Question 1

What needs to be decided prior to considering the treatment of risks?

Accepted Answer

A

Explanation: According to the information security risk management process defined in ISO/IEC 27001, an organization must first establish its risk criteria, which includes the criteria for risk acceptance. These criteria define the level of risk the organization is willing to tolerate. Only after a risk has been identified, analyzed, and evaluated against these pre-defined acceptance criteria can a decision be made on whether treatment is necessary. This foundational step ensures that decisions about risk treatment are consistent, objective, and aligned with the organization's strategic goals and risk appetite. Without these criteria, there is no basis for making informed decisions on how to handle identified risks.

Question 2

Zoning is a security control to separate physical areas with different security levels. Zones with higher
security levels can be secured by more controls. The facility manager of a conference center is
responsible for security.
What combination of business functions should be combined into one security zone?

Accepted Answer

C

Explanation: The principle of physical security zoning is to group areas with similar security requirements and access levels. A lobby and a public restaurant are both public-facing areas, designed for open access by visitors, clients, and the general public. They share a similar, low-security profile where the primary controls are focused on reception and general monitoring. Combining them into a single "public" or "unrestricted" zone is a logical and efficient application of the zoning principle, as it effectively isolates these open areas from more sensitive, restricted parts of the facility.

Question 3

What is the best way to start setting the information security controls?

Accepted Answer

C

Explanation: The most effective and standard way to begin setting information security controls is by establishing a security baseline. A baseline defines a consistent, mandatory minimum level of security that applies to all systems and components across the organization. This approach ensures a uniform security posture and simplifies management and auditing. Once the baseline is implemented, a risk analysis can be performed to identify specific threats and vulnerabilities that may require additional controls beyond the baseline standard. This structured methodology is a fundamental principle in established information security management frameworks.

Question 4

A company's webshop offers prospects and customers the possibility to search the catalog and place
orders around the clock. In order to satisfy the needs of both customer and business several
requirements
have
to
be met. One of the criteria is data classification.
What is the most important classification aspect of the unit price of an object in a 24h webshop?

Accepted Answer

B

Explanation: The integrity of the unit price is the most critical classification aspect. Integrity ensures that the price data is accurate, complete, and has not been altered without authorization. An incorrect price, whether due to error or malicious attack, can lead to significant financial losses for the company (e.g., selling products at a fraction of their cost) or a complete loss of sales and customer trust (if priced too high). While availability is crucial for a 24-hour service, the consequences of an integrity failure for financial data are typically more severe and damaging to the business's viability than a temporary loss of availability.

Question 5

The information security architect of a large service provider advocates an open design of the security architecture, as opposed to a secret design. What is her main argument for this choice?

Accepted Answer

C

Explanation: The main argument for an open security design is rooted in Kerckhoffs's Principle, a fundamental concept in cryptography and security engineering. This principle posits that a system's security should not rely on the secrecy of its design or implementation (i.e., security by obscurity). Instead, an open design allows for rigorous and extensive public scrutiny by a wide community of security researchers, academics, and ethical hackers. This broad, independent peer review process is far more effective at identifying and rectifying potential vulnerabilities than a small, internal team could ever be. The resulting architecture is more robust because its strength has been proven through transparent, extensive testing.

Question 6

An employee has worked on the organizational risk assessment. The goal of the assessment is not to
bring residual risks to zero, but to bring the residual risks in line with an organization's risk appetite.
When has the risk assessment program accomplished its primary goal?

Accepted Answer

C

Explanation: The primary goal of a risk assessment program is to provide decision-makers with the necessary information to make informed choices about managing risk. The process is not complete after analysis or control implementation, but only when a formal decision has been made about the residual risks. When authorized management formally accepts the remaining risks, it signifies that these risks are now aligned with the organization's tolerance and appetite. This act of acceptance is the culmination of the risk management cycle, confirming that the level of risk is acceptable in the context of the organization's strategic goals.

Question 7

A protocol to investigate fraud by employees is being designed. Which measure can be part of this protocol?

Accepted Answer

B

Explanation: An internal fraud investigation protocol must adhere to legal and privacy regulations. A workstation is company property, and employees generally have a reduced expectation of privacy when using it, especially when a clear Acceptable Use Policy is in place. This policy should state that company assets are subject to monitoring and investigation for legitimate business purposes, including security incident response. Therefore, investigating the contents of a company-owned workstation is a standard, legally defensible measure within a corporate investigation. This approach respects the critical legal distinction between corporate assets and an employee's personal property and communications.

Question 8

A security manager just finished the final copy of a risk assessment. This assessment contains a list of
identified risks and she has to determine how to treat these risks.
What is the best option for the treatment of risks?

Accepted Answer

B

Explanation: Following a risk assessment, the next critical step in the risk management process is risk evaluation. This involves comparing the identified risks against pre-established risk criteria to determine their significance. These criteria define the organization's risk appetite and the threshold for what level of risk is acceptable. This evaluation is fundamental because it dictates the appropriate treatment strategy. Without clear acceptance criteria, decisions to mitigate, transfer, avoid, or accept risk would be arbitrary and inconsistent, undermining the entire risk management effort.

Question 9

In a company a personalized smart card is used for both physical and logical access control. What is the main purpose of the person’s picture on the smart card?

Accepted Answer

A

Explanation: The primary purpose of a person's picture on a smart card is for visual authentication. When the card is presented for access, a human, such as a security guard, can visually compare the photograph on the card to the person presenting it. This process verifies that the individual is the legitimate owner of the card, thereby authenticating their identity. This is a crucial step in preventing unauthorized use of lost or stolen cards, particularly for physical access control where a human guard is present.

Question 10

When should information security controls be considered?

Accepted Answer

A

Explanation: The selection of information security controls is a fundamental part of the risk treatment phase. According to the information security risk management process defined in standards like ISO/IEC 27001, risk treatment logically follows risk assessment. An organization must first complete the risk assessment—which involves identifying, analyzing, and evaluating risks—to understand its specific threat landscape and vulnerabilities. Only with this comprehensive understanding can appropriate and cost-effective controls be selected to mitigate the identified risks to an acceptable level. Choosing controls before or during the assessment would be premature and not based on a formal evaluation of risk.

Free Exin ISMP Actual Exam Questions