The Practitioner Examination
SX01 Scenario Booklet

This is a 2.5-hour objective test examination. This booklet contains the Project Scenario upon which this exam paper is based. All questions are contained within the Question Booklet. Additional information is provided within this Scenario Booklet for a number of questions. Where reference should be made to additional information, this is clearly stated within the question to which it is relevant. All information provided within a question must only be applied to that question.

Each of the 4 questions is worth 20 marks, giving a maximum of 80 marks in the paper. The pass mark is 50% (40 marks). Within each question the syllabus area to which the question refers is clearly stated.

The exam is to be taken with the support of only the following British Standards:
ISO/IEC 27000:2014
ISO/IEC 27001:2013
ISO/IEC 27002:2013
ISO/IEC 27003:2010
ISO/IEC 27005:2011

No material other than the Question Booklet, the Scenario Booklet, the Answer Booklet, and the five standards is to be used. However, if required, the ISO/IEC 27001 Supplementary Paper, which contains relevant parts of ISO/IEC 27003:2010, may be used.

Candidate Number: ........................................

ISO27K2012-GB--SX01-V1.1 Page 1 of 9 Document Owner - Chief Examiner
© The APM Group Ltd 2014. This paper remains the property of The APM Group (APMG). This document is not to be reproduced or re-sold without express permission from The APM Group Ltd. The APMG-International ISO/IEC 27001 logo is a Trade Mark of The APM Group Limited. The APMG-International logo is a Trade Mark of the APM Group Ltd.



Scenario

ISO/IEC 27001 – Case Study: Equitable Products

The organizations and people within the scenario are fictional.

Background

Equitable Products is a food processing and supply company serving supermarkets. It supplies food packaged under its own brand name to general retailers and ‘supermarket brand’ packaged goods to supermarket chains.

In addition they have recently begun supplying frozen 'ready meal' products to a major restaurant chain.

To support their business, Equitable Products has food processing plants at two sites. One site deals with the processing and re-packaging of bulk foodstuffs into branded packages (own brand and supermarket). The other site produces ready meals which are supplied as frozen products to general retail customers and the restaurant chain.

Organization

There are three marketing divisions within the organization to service the separate retail, supermarket and restaurant markets. Each marketing division has its own business targets, objectives and processes.

An internal IT unit is responsible for the provision of IT services within Equitable Products. 

Each division uses some specific, dedicated IT services, together with a core set of shared corporate IT services to support their business operations. For example, the Equitable Products' IT systems now interface directly with the supermarkets’ IT systems to enable 'just in time' re-ordering and delivery.

The restaurant chain's IT systems are also now connected to the Equitable Products' IT systems. All the new Restaurant Ready Meal products are microchipped with a Radio Frequency Identification Device (RFID) tag. All restaurant products must be consumed within five days of production. The RFID technology enables the individual restaurants’ usage to be monitored by Equitable Products. A production schedule is produced for the restaurant ready meal products in order to reduce wastage.

Current Status

As a result of international concern over contamination of products, Equitable Products decided that they should take more control of their supply chain. They have recently acquired an established chain of dairy farms which will, in the future, provide most of their fresh dairy products. This will better enable them to track ingredients from 'field to plate'. 

The other products and ingredients used in the processing plants are sourced from a variety of third party suppliers. Wherever possible the contracts with those suppliers require the suppliers to maintain ISO/IEC 27001 certification.


Scenario continued

The diagram below shows the interaction between the various parties and Equitable Products’ divisions.

Diagram 1 - The interaction between the various parties and Equitable Products’ divisions

[Diagram 1 is not reproduced in this transcript. Its labels are: Food Processing Division (Bulk Foodstuffs - Site 1; Ready Meals - Site 2); New Dairy Farm Chain; Suppliers; General Retailers (Equitable Products Brand); Supermarket Chains (Supermarket Brands); Restaurants (Restaurant Ready Meals).]

The contracts with the major supermarkets require Equitable Products to maintain ISO/IEC 27001 certification and there is an established ISMS in place. However the dairy farm chain has never had ISO/IEC 27001 certification and needs to be brought into the scope of certification. Equitable Products’ corporate clients are supportive of the reasons and objectives of acquiring the dairy farm chain. However, they require the ISO/IEC 27001 certification to be extended to include this new business division.

Information Security Management Structure

The Equitable Products Chief Financial Officer has the role of Director of Information Management. In this role he has been given the organizational responsibility to ensure that ISO/IEC 27001 conformance is maintained. The Chief Information Officer reports directly to the Director of Information Management and has two Information Security Officers who work for him. They are responsible for ensuring that the company and its third party suppliers maintain the required ISO/IEC 27001 certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring that the IT service is delivered in accordance with ISO/IEC 27001.

Scenario continued

Information Security Objectives

Information security risks must be managed effectively, collectively and proportionately in a cost effective way. A secure and confidential working environment should also be maintained. To achieve this, the information security objectives of Equitable Products include the following:

a) To maintain the confidentiality, integrity and availability of corporate and customer information

b) To maintain ISO/IEC 27001 certification

c) To ensure compliance with legal and regulatory requirements

d) To support effective and resilient processes to respond to, investigate and recover from any information security incidents with necessary controls, identified by formal risk assessment.

End of Scenario


Additional Information for part-question 1D

A risk assessment has been carried out on the changes needed to incorporate the dairy farm chain into the Equitable Products’ ISMS. This has identified the following information:

● Each dairy farm site has differing information security policies to suit the type of dairy product processed, specific authorities and special interest groups, and the site size and access arrangements

● Equitable Products has many environmental health contacts within the Food & Livestock Regulatory Authority (a Government authority). However, there are many more contacts required for the dairy farm chain, such as those relating to the testing for animal diseases

● The dairy farm staff use tag readers and operational systems for the logging of each animal’s milk produced for processing

● The staff in the dairy farm chain’s Head Office use marketing, accountancy and HR systems, logistics and stock systems

● Many of the dairy farm chain’s Head Office staff use the IT systems from home via an internet connection. No issues have been experienced with this setup

● In the past year there have been seven breaches of information security within the dairy farm chain. One of these was a high profile incident involving press coverage of the short lifespan of the dairy animals.

Question 1: Planning and Risk Management - Additional Information


Additional Information for part-question 3D

USB memory stick problem

A widely recognized information security researcher and occasional trusted advisor to Equitable Products is undertaking an independent research project. He is examining USB memory sticks bought from individuals on internet sales sites. The devices were advertised as ‘used’ or ‘pre-owned’.

The researcher contacted Equitable Products’ Chief Information Officer to report that he has recovered a variety of records from one device that appear to be from the organization and dated as recently as three months ago.

The researcher informed the Chief Information Officer that he plans to publish his findings from all of the devices in a research paper as examples of protection failures.

The Chief Information Officer has validated the identity of the researcher.

Question 3: Operational Systems, Measurement and Incidents - Additional Information


Additional Information for part-question 4B

Extract from an Audit Report

Background

A supermarket recently complained that they were not receiving the best prices available for products supplied to them. The investigation of the complaint found that the supermarket was basing this complaint on a price list sent to them in error. The price list, sent by email, had been prepared by a marketing team for a special promotion. This had then been sent by a different marketing team who had retrieved it from the shared area thinking it was the standard price list.

Scope of Audit

The Internal Audit team were asked to undertake an audit of all third party information exchanges. 

Audit Findings

i) Controls that are in place with each third party have been developed on an ad hoc basis and there is no standard terminology.

ii) The division of responsibilities between Equitable Products and third parties is not always clearly defined.

iii) Email is often used to transfer sensitive information.

iv) It is common to receive replies to emails sent indicating they have been received by unintended recipients.

v) Customers have expressed concerns about acting on information received by email before they have been able to confirm authenticity.

vi) The Equitable Products’ Information Security Policy document states that it should be possible to confirm that information sent by email has been sent by an authorized person and the correct information has been received. This requirement is not currently being met.

Question 4: Audit and Management Review - Additional Information


The Practitioner Examination
SX01 Question Booklet

Candidate Number: ........................................

   


Syllabus areas covered:

Question 1 - Planning and Risk Management
Question 2 - Leadership and Roles
Question 3 - Operational Systems, Measurement and Incidents
Question 4 - Audit and Management Review


Question Number 1 - Syllabus Area: Planning and Risk Management

Syllabus Area: Planning and Risk Management   Question Number: 1   Part: A   Marks: 4

 

Answer the following questions about establishing information security risk management for an organization as stated in ISO/IEC 27005. Remember to select 2 answers to each question.  

1 Which 2 statements describe what should be considered when defining the evaluation criteria for risks caused by information security events?

A The acceptable level of any financial loss.

B The importance to the business of confidentiality.

C The amount of damage caused by disruption of plans and deadlines.

D The consequences to the reputation of an organization.

E The time it will take to reduce a risk to an acceptable level.

2 Which 2 statements describe what should be considered when defining the impact criteria for risks caused by information security events?

A The cost of missing a deadline due to an information security event.

B The importance of availability to operations.

C The amount of damage caused by breach of contract.

D The criticality of the information assets involved.

E The ratio of estimated profit to the estimated cost of the risk.

3 Which 2 statements describe what should be considered when defining the acceptance criteria for risks caused by information security events?

A The amount of damage caused by breaches of a legal requirement.

B The escalation path used to obtain a decision on risk acceptance.

C The circumstances when senior managers can accept risks above the normal threshold.

D The information security risk management records required to be kept.

E The ratio of estimated profit to the estimated cost of the risk.

 


4 Which 2 statements identify aspects that should be considered when defining the scope and boundaries of information security risk management process?

A The risk acceptance decision escalation paths.

B The legislation applicable to an organization.

C The estimated cost caused by a breach of contract.

D The use of the four options to treat risks.

E An organization’s business processes.


Syllabus Area: Planning and Risk Management   Question Number: 1   Part: B   Marks: 5

 

Answer the following question about the risk identification step. An Information Security Officer has undertaken a risk assessment on the changes needed to incorporate the dairy farm chain into the Equitable Products' ISMS. Column 1 is a list of input data for the risk analysis activity. For each input item in Column 1, select from Column 2 the type of information it represents. Each selection from Column 2 can be used once, more than once or not at all.

Column 1

1 Animal rights activists may attempt to disrupt operations in order to protest against the shortened life-spans of the animals.

2 There is rigorous physical entry security to prevent unauthorized access to the dairy farm sites.

3 Smart labels, also called radio frequency identification (RFID) tags, are used to identify the milk production of each animal used in the dairy farm.

4 The latest updates have NOT been applied to the antivirus package used to protect the dairy farm chain’s IT systems.

5 The production schedule is an output of the just-in-time re-ordering process.

Column 2

A Asset

B Threat

C Existing control

D Vulnerability

E Consequence


Syllabus Area: Planning and Risk Management   Question Number: 1   Part: C   Marks: 5

 

A number of changes are needed to Equitable Products’ ISMS to incorporate the dairy farm chain. A risk assessment has identified that some solutions may not comply with Equitable Products’ information security policy. More details about the risk are given below.

Some ‘off the shelf’ IT system components are used to underpin the dairy farm chain’s ISMS. If technical problems arise with these components, a maintenance engineer is brought in from an IT supplier. There is no formal contractual arrangement in place between the dairy farm chain and the IT supplier. There is, therefore, a risk that technical solutions to issues may not adhere to the information security policy for Equitable Products. A number of possible risk treatments for this risk have been identified.

Column 1 is a list of some of the possible risk treatments. For each risk treatment in Column 1, decide if it is relevant to the stated risk and select from Column 2 the type of risk treatment it represents.

Each question is independent and should be answered in isolation from the other questions. Each selection from Column 2 can be used once, more than once or not at all.

Column 1

1 All problem management and technical expertise for the dairy farm chain will be audited by the Equitable Products IT Services Department. This department is responsible for ensuring that the Equitable Products' information security policy is adhered to.

2 The Equitable Products Information Security Officers will provide awareness, education and training on Equitable Products’ information security policy to the maintenance engineers supporting the dairy farm chain’s IT systems.

3 A contractual agreement with the IT suppliers to the dairy farm chain will be provided, which states the supplier’s responsibilities for maintaining information security.

4 Equitable Products will ensure that all outsourced development by the dairy farm chain is monitored.

5 The current arrangements for technical support will remain unchanged if the dairy farm chain’s ISMS has been free of information security incidents for the last three months.

Column 2

A NOT relevant to the stated risk

B Modification

C Retention

D Avoidance

E Sharing


 

Syllabus Area: Planning and Risk Management   Question Number: 1   Part: D   Marks: 6

 

Using the additional information provided for this question in the Scenario Booklet, answer the following question about the risk assessment carried out on the changes needed to incorporate the dairy farm chain into the Equitable Products' ISMS.   Lines 1 to 6 in the table below consist of an assertion statement and a reason statement. For each line identify the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not at all.  

Option   Assertion   Reason

A   True    True AND the reason explains the assertion

B   True    True BUT the reason does not explain the assertion

C   True    False

D   False   True

E   False   False

  Assertion   Reason

1 The effectiveness of each dairy farm site’s existing information security policy should have been reviewed during the risk assessment in order to determine the changes needed to incorporate the dairy farm chain.

BECAUSE Detailed policies underpin an organization’s high-level information security policy.

2 When the staff from the dairy farm chain were transferred to Equitable Products, the Equitable Products’ information security policy should have been published to all staff.

BECAUSE Policies for information security should be issued only to internal employees.

3 The control for the ‘contact with authorities’ in Equitable Products should have been updated with the specific contacts in the Food & Livestock Regulatory Authority needed for the dairy farm chain.

BECAUSE An organization should maintain the appropriate contacts with relevant authorities.

4 The terms and conditions for the dairy farm site staff transferred to Equitable Products should refer to information security responsibilities.

BECAUSE Management has the responsibility for ensuring that all employees and contractors follow the information security policies and procedures of the organization.

5 The access to the dairy farm chain’s Head Office systems over the internet should have been reviewed as a priority.

BECAUSE The control on securing application services on public networks requires that access over the internet is prevented until the proper controls are selected.

6 The information on the dairy farm chain’s incidents will NOT be needed for an analysis of Equitable Products’ information security requirements.

BECAUSE Information security requirements should consider the required protection needs of the assets involved.


Question Number 2 - Syllabus Area: Leadership and Roles

Syllabus Area: Leadership and Roles   Question Number: 2   Part: A   Marks: 3

 

Answer the following question about leadership.   Column 1 is a list of activities. For each activity in Column 1, select from Column 2 the clause heading from ISO/IEC 27001 that requires the activity to be performed. Each selection from Column 2 can be used once, more than once or not at all.

Column 1

1 Supporting information security management roles.

2 Providing a framework for setting information security objectives.

3 Integrate actions to address opportunities into information security management processes.

Column 2

A Leadership and commitment

B Policy

C Organizational roles, responsibilities and authorities

D None of the above


Syllabus Area: Leadership and Roles   Question Number: 2   Part: B   Marks: 3

 

Answer the following questions about leadership.

1 Which characteristic is NOT required of an information security policy?

A Suitable.

B Comprehensive.

C Adequate.

D Effective.

2 Which aspect of an ISMS can vary depending upon the competencies of the persons available to an organization?

A The scope of the ISMS.

B The documentation supporting the ISMS.

C The frequency of review of the ISMS.

D The boundaries of the ISMS.

3 According to ISO/IEC 27003, which consideration is key when defining the roles in information security management?

A One person should be assigned to promote and co-ordinate the information security process.

B None of the roles within information security management can be shared between individuals.

C Only those employees and contractors assigned to information security have the responsibility for its implementation.

D The audit department in an organization should be responsible for ensuring independence in the information security organization.


Syllabus Area: Leadership and Roles | Question Number: 2 | Part: C | Marks: 5

Using Diagram 1 and the Information Security Management Structure section given in the Scenario, answer the following questions about the roles and responsibilities within the ISMS. Each of the following questions includes a list of only true statements about individuals from the organization. Only 2 statements explain why, in the context of the ISO/IEC 27003 (Table B1) roles and responsibilities, the individual is an appropriate appointment for that role. Each question should be answered in isolation, as the individual may be suitable for more than one role. Remember to select 2 answers to each question.

1 Which 2 statements BEST explain why the Chief Financial Officer is appropriate for the role of Director of Information Management?

A He is keen to expand the control that Equitable Products has over its supply chain operations and can ensure that the ISMS remains aligned with this company focus.

B He has the authority to take strategic decisions and give direction in the risk management process.

C He likes to be involved in the operational detail.

D He has sufficient knowledge to agree user requirements for the specification of the new ‘field-to-plate’ applications.

E He was one of the founders of the company 11 years ago.

2 Which 2 statements BEST explain why the Information Security Officers would be appropriate for the role of an internal auditor?

A They report to the Chief Information Officer.

B They have qualifications and experience in ISO/IEC 27001.

C They are responsible for ensuring that Equitable Products maintains the required ISO/IEC 27001 certifications.

D They have good working relationships with many of the Division Heads and suppliers so can help resolve disputes.

E They are responsible for evaluating the reports on the monitoring of the ISMS, produced by the Head of the IT Services Division.

 


3 Which 2 statements BEST explain why the Head of the IT Services Division would be appropriate as a member of the Information Security Planning Team?

A He is keen to expand the ‘field-to-plate’ capability and ensure that Equitable Products is at the forefront of technology.

B He is responsible for managing the IT Services’ operations, which will be impacted by the changes to incorporate the dairy farm chain into the ISMS.

C He has regular liaisons with all divisions within Equitable Products so has experience of working across the whole organization.

D He is responsible for the day-to-day management of IT Services’ operations and the monitoring of the ISMS.

E He has both the technical and business knowledge required to mediate with all management parties when conflict arises.

4 Which 2 statements BEST explain why the Head of the Food Processing Division would be appropriate as a member of the Information Security Committee?

A He is keen to pass on his views on the operation of an ISMS based on personal perspective.

B All of Equitable Products’ merchandise is produced by the Food Processing Division.

C He has overall responsibility for the tracking of information from the purchase of raw materials to delivery.

D He is the line manager for the Food Processing Division.

E He has the lead responsibility for the information security requirements of the ‘field-to-plate’ project.

5 Which 2 persons would NOT be classified as stakeholders within the ISMS, according to ISO/IEC 27003?

A The CEO of a chain intending to contract with Equitable Products.

B The Chief Financial Officer of Equitable Products.

C The Facilities Manager for the site where the bulk foodstuffs are stored.

D A competitor to Equitable Products.

E Equitable Products’ internal Legal Advisor.


Syllabus Area: Leadership and Roles | Question Number: 2 | Part: D | Marks: 4

Answer the following questions about the use of controls within the ISMS. Remember to select 2 answers to each question. 

1 During routine maintenance of the car park within Equitable Products' site, contractors severed some cables. This caused a failure of the external network connection to Equitable Products’ internet service provider and of the power to the main server.

The Director of Information Security needs to select control measures to protect against recurrence of this incident.

Which 2 controls, if applied, would MOST likely protect against recurrence of this incident?

A Security of equipment and assets off-premises.

B Security of network services.

C Cabling security.

D Network control.

E Supporting utilities.

2 Equitable Products employ a cleaning contractor to empty their waste baskets and to clean the offices during the evening once the employees have finished their daily work. One of the cleaners was found to be accessing one of the computers and hard-copy lists of access passwords in the Marketing department.

The Director of Information Security needs to select control measures to protect against recurrence of this incident.

Which 2 controls, if applied, would MOST likely protect against recurrence of this incident?

A Physical entry controls.

B Clear desk policy.

C Unattended user equipment.

D Working in secure areas.

E Securing offices, rooms and facilities.

 


 

3 Equitable Products' Sales Director has issued two of his new staff with laptops to record their sales contacts and progress in the sales process. This information is used in the management of a sales delivery process, including key account details. Neither of the two new laptops has been installed with company software or configured to enable connection to the network. One of the laptops has been infected by a virus.

The Director of Information Security has discovered this situation and needs to select control measures to manage this incident.

Which 2 controls, if applied, would MOST likely address this situation?

A Controls against malware.

B Clock synchronisation.

C Network controls.

D Access control policy.

E Information backup.

4 The Head of Equitable Products’ Marketing Division has been given authorization to develop a mobile application to allow the viewing of real-time information on the food processing operations. This application will be installed on the smart-phones issued to all division heads and managers. During the development cycle, the contractors managing the application development have identified additional information security functionality that needs to be included in the application.

The Marketing Director wants to ensure that he selects the most appropriate controls to manage the current variation in the application development and similar future changes.

Which 2 controls, if applied, would MOST likely address the Marketing Director’s concerns?

A System change control procedures.

B Addressing security within supplier agreements.

C Change management.

D System security testing.

E Protection of test data.


 

Syllabus Area: Leadership and Roles | Question Number: 2 | Part: E | Marks: 5

A recent information security incident involved the loss of food products between Equitable Products' factory and a restaurant.

The root cause of the loss of the food has been identified as a dismissed worker gaining access to the loading bay and removing two boxes of food products from the vehicle destined for the restaurant. Access was gained using his electronic swipe card, which he retained following his dismissal. His vehicle was driven to the loading bay during a routine rest break.

Within the organization, the Director of Human Resources is responsible for the termination of employment.

The Director of Information Management, as the asset owner, is responsible for the management of access privileges for all workers within the defined and controlled secure area of the loading bay.

Lines 1 to 5 in the table below consist of an assertion statement and a reason statement. For each line identify the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not at all.

Option A: Assertion True; Reason True AND the reason explains the assertion

Option B: Assertion True; Reason True BUT the reason does not explain the assertion

Option C: Assertion True; Reason False

Option D: Assertion False; Reason True

Option E: Assertion False; Reason False

Assertion / Reason

1 The worker’s termination of employment was NOT correctly completed by the Director of Information Management.

BECAUSE Asset owners shall review user access rights at regular intervals.

2 The loss of food should trigger a review of the termination of other dismissed workers’ access privileges.

BECAUSE Knowledge gained from resolving information security incidents shall be used to reduce the likelihood of future incidents.

3 It is NOT appropriate to classify the loss of the boxes of food as an information security incident.

BECAUSE Information security events are only classified as information security incidents if there is unauthorized access to an organization’s systems and applications.

4 It was appropriate to leave the worker’s swipe card active after the dismissal.

BECAUSE Reviewing user access rights shall be done at regular intervals.

5 Temporary removal of access privileges to the loading bay should be made for all loading bay workers after the information security incident. 

BECAUSE Access privileges for all workers shall be removed when an information security incident occurs.


Question Number 3, Syllabus Area: Operational Systems, Measurement and Incidents

Syllabus Area: Operational Systems, Measurement and Incidents | Question Number: 3 | Part: A | Marks: 4

Answer the following questions about ISMS performance measurement, monitoring and evaluation.

Remember to select 2 answers to each question. 

1 Which 2 aspects of an organization’s ISMS are required to be evaluated?

A Evidence of the top management contribution.

B Established risk assessment criteria.

C Information security management process performance.

D Assignment of skilled resources.

E Information security process effectiveness.

2 Which 2 elements of monitoring and measurement are NOT required to be determined?

A Where the monitoring and measuring shall be performed.

B When the monitoring and measuring shall be performed.

C Why the monitoring and measuring shall be performed.

D When the results from monitoring and measurement shall be used.

E Who shall analyse and evaluate the results.

3 Which 2 methods are likely to be determined according to ISO/IEC 27001?

A Process control.

B Documentation.

C Monitoring.

D Corrective action.

E Analysis.

4 Which 2 statements describe items that the access control system must monitor as a user logs into an IT system?

A The length of the password.

B The date the password was last changed.

C The date the user last logged in.

D The complexity of the password.

E The password characters to display on-screen.


Syllabus Area: Operational Systems, Measurement and Incidents | Question Number: 3 | Part: B | Marks: 6

Answer the following question about an information security event. A director has had their laptop bag stolen. Although the laptop was encrypted, the director’s bag also contained paper documents describing commercial details and dairy farm animal welfare information. Column 1 is a list of actions relating to the theft. Column 2 is a list of the information security incident management controls from Annex A of ISO/IEC 27001. For each action in Column 1, select from Column 2 the security incident management control where these actions would be applied. Each selection from Column 2 can be used once, more than once or not at all.

Column 1

1 The director immediately informs the local police of the theft.

2 The police report that this event may have been a targeted theft by animal rights protestors.

3 Travelling directors are immediately provided with encrypted tablet PCs to use in place of paper documents.

4 As the stolen items included sensitive paper documents, the Chief Information Officer assigns an Information Security Officer to begin formal investigation of the episode.

5 The Chief Information Officer briefs site security guards, all dairy farm staff and transport contractors about the need for extra vigilance for strangers or unexpected behaviour.

Column 2

A Responsibilities and procedures

B Reporting information security events

C Reporting information security weaknesses

D Assessment of and decision on information security events

E Response to information security incidents

F Learning from information security incidents

G Collection of evidence

6 Media handling risks are reassessed with revised probability and impact values related to this type of event. (Column 1, continued)


Syllabus Area: Operational Systems, Measurement and Incidents | Question Number: 3 | Part: C | Marks: 6

Answer the following question related to the steps to return to normal operations. 

A local power supply surge has occurred at Equitable Products’ shared IT data centre. Servers and network equipment were protected and continued to operate. Air conditioning units were not protected and failed.

Environmental temperatures increased rapidly, exceeding server safe operating temperatures. A cascade of remote server monitoring alerts was raised as all servers rapidly shut themselves down in an uncontrolled sequence.

This event has triggered a major information security incident as no shared IT services are operational. Business operations, particularly customers’ ‘just in time’ re-ordering and delivery, are unable to continue. The Disaster Recovery Plan mandates a return-to-service target of five hours for this time-critical function.

Lines 1 to 6 in the table below consist of an assertion statement and a reason statement. For each line identify the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not at all.

Option A: Assertion True; Reason True AND the reason explains the assertion

Option B: Assertion True; Reason True BUT the reason does not explain the assertion

Option C: Assertion True; Reason False

Option D: Assertion False; Reason True

Option E: Assertion False; Reason False

Assertion / Reason

1 The recovery team should attempt to restore normal operating temperatures rapidly without opening the external data centre doors.

BECAUSE During adverse conditions, physical security controls of designated ‘secure areas’ must always remain the same as normal operating conditions.

2 Heat-damaged server disks that failed to power on again should be removed for later physical destruction.

BECAUSE Achievement of the return-to-service target is enabled by fitting spare components.

3 Asset tags should be removed from the failed disks and transferred to the replacement disks.

BECAUSE The asset owner must ensure that the asset inventory is maintained as a record of the assets in use.

 


4 As each server is recovered, it must be configured to use the network time protocol.

BECAUSE Accurate logging of user and system events requires all system components to operate with a synchronised time reference.

5 The recovery team should document alternative information security controls which were implemented to achieve a five hour return to service.

BECAUSE Compensating controls for information security controls that cannot be maintained during an adverse situation should be documented.

6 No further action needs to be taken following successful restoration of services.

BECAUSE No further action is required if the processes carried out are effective.


Syllabus Area: Operational Systems, Measurement and Incidents | Question Number: 3 | Part: D | Marks: 4

Using the additional information provided for this question in the Scenario Booklet, answer the following questions about managing incidents. Decide whether the actions suggested are appropriate, and select the response that supports your decision.

1 The researcher has offered to encrypt and electronically transfer a representative sample of the recovered data to the Chief Information Officer for validation.

Should the electronic transfer of sample files be authorized?

A No, because the transferred samples may contain malware.

B No, because the device itself should be acquired for forensic analysis as a priority.

C Yes, because encryption of the sample data before transfer will ensure confidentiality of the data.

D Yes, because encryption will prevent the transfer of malware.

2 The representative sample data from the device has been validated as publicly available information. No personally identifiable information is included. The source of the information (the original device owner) is still unknown. Considering this event and the potential legal, regulatory and reputational risks, the Chief Information Officer has initiated incident management.

Is it appropriate for the Chief Information Officer to report internally that the potential impact of the incident can be contained?

A No, because the impact of the incident can only be reported following a full review of the recoverable data on the USB memory stick.

B No, because a non-disclosure agreement with the researcher can only be used before the information is accessed.

C Yes, because Equitable Products’ legal counsel can caution the researcher that it is an offence to publish details about the data without having authorization.

D Yes, because information security requirements can be negotiated with the researcher and documented in an agreement to restrict what can be published.

 


 

3 The recovered device has an Equitable Products asset number. A full review of the recoverable data confirms that it was used to store only publicly available information.

As there is no disclosure of confidential or sensitive information, should the incident be closed?

A No, because further investigation is needed to identify how and why control of this removable media asset has failed.

B No, because the information should be made unrecoverable as the final action enabling the incident to be closed.

C Yes, because control of removable media assets only applies to storage of confidential or sensitive information.

D Yes, because there is no reputational risk from the researcher publishing that he has found publicly-available information.

4 The last user of the device deleted the files just before losing the device at a conference. As the information had been deleted, and the USB memory stick was cheaply replaced, she did not think that the loss needed to be reported.

Should follow-up action with the user be taken?

A No, because the device was easily replaced at low cost without incurring the time and effort of an investigation.

B No, because the information on the device was deleted so no important business information was lost.

C Yes, because this user’s action on more sensitive information may risk disclosure.

D Yes, because the replacement device may have contained malware.


Question Number 4, Syllabus Area: Audit and Management Review

Syllabus Area: Audit and Management Review | Question Number: 4 | Part: A | Marks: 6

Answer the following questions about internal audit and management reviews.

1 Which action is taken towards the end of an internal audit?

A Advise the Certification Board of the outcome of the internal audit.

B Identify the processes to be included in the next internal audit.

C Store and protect the internal audit results.

D Issue a certificate when the internal audit is complete and successful.

2 Which activity is performed as part of Management review?

A Eliminating the cause of non-conformance.

B Dealing with the consequences of non-conformance.

C Determining the cause of non-conformance.

D Identifying opportunities for continual improvement.

3 Which action is required by the organization to prepare for an internal audit?

A Define the scope of the audit.

B Identify opportunities for continual improvement.

C Document external concerns.

D Update the ISMS.

4 When shall there be an independent review of the organization’s approach to information security management?

A At each management review.

B At each audit.

C As part of continuous improvement.

D At planned intervals.

5 In which compliance control should legal advice be taken in relation to jurisdictional borders and compliance with relevant legislation?

A Protection of records.

B Regulation of cryptographic controls.

C Independent review of information security.

D Technical compliance review.

 


 

6 Which topic is NOT required to be considered during a Management Review?

A The importance of the processes.

B Changes in external issues.

C Status of actions from previous reviews.

D Trends from risk assessments.


Syllabus Area: Audit and Management Review | Question Number: 4 | Part: B | Marks: 5

Using the additional information provided for this question in the Scenario Booklet, answer the following questions about information sharing.

Remember to select 2 answers to each question. 

1 Which 2 implementation elements from asset management controls are MOST appropriate to help avoid incorrect price lists being sent to customers?

A Emails which include price lists should be digitally signed.

B Price lists should be labelled in accordance with a defined classification scheme.

C Owners of price lists should be accountable for their classification.

D Any information sharing agreement should include information on the classification of price lists.

E Review the marketing teams’ access rights to price sensitive data.

2 Which 2 controls should be considered when reviewing the authenticity issue to MOST appropriately address it?

A Requirements for electronic signatures.

B Protection against the receipt of unsolicited emails.

C Access to instant messaging.

D Message verification codes.

E Protection against malware.

3 Which 2 items should be considered when developing a policy to avoid disclosure of information when unintended recipients receive emails?

A Enforcement of password changes.

B Limiting the information contained in outputs.

C The impact that encryption has on content inspection controls.

D Message authentication codes.

E The standards to be adopted to implement encryption.

4 Which 2 responsibilities are required to be defined in an information transfer agreement about providing price information by email to a supermarket?

A Availability of the service.

B Capacity management.

C Controlling receipt.

D User authentication management.

E Liability for data loss.

 


 

5 The control of which 2 items should be improved to help prevent future similar occurrences of inappropriate sharing of product pricing information by email?

A Interception.

B Non-repudiation.

C Forwarding.

D Attachments.

E Incident management.


Syllabus Area               Question Number Part Marks
Audit and Management Review 4               C    4

Following the recent introduction of RFID microchip tags on the restaurant cook/chill products, an audit has recommended that a non-disclosure agreement should be signed by any third party organization before electronic data is exchanged.

The Chief Information Officer has agreed with this proposal and decided that all non-disclosure agreements will be reviewed every 12 months.

Decide whether the actions suggested are appropriate, and select the response that supports your decision.

1 Should public domain information about the intellectual property rights relating to the RFID tags be included in the non-disclosure agreement for the restaurants?

A No, because non-disclosure agreements with the restaurants are required to use standard wording.

B No, because public domain information relating to intellectual property rights is NOT confidential information.

C Yes, because non-disclosure agreements with the restaurants should include relevant information about intellectual property.

D Yes, because the use of RFID tags by the restaurants may need to be audited.

2 Should the non-disclosure agreement for the restaurants have a duration of only one year?

A No, because a duration of three months is required to ensure changes in circumstance are not missed.

B No, because there is no need to restrict the non-disclosure agreement for a restaurant to a year.

C Yes, because some restaurants may have changed ownership within the year.

D Yes, because changes in the evolving RFID microchip technology may change the information to be shared.

3 Should consideration be given to what the supermarket must do to avoid breaching the agreement when drafting their non-disclosure agreement?

A No, because the supermarket can handle the information however it wishes.

B No, because if information is disclosed it is for the relevant authority to decide if it was handled properly.

C Yes, because if information is disclosed the relevant authority can only enforce an agreement if they know how the information should have been protected.

D Yes, because the actions needed to avoid unauthorized disclosure by the supermarket should be identified.

4 Is it appropriate for staff in the marketing division to also sign non-disclosure agreements?

A No, because non-disclosure agreements are applicable to third parties.

B No, because marketing staff need to disclose confidential information as part of their job.

C Yes, because a non-disclosure agreement may also define when information can be disclosed.

D Yes, because all interested parties should sign non-disclosure agreements.


Syllabus Area               Question Number Part Marks
Audit and Management Review 4               D    5

A recent management review has identified an increasing failure of some of the dairy farms to disclose the use of antibiotics voluntarily.

It has also been recorded that a change in legislation is due to come into force in six months. This change requires that dairy products used in processed meals supplied to schools must come from designated herds. Such products should also be antibiotic-free during the three-month period prior to the milk being used in production.

There will be significant financial penalties for non-compliance.

It will be necessary for the information about the source, use of antibiotics and dairy products used in such meals to be made available on a ‘field-to-plate’ application. This will be accessible via a web-site and retained for a period of three years. A contract for the provision of the application and web-site hosting will be signed with a specialist provider.

Lines 1 to 5 in the table below consist of an assertion statement and a reason statement. For each line identify the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not at all.

Option Assertion Reason
A      True      True AND the reason explains the assertion
B      True      True BUT the reason does not explain the assertion
C      True      False
D      False     True
E      False     False

Assertion   Reason

1 User acceptance testing of the web-site should use realistic data for the ’field-to-plate’ application.

BECAUSE User acceptance testing in the operational environment should be performed in a way that will expose any vulnerabilities.

2 The addition of the web-site should trigger an information security risk assessment.

BECAUSE Contractors should be required to report any observed information security weaknesses in systems or services.

3 Dairy farm supplier agreements should be reviewed and updated with any new legal requirements for electronic disclosure of the administration of antibiotics.

BECAUSE The information to be provided should be documented in supplier agreements to ensure legal obligations are met.

4 The need to retain the web-site data for three years should NOT require review or change to information security policies.

BECAUSE Data retention will be documented in a web-hosting provider’s agreement as a compliance control.

5 It is appropriate for the web-site supplier agreement to require an independent Penetration Test of the website.

BECAUSE An organization’s management are responsible for the effectiveness of information security controls.


The Practitioner Examination

Marking Scheme

Note: For Multiple Response (MR) questions, 1 point is scored if and only if all correct options are selected. Otherwise 0 points are scored.

Exam Paper: GB-SX01-1.1

Question Part Type Response A B C D E
1 (PL)   A    MR   1        0 1 0 1 0
                   2        1 0 1 0 0
                   3        0 0 1 0 1
                   4        0 1 0 0 1
         B    MG   1        0 1 0 0 0
                   2        0 0 1 0 0
                   3        1 0 0 0 0
                   4        0 0 0 1 0
                   5        1 0 0 0 0
         C    MG   1        0 1 0 0 0
                   2        0 1 0 0 0
                   3        0 0 0 0 1
                   4        1 0 0 0 0
                   5        0 0 1 0 0
         D    AR   1        0 1 0 0 0
                   2        0 0 1 0 0
                   3        1 0 0 0 0
                   4        1 0 0 0 0
                   5        0 0 1 0 0
                   6        0 0 0 1 0

Question Part Type Response A B C D E
2 (LE)   A    MG   1        1 0 0 0
                   2        0 1 0 0
                   3        0 0 0 1
         B    CL   1        0 1 0 0
                   2        0 1 0 0
                   3        1 0 0 0
         C    MR   1        1 1 0 0 0
                   2        0 1 0 0 1
                   3        0 0 1 0 1
                   4        0 0 1 0 1
                   5        1 0 0 1 0
         D    MR   1        0 0 1 0 1
                   2        0 1 1 0 0
                   3        1 0 0 0 1
                   4        1 0 0 1 0
         E    AR   1        0 1 0 0 0
                   2        1 0 0 0 0
                   3        0 0 0 0 1
                   4        0 0 0 1 0
                   5        0 0 0 0 1

Question Part Type Response A B C D E F G
3 (OS)   A    MR   1        0 0 1 0 1
                   2        1 0 1 0 0
                   3        0 0 1 0 1
                   4        0 1 1 0 0
         B    MG   1        0 1 0 0 0 0 0
                   2        0 0 0 0 0 0 1
                   3        0 0 0 0 1 0 0
                   4        0 0 0 1 0 0 0
                   5        0 0 0 0 1 0 0
                   6        0 0 0 0 0 1 0
         C    AR   1        0 0 1 0 0
                   2        0 1 0 0 0
                   3        0 0 0 1 0
                   4        1 0 0 0 0
                   5        0 1 0 0 0
                   6        0 0 0 0 1
         D    CL   1        0 0 1 0
                   2        0 0 0 1
                   3        1 0 0 0
                   4        0 0 1 0

Question Part Type Response A B C D E
4 (AR)   A    CL   1        0 0 1 0
                   2        0 0 0 1
                   3        1 0 0 0
                   4        0 0 0 1
                   5        0 1 0 0
                   6        1 0 0 0
         B    MR   1        0 1 0 0 1
                   2        1 0 0 1 0
                   3        0 0 1 0 1
                   4        0 0 1 0 1
                   5        0 0 1 1 0
         C    CL   1        0 0 1 0
                   2        0 1 0 0
                   3        0 0 0 1
                   4        0 0 1 0
         D    AR   1        0 0 1 0 0
                   2        0 1 0 0 0
                   3        1 0 0 0 0
                   4        0 0 0 1 0
                   5        1 0 0 0 0

The Practitioner Examination

Rationale Exam Paper: GB-SX01-1.1


Question: 1, Syllabus: PL, Part: A, Type: MR, SyllabusRef: PL0201, Level: 2

1 A Incorrect: The acceptable level of any loss of financial value should be defined within a range of values as part of the risk acceptance criteria. (ISO 27005, 7.2.4)

B Correct: The operational and business importance on availability, confidentiality and integrity is one of the areas that should be considered when developing the risk evaluation criteria for evaluating an organization’s information security risks. (ISO 27005, 7.2.2)

C Incorrect: The amount of damage caused by disruption of plans and deadlines is an area that should be considered when defining impact criteria. (ISO 27005, 7.2.3)

D Correct: The negative consequences for goodwill and reputation are areas that should be considered when developing the risk evaluation criteria for evaluating an organization’s information security risks. (ISO 27005, 7.2.2)

E Incorrect: Risk acceptance criteria may include requirements for further additional treatment, e.g. a risk may be accepted if there is approval and commitment to take action to reduce it to an acceptable level within a defined time period. The time it will take is not a required evaluation criterion. (ISO 27005, 7.2.4)

2 A Correct: Impact criteria should be developed and specified in terms of the degree of damage or costs to the organization caused by an information security event resulting in disruption to plans and deadlines. (ISO 27005, 7.2.3)

B Incorrect: The importance of availability to operations should be considered when developing the risk evaluation criteria for evaluating an organization’s information security risks. (ISO 27005, 7.2.2)

C Correct: Impact criteria should be developed and specified in terms of the degree of damage or costs to the organization caused by an information security event should there be a breach of legal, regulatory or contractual requirements. (ISO 27005, 7.2.3)

D Incorrect: The criticality of the information assets involved should be considered when developing the risk evaluation criteria for evaluating an organization’s information security risks. (ISO 27005, 7.2.2)

E Incorrect: Risk acceptance criteria may be expressed as the ratio of estimated profit to the estimated risk. This defines a usage of the impact assessment. (ISO 27005, 7.2.4)

3 A Incorrect: Impact criteria should be developed and specified in terms of the degree of damage or costs to the organization caused by an information security event should there be a breach of legal, regulatory or contractual requirements. (ISO 27005, 7.2.3)

B Incorrect: The escalation path is defined as part of the organization's information security risk management responsibilities, and should NOT be considered when developing the risk acceptance criteria. (ISO 27005, 7.4)

C Correct: Risk acceptance criteria may include multiple thresholds, with a desired target level of risk, but provision for senior managers to accept risks above this level under defined circumstances. (ISO 27005, 7.2.4)

D Incorrect: The information security risk management records required to be kept are part of the management of information security risks to demonstrate adherence to the process, and should NOT be considered when developing the risk acceptance criteria. (ISO 27005, 7.4)

E Correct: Risk acceptance criteria may be expressed as the ratio of estimated profit to the estimated risk. This defines a usage of the impact assessment. (ISO 27005, 7.2.4)

4 A Incorrect: The risk acceptance decision escalation paths are defined as a main role and responsibility for an organization during the set-up of the information security management risk process. There is no requirement to consider this when defining the scope and boundaries. (ISO 27005, 7.4)

B Correct: The legal, regulatory and contractual requirements should be considered when defining the scope and boundaries of information security risk management. (ISO 27005, 7.3)

C Incorrect: The estimated cost caused by a breach of contract is produced during the risk identification when the identification of consequences of a risk is made. (ISO 27005, 8.2.6)

D Incorrect: The four options are used to treat risks once the risk assessment is satisfactory. This is part of the information security management risk process, which is produced once the scope and boundaries of information security risk management are known. (ISO 27005, 9.1)

E Correct: The business processes should be considered when defining the scope and boundaries of information security risk management. (ISO 27005, 7.3)

Question: 1, Syllabus: PL, Part: B, Type: MG, SyllabusRef: PL0301, Level: 3

1 Correct [B]:  A threat has the potential to harm assets (such as information, processes and systems) and therefore the organization. Disruption by activists may affect more than one asset. (ISO 27005, 8.2.3)

2 Correct [C]:  Physical entry controls is an existing control set up in the dairy farm site. (ISO 27005, 8.2.4; ISO 27001, A.11.1.2)

3 Correct [A]:  An asset is anything that has value to the organization and therefore requires protection. The RFID tags on the cattle are a form of data medium asset. (ISO 27005, 8.2.2, B.1.2)

4 Correct [D]:  Vulnerabilities that can be exploited by threats to cause harm to assets or to the organization should be identified. An incorrectly implemented control can itself be a vulnerability, i.e. the anti-virus software is the control, but it is weak because updates have not been applied. (ISO 27005, 8.2.5)

5 Correct [A]:  An asset is anything that has value to the organization and therefore requires protection. Business processes, whose loss or degradation make it impossible to carry out the mission of the organization, are a primary asset. (ISO 27005, 8.2.2, B.1.1)

Question: 1, Syllabus: PL, Part: C, Type: MG, SyllabusRef: PL0303, Level: 2

1 Correct [B]:  The activity which gives rise to the risk of not adhering to the EF IS policy is modified by the activity being audited. It is NOT avoidance because the activity is still continuing in the same way. It is NOT sharing because responsibility for the risk has not changed. (ISO 27005, 9.2)

2 Correct [B]:  The level of risk is being managed by introducing the Information security awareness, education and training control. This is modifying the risk, although it is unlikely that this risk treatment will result in the risk being reassessed as acceptable. (ISO 27005, 9.2; ISO 27001, A.7.2.2)

3 Correct [E]:  The level of risk is being managed by introducing the Addressing security within supplier agreements control. This is sharing the risk with another party that can most effectively manage the particular risk. (ISO 27005, 9.5; ISO 27001, A.15.1.2)

4 Correct [A]:  The Outsourced development control is not relevant to the stated risk on problem management of ’off the shelf’ standard components. (ISO 27001, A.14.2.7)

5 Correct [C]:  A decision to take no action is a risk retention option. A decision to choose this option will depend on risk evaluation. (ISO 27005, 9.3)


Question: 1, Syllabus: PL, Part: D, Type: AR, SyllabusRef: PL0405 PL0406 PL0407, Level: 4

1 True: During the identification of the existing controls step, a check should be made to ensure that the existing controls are working correctly. (ISO 27005, 8.2.4)

True: At a lower level, the IS policy should be supported by topic-specific policies which further mandate the implementation of IS controls. They are typically structured to address the needs of certain target groups within an organization or to cover certain topics. The answer is B, because the dairy farm chains’ IS policies are reviewed to determine if they should be removed, replaced or stay in place as a detailed policy. (ISO 27001, A.5.1.1; ISO 27002, 5.1.1; ISO 27005, 8.2.4)

2 True: The set of policies for information security should be published and communicated to employees and relevant external parties. (ISO 27001, A.5.1.1)

False: The policies for information security have a wider audience than just internal employees. Relevant external parties should be included also. (ISO 27001, A.5.1.1)

3 True: It is correct that the contact with authorities should be maintained using the contact with authorities control. (ISO 27001, A.6.1.4)

True: It is correct that appropriate contacts with relevant authorities shall be maintained using the contact with authorities control. (ISO 27001, A.6.1.3) The answer is A because the rationale explains the assertion in that both relate to updating contacts in the relevant authorities control.

4 True: This relates to the control on terms and conditions of employment. The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. (ISO 27001, A.7.1.2)

True: This relates to the management responsibilities control as management shall require all employees and contractors to apply information security. The answer is A, because the contracts are the device used to ensure that management's responsibilities are transferred and communicated (delegation and binding responsibilities). (ISO 27001, A.7.2.1)

5 True: Access to systems over a public network would be identified as a key vulnerability during risk identification and reviewed during risk analysis. The IS requirements and associated processes should be identified and integrated in the early stages of IS projects as part of the information security requirements analysis and specification control. (ISO 27005, 8.2.5, 8.3.2; ISO 27001, A.14.1.1; ISO 27002, A.14.1.1)

False: Applications which are accessible via public networks require detailed risk assessments and the proper selection of controls. There is no requirement to prevent access until risk assessment has been completed. (ISO 27001, A.14.1.2; ISO 27002, A.14.1.2)

6 False: The IS requirements should be identified using various methods such as deriving compliance requirements from policies and regulations, threat modelling, incident reviews or use of vulnerability thresholds. (ISO 27001, A.14.1.1; ISO 27002, A.14.1.1)

True: Information security requirements should consider the required protection needs of the assets involved, in particular regarding availability, confidentiality, and integrity. (ISO 27001, A.14.1.1; ISO 27002, 14.1.1)

Question: 2, Syllabus: LE, Part: A, Type: MG, SyllabusRef: LE0202 LE0203 LE0204, Level: 2

1 Correct [A]:  Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility is given within the Leadership and commitment clause. (ISO 27001, 5.1.h)

2 Correct [B]:  Providing a framework for setting information security management objectives is an activity within the Policy clause. (ISO 27001, 5.2 b)

3 Correct [D]:  Integrating the actions to address risks and opportunities into an organization’s information security management system is an activity within the Planning clause on actions to address risks and opportunities. (ISO 27001, 6.1.1.e.1)

Question: 2, Syllabus: LE, Part: B, Type: CL, SyllabusRef: LE0206 LE0207 LE0208, Level: 2

1 A Incorrect: The policies for information security shall be reviewed at planned intervals to ensure their continuing suitability. (ISO 27001, 5.2.a, A.5.1.2)

B Correct: The policies for information security shall be appropriate to the purpose of the organization. It is for the organization to decide the level of detail required, therefore an ISMS is not required to be comprehensive. (ISO 27001, 5.2.a, A.5.1.2)

C Incorrect: The policies for information security shall be reviewed at planned intervals to ensure their adequacy. (ISO 27001, 5.2.a, A.5.1.2)

D Incorrect: The policies for information security shall be reviewed at planned intervals to ensure their effectiveness. (ISO 27001, 5.2.c, A.5.1.2)

2 A Incorrect: The organization should ensure its staff have the required competency to deliver the scope of the ISMS. (ISO 27001, 7.2.a and b).

B Correct: The extent of documented information determined by the organization as being necessary for the effectiveness of the ISMS may vary due to the competence of persons. (ISO 27001, 7.5.1(3)).

C Incorrect: The competency of staff is not a matter which is identified by the standard that should affect the frequency of review. (ISO 27001, 9.1).

D Incorrect: The boundaries of the ISMS will determine its scope but competency of staff is not a matter for consideration. (ISO 27001, 4.3).

3 A Correct: Management should explicitly identify the role with overall responsibility for managing information security, usually the CISO. (ISO 27003, 5.3.2)

B Incorrect: In a smaller organization, several roles may be carried out by the same person. (ISO 27003, 5.3.2)

C Incorrect: Each employee is equally responsible for his or her original task and for maintaining information security in the workplace and in the organization. (ISO 27003, 5.3.2)

D Incorrect: Staff should be assigned roles and responsibilities based on the skill required to perform the job. There is no requirement for an audit department to be involved. (ISO 27003, 5.3.2)


Question: 2, Syllabus: LE, Part: C, Type: MR, SyllabusRef: LE0301, Level: 3

1 A Correct: Vision and strategic decision-making are responsibilities for Senior Management. (ISO 27003, Annex B.1 – Senior Management)

B Correct: Vision and strategic decision-making are responsibilities for Senior Management. (ISO 27003, Annex B.1 – Senior Management)

C Incorrect: Operational detail does not demonstrate the required characteristics of vision and strategic decision-making. (ISO 27003, Annex B.1 – Senior Management)

D Incorrect: System development is not a responsibility of Senior Management. It is a responsibility of the System Developer. (ISO 27003, Annex B.1 – System Developer)

E Incorrect: Length of employment is not relevant to the responsibilities of Senior Management. (ISO 27003, Annex B.1 – Senior Management)

2 A Incorrect: Reporting lines are not relevant to the responsibilities of an Auditor. (ISO 27003, Annex B.1 – Auditor)

B Correct: Assessing the ISMS is one of the responsibilities for an Auditor. (ISO 27003, Annex B.1 – Auditor). Having appropriate competence to assess conformance to ISO/IEC 27001 would be needed. (ISO 27001, 7.2 b)

C Incorrect: Governance for information security is not a responsibility of an Auditor. It is a responsibility of the Chief Information Security Officer. (ISO 27003, Annex B.1 – Auditor / Chief Information Security Officer)

D Incorrect: Working across departments is not a responsibility of an Auditor. It is a responsibility of the Information Security Planning Team. (ISO 27003, Annex B.1 – Auditor / Information Security Planning Team)

E Correct: Evaluating the ISMS is one of the responsibilities for an Auditor. (ISO 27003, Annex B.1 – Auditor)

3 A Incorrect: Being keen to expand and be at the forefront of technology is not a required characteristic for a member of the Information Security Planning Team. (ISO 27003, Annex B.1 – Senior Management)

B Incorrect: Top responsibility for an organizational function is a line management responsibility. It is not a required characteristic for a member of the Information Security Planning Team. (ISO 27003, Annex B.1 – Line Management)

C Correct: Working across departments is one of the responsibilities for a member of the Information Security Planning Team. (ISO 27003, Annex B.1 – Information Security Planning Team)

D Incorrect: Top responsibility for an organizational function is a line management responsibility. It is not a required characteristic for a member of the Information Security Planning Team. (ISO 27003, Annex B.1 – Line Management)

E Correct: Resolving conflict is one of the responsibilities for a member of the Information Security Planning Team. (ISO 27003, Annex B.1 – Information Security Planning Team)

4 A Incorrect: Previous experience and motivation of an individual are not suitable reasons for the appointment to the Information Security Committee. (ISO 27003, Annex B.1 – Information Security Committee)

B Incorrect: Those producing the products within the company are represented by the Line Managers. However, there is no specific reason why they should be part of the Information Security Committee. (ISO 27003, Annex B.1 – Line Managers / Information Security Committee)

C Correct: Handling of information assets is one of the responsibilities for a member of the Information Security Committee. (ISO 27003, Annex B.1 – Information Security Committee)


D Incorrect: The Line Managers are responsible for the business needs, but there is no specific reason why they should be part of the Information Security Committee. (ISO 27003, Annex B.1 – Line Managers / Information Security Committee)

E Correct: A leading role for the ISMS is one of the responsibilities for a member of the Information Security Committee. Therefore, as he has the lead responsibility for information security requirements of the ‘field-to-plate’ project it is appropriate for him to be a member of the Information Security Committee. (ISO 27003, Annex B.1 – Information Security Committee)

5 A Correct: The CEO of a supermarket chain which is not contracted to Equitable Products cannot be a Stakeholder. This is because he cannot be affected by any decisions or activities made by Equitable Products in relation to Equitable Products’ information security. (ISO 27003, Annex B.1 – Stakeholders)

B Incorrect: The Chief Finance Officer is part of normal operations within the ISMS and is considered to be a Stakeholder. (ISO 27003, Annex B.1 – Stakeholders / Local IT or IS responsible)

C Incorrect: The persons responsible for physical security are part of normal operations and are considered to be a Stakeholder. (ISO 27003, Annex B.1 – Stakeholders / Physical Security)

D Correct: A competitor to Equitable Products cannot be a Stakeholder as it cannot be affected by any decisions or activities made by Equitable Products in relation to Equitable Products’ information security. (ISO 27003, Annex B.1 – Stakeholders)

E Incorrect: The legal advisor is part of normal operations and is considered to be a Stakeholder. (ISO 27003, Annex B.1 – Stakeholders / Legal Advisor)


Question: 2, Syllabus: LE, Part: D, Type: MR, SyllabusRef: LE0311 LE0312 LE0314, Level: 3

1 A Incorrect: The Security of equipment and assets off-premises control seeks to manage portable equipment and assets that are taken off-site. (ISO 27001, A.11.2.6)

B Incorrect: The Security of network services control seeks to identify all network services for inclusion in network service agreements. Network service agreements would not resolve the loss of connection with the ISP as it was not caused by a failure of either party. (ISO 27001, A.13.1.2)

C Correct: The Cabling security control seeks to protect power and communications cables from interference or damage. This control would provide a resolution of this incident. (ISO 27001, A.11.2.3)

D Incorrect: The Network controls control seeks to manage networks to protect information in systems and applications. Neither systems nor applications were involved in this incident, so this control would not resolve this incident. (ISO 27001, A.13.1.1)

E Correct: The Supporting utilities control seeks to protect against power failure and other disruptions caused by failures in supporting utilities, such as was evidenced in the incident. This control would provide a resolution of this incident. (ISO 27001, A.11.2.2)

2 A Incorrect: The control for Physical entry controls seeks to provide entry control to secure areas for authorized personnel. The cleaner was an authorized person and use of this control would prevent cleaning of this area, which is not a practical solution. (ISO 27001, A.11.1.2)

B Correct: The Clear desk policy control seeks to provide a clean desk policy to ensure that all papers, such as the hard-copy lists of access passwords, are not available to unauthorised personnel. This control would provide a resolution of this incident. (ISO 27001, A.11.2.9)

C Correct: The Unattended user equipment control seeks to protect unattended equipment, such as the computer accessed by the cleaner. This control would provide a resolution of this incident. (ISO 27001, A.11.2.8)

D Incorrect: The Working in secure areas control seeks to provide a procedure for working in secure areas. Use of this control would prevent cleaning of this area, which is not a practical solution. (ISO 27001, A.11.1.5)

E Incorrect: The Securing offices, rooms and facilities control seeks to provide physical security for offices and rooms. Use of this control would prevent cleaning of this area, which is not a practical solution. (ISO 27001, A.11.1.3)

3 A Correct: The Controls against malware control provides protection and recovery controls against malware. The issued laptops have not been configured, so the protection against malware is not implemented. This control would provide a resolution of this incident. (ISO 27001, A.12.2.1)

B Incorrect: The Clock synchronisation control seeks to ensure that clocks of information processing systems can be synchronised within the organization. As the two laptops are used without connection to the network, there is no need for clock synchronisation at this stage. This control would not provide a resolution of this incident. (ISO 27001, A.12.4.4)

C Incorrect: The control for Network controls relates to the management and controls for the protection in network systems. As the two laptops are used without connection to the network, this control would not provide a resolution of this incident. (ISO 27001, A.13.1.1)

D Incorrect: The Access control policy control relates to the management of access based on business and information security requirements. The users have a business need for access to the application on the laptop. This control would not provide a resolution of this incident. (ISO 27001, A.9.1.1)


E Correct: The Information backup control provides for backups to be taken of information assets to protect against loss of data. The issued laptops have not been configured, so the backup protection has not been implemented. This control would provide a resolution of this incident by restoring the laptop to a situation prior to the virus infection. (ISO 27001, A.12.3.1)

4 A Correct: The System change control procedures control provides for changes within the development lifecycle to be controlled by the use of formalized procedures. This would allow Equitable Products and their contractors to manage the application development project. This control would provide a resolution of this situation. (ISO 27001, A.14.2.2)

B Incorrect: The Addressing security within supplier agreements control relates to addressing security requirements between Equitable Products and their suppliers in relation to the management of information. This control will not manage the software changes or the testing process. This control would not provide a resolution of this situation. (ISO 27001, A.15.1.2)

C Incorrect: The Change management control relates to operational changes in the organization (Equitable Products), its business processes, information processing facilities and systems. The application is still under development and has not been deployed, therefore, this operational control would not apply to this situation. This control would not provide a resolution of this situation. (ISO 27001, A.12.1.2)

D Correct: The System security testing control provides the testing of software during the software development lifecycle. This would allow for Equitable Products and their contractors to manage the testing process. This control would provide a resolution of this situation. (ISO 27001, A.14.2.8)

E Incorrect: The Protection of test data control relates to the selection, protection and control of test data. Although this control relates to test data, it does not manage the testing of the software functionality required in the project. This control would not provide a resolution of this situation. (ISO 27001, A.14.3.1)


Question: 2, Syllabus: LE, Part: E, Type: AR, SyllabusRef: LE0409 LE0411, Level: 4

1 True: The Director of Information Management had responsibility to control access privileges and they should have been revoked immediately on termination of employment. Therefore, the termination of employment was NOT completed correctly. (ISO 27001, A.9.2.6)

True: It is correct that the access rights for all employees and external party users to information and information processing facilities shall be reviewed at regular intervals. (ISO 27001, A.9.2.5). However, the reason the termination was not correctly completed was because access rights should be removed on termination of their employment, contract or agreement. It should not be left until the next regular review. (ISO 27001, A.9.2.6). The answer is therefore B.

2 True: The loss should trigger a review of the termination of other dismissed workers’ access privileges. This will ensure a similar problem has not occurred, as knowledge gained from the incident should be used to reduce the likelihood of future incidents. (ISO 27001, A.16.1.6)

True: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. (ISO 27001 A16.1.6). The reason directly explains the assertion because the review would be held in order to learn from the information security incident. Therefore, the answer is A.

3 False: Loss of food should be classified as an information security incident because there is a requirement to track all deliveries and as such a loss will have an impact on invoicing and stock control. (ISO 27001, A.16.1.2)

False: Information security events are classified as information security incidents for any unauthorized access such as secure areas. It does not only apply to an organization's systems and applications. (ISO 27001, A.16.1.2)

4 False: The ability for the dismissed worker to have access rights to the loading bay shall be removed immediately on termination of their employment. (ISO 27001, A.9.2.6)

True: Asset owners are required to review access rights on a regular basis. (ISO 27001, A.9.2.5)

5 False: Removing access privileges to the loading bay for all workers would be inconsistent with the allocation and use of the access privileges. Such an action would result in the loading bay ceasing to operate. (ISO 27001, A.9.2.3)

False: Access privileges are removed on termination of employment, contract or agreement. This does not happen when an information security incident occurs. (ISO 27001, A.9.2.6)


Question: 3, Syllabus: OS, Part: A, Type: MR, SyllabusRef: PL0202, Level: 2

1 A Incorrect: Evidence of top management contribution is useful to demonstrate compliance. However, the standard does not specifically require this to be evaluated. (ISO 27001, 5.1)

B Incorrect: Established risk assessment criteria are a means of analysing and evaluating potential risks. However, the criteria are not specifically subject to evaluation. (ISO 27001, 6.1.2 a)

C Correct: Information security process performance is a specified measurement requirement. (ISO 27001, 9.1 a)

D Incorrect: Assignment of suitably skilled resources to roles may be monitored and assessed. However, this activity is not specifically required to be evaluated. (ISO 27001, 7.2)

E Correct: Information security process effectiveness is a specified measurement requirement. (ISO 27001, 9.1 a)

2 A Correct: The standard does NOT require the organization to determine where the monitoring and measuring shall be performed. (ISO 27001, 9.1)

B Incorrect: The organization shall determine when the monitoring and measuring shall be performed. (ISO 27001, 9.1 c)

C Correct: The standard does NOT require the organization to determine why the monitoring and measuring shall be performed. (ISO 27001, 9.1)

D Incorrect: The organization shall determine when the results from monitoring and measurement shall be used. (ISO 27001, 9.1 e)

E Incorrect: The organization shall determine who shall analyse and evaluate the results. (ISO 27001, 9.1 f)

3 A Incorrect: Processes and controls need to be monitored and measured but the Monitoring, measurement, analysis and evaluation clause does NOT require the method of process control to be determined. (ISO 27001, 9.1 b)

B Incorrect: Documentation needs to be delivered but the Monitoring, measurement, analysis and evaluation clause does NOT require the method of documentation to be determined. (ISO 27001, 9.1 b)

C Correct: The Monitoring, measurement, analysis and evaluation clause requires the method of monitoring to be determined. (ISO 27001, 9.1 b)

D Incorrect: Corrective action needs to be undertaken to correct non-conformances but the Monitoring, measurement, analysis and evaluation clause does NOT require the method of corrective action to be determined. (ISO 27001, 9.1 b)

E Correct: The Monitoring, measurement, analysis and evaluation clause requires the method of analysis to be determined. (ISO 27001, 9.1 b)

4 A Incorrect: Password length is monitored by the password management system only when the user creates or changes the password. This ensures that the resulting password matches password quality policy rules. (ISO 27002, 9.4.3 c)

B Correct: The last change date will be used to understand if the user should be prompted to change a temporary password (new user at first log-in) or expired password (existing user forced to change their password as mandated by the maximum password age policy). (ISO 27002, 9.4.3 d & e)

C Correct: The last log-in date will be used to understand if the user should be prompted to change a temporary password (new user at first log-in). (ISO 27002, 9.4.3 d)

D Incorrect: Password complexity is monitored by the password management system only when the user creates or changes the password. This ensures that the resulting password matches password quality policy rules. (ISO 27002, 9.4.3 c)

E Incorrect: The access control system must NOT display passwords in clear text on the screen. (ISO 27002, 9.4.2 i)

Question: 3, Syllabus: OS, Part: B, Type: MG, SyllabusRef: OS0316, Level: 3

1 Correct [B]:  Reporting information security events: (ISO 27001, A.16.1.2; ISO 27002, 16.1.2). This report is to the police rather than to Equitable Products’ information security team. However, it is still an aspect of detection and reporting and it is the reporting of the event prior to its classification as an incident.

2 Correct [G]:  Collection of evidence: (ISO 27001, A.16.1.7; ISO 27002, 16.1.7). The police report is part of the collection of information which will serve as evidence.

3 Correct [E]:  Response to information security incidents: (ISO 27001, A.16.1.5; ISO 27002, 16.1.5). The lost papers are unlikely to be recovered. However, this risk treatment is intended to deal with the immediate vulnerability of other directors travelling with sensitive paper documents. It is an avoidance response to the vulnerability and potential threat.

4 Correct [D]:  Assessment of and decision on information security events: (ISO 27001, A.16.1.4; ISO 27002, 16.1.4). The Information Security Officer discovers the extent of the event. Realising the consequential impacts of losing sensitive paper documents to activists, he informs the CIO and begins investigating this as an incident.

5 Correct [E]:  Response to information security incidents: (ISO 27001, A.16.1.5; ISO 27002, 16.1.5). Communicating and reinforcing practices related to strangers and behaviours is a reasonable response to this incident.

6 Correct [F]:  Learning from information security incidents: (ISO 27001 A.16.1.6; ISO 27002, 16.1.6). Risk reassessment improves the consideration of this kind of event in paper media handling.


Question: 3, Syllabus: OS, Part: C, Type: AR, SyllabusRef: AR0408 AR0409 AR0410, Level: 4

1 True: Normal operating temperatures should be restored in a manner proportionate to the criticality of the situation. The return-to-service (information availability) target is only 5 hours. Alternative rapid temperature reduction options should be explored first. (ISO 27001, 6.2 c)

False: The organization should determine its requirements for information security and the continuity of information security management in adverse situations. (ISO 27002, 17.1.1). The organization should establish, document, implement and maintain compensating controls for routine IS controls that cannot be maintained during an adverse situation. (ISO 27002, 17.1.2 second part c). The organization may elect to operate with a predetermined increased risk tolerance for a limited period.

2 True: Physical destruction of disks which failed to power on is a reasonable control to prevent unauthorized attempts to recover data from that media. (ISO 27002, 8.3.2)

True: Replacing failed hardware components from redundant stock (ISO 27002, 17.2.1) is quicker and more reliable than attempting repairs and would support the organization’s return-to-service (information availability) objective. The assertion focuses on confidentiality of information and this reason focuses on information availability. Therefore, the reason does not support the assertion so the answer is B.

3 False: The asset register must be maintained with the lifecycle of each asset to destruction. (ISO 27002, 8.1.1). The asset tags must remain on the failed disks to provide identification. The disks should be marked as ‘failed/removed’ in the asset register and their later destruction also recorded. This is to maintain the integrity of the register and the traceability of the disks up to and including confirmation of their destruction. Replacement disks will have new asset tags to track their lifecycle of use.

True: The asset owner must ensure that the asset inventory is maintained. (ISO 27002, 8.1.2)

4 True: The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source. (ISO 27002, 12.4.4)

True: Network and domain system clock synchronisation is fundamental to correct system operations and event logging. It is an operational priority on commissioning and recovery. (ISO 27002, 12.4.4). This reason supports the asserted need for server synchronisation to a single reference time source, so the answer is A.

5 True: All response activities should be properly logged for later analysis. (ISO 27002 16.1.5 d)

True: Compensating controls for information security controls that cannot be maintained during an adverse situation should be documented by the organization as part of implementing information security continuity. (ISO 27002, 17.1.2, both points c). Documenting compensating controls is part of planning for business continuity and is a separate requirement to the documentation during an incident. The answer is therefore B.

6 False: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. The root cause of events should be identified (air conditioning units not surge protected) and formally risk-assessed to determine options for treatment. (ISO 27001, 8.2 & 8.3). Opportunities to improve information security should also be considered. (ISO 27002, 16.1.6; ISO 27001, 10.1, 10.2)

False: Opportunities to improve the response should be considered. (ISO 27002, 16.1.6). Top management are required to review the ISMS – and the results of this incident – to ensure its continuing suitability, adequacy and effectiveness. (ISO 27001, 9.3)


Question: 3, Syllabus: OS, Part: D, Type: CL, SyllabusRef: LE0410 LE0413 LE0415, Level: 2

1 A Incorrect: Information in the Scenario Booklet states that Equitable Products IT Services currently operate an ISMS compliant with ISO 27001. To be compliant, the ISMS controls will already include established malware protection for all received electronic information to mitigate this risk appropriately. (ISO 27002, 12.2.1e, g & h)

B Incorrect: The legal entitlement of Equitable Products to collect the device for forensic investigation needs to be established first. (ISO 27002 16.1.7). Sample data validation will support that justification in consultation with legal counsel. (ISO 27002, 18.1.1)

C Correct: Encryption of the sample data would provide the objectives described. (ISO 27002, 13.2.1 f)

D Incorrect: Encryption can ensure that the data sent is the data received. However, if there is malware in the original data it will not be removed by encryption. (ISO 27002 10.1.1)

2 A Incorrect: Information security events shall be reported through appropriate management channels as quickly as possible. (ISO 27001, A16.1.2). There is no requirement to wait until all potential impacts are known, particularly as the trusted researcher has provided sample data that is considered representative of the nature of the information on the device.

B Incorrect: It is usual for employees and contractors to be provided with a confidentiality or non-disclosure agreement prior to being given access to information. (ISO 27002, 7.1.2 a). However, the agreement may be negotiated and applied to any party at any time as the organization’s needs change. (ISO 27002, 13.2.4)

C Incorrect: The recovered sample data is publicly-available information, not commercially or personally sensitive. There are no details of the planned scope of publication and the researcher is a trusted advisor to the organization. It would be premature to involve authorities unless there is tangible evidence of harmful motive and intent enabling identification of applicable legislation. (ISO 27002, 18.1.1)

D Correct: Incident disclosure may still be avoided or contained by negotiation and agreement with the researcher as a ‘supplier’ of incident information. (ISO 27002, 15.1.2 e & p)

3 A Correct: Attempts should be made to identify how this asset was used and by whom. This will determine the root cause of the failure and enable correction and improvement. (ISO 27001, 10.1 & 10.2)

B Incorrect: The information is publicly available according to the applied classification scheme. Therefore, there is no requirement for confidentiality to make the information unrecoverable as per ISO 27001, A.8.3.1. (ISO 27002, 8.3.1)

C Incorrect: Removable media assets may be reassigned and/or re-used, changing purpose and handling requirements as the classification of their stored information changes. (ISO 27002, 11.2.7). Asset inventories should record the current owner and lifecycle of use. (ISO 27002, 8.1.1)

D Incorrect: Reputational risk remains because the researcher discloses Equitable Products’ media and information asset lifecycle management failure. (ISO 27002, 8, 11.2.5, 11.2.6 & 11.2.7)

4 A Incorrect: ‘Deleted’ information can be technically recovered in many cases. Although the user’s action did not result in unauthorized disclosure in this specific case, the same decision and action on a device with more sensitive information may be a vulnerability that needs to be investigated and managed. Corrective action may include risk awareness training to prevent further occurrence (ISO 27001, 10.1 & 7.3), or removal of technical privileges to use removable media. (ISO 27002, 8.1.3, 9.2.2)

B Incorrect: ‘Deleted’ information can be technically recovered in many cases. The user’s action did not result in unauthorized disclosure in this specific case. However, the same decision and action on a device with more sensitive information may be a vulnerability that needs to be investigated and managed. Corrective action may include risk awareness training to prevent further occurrence (ISO 27001, 10.1 & 7.3), or removal of technical privileges to use removable media. (ISO 27002, 8.1.3, 9.2.2)

C Correct: Corrective action may include risk awareness training to prevent further occurrence (ISO 27001, 10.1 & 7.3), or removal of technical privileges to use removable media. (ISO 27002 8.1.3, 9.2.2)

D Incorrect: Information in the Scenario Booklet states that Equitable Products' IT Services currently operate an ISMS compliant with ISO 27001. To be compliant, the ISMS controls will already include established malware protection for all received electronic information to mitigate this risk appropriately. (ISO 27002, 12.2.1e, g & h)


Question: 4, Syllabus: AR, Part: A, Type: CL, SyllabusRef: PL0204 PL0205, Level: 2

1 A Incorrect: It is not a requirement of the Standard to inform the Certification Body of the results of internal audits. The Certification Body may require sight of the internal audit results when external audits are performed but if required, this will be requested later as part of the external audit. (ISO 27001, 9.2)

B Incorrect: The requirement is to identify what should be audited when setting up the audit programme(s). There is no requirement to identify the next processes to be audited at the end of an internal audit. (ISO 27001, 9.2 c)

C Correct: The organization shall retain documented information as evidence of the audit programme(s) and the audit results. The audit results should be protected to ensure they are not lost or destroyed as these are evidence to demonstrate the meeting of the Standard. (ISO 27001, 9.2 g)

D Incorrect: A certificate is only issued when an auditor employed by a certification body performs a certification audit. Certificates are not issued for internal audits. (ISO 27001, 9.2, Supplementary Paper 4.5)

2 A Incorrect: Evaluating the need to eliminate the causes of non-conformance is part of Improvement, not Management Review. (ISO 27001, 10.1 b)

B Incorrect: Dealing with the consequences of non-conformance is part of Improvement, not Management Review. (ISO 27001, 10.1 a.2)

C Incorrect: Determining the cause of non-conformance is part of Improvement, not Management Review. (ISO 27001, 10.1 b.2)

D Correct: Considering opportunities for continual improvement is part of Management Review. (ISO 27001, 9.3 f)

3 A Correct: Defining the scope of the audit is one of the responsibilities of the organization. (ISO 27001, 9.2 d)

B Incorrect: Considering feedback on opportunities for continual improvement is part of Management Review. (ISO 27001, 9.3 f). Identifying opportunities for continuous improvement is not a stated responsibility within Internal Audit. (ISO 27001, 9.2)

C Incorrect: Consideration of changes in external issues is part of Management Review (ISO 27001, 9.3 b). There is no requirement to document them prior to an Internal Audit. (ISO 27001, 9.2)

D Incorrect: One purpose of an Internal Audit is to provide information on whether the ISMS conforms to the organization’s own requirements for its ISMS. (ISO 27001, 9.2). The Internal Audit will measure against the current requirements, but there is no obligation to update the ISMS prior to an Internal Audit.

4 A Incorrect: The organization’s approach to managing information security may be independently reviewed as a result of information from a management review but there is no requirement to independently review it at every management review. (ISO 27001, 9.3, A.18.2.1)

B Incorrect: The organization’s approach to managing information security may be independently reviewed as a result of information from an audit. However there is no requirement to independently review it at every audit. (ISO 27001, 9.2, A.18.2.1)

C Incorrect: Review of the organization’s approach to managing information security may form part of continuous improvement. However, there is no requirement to independently review it as part of continuous improvement. (ISO 27001, 10.2, A.18.2.1)

D Correct: The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. (ISO 27001, A.18.2.1)


5 A Incorrect: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. Whilst national laws may affect implementation, there is no recommendation to take legal advice. (ISO 27002, 18.1.3)

B Correct: Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations. Legal advice should be sought to ensure compliance and before encrypted information or cryptographic controls are moved across jurisdictional borders. (ISO 27002, 18.1.5)

C Incorrect: An independent review of information security reviews the organization’s approach to managing information security and its implementation. Such a review should be carried out by individuals independent of the area under review. (ISO 27002 18.2.1)

D Incorrect: Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards. The technical compliance review should be carried out or supervised by competent, authorized persons but not with legal advice. (ISO 27002, 18.2.3)

6 A Correct: It is the audit programme that takes into consideration the importance of the processes concerned. (ISO 27001, 9.2 c)

B Incorrect: The management review shall include consideration of the changes in external and internal issues. (ISO 27001, 9.3 b)

C Incorrect: The management review shall include consideration of the status of actions from previous management reviews. (ISO 27001, 9.3 a)

D Incorrect: The management review shall include consideration of trends in results of risk assessment. (ISO 27001, 9.3 e)


Question: 4, Syllabus: AR, Part: B, Type: MR, SyllabusRef: AR0308 AR0310 AR0313, Level: 3

1 A Incorrect: Digital signatures will not help to avoid incorrect information being sent, but they may assist the verification of the authenticity of a message. (ISO 27002, 10.1.1 second bullet point b). However, the issue to be addressed here was the attachment of the wrong price list to an authentic message.

B Correct: Labelling sensitive information in accordance with a defined classification scheme is a recommended asset management control for electronic information exchange. This highlights that the information needs to be handled in accordance with defined procedures. (ISO 27002, 8.2.1, 8.2.3). If the price list had been appropriately labelled it may have drawn attention to its special status and avoided it being sent to the wrong customer.

C Incorrect: Owners of sensitive information should be accountable for their classification, and this is an asset management control. (ISO 27002, 8.2.1). However, this control will not directly address the audit finding that sensitive information has been released to unintended recipients.

D Incorrect: Agreements with other organizations that include information sharing should include procedures to identify the classification of that information. However, this will not control the finding that sensitive information has been released to unintended recipients. (ISO 27002, 8.2.3 final paragraph)

E Correct: A review of access restrictions to sensitive information such as price lists (ISO 27002, 8.1.2 c) would be appropriate to identify changes or additional controls to restrict access to special price lists to avoid them being used inappropriately.

2 A Correct: Information security considerations for electronic messaging should include requirements for electronic signatures (ISO 27002, 13.2.3 d) which will address the issue of authenticity.

B Incorrect: The issue relates to the authentication of messages sent. Protection against unsolicited email received, although relevant to electronic messaging (ISO 27002, 13.2.3), is not appropriate to address the identified issue.

C Incorrect: The issue relates to the authentication of messages sent by email. The Access to instant messaging control relates to instant messaging. Although it is relevant to electronic messaging (ISO 27002, 13.2.3 e), it is not appropriate to address the identified issue.

D Correct: The issue to be addressed is authenticity. The use of message authentication codes is a cryptographic control that will address issues of authenticity. (ISO 27002, 10.1.1 second bullet point b).

E Incorrect: The issue relates to the authentication of messages sent by email. Malware protection, although relevant to electronic messaging (ISO 27002, 12.2.1 g.2), is not appropriate to address the identified issue.

3 A Incorrect: Enforcement of password changes is a consideration of password management system. (ISO 27002, 9.4.3 e). However, it will not address the issue of information being disclosed to unintended email recipients.

B Incorrect: Limiting the information contained in outputs is a consideration of the Information access restriction control. (ISO 27002, 9.4.1 e). It may reduce the amount of information disclosed to an unintended recipient. However, unless the content is encrypted it will not prevent disclosure and is not part of an encryption/cryptographic policy.

C Correct: The impact of encryption on other controls such as content inspection controls should be considered when developing a cryptographic policy. (ISO 27002, 10.1.1 g)

D Incorrect: The issue to be addressed is disclosure (confidentiality). The use of message authentication codes is a cryptographic control that will address issues of integrity and authenticity but is not relevant to confidentiality. (ISO 27002, 10.1.1 second bullet point b)

E Correct: The standards to be adopted should be considered when developing a cryptographic policy. (ISO 27002, 10.1.1 f)

4 A Incorrect: Availability of the service is a consideration of electronic messaging (ISO 27002 13.2.3). It is not required to be documented in an agreement on information transfer. (ISO 27002, 13.2.2)

B Incorrect: Capacity management is an aspect of operations security. However, it is not a responsibility required to be defined in an information transfer agreement. (ISO 27002, 13.2.2)

C Correct: Information transfer agreements should incorporate management responsibility for controlling receipt. (ISO 27002, 13.2.2 a)

D Incorrect: User authentication is an aspect of access control. (ISO 27002, 9.1.2 e). It is not a responsibility required to be defined in an information transfer agreement. (ISO 27002, 13.2.2)

E Correct: Information transfer agreements should incorporate responsibility for liability in the event of data loss. (ISO 27002, 13.2.2 f)

5 A Incorrect: Interception was not an issue identified. Therefore procedures relating to the interception of information, although an information transfer control, are not relevant in this case. (ISO 27002, 13.2.1 a)

B Incorrect: Non-repudiation procedures are an issue relating to information transfer. (ISO 27002, 13.2.2 b). However, they are not relevant to the issue of inappropriate sharing of information by email.

C Correct: Although not the cause of this incident, inappropriate forwarding of emails (especially to external addresses) would result in a similar inappropriate disclosure of information. (ISO 27002, 13.2.1 h)

D Correct: Procedures to be followed when using communication facilities for information transfer should consider the procedures for protecting sensitive information that is in the form of attachments. (ISO 27002, 13.2.1 c)

E Incorrect: Process and procedures around incident management are part of incident management. (ISO 27002, 15.1.2 h). They are not directly part of information transfer procedures, so incident management, of itself, will not prevent a similar incident.


Question: 4, Syllabus: AR, Part: C, Type: CL, SyllabusRef: AR0413, Level: 4

1 A Incorrect: There may be a need for an organization to use different forms of confidentiality or non-disclosure agreements in different circumstances. (ISO 27002, 13.2.4 OI)

B Incorrect: The information about the intellectual property rights may be public domain information, and therefore not confidential. However, the ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information should be included in a non-disclosure agreement. (ISO 27002, 13.2.4 e)

C Correct: Ownership of information, trade secrets and intellectual property should be included in a non-disclosure agreement. (ISO 27002, 13.2.4 e)

D Incorrect: The non-disclosure agreement should set out any rights to audit. (ISO 27002, 13.2.4 g). However, this is not the reason for including information about ownership of information, trade secrets and intellectual property.

2 A Incorrect: A non-disclosure agreement should set out the terms for information to be returned or destroyed at agreement cessation. This may be reviewed and changed at any time before it expires. The fact that the information may change is not a reason to have an agreement for a period of just three months. (ISO 27002, 13.2.4 IG)

B Correct: A non-disclosure agreement should be for an appropriate period, and there is no need to restrict its length. It should set out when it will be periodically reviewed but it has no need to automatically expire when reviewed. (ISO 27002, 13.2.4 b)

C Incorrect: A non-disclosure agreement should be reviewed periodically. However, this does not mean that a new agreement is needed unless circumstances have changed. (ISO 27002, 13.2.4 IG)

D Incorrect: A non-disclosure agreement should have an expected duration but that may be whatever duration is appropriate, not just a year. (ISO 27002, 13.2.4 b)

3 A Incorrect: A non-disclosure agreement should consider the responsibilities and actions of signatories to avoid unauthorized information disclosure. (ISO 27002, 13.2.4 d)

B Incorrect: If there are any special information handling requirements then the non-disclosure agreement should set them out. Otherwise enforcement action is only likely to be possible after information has been disclosed. (ISO 27002, 13.2.4 IG)

C Incorrect: If the information is disclosed, the breach of any special information handling requirements will be relevant. However, a lack of them will not preclude the agreement being enforced. (ISO 27002, 13.2.4 IG)

D Correct: When identifying requirements for confidentiality or non-disclosure agreements, the responsibilities and actions of signatories to avoid unauthorized information disclosure should be considered. (ISO 27002, 13.2.4 d)

4 A Incorrect: A non-disclosure agreement is applicable to employees of an organization as well as external parties. (ISO 27002, 13.2.4 IG)

B Incorrect: The fact that marketing staff may need to disclose confidential information is actually a reason for having a non-disclosure agreement. An NDA can set out the permitted use of confidential information and how it may be disclosed by marketing staff. (ISO 27002, 13.2.4 f)

C Correct: It is good practice for employees with access to confidential information to be required to sign a non-disclosure agreement. (ISO 27002, 7.1.2 a). An NDA can set out permitted use of the confidential information and how it may be disclosed by marketing staff. (ISO 27002, 13.2.4 IG, f)

D Incorrect: It is good practice for everyone with access to confidential information to be required to sign a non-disclosure agreement (ISO 27002, 7.1.2 a). It is not appropriate for all interested parties to sign non-disclosure agreements as some will not have access to confidential information or will be outside the control of the organization. (ISO 27003, Table B1)

Question: 4, Syllabus: AR, Part: D, Type: AR, SyllabusRef: AR0414 AR0418 AR0415, Level: 4

1 True: System and acceptance testing usually requires substantial volumes of realistic test data. All sensitive details and content should be protected by removal or modification. (ISO 27002, 14.3.1 IG, OI)

False: User acceptance testing should be performed in a realistic test environment to ensure that the system will not introduce vulnerabilities to the organization’s environment. (ISO 27002, 14.2.9 IG)

2 True: The organization shall perform an information risk assessment when significant changes are proposed or occur. (ISO 27001, 8.2)

True: Contractors should be required to report any observed information security weaknesses in systems or services. (ISO 27002, 16.1.3). Both are true but the answer is B as the reason does not explain why the assertion is required.

3 True: Relevant legislative, regulatory and contractual requirements and the organization's approach to meet those requirements should be explicitly identified, documented and kept up to date. (ISO 27002, 18.1.1)

True: Supplier agreements should describe the information to be provided. (ISO 27002, 15.1.2 a). The dairy farm supplier agreements must be updated to document any new information required as a result of the new regulations to maintain compliance with ISO 27002, 15.1.2 a. The answer is therefore A.

4 False: The requirement to retain data is a policy requirement relating to regulations and legislation and should therefore be recorded in the policy. (ISO 27002, 5.1.1 b)

True: Data retention is a control required to comply with the regulatory obligation and will be documented in the supplier agreement. (ISO 27002, 18.1.3, 15.1.2 c)

5 True: It is appropriate to include a supplier’s obligation to deliver an independent report on the effectiveness of controls. (ISO 27002, 15.1.2 o)

True: It is the organization's management who are responsible for the effectiveness of information security controls. (ISO 27002, 18.2.1). Requiring the supplier to provide an independent penetration test report would be an appropriate method of review. Therefore the answer is A.