Question 1

What type of legislation requires a proper controlled purchase process?

Accepted Answer

D

Explanation: A proper controlled purchase process is most directly required by Intellectual Property Rights (IPR) legislation. This type of legislation, which includes copyright, patent, and trademark laws, governs the legal use of products like software, digital media, and proprietary information. A controlled purchasing process is a fundamental organizational procedure to ensure that all acquired assets are legitimate, properly licensed, and used in accordance with legal terms. This prevents the inadvertent or deliberate use of pirated software or unlicensed content, thereby ensuring compliance with IPR laws. The ISO 27001 framework explicitly addresses this in its controls, linking procedural compliance directly to IPR.

Question 2

Implement plan on a test basis - this comes under which section of PDCA

Accepted Answer

B

Explanation: The Plan-Do-Check-Act (PDCA) cycle is a model for continual improvement. The 'Do' phase is specifically concerned with the implementation and operation of the plan. This includes executing the information security policy, controls, processes, and procedures that were established during the 'Plan' phase. Implementing the plan, whether on a full-scale or a test basis (pilot), is the primary activity of the 'Do' stage. It is the practical application of the designed information security management system (ISMS).

Question 3

What type of measure involves the stopping of possible consequences of security incidents?

Accepted Answer

C

Explanation: Repressive measures are activated when a security incident is occurring or has just occurred. Their purpose is to contain or stop further consequences (e.g., isolating an infected host, blocking a malicious IP). ISO/IEC 27035 defines “containment” as limiting the impact of an incident, while ISO/IEC 27002 groups controls into preventive, detective, corrective and repressive categories. Thus, a measure whose explicit objective is to stop (i.e., repress) the possible consequences of an incident is classified as Repressive.

Question 4

CMM stands for?

Accepted Answer

C

Explanation: CMM stands for Capability Maturity Model. It is a developmental model created by the Software Engineering Institute (SEI) at Carnegie Mellon University. It was originally designed to assess and improve the software development processes of government contractors. The model describes a five-level evolutionary path of increasingly organized and systematically mature processes. Organizations can use the CMM to evaluate their process maturity and identify areas for improvement, moving from ad-hoc, chaotic processes to mature, disciplined ones.

Question 5

What is the goal of classification of information?

Accepted Answer

C

Explanation: The primary goal of information classification, as outlined in the ISO/IEC 27001 framework, is to ensure that information assets receive an appropriate level of protection. This is achieved by systematically evaluating and structuring information based on its value, legal requirements, criticality, and sensitivity to unauthorized disclosure or modification. By categorizing information (e.g., as Public, Internal, Confidential, or Restricted), an organization can apply proportional and cost-effective security controls, focusing the most robust protections on its most sensitive assets.

Question 6

An employee caught with offense of abusing the internet, such as P2P file sharing or video/audio streaming, will not receive a warning for committing such act but will directly receive an IR.

Accepted Answer

B

Explanation: The statement is false. The ISO 27001 standard, specifically through its control on the disciplinary process, mandates that an organization must define and implement a formal process to take action against individuals who violate information security policies. However, the standard does not prescribe the specific steps or severity of this process. The nature of the disciplinary action—whether it is an immediate formal incident report (IR) or a preliminary warning—is determined by the organization's own internal policies, risk appetite, the severity of the breach, and applicable legal or regulatory requirements. A graduated response, starting with a warning for minor first-time offenses, is a common and perfectly compliant approach.

Question 7

Which department maintain's contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications service providers depending on the service required.

Accepted Answer

B

Explanation: The Chief Information Security Officer (CISO) is the senior-level executive responsible for an organization's information and data security. A key part of this role involves establishing and maintaining relationships with external entities. This includes liaising with law enforcement agencies for investigating cybercrimes, communicating with regulatory bodies to ensure compliance and manage breach notifications, and coordinating with service providers to manage security services and respond to incidents. This responsibility is a core component of information security governance and incident management frameworks.

Question 8

What is social engineering?

Accepted Answer

B

Explanation: Social engineering is a term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. The attacker creates a situation or pretext, such as impersonating a trusted entity, to deceive a victim into divulging confidential data like credentials or financial information. This method exploits human trust and error rather than technical system vulnerabilities. Within an ISO 27001 framework, controls like information security awareness, education, and training (A.6.3) are implemented specifically to mitigate the risks posed by social engineering attacks.

Question 9

A hacker gains access to a webserver and can view a file on the server containing credit card
numbers.
Which of the Confidentiality, Integrity, Availability (CIA) principles of the credit card file are violated?

Accepted Answer

B

Explanation: Confidentiality is the principle that ensures information is not disclosed to unauthorized individuals, entities, or processes. In the given scenario, the hacker, an unauthorized party, gained access to and viewed a file containing sensitive credit card numbers. This action is a direct violation of the confidentiality principle, as the secrecy of the data was compromised. The other principles of the CIA triad, Integrity and Availability, were not violated based on the description, which only mentions the unauthorized viewing of the data, not its modification or the denial of access to it for authorized users.

Question 10

Which threat could occur if no physical measures are taken?

Accepted Answer

C

Explanation: The question asks for a threat that could occur if no physical measures are taken. A server shutting down due to overheating is a direct consequence of a failure in physical environmental controls, such as inadequate cooling, ventilation, or temperature monitoring systems. These are fundamental components of physical security for information processing facilities as defined within the ISO 27001 framework. Unlike other options, this threat is almost exclusively mitigated by physical measures (e.g., HVAC systems, server room design) and cannot be effectively prevented by logical or administrative controls alone.

Question 11

The following are purposes of Information Security, except:

Accepted Answer

C

Explanation: The primary purpose of Information Security, as defined by frameworks like ISO/IEC 27001, is to protect information assets by preserving their confidentiality, integrity, and availability (CIA). This is achieved through a systematic risk management process. Consequently, information security directly supports ensuring business continuity, minimizing business risks, and maximizing the return on security investments by preventing costly incidents. However, the direct function of information security is protective and preservative; it is not intended to actively generate or increase business assets. While a strong security posture can enhance reputation and indirectly contribute to business growth, its core purpose is safeguarding existing value, not creating new assets.

Question 12

Information has a number of reliability aspects. Reliability is constantly being threatened. Examples
of threats are: a cable becomes loose, someone alters information by accident, data is used privately
or is falsified.
Which of these examples is a threat to integrity?

Accepted Answer

B

Explanation: Integrity, in the context of information security, refers to maintaining the accuracy and completeness of data and processing methods. It ensures that information is not altered in an unauthorized or undetected manner. The accidental alteration of data is a direct breach of this principle because the data is no longer in its correct, trustworthy state. This event compromises the reliability and correctness of the information, which is the essence of what integrity aims to protect. The other options relate to different pillars of information security: availability and confidentiality.

Question 13

Changes to the information processing facilities shall be done in controlled manner.

Accepted Answer

A

Explanation: The statement is true. The ISO/IEC 27001:2013 standard explicitly requires a controlled approach to change management to maintain information security. Control A.12.1.2 (Change Management) mandates that "Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled." This involves using formal procedures to ensure that all changes are reviewed, authorized, tested, and documented before implementation. The goal is to minimize the risk of introducing security vulnerabilities, causing operational disruptions, or compromising the integrity of information processing facilities. This principle is a fundamental component of a robust Information Security Management System (ISMS).

Question 14

What type of system ensures a coherent Information Security organisation?

Accepted Answer

C

Explanation: An Information Security Management System (ISMS) is a systematic framework of policies, procedures, and controls for managing an organization's information security risks. As defined by standards like ISO/IEC 27001, an ISMS provides a holistic and coherent approach by integrating security into the organization's processes and overall management structure. It ensures that security efforts are consistently applied, managed, and aligned with business objectives, thereby creating a coherent security organization. This system is not just about technology but encompasses people, processes, and technology, managed through a continuous improvement cycle (Plan-Do-Check-Act).

Question 15

What is the difference between a restricted and confidential document?

Accepted Answer

B

Explanation: ISO/IEC 27002 (cl. 5.12) presents “restricted” as the highest-sensitivity label, accessible only to specifically approved persons on a strict need-to-know basis, whereas “confidential” is normally available to a wider, pre-authorised group that still requires protection but with less stringent limitation. Therefore, “Restricted – shared among named individuals” and “Confidential – shared among an authorised group” is the accurate distinction.

Free GAQM ISO27-13-001 Actual Exam Questions