Main

Question 1

What is the primary goal of ISO/IEC 27001?

Answer 1

To establish, implement, maintain, and continuously improve an Information Security Management System (ISMS) that protects the confidentiality, integrity, and availability of information.

Question 2

Is ISO/IEC 27001 certifiable?

Answer 2

Yes — organizations can be officially certified through accredited audits.

Question 3

Which three core principles does ISO 27001 protect?

Answer 3

Confidentiality, Integrity, and Availability (CIA).

Question 4

What type of approach does ISO 27001 use to manage information security?

Answer 4

A risk-based approach — identifying, assessing, and treating information security risks systematically.

Question 5

What are the main phases of implementing an ISMS?

Answer 5

Establish → Implement → Operate → Monitor → Review → Maintain → Improve.

Question 6

What does “Annex A” of ISO 27001 provide?

Answer 6

A list of security controls (93 in the 2022 version) covering organizational, people, physical, and technological domains.

Question 7

Which other ISO standard gives detailed guidance on Annex A controls?

Answer 7

A: ISO/IEC 27002.

Question 8

What is the PDCA model in ISO 27001?

Answer 8

Plan-Do-Check-Act — the continual improvement cycle for managing and refining the ISMS.

Question 9

What documents are required under ISO 27001?

Answer 9

Scope statement, information security policy, risk assessment and treatment plan, Statement of Applicability (SoA), internal audit results, and management review records.

Question 10

Who oversees ISO/IEC 27001 globally?

Answer 10

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Question 11

What is the purpose of ISO/IEC 27002?

Answer 11

To provide guidance and best practices for implementing the security controls listed in ISO/IEC 27001’s Annex A.

Question 12

Is ISO/IEC 27002 a certifiable standard?

Answer 12

No — it’s advisory, meant to support ISO/IEC 27001 implementation.

Question 13

What are the four control categories in ISO/IEC 27002:2022?

Answer 13

Organizational, People, Physical, and Technological.

Question 14

How many controls are included in the 2022 version of ISO/IEC 27002?

Answer 14

93 controls, organized into four control themes.

Question 15

What are examples of Organizational controls?

Answer 15

Information security policies, supplier security, risk management, and project security.

Question 16

What are examples of People controls?

Answer 16

Background screening, awareness training, and user responsibilities.

Question 17

What are examples of Technological controls?

Answer 17

Access control, cryptography, logging, and malware protection.

Question 17

What are examples of Physical controls?

Answer 17

Securing facilities, equipment protection, and access control to physical areas.

Question 18

What is the relationship between ISO 27002 and NIST SP 800-53?

Answer 18

Both provide security control catalogs, but ISO 27002 is global, while NIST SP 800-53 is primarily U.S. federal.

Question 19

What is ISO/IEC 27035 about?

Answer 19

It defines the framework and process for detecting, reporting, assessing, and responding to information security incidents.

Question 19

How does ISO/IEC 27002 help implement ISO 27001?

Answer 19

It provides implementation guidance for each control listed in ISO 27001’s Annex A.

Question 20

What are the key stages of the ISO/IEC 27035 incident lifecycle?

Answer 20

Preparation → Detection & Reporting → Assessment → Response → Lessons Learned.

Question 21

What is the goal of incident assessment?

Answer 21

To determine whether an event is an actual security incident and assess its impact and urgency.

Question 21

What does ISO/IEC 27035 emphasize after resolving incidents?

Answer 21

Lessons learned — identifying root causes and improving processes.

Question 22

What is an “information security event”?

Answer 22

An observable occurrence that may indicate a potential security incident.

Question 23

Why is preparation crucial in ISO 27035?

Answer 23

It ensures predefined roles, responsibilities, and communication plans are ready before an incident occurs.

Question 24

How does ISO/IEC 27035 support ISO/IEC 27001?

Answer 24

It provides a framework for fulfilling the incident management control within the ISMS.

Question 25

What is the difference between a security event and a security incident?

Answer 25

An event is an observation, while an incident is a confirmed breach or threat to information security.

Question 25

What tools and techniques support ISO 27035 implementation?

Answer 25

Incident response playbooks, log monitoring systems, and communication protocols.

Question 26

Which NIST publication aligns closely with ISO 27035?

Answer 26

NIST SP 800-61 — Computer Security Incident Handling Guide.

Question 27

How does ISO 27005 define “risk”?

Answer 27

The effect of uncertainty on objectives, typically expressed as a combination of impact and likelihood.

Question 27

What is ISO/IEC 27005 focused on?

Answer 27

Providing a structured approach to information security risk management in support of ISO 27001.

Question 28

What are the key stages of the ISO 27005 risk management process?

Answer 28

Context establishment → Risk assessment → Risk treatment → Risk acceptance → Risk communication → Risk monitoring and review.

Question 29

What does “risk treatment” involve?

Answer 29

Selecting and implementing controls to reduce risks to acceptable levels.

Question 29

What are the components of risk assessment in ISO 27005?

Answer 29

Identification, analysis, and evaluation of risks.

Question 30

How does ISO 27005 relate to ISO 31000?

Answer 30

It aligns with ISO 31000’s general risk management principles but focuses on information security.

Question 31

Which NIST publication parallels ISO 27005?

Answer 31

NIST SP 800-30 — Guide for Conducting Risk Assessments.

Question 32

What is the purpose of a risk register in ISO 27005?

Answer 32

To document and track identified risks, their treatment, and their status over time.

Question 33

What is the main objective of NIST SP 800-30?

Answer 33

To provide a structured methodology for assessing information system risks.

Question 33

What is “residual risk”?

Answer 33

The risk that remains after controls are applied.

Question 34

Why is continual monitoring important in ISO 27005?

Answer 34

Because threats, vulnerabilities, and business objectives evolve, requiring ongoing reassessment.

Question 35

What are the three main steps in NIST SP 800-30?

Answer 35

Prepare → Conduct Assessment → Communicate & Maintain Assessment.

Question 36

What is a “vulnerability”?

Answer 36

A weakness in an information system that can be exploited by a threat.

Question 36

What does “threat” mean in NIST SP 800-30?

Answer 36

Any circumstance or event with the potential to adversely affect operations, assets, or individuals.

Question 37

What is the formula for risk according to NIST SP 800-30?

Answer 37

Risk = Likelihood × Impact.

Question 38

What are the two main outputs of a risk assessment?

Answer 38

Risk register and recommendations for mitigation.

Question 39

How does NIST SP 800-30 relate to the NIST RMF (SP 800-37)?

Answer 39

It provides the risk assessment process used within the RMF.

Question 40

How often should risk assessments be conducted?

Answer 40

Q: How often should risk assessments be conducted? A: Regularly and whenever major changes occur in the system or environment.

Question 41

What are “risk factors” in NIST SP 800-30?

Answer 41

Conditions that affect the likelihood or impact of a threat exploiting a vulnerability.

Question 42

What is the key outcome of NIST SP 800-30?

Answer 42

A prioritized list of risks with appropriate mitigation strategies.

Question 43

What is the purpose of NIST SP 800-53?

Answer 43

To provide a catalog of security and privacy controls for U.S. federal information systems.

Question 44

What framework does NIST SP 800-53 support?

Answer 44

The NIST Risk Management Framework (RMF).

Question 45

What are the main families of controls in NIST SP 800-53?

Answer 45

20 families, including Access Control, Audit and Accountability, Incident Response, and System Protection.

Question 46

How are controls structured in NIST SP 800-53?

Answer 46

Each control includes a control identifier, name, control statement, and supplemental guidance.

Question 47

What is the latest revision of NIST SP 800-53?

Answer 47

Revision 5, which includes integrated privacy controls.

Question 48

What are the three control baselines in SP 800-53?

Answer 48

Low, Moderate, and High, based on system impact level.

Question 49

How does NIST SP 800-53 relate to ISO/IEC 27002?

Answer 49

Both are catalogs of controls; SP 800-53 is U.S. federal, 27002 is international.

Question 50

What new focus area was added in Revision 5?

Answer 50

Supply chain risk management (SCRM).

Question 51

What is the purpose of control tailoring?

Answer 51

To adjust baseline controls to suit specific system requirements and risk levels.

Question 52

How is NIST SP 800-53 implemented in practice?

Answer 52

Through the RMF steps: Categorize, Select, Implement, Assess, Authorize, Monitor.

Question 53

What is Cyber Essentials?

Answer 53

A UK government-backed scheme that provides baseline cybersecurity requirements for organizations.

Question 54

What are its five key technical controls?

Answer 54

Firewalls, Secure Configuration, User Access Control, Malware Protection, and Patch Management.

Question 55

What is the purpose of Cyber Essentials certification?

Answer 55

To demonstrate an organization’s commitment to basic cybersecurity hygiene.

Question 56

What are the two certification levels?

Answer 56

Cyber Essentials (self-assessed) and Cyber Essentials Plus (externally verified).

Question 57

Who manages the Cyber Essentials scheme?

Answer 57

The UK National Cyber Security Centre (NCSC) and IASME Consortium.

Question 58

Is Cyber Essentials mandatory?

Answer 58

It’s voluntary for most, but required for some UK government contracts.

Question 59

What does Cyber Essentials primarily protect against?

Answer 59

Common internet-based threats like phishing, malware, and unauthorized access.

Question 60

How often must certification be renewed?

Answer 60

Annually.

Question 61

How does Cyber Essentials compare to ISO 27001?

Answer 61

Cyber Essentials is simpler and covers basic controls; ISO 27001 is comprehensive and risk-based.

Question 62

Why is Cyber Essentials valuable for small businesses?

Answer 62

It provides a low-cost, practical baseline for improving security and building trust with customers.