
The Practitioner Examination

SX01
Scenario Booklet
This is a 2.5-hour objective test examination. This booklet contains the Project
Scenario upon which this exam paper is based. All questions are contained within
the Question Booklet.

Additional information is provided within this Scenario Booklet for a number of
questions. Where reference should be made to additional information, this is
clearly stated within the question to which it is relevant. All information provided
within a question must only be applied to that question.

Each of the 4 questions is worth 20 marks, giving a maximum of 80 marks in the
paper. The pass mark is 50% (40 marks). Within each question the syllabus area
to which the question refers is clearly stated.

The exam is to be taken with the support of only the following British Standards:
ISO/IEC 27000:2014
ISO/IEC 27001:2013
ISO/IEC 27002:2013
ISO/IEC 27003:2010
ISO/IEC 27005:2011

No material other than the Question Booklet, the Scenario Booklet, the Answer
Booklet, and the five standards are to be used. However, if required the ISO/IEC
27001 Supplementary Paper, which contains relevant parts of ISO/IEC 27003:2010
may be used.

Candidate Number: ........................................

ISO27K2012-GB--SX01-V1.1 Page 1 of 9 Document Owner - Chief Examiner


© The APM Group Ltd 2014. This paper remains the property of The APM Group (APMG). This document is not to be reproduced or re-sold without express
permission from The APM Group Ltd. 2. The APMG-International ISO/IEC 27001 logo is a Trade Mark of The APM Group Limited. The APMG-International
logo is a Trade Mark of the APM Group Ltd.
Scenario
ISO/IEC 27001 – Case Study: Equitable Products

The organizations and people within the scenario are fictional.

Background

Equitable Products are a food processing and supply company to supermarkets. They supply food
packaged under their own brand name to general retailers and ‘supermarket brand’ packaged goods
to supermarket chains.

In addition they have recently begun supplying frozen 'ready meal' products to a major restaurant
chain.

To support their business, Equitable Products has food processing plants at two sites. One site deals
with the processing and re-packaging of bulk foodstuffs into branded packages (own brand and
supermarket). The other site produces ready meals which are supplied as frozen products to general
retail customers and the restaurant chain.

Organization

There are three marketing divisions within the organization to service the separate retail, supermarket
and restaurant markets. Each of the marketing divisions has its own business targets, objectives
and processes.

An internal IT unit is responsible for the provision of IT services within Equitable Products.

Each division uses some specific, dedicated IT services, together with a core set of shared corporate
IT services to support their business operations. For example, the Equitable Products' IT systems now
interface directly with the supermarkets’ IT systems to enable 'just in time' re-ordering and delivery.

The restaurant chain's IT systems are also now connected to the Equitable Products' IT systems. All
the new Restaurant Ready Meal products are micro-chipped with a Radio Frequency Identification
Device (RFID). All restaurant products must be consumed within five days of production. The RFID
technology enables the individual restaurants’ usage to be monitored by Equitable Products. A
production schedule is produced for the restaurant ready meal products in order to reduce wastage.

Current Status

As a result of international concern over contamination of products, Equitable Products decided that
they should take more control of their supply chain. They have recently acquired an established chain
of dairy farms which will, in the future, provide most of their fresh dairy products. This will better enable
them to track ingredients from 'field to plate'.

The other products and ingredients used in the processing plants are sourced from a variety of third
party suppliers. Wherever possible the contracts with those suppliers require the suppliers to maintain
ISO/IEC 27001 certification.


The diagram below shows the interaction between the various parties and Equitable
Products’ divisions.

[Diagram 1 - The interaction between the various parties and Equitable Products’ divisions. Boxes shown: Suppliers; New Dairy Farm Chain; Food Processing Division (Site 1: Bulk Foodstuffs, Site 2: Ready Meals); Supermarket Brands; Equitable Products Brand; Restaurant Ready Meals; Supermarket Chains; General Retailers; Restaurants.]
The contracts with the major supermarkets require Equitable Products to maintain ISO/IEC
27001 certification and there is an established ISMS in place. However the dairy farm
chain has never had ISO/IEC 27001 certification and needs to be brought into the scope of
certification.

Equitable Products’ corporate clients are supportive of the reasons and objectives of
acquiring the dairy farm chain. However, they require the ISO/IEC 27001 certification to be
extended to include this new business division.

Information Security Management Structure

The Equitable Products Chief Financial Officer has the role of Director of Information
Management. In this role he has been given the organizational responsibility to ensure that
ISO/IEC 27001 conformance is maintained.

The Chief Information Officer reports directly to the Director of Information Management
and has two Information Security Officers who work for him. They are responsible for
ensuring that the company and its third party suppliers maintain the required ISO/IEC
27001 certifications.

The Head of the IT Services Division also has an Information Security Specialist within his
team. The specialist is responsible for ensuring that the IT service is delivered in
accordance with ISO/IEC 27001.

Information Security Objectives

Information security risks must be managed effectively, collectively and proportionately in
a cost effective way. A secure and confidential working environment should also be
maintained. To achieve this, the information security objectives of Equitable Products
include the following:

a) To maintain the confidentiality, integrity and availability of corporate and
customer information
b) To maintain ISO/IEC 27001 certification
c) To ensure compliance with legal and regulatory requirements
d) To support effective and resilient processes to respond to, investigate and
recover from any information security incidents with necessary controls,
identified by formal risk assessment.

End of Scenario

Question 1: Planning and Risk Management - Additional Information

Additional Information for part question 1D

A risk assessment has been carried out on the changes needed to incorporate the dairy farm chain
into the Equitable Products’ ISMS. This has identified the following information:

● Each dairy farm site has differing information security policies to suit the type of dairy product
processed, specific authorities and special interest groups, and the site size and access
arrangements

● Equitable Products has many environmental health contacts within the Food & Livestock
Regulatory Authority (a Government authority). However, there are many more contacts required
for the dairy farm chain, such as those relating to the testing for animal diseases

● The dairy farm staff use tag readers and operational systems for the logging of each animal’s
milk produced for processing

● The staff in the dairy farm chain’s Head Office use marketing, accountancy and HR systems,
logistics and stock systems

● Many of the dairy farm chain’s Head Office staff use the IT systems from home via an internet
connection. No issues have been experienced with this setup

● In the past year there have been seven breaches of information security within the dairy farm
chain. One of these was a high profile incident involving press coverage of the short lifespan of
the dairy animals.

Question 3: Operational Systems, Measurement and Incidents - Additional Information

Additional Information for part-question 3D

USB memory stick problem

A widely recognized information security researcher and occasional trusted advisor to Equitable
Products is undertaking an independent research project. He is examining USB memory sticks
bought from individuals on internet sales sites. The devices were advertised as ‘used’ or ‘pre-owned’.

The researcher contacted Equitable Products’ Chief Information Officer to report that he has
recovered a variety of records from one device that appear to be from the organization and dated as
recently as three months ago.

The researcher informed the Chief Information Officer that he plans to publish his findings from all of
the devices in a research paper as examples of protection failures.

The Chief Information Officer has validated the identity of the researcher.

Question 4: Audit and Management Review - Additional Information

Additional Information for part-question 4B

Extract from an Audit Report

Background

A supermarket recently complained that they were not receiving the best prices available for products
supplied to them. The investigation of the complaint found that the supermarket was basing this
complaint on a price list sent to them in error. The price list, sent by email, had been prepared by a
marketing team for a special promotion. This had then been sent by a different marketing team who
had retrieved it from the shared area thinking it was the standard price list.

Scope of Audit

The Internal Audit team were asked to undertake an audit of all third party information exchanges.

Audit Findings

i) Controls that are in place with each third party have been developed on an ad hoc basis and
there is no standard terminology

ii) The division of responsibilities between Equitable Products and third parties is not always
clearly defined

iii) Email is often used to transfer sensitive information

iv) It is common to receive replies to emails sent indicating they have been received by
unintended recipients.

v) Customers have expressed concerns about acting on information received by email before
they have been able to confirm authenticity

vi) The Equitable Products’ Information Security Policy document states that it should be possible
to confirm that information sent by email has been sent by an authorized person and the correct
information has been received. This requirement is not currently being met.

The Practitioner Examination

SX01

Question Booklet

Candidate Number: ........................................

Syllabus areas covered:

Question 1 - Planning and Risk Management

Question 2 - Leadership and Roles

Question 3 - Operational Systems, Measurement and Incidents

Question 4 - Audit and Management Review

Question Number 1
Syllabus Area Planning and Risk Management

Syllabus Area: Planning and Risk Management    Question Number: 1    Part: A    Marks: 4

Answer the following questions about establishing information security risk management for an organization as
stated in ISO/IEC 27005.

Remember to select 2 answers to each question.

1 Which 2 statements describe what should be considered when defining the evaluation criteria for risks caused
by information security events?
A The acceptable level of any financial loss.
B The importance to the business of confidentiality.
C The amount of damage caused by disruption of plans and deadlines.
D The consequences to the reputation of an organization.
E The time it will take to reduce a risk to an acceptable level.
2 Which 2 statements describe what should be considered when defining the impact criteria for risks caused by
information security events?
A The cost of missing a deadline due to an information security event.
B The importance of availability to operations.
C The amount of damage caused by breach of contract.
D The criticality of the information assets involved.
E The ratio of estimated profit to the estimated cost of the risk.
3 Which 2 statements describe what should be considered when defining the acceptance criteria for risks
caused by information security events?
A The amount of damage caused by breaches of a legal requirement.
B The escalation path used to obtain a decision on risk acceptance.
C The circumstances when senior managers can accept risks above the normal threshold.
D The information security risk management records required to be kept.
E The ratio of estimated profit to the estimated cost of the risk.


4 Which 2 statements identify aspects that should be considered when defining the scope and boundaries of
information security risk management process?
A The risk acceptance decision escalation paths.
B The legislation applicable to an organization.
C The estimated cost caused by a breach of contract.
D The use of the four options to treat risks.
E An organization’s business processes.

Syllabus Area: Planning and Risk Management    Question Number: 1    Part: B    Marks: 5

Answer the following question about the risk identification step.

An Information Security Officer has undertaken a risk assessment on the changes needed to
incorporate the dairy farm chain into the Equitable Products' ISMS.

Column 1 is a list of input data for the risk analysis activity. For each input item in Column 1, select from Column 2
the type of information it represents. Each selection from Column 2 can be used once, more than once or not at all.
Column 1
1 Animal rights activists may attempt to disrupt operations in order to protest against the
shortened life-spans of the animals.
2 There is rigorous physical entry security to prevent unauthorized access to the dairy
farm sites.
3 Smart labels, also called radio frequency identification (RFID) tags, are used to identify
the milk production of each animal used in the dairy farm.
4 The latest updates have NOT been applied to the antivirus package used to protect the
dairy farm chain’s IT systems.
5 The production schedule is an output of the just-in-time re-ordering process.

Column 2
A Asset
B Threat
C Existing control
D Vulnerability
E Consequence

Syllabus Area: Planning and Risk Management    Question Number: 1    Part: C    Marks: 5

A number of changes are needed to Equitable Products’ ISMS to incorporate the dairy farm chain. A risk
assessment has identified that some solutions may not comply with Equitable Products’ information
security policy. More details about the risk are given below.

Some ‘off the shelf’ IT system components are used to underpin the dairy farm chain’s ISMS. If technical
problems arise with these components, a maintenance engineer is brought in from an IT supplier. There
is no formal contractual arrangement in place between the dairy farm chain and the IT supplier. There is,
therefore, a risk that technical solutions to issues may not adhere to the information security policy for
Equitable Products. A number of possible risk treatments for this risk have been identified.

Column 1 is a list of some of the possible risk treatments. For each risk treatment in Column 1, decide if it is
relevant to the stated risk and select from Column 2 the type of risk treatment it represents.

Each question is independent and should be answered in isolation from the other questions. Each
selection from Column 2 can be used once, more than once or not at all.
Column 1
1 All problem management and technical expertise for the dairy farm chain will be
audited by the Equitable Products IT Services Department. This department is
responsible for ensuring that the Equitable Products' information security policy is
adhered to.
2 The Equitable Products Information Security Officers will provide awareness,
education and training on Equitable Products’ information security policy to the
maintenance engineers supporting the dairy farm chain’s IT systems.
3 A contractual agreement with the IT suppliers to the dairy farm chain will be provided,
which states the supplier’s responsibilities for maintaining information security.
4 Equitable Products will ensure that all outsourced development by the dairy farm
chain is monitored.
5 The current arrangements for technical support will remain unchanged if the dairy farm
chain’s ISMS has been free of information security incidents for the last three months.

Column 2
A NOT relevant to the stated risk
B Modification
C Retention
D Avoidance
E Sharing

Syllabus Area: Planning and Risk Management    Question Number: 1    Part: D    Marks: 6

Using the additional information provided for this question in the Scenario Booklet, answer the
following question about the risk assessment carried out on the changes needed to incorporate the
dairy farm chain into the Equitable Products' ISMS.

Lines 1 to 6 in the table below consist of an assertion statement and a reason statement. For each line identify
the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not
at all.

Option A: Assertion True; Reason True AND the reason explains the assertion
Option B: Assertion True; Reason True BUT the reason does not explain the assertion
Option C: Assertion True; Reason False
Option D: Assertion False; Reason True
Option E: Assertion False; Reason False

1 Assertion: The effectiveness of each dairy farm site’s existing information security policy should
have been reviewed during the risk assessment in order to determine the changes needed to
incorporate the dairy farm chain.
BECAUSE
Reason: Detailed policies underpin an organization’s high-level information security policy.

2 Assertion: When the staff from the dairy farm chain were transferred to Equitable Products, the
Equitable Products’ information security policy should have been published to all staff.
BECAUSE
Reason: Policies for information security should be issued only to internal employees.

3 Assertion: The control for the ‘contact with authorities’ in Equitable Products should have been
updated with the specific contacts in the Food & Livestock Regulatory Authority needed for the
dairy farm chain.
BECAUSE
Reason: An organization should maintain the appropriate contacts with relevant authorities.

4 Assertion: The terms and conditions for the dairy farm site staff transferred to Equitable Products
should refer to information security responsibilities.
BECAUSE
Reason: Management has the responsibility for ensuring that all employees and contractors follow
the information security policies and procedures of the organization.

5 Assertion: The access to the dairy farm chain’s Head Office systems over the internet should have
been reviewed as a priority.
BECAUSE
Reason: The control on securing application services on public networks requires that access over
the internet is prevented until the proper controls are selected.

6 Assertion: The information on the dairy farm chain’s incidents will NOT be needed for an analysis
of Equitable Products’ information security requirements.
BECAUSE
Reason: Information security requirements should consider the required protection needs of the
assets involved.

Question Number 2
Syllabus Area Leadership and Roles

Syllabus Area: Leadership and Roles    Question Number: 2    Part: A    Marks: 3

Answer the following question about leadership.

Column 1 is a list of activities. For each activity in Column 1, select from Column 2 the clause heading from
ISO/IEC 27001 that requires the activity to be performed. Each selection from Column 2 can be used once, more
than once or not at all.
Column 1
1 Supporting information security management roles.
2 Providing a framework for setting information security objectives.
3 Integrate actions to address opportunities into information security management processes.

Column 2
A Leadership and commitment
B Policy
C Organizational roles, responsibilities and authorities
D None of the above

Syllabus Area: Leadership and Roles    Question Number: 2    Part: B    Marks: 3

Answer the following questions about leadership.


1 Which characteristic is NOT required of an information security policy?
A Suitable.
B Comprehensive.
C Adequate.
D Effective.
2 Which aspect of an ISMS can vary depending upon the competencies of the persons available to an
organization?
A The scope of the ISMS.
B The documentation supporting the ISMS.
C The frequency of review of the ISMS.
D The boundaries of the ISMS.
3 According to ISO/IEC 27003, which consideration is key when defining the roles in information security
management?
A One person should be assigned to promote and co-ordinate the information security process.
B None of the roles within information security management can be shared between individuals.
C Only those employees and contractors assigned to information security have the responsibility for its
implementation.
D The audit department in an organization should be responsible for ensuring independence in the information
security organization.

Syllabus Area: Leadership and Roles    Question Number: 2    Part: C    Marks: 5

Using Diagram 1 and the Information Security Management Structure section given in the Scenario,
answer the following questions about the roles and responsibilities within the ISMS.

Each of the following questions includes a list of only true statements about individuals from the organization. Only
2 statements explain why, in the context of the ISO/IEC 27003 (Table B1) roles and responsibilities, the individual
is an appropriate appointment for that role.

Each question should be answered in isolation as the individual may be suitable for more than one role.

Remember to select 2 answers to each question.

1 Which 2 statements BEST explain why the Chief Financial Officer is appropriate for the role of Director of
Information Management?
A He is keen to expand the control that Equitable Products has over its supply chain operations and can
ensure that the ISMS remains aligned with this company focus.
B He has the authority to take strategic decisions and give direction in the risk management process.
C He likes to be involved in the operational detail.
D He has sufficient knowledge to agree user requirements for the specification of the new ‘field-to-plate’
applications.
E He was one of the founders of the company 11 years ago.
2 Which 2 statements BEST explain why the Information Security Officers would be appropriate for the role of an
internal auditor?
A They report to the Chief Information Officer.
B They have qualifications and experience in ISO/IEC 27001.
C They are responsible for ensuring that Equitable Products maintains the required ISO/IEC 27001
certifications.
D They have good working relationships with many of the Division Heads and suppliers so can help resolve
disputes.
E They are responsible for evaluating the reports on the monitoring of the ISMS, produced by the Head of the
IT Services Division.


3 Which 2 statements BEST explain why the Head of the IT Services Division would be appropriate as a member
of the Information Security Planning Team?
A He is keen to expand the ‘field-to-plate’ capability and ensure that the Equitable Products is at the forefront
of technology.
B He is responsible for managing the IT Services’ operations, which will be impacted by the changes to
incorporate the dairy farm chain into the ISMS.
C He has regular liaisons with all divisions within Equitable Products so has experience of working across the
whole organization.
D He is responsible for the day-to-day management of IT Services’ operations and the monitoring of the ISMS.
E He has both the technical and business knowledge required to mediate with all management parties when
conflict arises.
4 Which 2 statements BEST explain why the Head of the Food Processing Division would be appropriate as a
member of the Information Security Committee?
A He is keen to pass on his views on the operation of an ISMS based on personal perspective.
B All of Equitable Products’ merchandise is produced by the Food Processing Division.
C He has overall responsibility for the tracking of information from the purchase of raw materials to delivery.
D He is the line manager for the Food Processing Division.
E He has the lead responsibility for the information security requirements of the ‘field-to-plate’ project.
5 Which 2 persons would NOT be classified as stakeholders within the ISMS, according to ISO/IEC 27003?
A The CEO of a chain intending to contract with Equitable Products.
B The Chief Financial Officer of Equitable Products.
C The Facilities Manager for the site where the bulk foodstuffs are stored.
D A competitor to Equitable Products.
E Equitable Products’ internal Legal Advisor.

Syllabus Area Question Number Part Marks
Leadership and Roles 2 D 4

Answer the following questions about the use of controls within the ISMS.

Remember to select 2 answers to each question.

1 During a routine maintenance of the car park within the Equitable Products' site, contractors severed some
cables. This caused a failure of the external network connection to Equitable Products’ internet service provider
and the power to the main server.

The Director of Information Security needs to select control measures to protect against recurrence of this
incident.

Which 2 controls, if applied, would MOST likely protect against recurrence of this incident?
A Security of equipment and assets off-premises.
B Security of network services.
C Cabling security.
D Network control.
E Supporting utilities.
2 Equitable Products employ a cleaning contractor to empty their waste baskets and to clean the offices during
the evening once the employees have finished their daily work. One of the cleaners was found to be accessing
one of the computers and hard-copy lists of access passwords in the Marketing department.

The Director of Information Security needs to select control measures to protect against recurrence of this incident.

Which 2 controls, if applied, would MOST likely protect against recurrence of this incident?
A Physical entry controls.
B Clear desk policy.
C Unattended user equipment.
D Working in secure areas.
E Securing offices, rooms and facilities.

3 The Equitable Products' Sales Director has issued two of his new staff with laptops to record their sales
contacts and progress in the sales process. This information is used in the management of a sales delivery
process including key account details. Neither of the two new laptops has been installed with company
software or configured to enable connection to the network. One of the laptops has been infected by a virus.

The Director of Information Security has discovered this situation and needs to select control measures to
manage this incident.

Which 2 controls, if applied, would MOST likely address this situation?
A Controls against malware.
B Clock synchronisation.
C Network controls.
D Access control policy.
E Information backup.
4 The Head of Equitable Products’ Marketing Division has been given authorization to develop a mobile
application to allow the viewing of real-time information on the food processing operations. This application will
be installed on the smart-phones issued to all division heads and managers. During the development cycle, the
contractors managing the application development have identified additional information security functionality
that needs to be included in the application.

The Marketing Director is concerned that he selects the most appropriate controls to manage the current
variation in the application development and similar future changes.

Which 2 controls, if applied, would MOST likely address the Marketing Director’s concerns?
A System change control procedures.
B Addressing security within supplier agreements.
C Change management.
D System security testing.
E Protection of test data.

Syllabus Area Question Number Part Marks
Leadership and Roles 2 E 5

A recent information security incident occurred where there was the loss of the food products
between the Equitable Products' factory and a restaurant.

The root cause of the loss of the food has been identified as a dismissed worker gaining access to the
loading bay and removing two boxes of food products from the vehicle destined for the restaurant.
Access was gained using his electronic swipe card, which he retained following his dismissal. His
vehicle was driven to the loading bay during a routine rest break.

Within the organization, the Director of Human Resources is responsible for the termination of
employment.

The Director of Information Management, as the asset owner, is responsible for the management of
access privileges for all workers within the defined and controlled secure area of the loading bay.

Lines 1 to 5 in the table below consist of an assertion statement and a reason statement. For each line identify
the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not
at all.

Option Assertion Reason
A True True AND the reason explains the assertion
B True True BUT the reason does not explain the assertion
C True False
D False True
E False False
Assertion Reason
1 The worker’s termination of employment was NOT correctly completed by the Director of Information Management. BECAUSE Asset owners shall review user access rights at regular intervals.
2 The loss of food should trigger a review of the termination of other dismissed workers’ access privileges. BECAUSE Knowledge gained from resolving information security incidents shall be used to reduce the likelihood of future incidents.
3 It is NOT appropriate to classify the loss of the boxes of food as an information security incident. BECAUSE Information security events are only classified as information security incidents if there is unauthorized access to an organization’s systems and applications.
4 It was appropriate to leave the worker’s swipe card active after the dismissal. BECAUSE Reviewing user access rights shall be done at regular intervals.
5 Temporary removal of access privileges to the loading bay should be made for all loading bay workers after the information security incident. BECAUSE Access privileges for all workers shall be removed when an information security incident occurs.

Question Number 3
Syllabus Area Operational Systems, Measurement and Incidents

Syllabus Area Question Number Part Marks
Operational Systems, Measurement and Incidents 3 A 4

Answer the following questions about ISMS performance measurement, monitoring and evaluation.

Remember to select 2 answers to each question.


1 Which 2 aspects of an organization’s ISMS are required to be evaluated?
A Evidence of the top management contribution.
B Established risk assessment criteria.
C Information security management process performance.
D Assignment of skilled resources.
E Information security process effectiveness.
2 Which 2 elements of monitoring and measurement are NOT required to be determined?
A Where the monitoring and measuring shall be performed.
B When the monitoring and measuring shall be performed.
C Why the monitoring and measuring shall be performed.
D When the results from monitoring and measurement shall be used.
E Who shall analyse and evaluate the results.
3 Which 2 methods are likely to be determined according to ISO/IEC 27001?
A Process control.
B Documentation.
C Monitoring.
D Corrective action.
E Analysis.
4 Which 2 statements describe items that the access control system must monitor as a user logs into an IT
system?
A The length of the password.
B The date the password was last changed.
C The date the user last logged in.
D The complexity of the password.
E The password characters to display on-screen.

Syllabus Area Question Number Part Marks
Operational Systems, Measurement and Incidents 3 B 6

Answer the following question about an information security event.

A director has had their laptop bag stolen. Although the laptop was encrypted, the director’s bag also
contained paper documents describing commercial details and dairy farm animal welfare information.

Column 1 is a list of actions relating to the theft. Column 2 is a list of the information security incident management
controls from Annex A of ISO/IEC 27001. For each action in Column 1, select from Column 2 the security incident
management control where these actions would be applied. Each selection from Column 2 can be used once,
more than once or not at all.
Column 1
1 The director immediately informs the local police of the theft.
2 The police report that this event may have been a targeted theft by animal rights protestors.
3 Travelling directors are immediately provided with encrypted tablet PCs to use in place of paper documents.
4 As the stolen items included sensitive paper documents, the Chief Information Officer assigns an Information Security Officer to begin formal investigation of the episode.
5 The Chief Information Officer briefs site security guards, all dairy farm staff and transport contractors about the need for extra vigilance for strangers or unexpected behaviour.
6 Media handling risks are reassessed with revised probability and impact values related to this type of event.

Column 2
A Responsibilities and procedures
B Reporting information security events
C Reporting information security weaknesses
D Assessment of and decision on information security events
E Response to information security incidents
F Learning from information security incidents
G Collection of evidence

Syllabus Area Question Number Part Marks
Operational Systems, Measurement and Incidents 3 C 6

Answer the following question related to the steps to return to normal operations.

A local power supply surge has occurred at Equitable Products’ shared IT data centre. Servers and
network equipment were protected and continued to operate. Air conditioning units were not
protected and failed.

Environmental temperatures increased rapidly, exceeding server safe operating temperatures. A
cascade of remote server monitoring alerts was raised as all servers rapidly shut themselves down in
an uncontrolled sequence.

This event has triggered a major information security incident as no shared IT services are
operational. Business operations, particularly customers’ ‘just in time’ re-ordering and delivery, are
unable to continue. The Disaster Recovery Plan mandates a return-to-service target of five hours for
this time-critical function.

Lines 1 to 6 in the table below consist of an assertion statement and a reason statement. For each line identify
the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not
at all.

Option Assertion Reason
A True True AND the reason explains the assertion
B True True BUT the reason does not explain the assertion
C True False
D False True
E False False
Assertion Reason
1 The recovery team should attempt to restore normal operating temperatures rapidly without opening the external data centre doors. BECAUSE During adverse conditions, physical security controls of designated ‘secure areas’ must always remain the same as normal operating conditions.
2 Heat-damaged server disks that failed to power on again should be removed for later physical destruction. BECAUSE Achievement of the return-to-service target is enabled by fitting spare components.
3 Asset tags should be removed from the failed disks and transferred to the replacement disks. BECAUSE The asset owner must ensure that the asset inventory is maintained as a record of the assets in use.
4 As each server is recovered, it must be configured to use the network time protocol. BECAUSE Accurate logging of user and system events requires all system components to operate with a synchronised time reference.
5 The recovery team should document alternative information security controls which were implemented to achieve a five hour return to service. BECAUSE Compensating controls for information security controls that cannot be maintained during an adverse situation should be documented.
6 No further action needs to be taken following successful restoration of services. BECAUSE No further action is required if the processes carried out are effective.

Syllabus Area Question Number Part Marks
Operational Systems, Measurement and Incidents 3 D 4

Using the additional information provided for this question in the Scenario Booklet, answer the
following questions about managing incidents. Decide whether the actions suggested are appropriate, and
select the response that supports your decision.

1 The researcher has offered to encrypt and electronically transfer a representative sample of the recovered data
to the Chief Information Officer for validation.

Should the electronic transfer of sample files be authorized?
A No, because the transferred samples may contain malware.
B No, because the device itself should be acquired for forensic analysis as a priority.
C Yes, because encryption of the sample data before transfer will ensure confidentiality of the data.
D Yes, because encryption will prevent the transfer of malware.
2 The representative sample data from the device has been validated as publicly available information. No
personally identifiable information is included. The source of the information, (the original device owner), is still
unknown. Thinking about this event and the potential legal, regulatory and reputational risks, the Chief
Information Officer has initiated incident management.

Is it appropriate for the Chief Information Officer to report internally that the potential impact of the incident can
be contained?
A No, because the impact of the incident can only be reported following a full review of the recoverable data
on the USB memory stick.
B No, because a non-disclosure agreement with the researcher can only be used before the information is
accessed.
C Yes, because Equitable Products’ legal counsel can caution the researcher that it is an offence to publish
details about the data without having authorization.
D Yes, because information security requirements can be negotiated with the researcher and documented in
an agreement to restrict what can be published.

3 The recovered device has an Equitable Products asset number. A full review of the recoverable data confirms
that it was used to store only publicly available information.

As there is no disclosure of confidential or sensitive information, should the incident be closed?
A No, because further investigation is needed to identify how and why control of this removable media asset
has failed.
B No, because the information should be made unrecoverable as the final action enabling the incident to be
closed.
C Yes, because control of removable media assets only applies to storage of confidential or sensitive
information.
D Yes, because there is no reputational risk from the researcher publishing that he has found publicly-
available information.
4 The last user of the device deleted the files just before losing the device at a conference. As the information had
been deleted, and the USB memory stick was cheaply replaced, she did not think that the loss needed to be
reported.

Should follow-up action with the user be taken?
A No, because the device was easily replaced at low cost without incurring the time and effort of an
investigation.
B No, because the information on the device was deleted so no important business information was lost.
C Yes, because this user’s action on more sensitive information may risk disclosure.
D Yes, because the replacement device may have contained malware.

Question Number 4
Syllabus Area Audit and Management Review

Syllabus Area Question Number Part Marks
Audit and Management Review 4 A 6

Answer the following questions about internal audit and management reviews.

1 Which action is taken towards the end of an internal audit?
A Advise the Certification Board of the outcome of the internal audit.
B Identify the processes to be included in the next internal audit.
C Store and protect the internal audit results.
D Issue a certificate when the internal audit is complete and successful.
2 Which activity is performed as part of Management review?
A Eliminating the cause of non-conformance.
B Dealing with the consequences of non-conformance.
C Determining the cause of non-conformance.
D Identifying opportunities for continual improvement.
3 Which action is required by the organization to prepare for an internal audit?
A Define the scope of the audit.
B Identify opportunities for continual improvement.
C Document external concerns.
D Update the ISMS.
4 When shall there be an independent review of the organization’s approach to information security management?
A At each management review.
B At each audit.
C As part of continuous improvement.
D At planned intervals.
5 In which compliance control should legal advice be taken in relation to jurisdictional borders and compliance
with relevant legislation?
A Protection of records.
B Regulation of cryptographic controls.
C Independent review of information security.
D Technical compliance review.

6 Which topic is NOT required to be considered during a Management Review?
A The importance of the processes.
B Changes in external issues.
C Status of actions from previous reviews.
D Trends from risk assessments.

Syllabus Area Question Number Part Marks
Audit and Management Review 4 B 5

Using the additional information provided for this question in the Scenario Booklet, answer the following
questions about information sharing.

Remember to select 2 answers to each question.
1 Which 2 implementation elements from asset management controls are MOST appropriate to help avoid
incorrect price lists being sent to customers?
A Emails which include price lists should be digitally signed.
B Price lists should be labelled in accordance with a defined classification scheme.
C Owners of price lists should be accountable for their classification.
D Any information sharing agreement should include information on the classification of price lists.
E Review the marketing teams’ access rights to price sensitive data.
2 Which 2 controls should be considered when reviewing the authenticity issue to MOST appropriately address
it?
A Requirements for electronic signatures.
B Protection against the receipt of unsolicited emails.
C Access to instant messaging.
D Message verification codes.
E Protection against malware.
3 Which 2 items should be considered when developing a policy to avoid disclosure of information when
unintended recipients receive emails?
A Enforcement of password changes.
B Limiting the information contained in outputs.
C The impact that encryption has on content inspection controls.
D Message authentication codes.
E The standards to be adopted to implement encryption.
4 Which 2 responsibilities are required to be defined in an information transfer agreement about providing price
information by email to a supermarket?
A Availability of the service.
B Capacity management.
C Controlling receipt.
D User authentication management.
E Liability for data loss.

5 The control of which 2 items should be improved to help prevent future similar occurrences of inappropriate
sharing of product pricing information by email?
A Interception.
B Non-repudiation.
C Forwarding.
D Attachments.
E Incident management.

Syllabus Area Question Number Part Marks
Audit and Management Review 4 C 4

Following the recent introduction of RFID microchip tags on the restaurant cook/chill products, an audit
has recommended that a non-disclosure agreement should be signed by any third party organization
before electronic data is exchanged.

The Chief Information Officer has agreed with this proposal and decided that all non-disclosure
agreements will be reviewed every 12 months.

Decide whether the actions suggested are appropriate, and select the response that supports your decision.
1 Should public domain information about the intellectual property rights relating to the RFID tags be included in
the non-disclosure agreement for the restaurants?
A No, because non-disclosure agreements with the restaurants are required to use standard wording.
B No, because public domain information relating to intellectual property rights is NOT confidential
information.
C Yes, because non-disclosure agreements with the restaurants should include relevant information about
intellectual property.
D Yes, because the use of RFID tags by the restaurants may need to be audited.
2 Should the non-disclosure agreement for the restaurants have a duration of only one year?
A No, because a duration of three months is required to ensure changes in circumstance are not missed.
B No, because there is no need to restrict the non-disclosure agreement for a restaurant to a year.
C Yes, because some restaurants may have changed ownership within the year.
D Yes, because changes in the evolving RFID microchip technology may change the information to be
shared.
3 Should consideration be given to what the supermarket must do to avoid breaching the agreement when
drafting their non-disclosure agreement?
A No, because the supermarket can handle the information however it wishes.
B No, because if information is disclosed it is for the relevant authority to decide if it was handled properly.
C Yes, because if information is disclosed the relevant authority can only enforce an agreement if they know
how the information should have been protected.
D Yes, because the actions needed to avoid unauthorized disclosure by the supermarket should be
identified.
4 Is it appropriate for staff in the marketing division to also sign non-disclosure agreements?
A No, because non-disclosure agreements are applicable to third parties.
B No, because marketing staff need to disclose confidential information as part of their job.
C Yes, because a non-disclosure agreement may also define when information can be disclosed.
D Yes, because all interested parties should sign non-disclosure agreements.

Syllabus Area Question Number Part Marks
Audit and Management Review 4 D 5

A recent management review has identified an increasing failure of some of the dairy farms to disclose
the use of antibiotics voluntarily.

It has also been recorded that a change in legislation is due to come into force in six months. This
change requires that dairy products used in processed meals supplied to schools must come from
designated herds. Such products should also be antibiotic free during the three-month period prior
to milk production use.

There will be significant financial penalties for non-compliance.

It will be necessary for the information about the source, use of antibiotics and dairy products used in
such meals to be made available on a ‘field-to-plate’ application. This will be accessible via a web-site
and retained for a period of three years. A contract for the provision of the application and web-site
hosting will be signed with a specialist provider.

Lines 1 to 5 in the table below consist of an assertion statement and a reason statement. For each line identify
the appropriate option, from options A to E, that applies. Each option can be used once, more than once or not
at all.

Option Assertion Reason
A True True AND the reason explains the assertion
B True True BUT the reason does not explain the assertion
C True False
D False True
E False False

Assertion Reason
1 User acceptance testing of the web-site should use realistic data for the ‘field-to-plate’ application. BECAUSE User acceptance testing in the operational environment should be performed in a way that will expose any vulnerabilities.
2 The addition of the web-site should trigger an information security risk assessment. BECAUSE Contractors should be required to report any observed information security weaknesses in systems or services.
3 Dairy farm supplier agreements should be reviewed and updated with any new legal requirements for electronic disclosure of the administration of antibiotics. BECAUSE The information to be provided should be documented in supplier agreements to ensure legal obligations are met.
4 The need to retain the web-site data for three years should NOT require review or change to information security policies. BECAUSE Data retention will be documented in a web-hosting provider’s agreement as a compliance control.
5 It is appropriate for the web-site supplier agreement to require an independent Penetration Test of the website. BECAUSE An organization’s management are responsible for the effectiveness of information security controls.

The Practitioner Examination
Marking Scheme

Note: For Multiple Response (MR) questions, 1 point is scored if and only if all correct options are selected. Otherwise 0 points are scored.

Exam Paper: GB-SX01-1.1

Question Part Type Response A B C D E F G H I
1 (PL) A MR 1 0 1 0 1 0
2 1 0 1 0 0
3 0 0 1 0 1
4 0 1 0 0 1
B MG 1 0 1 0 0 0
2 0 0 1 0 0
3 1 0 0 0 0
4 0 0 0 1 0
5 1 0 0 0 0
C MG 1 0 1 0 0 0
2 0 1 0 0 0
3 0 0 0 0 1
4 1 0 0 0 0
5 0 0 1 0 0
D AR 1 0 1 0 0 0
2 0 0 1 0 0
3 1 0 0 0 0
4 1 0 0 0 0
5 0 0 1 0 0
6 0 0 0 1 0

Question Part Type Response A B C D E F G H I


2 (LE) A MG 1 1 0 0 0
2 0 1 0 0
3 0 0 0 1
B CL 1 0 1 0 0
2 0 1 0 0
3 1 0 0 0
C MR 1 1 1 0 0 0
2 0 1 0 0 1
3 0 0 1 0 1
4 0 0 1 0 1
5 1 0 0 1 0
D MR 1 0 0 1 0 1
2 0 1 1 0 0
3 1 0 0 0 1
4 1 0 0 1 0
E AR 1 0 1 0 0 0
2 1 0 0 0 0
3 0 0 0 0 1
4 0 0 0 1 0
5 0 0 0 0 1
Question Part Type Response A B C D E F G H I
3 (OS) A MR 1 0 0 1 0 1
2 1 0 1 0 0
3 0 0 1 0 1
4 0 1 1 0 0
B MG 1 0 1 0 0 0 0 0
2 0 0 0 0 0 0 1
3 0 0 0 0 1 0 0
4 0 0 0 1 0 0 0
5 0 0 0 0 1 0 0
6 0 0 0 0 0 1 0
C AR 1 0 0 1 0 0
2 0 1 0 0 0
3 0 0 0 1 0
4 1 0 0 0 0
5 0 1 0 0 0
6 0 0 0 0 1
D CL 1 0 0 1 0
2 0 0 0 1
3 1 0 0 0
4 0 0 1 0

Question Part Type Response A B C D E F G H I


4 (AR) A CL 1 0 0 1 0
2 0 0 0 1
3 1 0 0 0
4 0 0 0 1
5 0 1 0 0
6 1 0 0 0
B MR 1 0 1 0 0 1
2 1 0 0 1 0
3 0 0 1 0 1
4 0 0 1 0 1
5 0 0 1 1 0
C CL 1 0 0 1 0
2 0 1 0 0
3 0 0 0 1
4 0 0 1 0
D AR 1 0 0 1 0 0
2 0 1 0 0 0
3 1 0 0 0 0
4 0 0 0 1 0
5 1 0 0 0 0
The Practitioner Examination

Rationale

Exam Paper: GB-SX01-1.1


Question: 1, Syllabus: PL, Part: A, Type: MR, SyllabusRef: PL0201, Level: 2
1 A Incorrect: The acceptable level of any loss of financial value should be defined within a
range of values as part of the risk acceptance criteria. (ISO 27005, 7.2.4)
B Correct: The operational and business importance on availability, confidentiality and
integrity is one of the areas that should be considered when developing the risk
evaluation criteria for evaluating an organization’s information security risks.
(ISO 27005, 7.2.2)
C Incorrect: The amount of damage caused by disruption of plans and deadlines is an area
that should be considered when defining impact criteria. (ISO 27005, 7.2.3)
D Correct: The negative consequences for goodwill and reputation are areas that should be
considered when developing the risk evaluation criteria for evaluating an
organization’s information security risks. (ISO 27005, 7.2.2)
E Incorrect: Risk acceptance criteria may include requirements for further additional
treatment, e.g. a risk may be accepted if there is approval and commitment to
take action to reduce it to an acceptable level within a defined time period. The
time it will take is not a required evaluation criterion. (ISO 27005, 7.2.4)
2 A Correct: Impact criteria should be developed and specified in terms of the degree of
damage or costs to the organization caused by an information security event
resulting in disruption to plans and deadlines. (ISO 27005, 7.2.3)
B Incorrect: The importance of availability to operations should be considered when
developing the risk evaluation criteria for evaluating an organization’s
information security risks. (ISO 27005, 7.2.2)
C Correct: Impact criteria should be developed and specified in terms of the degree of
damage or costs to the organization caused by an information security event
should there be a breach of legal, regulatory or contractual requirements. (ISO
27005, 7.2.3)
D Incorrect: The criticality of the information assets involved should be considered when
developing the risk evaluation criteria for evaluating an organization’s
information security risks. (ISO 27005, 7.2.2)
E Incorrect: Risk acceptance criteria may be expressed as the ratio of estimated profit to
the estimated risk. This defines a usage of the impact assessment. (ISO 27005,
7.2.4)
3 A Incorrect: Impact criteria should be developed and specified in terms of the degree of
damage or costs to the organization caused by an information security event
should there be a breach of legal, regulatory or contractual requirements. (ISO
27005, 7.2.3)
B Incorrect: The escalation path is defined as part of the organization information security
risk management responsibilities, and should NOT be considered when
developing the risk acceptance criteria. (ISO 27005, 7.4)
C Correct: Risk acceptance criteria may include multiple thresholds, with a desired target
level of risk, but provision for senior managers to accept risks above this level
under defined circumstances. (ISO 27005, 7.2.4)
D Incorrect: The information security risk management records required to be kept are part
of the management of information security risks to demonstrate adherence to
the process, and should NOT be considered when developing the risk
acceptance criteria. (ISO 27005, 7.4)
E Correct: Risk acceptance criteria may be expressed as the ratio of estimated profit to
the estimated risk. This defines a usage of the impact assessment. (ISO 27005,
7.2.4)
4 A Incorrect: The risk acceptance decision escalation paths are defined as a main role and
responsibility for an organization during the set up of the information security
management risk process. There is no requirement to consider this when
defining the scope and boundaries. (ISO 27005, 7.4)
B Correct: The legal, regulatory and contractual requirements should be considered when
defining the scope and boundaries of information security risk management.
(ISO 27005, 7.3)
C Incorrect: The estimated cost caused by a breach of contract is produced during the risk
identification when the identification of consequences of a risk is made. (ISO
27005, 8.2.6)
D Incorrect: The four options are used to treat risks once the risk assessment is satisfactory.
This is part of the information security management risk process which is
produced once the scope and boundaries of information security risk
management is known. (ISO 27005, 9.1)
E Correct: The business processes should be considered when defining the scope and
boundaries of information security risk management. (ISO 27005, 7.3)

Question: 1, Syllabus: PL, Part: B, Type: MG, SyllabusRef: PL0301, Level: 3


1 Correct [B]: A threat has the potential to harm assets (such as information, processes and
systems) and therefore the organization. Disruption by activists may affect more
than one asset. (ISO 27005, 8.2.3)
2 Correct [C]: Physical entry controls is an existing control set up in the dairy farm site. (ISO
27005, 8.2.4; ISO 27001, A.11.1.2)
3 Correct [A]: An asset is anything that has value to the organization and therefore requires
protection. The RFID tags on the cattle are a form of data medium asset. (ISO
27005, 8.2.2, B.1.2)
4 Correct [D]: Vulnerabilities that can be exploited by threats to cause harm to assets or to the
organization should be identified. An incorrectly implemented control can itself be
a vulnerability, i.e. the anti-virus software is the control, but it is weak because
updates have not been applied. (ISO 27005, 8.2.5)
5 Correct [A]: An asset is anything that has value to the organization and therefore requires
protection. Business processes, whose loss or degradation make it impossible to
carry out the mission of the organization, are a primary asset. (ISO 27005, 8.2.2,
B.1.1)

Question: 1, Syllabus: PL, Part: C, Type: MG, SyllabusRef: PL0303, Level: 2


1 Correct [B]: The activity which gives rise to the risk of not adhering to the EF IS policy is modified
by the activity being audited. It is NOT avoidance because the activity is still
continuing in the same way. It is NOT sharing because responsibility for the risk
has not changed. (ISO 27005, 9.2)
2 Correct [B]: The level of risk is being managed by introducing the Information security
awareness, education and training control. This is modifying the risk, although it is
unlikely that this risk treatment will result in the risk being reassessed as
acceptable. (ISO 27005, 9.2; ISO 27001, A.7.2.2)
3 Correct [E]: The level of risk is being managed by introducing the Addressing security within
supplier agreements control. This is sharing the risk with another party that can
most effectively manage the particular risk. (ISO 27005, 9.5; ISO 27001, A.15.1.2)
4 Correct [A]: The Outsourced development control is not relevant to the stated risk on problem
management of ’off the shelf’ standard components. (ISO 27001, A.14.2.7)
5 Correct [C]: A decision to take no action is a risk retention option. A decision to choose this
option will depend on risk evaluation. (ISO 27005, 9.3)
Question: 1, Syllabus: PL, Part: D, Type: AR, SyllabusRef: PL0405 PL0406 PL0407, Level: 4
1 Assertion True: During the identification of the existing controls step, a check should be made
  to ensure that the existing controls are working correctly. (ISO 27005, 8.2.4)
  Reason True: At a lower level, the IS policy should be supported by topic-specific policies
  which further mandate the implementation of IS controls. They are typically structured to
  address the needs of certain target groups within an organization or to cover certain
  topics. The answer is B, because the dairy farm chains’ IS policies are reviewed to
  determine if they should be removed, replaced or stay in place as a detailed policy.
  (ISO 27001, A.5.1.1; ISO 27002, 5.1.1; ISO 27005, 8.2.4)
2 Assertion True: The set of policies for information security should be published and
  communicated to employees and relevant external parties. (ISO 27001, A.5.1.1)
  Reason False: The policies for information security have a wider audience than just internal
  employees. Relevant external parties should be included also. (ISO 27001, A.5.1.1)
3 Assertion True: It is correct that the contact with authorities should be maintained using
  the contact with authorities control. (ISO 27001, A.6.1.3)
  Reason True: It is correct that appropriate contacts with relevant authorities shall be
  maintained using the contact with authorities control. (ISO 27001, A.6.1.3) The answer is A
  because the reason explains the assertion in that both relate to updating contacts in the
  relevant authorities control.
4 Assertion True: This relates to the control on terms and conditions of employment. The
  contractual agreements with employees and contractors shall state their and the
  organization’s responsibilities for information security. (ISO 27001, A.7.1.2)
  Reason True: This relates to the management responsibilities control, as management shall
  require all employees and contractors to apply information security. The answer is A,
  because the contracts are the device used to ensure that management’s responsibilities are
  transferred and communicated (delegation and binding responsibilities). (ISO 27001, A.7.2.1)
5 Assertion True: Access to systems over a public network would be identified as a key
  vulnerability during risk identification and reviewed during risk analysis. The IS
  requirements and associated processes should be identified and integrated in the early
  stages of IS projects as part of the information security requirements analysis and
  specification control. (ISO 27005, 8.2.5, 8.3.2; ISO 27001, A.14.1.1; ISO 27002, 14.1.1)
  Reason False: Applications which are accessible via public networks require detailed risk
  assessments and the proper selection of controls. There is no requirement to prevent
  access until the risk assessment has been completed. (ISO 27001, A.14.1.2; ISO 27002, 14.1.2)
6 Assertion False: The IS requirements should be identified using various methods such as
  deriving compliance requirements from policies and regulations, threat modelling, incident
  reviews or use of vulnerability thresholds. (ISO 27001, A.14.1.1; ISO 27002, 14.1.1)
  Reason True: Information security requirements should consider the required protection
  needs of the assets involved, in particular regarding availability, confidentiality and
  integrity. (ISO 27001, A.14.1.1; ISO 27002, 14.1.1)

Question: 2, Syllabus: LE, Part: A, Type: MG, SyllabusRef: LE0202 LE0203 LE0204, Level: 2
1 Correct [A]: Supporting other relevant management roles to demonstrate their leadership as it
applies to their areas of responsibility is given within the Leadership and
commitment clause. (ISO 27001, 5.1.h)
2 Correct [B]: Providing a framework for setting information security management objectives is
an activity within the Policy clause. (ISO 27001, 5.2 b)
3 Correct [D]: Integrating the actions to address risks and opportunities into an organization’s
information security management system is an activity within the Planning actions
clause to address risks and opportunities. (ISO 27001, 6.1.1.e.1)

Question: 2, Syllabus: LE, Part: B, Type: CL, SyllabusRef: LE0206 LE0207 LE0208, Level: 2
1 A Incorrect: The policies for information security shall be reviewed at planned intervals to
ensure their continuing suitability. (ISO 27001, 5.2.a, A.5.1.2)
B Correct: The policies for information security shall be appropriate to the purpose of the
organization. It is for the organization to decide the level of detail required,
therefore an ISMS is not required to be comprehensive. (ISO 27001, 5.2.a,
A.5.1.2)
C Incorrect: The policies for information security shall be reviewed at planned intervals to
ensure their adequacy. (ISO 27001, 5.2.a, A.5.1.2)
D Incorrect: The policies for information security shall be reviewed at planned intervals to
ensure their effectiveness. (ISO 27001, 5.2.c, A.5.1.2)
2 A Incorrect: The organization should ensure its staff have the required competency to deliver
the scope of the ISMS. (ISO 27001, 7.2.a and b).
B Correct: The extent of documented information determined by the organization as being
necessary for the effectiveness of the ISMS may vary due to the competence of
persons. (ISO 27001, 7.5.1(3)).
C Incorrect: The competency of staff is not a matter which is identified by the standard that
should affect the frequency of review. (ISO 27001, 9.1).
D Incorrect: The boundaries of the ISMS will determine its scope but competency of staff is
not a matter for consideration. (ISO 27001, 4.3).
3 A Correct: Management should explicitly identify the role with overall responsibility for
managing information security, usually the CISO. (ISO 27003, 5.3.2)
B Incorrect: In a smaller organization, several roles may be carried out by the same person.
(ISO 27003, 5.3.2)
C Incorrect: Each employee is equally responsible for his or her original task and for
maintaining information security in the workplace and in the organization. (ISO
27003, 5.3.2)
D Incorrect: Staff should be assigned roles and responsibilities based on the skill required to
perform the job. There is no requirement for an audit department to be involved.
(ISO 27003, 5.3.2)
Question: 2, Syllabus: LE, Part: C, Type: MR, SyllabusRef: LE0301, Level: 3
1 A Correct: Vision and strategic decision-making are responsibilities for Senior
Management. (ISO 27003, Annex B.1 – Senior Management)
B Correct: Vision and strategic decision-making are responsibilities for Senior
Management. (ISO 27003, Annex B.1 – Senior Management)
C Incorrect: Operational detail does not demonstrate the required characteristics of vision
and strategic decision-making. (ISO 27003, Annex B.1 – Senior Management)
D Incorrect: System development is not a responsibility of Senior Management. It is a
responsibility of the System Developer. (ISO 27003, Annex B.1 – System
Developer)
E Incorrect: Length of employment is not relevant to the responsibilities of Senior
Management. (ISO 27003, Annex B.1 – Senior Management)
2 A Incorrect: Reporting lines are not relevant to the responsibilities of an Auditor. (ISO 27003,
Annex B.1 – Auditor)
B Correct: Assessing the ISMS is one of the responsibilities for an Auditor. (ISO 27003,
Annex B.1 – Auditor). Having appropriate competence to assess conformance
to ISO/IEC 27001 would be needed. (ISO 27001, 7.2 b)
C Incorrect: Governance for information security is not a responsibility of an Auditor. It is a
responsibility of the Chief Information Security Officer. (ISO 27003, Annex B.1 –
Auditor / Chief Information Security Officer)
D Incorrect: Working across departments is not a responsibility of an Auditor. It is a
responsibility of the Information Security Planning Team. (ISO 27003, Annex B.1
– Auditor / Information Security Planning Team)
E Correct: Evaluating the ISMS is one of the responsibilities for an Auditor. (ISO 27003,
Annex B.1 – Auditor)
3 A Incorrect: Being keen to expand and be at the forefront of technology is not a required
characteristic for a member of the Information Security Planning Team. (ISO
27003, Annex B.1 – Senior Management)
B Incorrect: Top responsibility for an organizational function is a line management
responsibility. It is not a required characteristic for a member of the Information
Security Planning Team. (ISO 27003, Annex B.1 – Line Management)
C Correct: Working across departments is one of the responsibilities for a member of the
Information Security Planning Team. (ISO 27003, Annex B.1 – Information
Security Planning Team)
D Incorrect: Top responsibility for an organizational function is a line management
responsibility. It is not a required characteristic for a member of the Information
Security Planning Team. (ISO 27003, Annex B.1 – Line Management)
E Correct: Resolving conflict is one of the responsibilities for a member of the Information
Security Planning Team. (ISO 27003, Annex B.1 – Information Security Planning
Team)
4 A Incorrect: Previous experience and motivation of an individual are not suitable reasons for
the appointment to the Information Security Committee. (ISO 27003, Annex B.1
– Information Security Committee)
B Incorrect: Those producing the products within the company are represented by the Line
Managers. However, there is no specific reason why they should be part of the
Information Security Committee. (ISO 27003, Annex B.1 – Line Managers /
Information Security Committee)
C Correct: Handling of information assets is one of the responsibilities for a member of the
Information Security Committee. (ISO 27003, Annex B.1 – Information Security
Committee)
D Incorrect: The Line Managers are responsible for the business needs, but there is no
specific reason why they should be part of the Information Security Committee.
(ISO 27003, Annex B.1 – Line Managers / Information Security Committee)
E Correct: A leading role for the ISMS is one of the responsibilities for a member of the
Information Security Committee. Therefore, as he has the lead responsibility for
information security requirements of the ‘field-to-plate’ project it is appropriate
for him to be a member of the Information Security Committee. (ISO 27003,
Annex B.1 – Information Security Committee)
5 A Correct: The CEO of a supermarket chain which is not contracted to Equitable Products
cannot be a Stakeholder. This is because he cannot be affected by any
decisions or activities made by Equitable Products in relation to Equitable
Products’ information security. (ISO 27003, Annex B.1 – Stakeholders)
B Incorrect: The Chief Finance Officer is part of normal operations within the ISMS and is
considered to be a Stakeholder. (ISO 27003, Annex B.1 – Stakeholders / Local
IT or IS responsible)
C Incorrect: The persons responsible for physical security are part of normal operations and
are considered to be a Stakeholder. (ISO 27003, Annex B.1 – Stakeholders /
Physical Security)
D Correct: A competitor to Equitable Products cannot be a Stakeholder as it cannot be
affected by any decisions or activities made by Equitable Products in relation to
Equitable Products’ information security. (ISO 27003, Annex B.1 –
Stakeholders)
E Incorrect: The legal advisor is part of normal operations and is considered to be a
Stakeholder. (ISO 27003, Annex B.1 – Stakeholders / Legal Advisor)
Question: 2, Syllabus: LE, Part: D, Type: MR, SyllabusRef: LE0311 LE0312 LE0314, Level: 3
1 A Incorrect: The Security of equipment and assets off-premises control seeks to manage
portable equipment and assets that are taken off-site. (ISO 27001, A.11.2.6)
B Incorrect: The Security of network services control seeks to identify all network services for
inclusion in network service agreements. Network service agreements would not
resolve the loss of connection with the ISP as it was not caused by a failure of
either party. (ISO 27001, A.13.1.2)
C Correct: The Cabling security control seeks to protect power and communications cables
from interference or damage. This control would provide a resolution of this
incident. (ISO 27001, A.11.2.3)
D Incorrect: The control for Network control seeks to manage networks to protect information
in systems and applications. Neither of the systems or applications were
involved in this incident, so this control would not resolve this incident. (ISO
27001, A.13.1.1)
E Correct: The Supporting utilities control seeks to protect against power failure and other
disruptions caused by failures in supporting utilities, such as was evidenced in
the incident. This control would provide a resolution of this incident. (ISO 27001,
A.11.2.2)
2 A Incorrect: The control for Physical entry controls seeks to provide entry control to secure
areas for authorized personnel. The cleaner was an authorized person and use
of this control would prevent cleaning of this area, which is not a practical
solution. (ISO 27001, A.11.1.2)
B Correct: The Clear desk policy control seeks to provide a clean desk policy to ensure
that all papers, such as the hard-copy lists of access passwords, are not
available to unauthorised personnel. This control would provide a resolution of
this incident. (ISO 27001, A.11.2.9)
C Correct: The Unattended user equipment control seeks to protect unattended equipment,
such as the computer accessed by the cleaner. This control would provide a
resolution of this incident. (ISO 27001, A.11.2.8)
D Incorrect: The Working in secure areas control seeks to provide a procedure for working
in secure areas. Use of this control would prevent cleaning of this area, which is
not a practical solution. (ISO 27001, A.11.1.5)
E Incorrect: The Securing offices, rooms and facilities control seeks to provide physical
security for offices and rooms. Use of this control would prevent cleaning of this
area, which is not a practical solution. (ISO 27001, A.11.1.3)
3 A Correct: The Controls against malware control provides protection and recovery controls
against malware. The issued laptops have not been configured, so the
protection against malware is not implemented. This control would provide a
resolution of this incident. (ISO 27001, A.12.2.1)
B Incorrect: The Clock synchronisation control seeks to ensure that clocks of information
processing systems can be synchronised within the organization. As the two
laptops are used without connection to the network, there is no need for clock
synchronisation at this stage. This control would not provide a resolution of this
incident. (ISO 27001, A.12.4.4)
C Incorrect: The control for Network controls relates to the management and controls for the
protection in network systems. As the two laptops are used without connection
to the network, this control would not provide a resolution of this incident. (ISO
27001, A.13.1.1)
D Incorrect: The Access control policy control relates to the management of access based
on business and information security requirements. The users have a business
need for access to the application on the laptop. This control would not provide a
resolution of this incident. (ISO 27001, A.9.1.1)
E Correct: The Information backup control provides for backups to be taken of information
assets to protect against loss of data. The issued laptops have not been
configured, so the backup protection has not been implemented. This control
would provide a resolution of this incident by restoring the laptop to a situation
prior to the virus infection. (ISO 27001, A.12.3.1)
4 A Correct: The System change control procedures control provides for changes within the
development lifecycle to be controlled by the use of formalized procedure. This
would allow for Equitable Products and their contractors to manage the
application development project. This control would provide a resolution of this
situation. (ISO 27001, A.14.2.2)
B Incorrect: The Addressing security within supplier agreements control relates to
addressing security requirements between Equitable Products and their
suppliers in relation to the management of information. This control will not
manage the software changes or the testing process. This control would not
provide a resolution of this situation. (ISO 27001, A.15.1.2)
C Incorrect: The Change management control relates to operational changes in the
organization (Equitable Products), its business processes, information
processing facilities and systems. The application is still under development and
has not been deployed, therefore, this operational control would not apply to this
situation. This control would not provide a resolution of this situation. (ISO
27001, A.12.1.2)
D Correct: The System security testing control provides the testing of software during the
software development lifecycle. This would allow for Equitable Products and
their contractors to manage the testing process. This control would provide a
resolution of this situation. (ISO 27001, A.14.2.8)
E Incorrect: The Protection of test data control relates to the selection, protection and control
of test data. Although this control relates to test data, it does not manage the
testing of the software functionality required in the project. This control would not
provide a resolution of this situation. (ISO 27001, A.14.3.1)
Question: 2, Syllabus: LE, Part: E, Type: AR, SyllabusRef: LE0409 LE0411, Level: 4
1 Assertion True: The Director of Information Management had responsibility to control access
  privileges and they should have been revoked immediately on termination of employment.
  Therefore, the termination of employment was NOT completed correctly. (ISO 27001, A.9.2.6)
  Reason True: It is correct that the access rights of all employees and external party users
  to information and information processing facilities shall be reviewed at regular
  intervals. (ISO 27001, A.9.2.5) However, the reason the termination was not correctly
  completed was because access rights should be removed on termination of employment,
  contract or agreement. It should not be left until the next regular review. (ISO 27001,
  A.9.2.6) The answer is therefore B.
2 Assertion True: The loss should trigger a review of the termination of other dismissed
  workers’ access privileges. This will ensure a similar problem has not occurred, as
  knowledge gained from the incident should be used to reduce the likelihood of future
  incidents. (ISO 27001, A.16.1.6)
  Reason True: Knowledge gained from analysing and resolving information security incidents
  shall be used to reduce the likelihood or impact of future incidents. (ISO 27001, A.16.1.6)
  The reason directly explains the assertion because the review would be held in order to
  learn from the information security incident. Therefore, the answer is A.
3 Assertion False: Loss of food should be classified as an information security incident
  because there is a requirement to track all deliveries, and as such a loss will have an
  impact on invoicing and stock control. (ISO 27001, A.16.1.2)
  Reason False: Information security events are classified as information security incidents
  for any unauthorized access, such as to secure areas. It does not only apply to an
  organization’s systems and applications. (ISO 27001, A.16.1.2)
4 Assertion False: The dismissed worker’s access rights to the loading bay shall be removed
  immediately on termination of their employment. (ISO 27001, A.9.2.6)
  Reason True: Asset owners are required to review access rights on a regular basis. (ISO
  27001, A.9.2.5)
5 Assertion False: Removing the access privileges to the loading bay of all workers would be
  inconsistent with the allocation and use of the access privileges. Such an action would
  result in the loading bay ceasing to operate. (ISO 27001, A.9.2.3)
  Reason False: Access privileges are removed on termination of employment, contract or
  agreement. This does not happen when an information security incident occurs. (ISO 27001,
  A.9.2.6)
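The leaver scenario above turns on one check: every access right of a terminated worker (a door badge as much as a system account) must be disabled at termination, not at the next periodic review. The following is an added example, not part of the exam paper, of the reconciliation a practitioner would run between HR leaver records and the access-rights registers to catch that failure. The record layouts and the sample data are constructed for illustration.

```python
"""Added example: reconcile HR leaver records against access rights still enabled
(ISO/IEC 27001:2013 A.9.2.6). Not part of the exam paper; all data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Leaver:
    user_id: str
    termination_date: date


@dataclass(frozen=True)
class AccessRight:
    user_id: str
    system: str                 # e.g. "loading-bay-door", "erp"
    enabled: bool
    last_used: Optional[date]   # None if never used


@dataclass(frozen=True)
class Finding:
    user_id: str
    system: str
    days_overdue: int           # days the right has stayed enabled past termination
    used_after_termination: bool  # confirmed use after leaving, i.e. an incident, not just a gap


def reconcile(leavers: Iterable[Leaver], rights: Iterable[AccessRight], as_of: date) -> List[Finding]:
    """Return one finding per access right that is still enabled for a leaver.
    Findings are ordered so confirmed post-termination use comes first, then by age."""
    terminated = {lv.user_id: lv.termination_date for lv in leavers}
    findings = []
    for r in rights:
        if not r.enabled or r.user_id not in terminated:
            continue
        t = terminated[r.user_id]
        if t > as_of:
            continue  # termination is in the future; rights are still legitimate
        used = r.last_used is not None and r.last_used > t
        findings.append(Finding(r.user_id, r.system, (as_of - t).days, used))
    return sorted(findings, key=lambda f: (not f.used_after_termination, -f.days_overdue))


# Constructed sample data: two leavers, one of whom has kept using the loading bay door.
LEAVERS = [Leaver("w1023", date(2014, 3, 3)), Leaver("w0871", date(2014, 3, 10))]
RIGHTS = [
    AccessRight("w1023", "loading-bay-door", True, date(2014, 3, 14)),   # used after leaving
    AccessRight("w1023", "erp", False, date(2014, 3, 1)),                # correctly disabled
    AccessRight("w0871", "loading-bay-door", True, None),                # left enabled, unused
    AccessRight("w0450", "loading-bay-door", True, date(2014, 3, 14)),   # current employee
]

if __name__ == "__main__":
    for finding in reconcile(LEAVERS, RIGHTS, date(2014, 3, 17)):
        print(finding)
```

Run daily against the HR feed rather than at the periodic A.9.2.5 review interval; the `used_after_termination` flag separates a housekeeping gap from an event that needs to be handled under A.16.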
Question: 3, Syllabus: OS, Part: A, Type: MR, SyllabusRef: PL0202, Level: 2
1 A Incorrect: Evidence of top management contribution is useful to demonstrate compliance.
However, the standard does not specifically require this to be evaluated. (ISO
27001, 5.1)
B Incorrect: Established risk assessment criteria are a means of analysing and evaluating
potential risks. However, the criteria are not specifically subject to evaluation.
(ISO 27001, 6.1.2 a)
C Correct: Information security process performance is a specified measurement
requirement. (ISO 27001, 9.1 a)
D Incorrect: Assignment of suitably skilled resources to roles may be monitored and
assessed. However, this activity is not specifically required to be evaluated.
(ISO 27001, 7.2)
E Correct: Information security process effectiveness is a specified measurement
requirement. (ISO 27001, 9.1 a)
2 A Correct: The standard does NOT require an organization to determine where the monitoring
and measuring shall be performed. (ISO 27001, 9.1)
B Incorrect: The organization shall determine when the monitoring and measuring shall be
performed. (ISO 27001, 9.1 c)
C Correct: The standard does NOT require an organization to determine why the monitoring
and measuring shall be performed. (ISO 27001, 9.1)
D Incorrect: The organization shall determine when the results from monitoring and
measurement shall be used. (ISO 27001, 9.1 e)
E Incorrect: The organization shall determine who shall analyse and evaluate the results.
(ISO 27001, 9.1 f)
3 A Incorrect: Processes and controls need to be monitored and measured but the Monitoring,
measurement, analysis and evaluation clause does NOT require the method of
process control to be determined. (ISO 27001, 9.1 b)
B Incorrect: Documentation needs to be delivered but the Monitoring, measurement,
analysis and evaluation clause does NOT require the method of documentation
to be determined. (ISO 27001, 9.1 b)
C Correct: The Monitoring, measurement, analysis and evaluation clause requires the
method of monitoring to be determined. (ISO 27001, 9.1 b)
D Incorrect: Corrective action needs to be undertaken to correct non-conformances but the
Monitoring, measurement, analysis and evaluation clause does NOT require the
method of corrective action to be determined. (ISO 27001, 9.1 b)
E Correct: The Monitoring, measurement, analysis and evaluation clause requires the
method of analysis to be determined. (ISO 27001, 9.1 b)
4 A Incorrect: Password length is monitored by the password management system only when
the user creates or changes the password. This ensures that the resulting
password matches password quality policy rules. (ISO 27002, 9.4.3 c)
B Correct: The last change date will be used to understand if the user should be prompted
to change a temporary password (new user at first log-in) or expired password
(existing user forced to change their password as mandated by the maximum
password age policy). (ISO 27002, 9.4.3 d & e)
C Correct: The last log-in date will be used to understand if the user should be prompted to
change a temporary password (new user at first log-in). (ISO 27002, 9.4.3 d)
D Incorrect: Password complexity is monitored by the password management system only
when the user creates or changes the password. This ensures that the resulting
password matches password quality policy rules. (ISO 27002, 9.4.3 c)
E Incorrect: The access control system must NOT display passwords in clear text on the
screen. (ISO 27002, 9.4.2 i)
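The rationale above separates what a password management system checks at log-on (the temporary-password flag and the last change date, 9.4.3 d and e) from what it checks only when a password is set (length and complexity, 9.4.3 c), and notes that it never shows the password. The following is an added example, not part of the exam paper, that implements those checks as ISO/IEC 27002:2013 9.4.3 describes them. The maximum age, history depth and quality rule are assumed policy values.

```python
"""Added example: log-on and change-time checks of a password management system,
modelled on ISO/IEC 27002:2013 9.4.3. Not part of the exam paper; policy values assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac
import os
import re

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy value (9.4.3 e)
HISTORY_DEPTH = 5                       # assumed policy value (9.4.3 f)


@dataclass
class UserRecord:
    user_id: str
    pwd_hash: bytes             # salted hash only; clear text is never stored (9.4.3 i)
    salt: bytes
    last_change: date
    must_change: bool = True    # set when a temporary password is issued (9.4.3 d)
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash) pairs


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_meets_quality(password: str) -> bool:
    """9.4.3 c): applied only when a password is created or changed. Assumed rule set."""
    return (len(password) >= 12
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None)


def change_required_at_logon(user: UserRecord, today: date) -> Optional[str]:
    """9.4.3 d) and e): the only password attributes consulted at log-on are the
    temporary-password flag and the last change date. Returns the reason a change
    is forced, or None if the user may proceed."""
    if user.must_change:
        return "temporary password: change required at first log-on"
    if today - user.last_change > MAX_PASSWORD_AGE:
        return "password expired: maximum password age exceeded"
    return None


def change_password(user: UserRecord, new_password: str, today: date) -> bool:
    """9.4.3 c) and f): enforce quality and refuse re-use of the current or recent
    passwords. Returns only success/failure; the password is never echoed (9.4.3 g)."""
    if not password_meets_quality(new_password):
        return False
    for old_salt, old_hash in user.history + [(user.salt, user.pwd_hash)]:
        if hmac.compare_digest(_hash(new_password, old_salt), old_hash):
            return False
    user.history = (user.history + [(user.salt, user.pwd_hash)])[-HISTORY_DEPTH:]
    user.salt = os.urandom(16)
    user.pwd_hash = _hash(new_password, user.salt)
    user.last_change = today
    user.must_change = False
    return True


def new_user(user_id: str, temporary_password: str, created: date) -> UserRecord:
    """Create an account with a temporary password that must be changed at first log-on."""
    salt = os.urandom(16)
    return UserRecord(user_id, _hash(temporary_password, salt), salt, created, must_change=True)
```

The division matters for the exam question: a log-on routine that re-checked length or complexity would have to hold the clear-text password for that purpose, which is exactly what 9.4.3 g) and i) rule out; quality is enforced once, at change time, and only the date and flag are carried forward.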

Question: 3, Syllabus: OS, Part: B, Type: MG, SyllabusRef: OS0316, Level: 3


1 Correct [B]: Reporting information security events: (ISO 27001, A.16.1.2; ISO 27002, 16.1.2).
This report is to the police rather than to Equitable Products’ information security
team. However, it is still an aspect of detection and reporting and it is the reporting
of the event prior to its classification as an incident.
2 Correct [G]: Collection of evidence: (ISO 27001, A.16.1.7; ISO 27002, 16.1.7). The police
report is part of the collection of information which will serve as evidence.
3 Correct [E]: Response to information security incidents: (ISO 27001, A.16.1.5; ISO 27002,
16.1.5). The lost papers are unlikely to be recovered. However, this risk treatment
is intended to deal with the immediate vulnerability of other directors travelling with
sensitive paper documents. It is an avoidance response to the vulnerability and
potential threat.
4 Correct [D]: Assessment of and decision on information security events: (ISO 27001, A.16.1.4;
ISO 27002, 16.1.4). The Information Security Officer discovers the extent of the
event. Realising the consequential impacts of losing sensitive paper documents to
activists, he informs the CIO and begins investigating this as an incident.
5 Correct [E]: Response to information security incidents: (ISO 27001, A.16.1.5; ISO 27002,
16.1.5). Communicating and reinforcing practices related to strangers and
behaviours is a reasonable response to this incident.
6 Correct [F]: Learning from information security incidents: (ISO 27001 A.16.1.6; ISO 27002,
16.1.6). Risk reassessment improves the consideration of this kind of event in
paper media handling.
Question: 3, Syllabus: OS, Part: C, Type: AR, SyllabusRef: AR0408 AR0409 AR0410, Level: 4
1 Assertion (True): Normal operating temperatures should be restored in a manner proportionate to the criticality of the situation. The return-to-service (information availability) target is only 5 hours. Alternative rapid temperature reduction options should be explored first. (ISO 27001, 6.2 c)
  Reason (False): The organization should determine its requirements for information security and the continuity of information security management in adverse situations. (ISO 27002, 17.1.1). The organization should establish, document, implement and maintain compensating controls for routine IS controls that cannot be maintained during an adverse situation. (ISO 27002, 17.1.2 second part c). The organization may elect to operate with a predetermined increased risk tolerance for a limited period.
2 Assertion (True): Physical destruction of disks which failed to power on is a reasonable control to prevent unauthorized attempts to recover data from that media. (ISO 27002, 8.3.2)
  Reason (True): Replacing failed hardware components from redundant stock (ISO 27002, 17.2.1) is quicker and more reliable than attempting repairs and would support the organization’s return-to-service (information availability) objective. The assertion focuses on confidentiality of information and this reason focuses on information availability. Therefore, the reason does not support the assertion so the answer is B.
3 Assertion (False): The asset register must be maintained with the lifecycle of each asset to destruction. (ISO 27002, 8.1.1). The asset tags must remain on the failed disks to provide identification. The disks should be marked as ‘failed/removed’ in the asset register and their later destruction also recorded. This is to maintain the integrity of the register and the traceability of the disks up to and including confirmation of their destruction. Replacement disks will have new asset tags to track their lifecycle of use.
  Reason (True): The asset owner must ensure that the asset inventory is maintained. (ISO 27002, 8.1.2)
4 Assertion (True): The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source. (ISO 27002, 12.4.4)
  Reason (True): Network and domain system clock synchronisation is fundamental to correct system operations and event logging. It is an operational priority on commissioning and recovery. (ISO 27002, 12.4.4). This reason supports the asserted need for server synchronisation to a single reference time source, so the answer is A.
5 Assertion (True): All response activities should be properly logged for later analysis. (ISO 27002, 16.1.5 d)
  Reason (True): Compensating controls for information security controls that cannot be maintained during an adverse situation should be documented by the organization as part of implementing information security continuity. (ISO 27002, 17.1.2 both points c). Documenting compensating controls is part of planning for business continuity and is a separate requirement to the documentation during an incident. The answer is therefore B.
6 Assertion (False): Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. The root cause of events should be identified (air conditioning units not surge protected) and formally risk-assessed to determine options for treatment. (ISO 27001, 8.2 & 8.3). Opportunities to improve information security should also be considered. (ISO 27002, 16.1.6; ISO 27001, 10.1, 10.2)
  Reason (False): Opportunities to improve the response should be considered. (ISO 27002, 16.1.6). Top management are required to review the ISMS – and the results of this incident – to ensure its continuing suitability, adequacy and effectiveness. (ISO 27001, 9.3)
Question: 3, Syllabus: OS, Part: D, Type: CL, SyllabusRef: LE0410 LE0413 LE0415, Level: 2
1 A Incorrect: Information in the Scenario Booklet states that Equitable Products IT Services
currently operate an ISMS compliant with ISO 27001. To be compliant, the ISMS
controls will already include established malware protection for all received
electronic information to mitigate this risk appropriately. (ISO 27002, 12.2.1 e, g
& h)
B Incorrect: The legal entitlement of Equitable Products to collect the device for forensic
investigation needs to be established first. (ISO 27002 16.1.7). Sample data
validation will support that justification in consultation with legal counsel. (ISO
27002, 18.1.1)
C Correct: Encryption of the sample data would provide the objectives described. (ISO
27002, 13.2.1 f)
D Incorrect: Encryption can ensure that the data sent is the data received. However, if there
is malware in the original data it will not be removed by encryption. (ISO 27002
10.1.1)
2 A Incorrect: Information security events shall be reported through appropriate management
channels as quickly as possible. (ISO 27001, A.16.1.2). There is no requirement
to wait until all potential impacts are known, particularly as the trusted researcher
has provided sample data that is considered representative of the nature of the
information on the device.
B Incorrect: It is usual for employees and contractors to be provided with a confidentiality or
non-disclosure agreement prior to being given access to information. (ISO
27002, 7.1.2 a). However, the agreement may be negotiated and applied to any
party at any time as the organization’s needs change. (ISO 27002, 13.2.4)
C Incorrect: The recovered sample data is publicly-available information, not commercially or
personally sensitive. There are no details of the planned scope of publication
and the researcher is a trusted advisor to the organization. It would be
premature to involve authorities unless there is tangible evidence of harmful
motive and intent enabling identification of applicable legislation. (ISO 27002,
18.1.1)
D Correct: Incident disclosure may still be avoided or contained by negotiation and
agreement with the researcher as a ‘supplier’ of incident information. (ISO
27002, 15.1.2 e & p)
3 A Correct: Attempts should be made to identify how this asset was used and by whom. This
will determine the root cause of the failure and enable correction and
improvement. (ISO 27001, 10.1 & 10.2)
B Incorrect: The information is publicly available according to the applied classification
scheme. Therefore, there is no requirement for confidentiality to make the
information unrecoverable as per ISO 27001, A.8.3.1. (ISO 27002, 8.3.1)
C Incorrect: Removable media assets may be reassigned and/or re-used, changing purpose
and handling requirements as the classification of their stored information
changes. (ISO 27002, 11.2.7). Asset inventories should record the current owner
and lifecycle of use. (ISO 27002, 8.1.1)
D Incorrect: Reputational risk remains because the researcher discloses Equitable
Products’ media and information asset lifecycle management failure. (ISO
27002, 8, 11.2.5, 11.2.6 & 11.2.7)
4 A Incorrect: ‘Deleted’ information can be technically recovered in many cases. Although the
user’s action did not result in unauthorized disclosure in this specific case, the
same decision and action on a device with more sensitive information may be a
vulnerability that needs to be investigated and managed. Corrective action may
include risk awareness training to prevent further occurrence (ISO 27001, 10.1 &
7.3), or removal of technical privileges to use removable media. (ISO 27002,
8.1.3, 9.2.2)
B Incorrect: ‘Deleted’ information can be technically recovered in many cases. The user’s
action did not result in unauthorized disclosure in this specific case. However,
the same decision and action on a device with more sensitive information may
be a vulnerability that needs to be investigated and managed. Corrective action
may include risk awareness training to prevent further occurrence (ISO 27001,
10.1 & 7.3), or removal of technical privileges to use removable media. (ISO
27002, 8.1.3, 9.2.2)
C Correct: Corrective action may include risk awareness training to prevent further
occurrence (ISO 27001, 10.1 & 7.3), or removal of technical privileges to use
removable media. (ISO 27002 8.1.3, 9.2.2)
D Incorrect: Information in the Scenario Booklet states that Equitable Products' IT Services
currently operate an ISMS compliant with ISO 27001. To be compliant, the ISMS
controls will already include established malware protection for all received
electronic information to mitigate this risk appropriately. (ISO 27002, 12.2.1 e, g
& h)
Question: 4, Syllabus: AR, Part: A, Type: CL, SyllabusRef: PL0204 PL0205, Level: 2
1 A Incorrect: It is not a requirement of the Standard to inform the Certification Body of the
results of internal audits. The Certification Body may require sight of the internal
audit results when external audits are performed but if required, this will be
requested later as part of the external audit. (ISO 27001, 9.2)
B Incorrect: The requirement is to identify what should be audited when setting up the audit
programme(s). There is no requirement to identify the next processes to be
audited at the end of an internal audit. (ISO 27001, 9.2 c)
C Correct: The organization shall retain documented information as evidence of the audit
programme(s) and the audit results. The audit results should be protected to
ensure they are not lost or destroyed as these are evidence to demonstrate the
meeting of the Standard. (ISO 27001, 9.2 g)
D Incorrect: A certificate is only issued when an auditor employed by a certification body
performs a certification audit. Certificates are not issued for internal audits. (ISO
27001, 9.2, Supplementary Paper 4.5)
2 A Incorrect: Evaluating the need to eliminate the causes of non-conformance is part of
Improvement, not Management Review. (ISO 27001, 10.1 b)
B Incorrect: Dealing with the consequences of non-conformance is part of Improvement, not
Management Review. (ISO 27001, 10.1 a.2)
C Incorrect: Determining the cause of non-conformance is part of Improvement, not
Management Review. (ISO 27001, 10.1 b.2)
D Correct: Considering opportunities for continual improvement is part of Management
Review. (ISO 27001, 9.3 f)
3 A Correct: Defining the scope of the audit is one of the responsibilities of the organization.
(ISO 27001, 9.2 d)
B Incorrect: Considering feedback on opportunities for continual improvement is part of
Management Review. (ISO 27001, 9.3 f). Identifying opportunities for continuous
improvement is not a stated responsibility within Internal Audit. (ISO 27001, 9.2)
C Incorrect: Consideration of changes in external issues is part of Management Review
(ISO 27001, 9.3 b). There is no requirement to document them prior to an Internal
Audit (ISO 27001, 9.2)
D Incorrect: One purpose of an Internal Audit is to provide information on whether the ISMS
conforms to the organization’s own requirements for its ISMS. (ISO 27001, 9.2).
The Internal Audit will measure against the current requirements, but there is no
obligation to update the ISMS prior to an Internal Audit.
4 A Incorrect: The organization’s approach to managing information security may be
independently reviewed as a result of information from a management review
but there is no requirement to independently review it at every management
review. (ISO 27001, 9.3, A.18.2.1)
B Incorrect: The organization’s approach to managing information security may be
independently reviewed as a result of information from an audit. However, there
is no requirement to independently review it at every audit. (ISO 27001, 9.2,
A.18.2.1)
C Incorrect: Review of the organization’s approach to managing information security may
form part of continuous improvement. However, there is no requirement to
independently review it as part of continuous improvement. (ISO 27001, 10.2,
A.18.2.1)
D Correct: The organization’s approach to managing information security and its
implementation (i.e. control objectives, controls, policies, processes and
procedures for information security) shall be reviewed independently at planned
intervals or when significant changes occur. (ISO 27001, A.18.2.1)
5 A Incorrect: Records shall be protected from loss, destruction, falsification, unauthorized
access and unauthorized release, in accordance with legislative, regulatory,
contractual and business requirements. Whilst national laws may affect
implementation, there is no recommendation to take legal advice. (ISO 27002,
18.1.3)
B Correct: Cryptographic controls should be used in compliance with all relevant
agreements, legislation and regulations. Legal advice should be sought to
ensure compliance and before encrypted information or cryptographic controls
are moved across jurisdictional borders. (ISO 27002, 18.1.5)
C Incorrect: An independent review of information security reviews the organization’s
approach to managing information security and its implementation. Such a
review should be carried out by individuals independent of the area under
review. (ISO 27002 18.2.1)
D Incorrect: Information systems should be regularly reviewed for compliance with the
organization’s information security policies and standards. The technical
compliance review should be carried out or supervised by competent,
authorized persons but not with legal advice. (ISO 27002, 18.2.3)
6 A Correct: It is the audit programme that takes into consideration the importance of the
processes concerned. (ISO 27001, 9.2 c)
B Incorrect: The management review shall include consideration of the changes in external
and internal issues. (ISO 27001, 9.3 b)
C Incorrect: The management review shall include consideration of the status of actions from
previous management reviews. (ISO 27001, 9.3 a)
D Incorrect: The management review shall include consideration of trends in results of risk
assessment. (ISO 27001, 9.3 e)
Question: 4, Syllabus: AR, Part: B, Type: MR, SyllabusRef: AR0308 AR0310 AR0313, Level: 3
1 A Incorrect: Digital signatures will not help to avoid incorrect information being sent but, they
may assist the verification of authenticity of a message. (ISO 27002, 10.1.1
second bullet point b). However, the issue to be addressed here was the
attachment of the wrong price list to an authentic message.
B Correct: Labelling sensitive information in accordance with a defined classification
scheme is a recommended asset management control for electronic information
exchange. This highlights that the information needs to be handled in
accordance with defined procedures. (ISO 27002, 8.2.1, 8.2.3). If the price list
had been appropriately labelled it may have drawn attention to its special status
and avoided it being sent to the wrong customer.
C Incorrect: Owners of sensitive information should be accountable for their classification,
and this is an asset management control. (ISO 27002, 8.2.1). However, this
control will not directly address the audit finding that sensitive information has
been released to unintended recipients.
D Incorrect: Agreements with other organizations that include information sharing should
include procedures to identify the classification of that information. However, this
will not control the finding that sensitive information has been released to
unintended recipients. (ISO 27002, 8.2.3 final paragraph)
E Correct: A review of access restrictions to sensitive information such as price lists (ISO
27002, 8.1.2 c) would be appropriate to identify changes or additional controls
to restrict access to special price lists to avoid them being used inappropriately.
2 A Correct: Information security considerations for electronic messaging should include
requirements for electronic signatures (ISO 27002, 13.2.3 d) which will address
the issue of authenticity.
B Incorrect: The issue relates to the authentication of messages sent. Protection against
unsolicited email received, although relevant to electronic messaging (ISO
27002, 13.2.3), is not appropriate to address the identified issue.
C Incorrect: The issue relates to the authentication of messages sent by email. The Access
to instant messaging control relates to instant messaging. Although it is relevant
to electronic messaging (ISO 27002, 13.2.3 e), it is not appropriate to address
the identified issue.
D Correct: The issue to be addressed is authenticity. The use of message authentication
codes is a cryptographic control that will address issues of authenticity. (ISO
27002, 10.1.1 second bullet point b).
E Incorrect: The issue relates to the authentication of messages sent by email. Malware
protection, although relevant to electronic messaging (ISO 27002, 12.2.1 g.2), is
not appropriate to address the identified issue.
3 A Incorrect: Enforcement of password changes is a consideration of password management
system. (ISO 27002, 9.4.3 e). However, it will not address the issue of
information being disclosed to unintended email recipients.
B Incorrect: Limiting the information contained in outputs is a consideration of the
Information access restriction control. (ISO 27002, 9.4.1 e). It may reduce the
amount of information disclosed to an unintended recipient. However, unless the
content is encrypted it will not prevent disclosure and is not part of an
encryption/cryptographic policy.
C Correct: The impact of encryption on other controls such as content inspection controls
should be considered when developing a cryptographic policy. (ISO 27002,
10.1.1 g)
D Incorrect: The issue to be addressed is disclosure (confidentiality). The use of message
authentication codes is a cryptographic control that will address issues of
integrity and authenticity but is not relevant to confidentiality. (ISO 27002, 10.1.1
second bullet point b)
E Correct: The standards to be adopted should be considered when developing a
cryptographic policy. (ISO 27002, 10.1.1 f)
4 A Incorrect: Availability of the service is a consideration of electronic messaging (ISO 27002
13.2.3). It is not required to be documented in an agreement on information
transfer. (ISO 27002, 13.2.2)
B Incorrect: Capacity management is an aspect of operations security. However, it is not a
responsibility required to be defined in an information transfer agreement. (ISO
27002, 13.2.2)
C Correct: Information transfer agreements should incorporate management responsibility
for controlling receipt. (ISO 27002, 13.2.2 a)
D Incorrect: User authentication is an aspect of access control. (ISO 27002, 9.1.2 e). It is not
a responsibility required to be defined in an information transfer agreement.
(ISO 27002, 13.2.2)
E Correct: Information transfer agreements should incorporate responsibility for liability in
the event of data loss. (ISO 27002, 13.2.2 f)
5 A Incorrect: Interception was not an issue identified. Therefore procedures relating to the
interception of information, although an information transfer control, are not
relevant in this case. (ISO 27002, 13.2.1 a)
B Incorrect: Non-repudiation procedures are an issue relating to information transfer. (ISO
27002, 13.2.2 b). However, they are not relevant to the issue of inappropriate
sharing of information by email.
C Correct: Although not the cause of this incident, inappropriate forwarding of emails
(especially to external addresses) would result in a similar inappropriate
disclosure of information. (ISO 27002, 13.2.1 h)
D Correct: Procedures to be followed when using communication facilities for information
transfer should consider the procedures for protecting sensitive information that
is in the form of attachments. (ISO 27002, 13.2.1 c)
E Incorrect: Process and procedures around incident management are part of incident
management. (ISO 27002, 15.1.2 h). They are not directly part of information
transfer procedures, so incident management, of itself, will not prevent a similar
incident.
Question: 4, Syllabus: AR, Part: C, Type: CL, SyllabusRef: AR0413, Level: 4
1 A Incorrect: There may be a need for an organization to use different forms of confidentiality
or non-disclosure agreements in different circumstances. (ISO 27002, 13.2.4 OI)
B Incorrect: The information about the intellectual property rights may be public domain
information, and therefore not confidential. However, the ownership of
information, trade secrets and intellectual property, and how this relates to the
protection of confidential information should be included in a non-disclosure
agreement. (ISO 27002, 13.2.4 e)
C Correct: Ownership of information, trade secrets and intellectual property should be
included in a non-disclosure agreement. (ISO 27002, 13.2.4 e)
D Incorrect: The non-disclosure agreement should set out any rights to audit. (ISO 27002,
13.2.4 g). However, this is not the reason for including information about
ownership of information, trade secrets and intellectual property.
2 A Incorrect: A non-disclosure agreement should set out the terms for information to be
returned or destroyed at agreement cessation. This may be reviewed and
changed at any time before it expires. The fact that the information may change
is not a reason to have an agreement for a period of just three months. (ISO
27002, 13.2.4 IG)
B Correct: A non-disclosure agreement should be for an appropriate period, and there is
no need to restrict its length. It should set out when it will be periodically
reviewed but it has no need to automatically expire when reviewed. (ISO 27002,
13.2.4 b)
C Incorrect: A non-disclosure agreement should be reviewed periodically. However, this
does not mean that a new agreement is needed unless circumstances have
changed. (ISO 27002, 13.2.4 IG)
D Incorrect: A non-disclosure agreement should have an expected duration but that may be
whatever duration is appropriate, not just a year. (ISO 27002, 13.2.4 b)
3 A Incorrect: A non-disclosure agreement should consider the responsibilities and actions of
signatories to avoid unauthorized information disclosure. (ISO 27002, 13.2.4 d)
B Incorrect: If there are any special information handling requirements then the non-
disclosure agreement should set them out. Otherwise enforcement action is only
likely to be possible after information has been disclosed. (ISO 27002, 13.2.4
IG)
C Incorrect: If the information is disclosed, the breach of any special information handling
requirements will be relevant. However, a lack of them will not preclude the
agreement being enforced. (ISO 27002, 13.2.4 IG)
D Correct: When identifying requirements for confidentiality or non-disclosure agreements,
the responsibilities and actions of signatories to avoid unauthorized information
disclosure should be considered. (ISO 27002, 13.2.4 d)
4 A Incorrect: A non-disclosure agreement is applicable to employees of an organization as
well as external parties. (ISO 27002, 13.2.4 IG)
B Incorrect: The fact that marketing staff may need to disclose confidential information is
actually a reason for having a non-disclosure agreement. An NDA can set out
the permitted use of confidential information and how it may be disclosed by
marketing staff. (ISO 27002, 13.2.4 f)
C Correct: It is good practice for employees with access to confidential information to be
required to sign a non-disclosure agreement. (ISO 27002, 7.1.2 a). An NDA can
set out permitted use of the confidential information and how it may be disclosed
by marketing staff. (ISO 27002, 13.2.4 IG, f)
D Incorrect: It is good practice for everyone with access to confidential information to be
required to sign a non-disclosure agreement (ISO 27002, 7.1.2 a). It is not
appropriate for all interested parties to sign non-disclosure agreements as
some will not have access to confidential information or will be outside the
control of the organization. (ISO 27003, Table B1)

Question: 4, Syllabus: AR, Part: D, Type: AR, SyllabusRef: AR0414 AR0418 AR0415, Level: 4
1 Assertion (True): System and acceptance testing usually requires substantial volumes of realistic test data. All sensitive details and content should be protected by removal or modification. (ISO 27002, 14.3.1 IG, OI)
  Reason (False): User acceptance testing should be performed in a realistic test environment to ensure that the system will not introduce vulnerabilities to the organization’s environment. (ISO 27002, 14.2.9 IG)
2 Assertion (True): The organization shall perform an information risk assessment when significant changes are proposed or occur. (ISO 27001, 8.2)
  Reason (True): Contractors should be required to report any observed information security weaknesses in systems or services. (ISO 27002, 16.1.3). Both are true but the answer is B as the reason does not explain why the assertion is required.
3 Assertion (True): Relevant legislative, regulatory and contractual requirements and the organization’s approach to meet those requirements should be explicitly identified, documented and kept up to date. (ISO 27002, 18.1.1)
  Reason (True): Supplier agreements should describe the information to be provided. (ISO 27002, 15.1.2 a). The dairy farm supplier agreements must be updated to document any new information required as a result of the new regulations to maintain compliance with ISO 27002, 15.1.2 a. The answer is therefore A.
4 Assertion (False): The requirement to retain data is a policy requirement relating to regulations and legislation and should therefore be recorded in the policy. (ISO 27002, 5.1.1 b)
  Reason (True): Data retention is a control required to comply with the regulatory obligation and will be documented in the supplier agreement. (ISO 27002, 18.1.3, 15.1.2 c)
5 Assertion (True): It is appropriate to include a supplier’s obligation to deliver an independent report on the effectiveness of controls. (ISO 27002, 15.1.2 o)
  Reason (True): It is the organization’s management who are responsible for the effectiveness of information security controls. (ISO 27002, 18.2.1). Requiring the supplier to provide an independent penetration test report would be an appropriate method of review. Therefore the answer is A.
