ISMP Online Practice Questions and Answers

Question 4

Security monitoring is an important control measure to make sure that the required security level is maintained. In order to realize 24/7 availability of the service, this service is outsourced to a partner in the cloud.

What should be an important control in the contract?

A. The network communication channel is secured by using encryption.

B. The third party is certified against ISO/IEC 27001.

C. The third party is certified for adhering to privacy protection controls.

D. Your IT auditor has the right to audit the external party's service management processes.

Question 5

What needs to be decided prior to considering the treatment of risks?

A. Criteria for determining whether or not the risk can be accepted

B. How to apply appropriate controls to reduce the risks

C. Mitigation plans

D. The development of own guidelines

Question 6

The Board of Directors of an organization is accountable for obtaining adequate assurance. Who should be responsible for coordinating the information security awareness campaigns?

A. The Board of Directors

B. The operational manager

C. The security manager

D. The user

Question 7

In a company a personalized smart card is used for both physical and logical access control. What is the main purpose of the person's picture on the smart card?

A. To authenticate the owner of the card

B. To authorize the owner of the card

C. To identify the role of the card owner

D. To verify the iris of the card owner

Question 8

An employee has worked on the organizational risk assessment. The goal of the assessment is not to bring residual risks to zero, but to bring the residual risks in line with an organization's risk appetite.

When has the risk assessment program accomplished its primary goal?

A. Once the controls are implemented

B. Once the transference of the risk is complete

C. When decision makers have been informed of uncontrolled risks and proper authority groups decide to leave the risks in place

D. When the risk analysis is completed

Question 9

The handling of security incidents is done by the incident management process under guidelines of information security management. These guidelines call for several types of mitigation plans.

Which mitigation plan covers short-term recovery after a security incident has occurred?

A. The Business Continuity Plan (BCP)

B. The disaster recovery plan

C. The incident response plan

D. The risk treatment plan

Question 10

A security manager just finished the final copy of a risk assessment. This assessment contains a list of identified risks and she has to determine how to treat these risks.

What is the best option for the treatment of risks?

A. Begin risk remediation immediately as the organization is currently at risk

B. Decide the criteria for determining if the risk can be accepted

C. Design appropriate controls to reduce the risk

D. Remediate the risk regardless of cost

Question 11

An information security officer is asked to write a retention policy for a financial system. She is aware of the fact that some data must be kept for a long time and other data must be deleted.

Where should she look for guidelines first?

A. In company policies

B. In finance management procedures

C. In legislation

Question 12

Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are key terms in business continuity management (BCM). Reducing loss of data is one of the focus areas of a BCM policy.

What requirement is in the data recovery policy to realize minimal data loss?

A. Maximize RPO

B. Reduce RPO

C. Reduce RTO

D. Reduce the time between RTO and RPO

Question 13

The ambition of the security manager is to certify the organization against ISO/IEC 27001. What is an activity in the certification program?

A. Formulate the security requirements in the outsourcing contracts

B. Implement the security baselines in Secure Systems Development Life Cycle (SecSDLC)

C. Perform a risk assessment of the secure internet connectivity architecture of the datacenter

D. Produce a Statement of Applicability based on risk assessments

Exam Code: ISMP
Exam Name: Information Security Management Professional based on ISO/IEC 27001
Last Update: Apr 29, 2024
Questions: 30