the organization can achieve the ISO 27001 certification.
- The Guide shows the organization Step-By-Step an easy way to implement the ISO 27001.
- All the choices above.
QUESTION 27: What is the primary goal of writing an Information Security Policy?
- It should be very detailed.
- It should define advanced requirements for information security in the organization.
- The management should define what it wants to achieve and how to control it.
- None of the choices above.
QUESTION 28: What is the purpose of performing the Risk Assessment & Risk Treatment?
- By implementing the risk assessment, the point is to get a comprehensive picture of the internal and external dangers to the organization’s information.
- The purpose of the risk treatment process is to decrease the risks that are not acceptable.
- A Risk Assessment Report is essential, which documents all the steps taken during the risk assessment and risk treatment process.
- All the choices above.
QUESTION 29: When an organization implements an ISO/IEC 27001 compliance program, what is NOT one of the required tasks?
- They must, for example, configure the firewall in the organization.
- They must know what is going on in the ISMS and make some crucial decisions.
- The management must ensure that everyone performs their duties.
- The management must ensure that the ISMS is achieving the desired results.
QUESTION 30: What are the typical duties of the security leadership role?
- Setting the strategic objective, building the security road-map, allocating budget, and human resources.
- Defining the security program’s context, including aligning the program to business objectives and ensuring appropriate stakeholders have been considered.
- Developing, tracking, and reporting security key performance indicators (KPIs) to relevant stakeholders.
- All the choices above.