Licensed to Kim Lyxen Ong ([email protected]) ©Copyrighted material PECB®. Single user license only, copying and networking prohibited. Downloaded: 2023-04-05 101/144

The purpose of risk identification is to define the organization's objectives and analyze the key business factors so as to achieve the desired goal and effectively deal with the threats it faces.
ISO/IEC 27005, clause 7.2.1 Identifying and describing information security risks

In an event-based approach, the underlying concept is that risks can be identified and assessed through an evaluation of events and consequences. Events and consequences can often be determined by a discovery of the concerns of top management, risk owners and the requirements identified in determining the context of the organization (ISO/IEC 27001:2022, Clause 4). Interviews with top management and those people in the organization who have a responsibility for a business process can assist in identifying not only the relevant events and consequences, but also the risk owners.

An event-based approach can establish high-level or strategic scenarios without spending a considerable amount of time on the identification of assets at a detailed level. This allows the organization to focus its risk treatment efforts on the critical risks. Evaluation of events using this approach can make use of historical data where risks remain unchanged for long periods, and allows the interested parties involved to reach their objectives. However, in the case of risks for which historical data are not available or reliable, advice based on the knowledge and experience of experts, or investigation of risk sources, can assist evaluation.

With an asset-based approach, the underlying concept is that risks can be identified and assessed through an inspection of assets, threats and vulnerabilities. An asset is anything that has value to the organization and therefore requires protection. Assets should be identified, taking into account that an information system consists of activities, processes and information to be protected. The assets can be identified as primary and supporting assets according to their type and priority, highlighting their dependencies, as well as their interactions with their risk sources and the organization's interested parties. A threat exploits a vulnerability of an asset to compromise the confidentiality, integrity and/or availability of the corresponding information. If all valid combinations of assets, threats and vulnerabilities can be enumerated within the scope of the ISMS, then, in theory, all the risks would be identified. For the further steps of risk assessment, a list of assets associated with information and information-processing facilities should be drawn up. The asset-based approach can identify asset-specific threats and vulnerabilities and allows the organization to determine specific risk treatment at a detailed level.
ISO/IEC 27005, clause 7.2.2 Identifying risk owners (cont'd)

Implementation guidance: Top management, the security committee, process owners, functional owners, department managers and asset owners can be the risk owners. An organization should use the organizational risk assessment process (if established) for identifying risk owners; otherwise it should define criteria for identifying risk owners. Such criteria should take into consideration that risk owners:
a. are accountable and have the authority for managing the risks they own, i.e. they should have a position in the organization that allows them to actually exercise this authority;
b. understand the issues at hand, and are in a position to make informed decisions (e.g. regarding how to treat the risks).

The level of risk and the asset to which the risk applies can serve as the basis for identifying risk owners. The allocation should take place as part of the risk assessment process.
ISO/IEC 27005, clause 7.3.2 Assessing potential consequences (cont'd)
Output: A list of potential consequences related to risk scenarios, with their consequences related to assets or events, depending on the approach applied.

ISO/IEC 27005, clause 7.3.3 Assessing likelihood (cont'd)
Output: A list of events or risk scenarios complemented by the likelihoods that these occur.

ISO/IEC 27005, clause 7.3.4 Determining the levels of risk (cont'd)
Output: A list of risks with level values assigned.

ISO/IEC 27005, clause 7.4.1 Comparing the results of risk analysis with the risk criteria
Output: A list of suggestions for decisions on additional actions regarding the management of risks.
ISO/IEC 27005, clause 8.2 Selecting appropriate information security risk treatment options

Several options for risk treatment include:
- risk avoidance, by deciding not to start or continue with the activity that gives rise to the risk;
- risk modification, by changing the likelihood of the occurrence of an event or a consequence, or by changing the severity of the consequence;
- risk retention, by informed choice;
- risk sharing, by splitting responsibilities with other parties, either internally or externally (e.g. sharing the consequences via insurance).

EXAMPLE 1 An example of risk avoidance is an office location situated in a flood zone, where there is the potential of a flood and resultant damage to the office and restrictions to the availability of and/or access to the office. The relevant physical controls can prove insufficient to reduce this risk, in which case the treatment option of risk avoidance can be the best available option. This can involve closing or stopping operation of that office.

EXAMPLE 2 Another example of risk avoidance is choosing not to collect certain information from individuals, so that it is not necessary for the organization to manage, store and transmit the information in its information systems.
The organization should apply appropriate controls to:
- be compliant with legal, regulatory, and contractual obligations;
- reduce the likelihood of threats and vulnerabilities;
- reduce impacts if risks occur;
- prevent or detect, react to, and correct undesired events.

Information security controls must be selected and set in place in order to meet the requirements identified by the risk assessment and risk treatment processes. The information security controls reference defined in Annex A can be used as a source of controls (as an integral part of the process). However, additional information security controls can be selected from other sources, including from the organization itself.

ISO/IEC 27005, clause 8.3 Determining all controls that are necessary to implement the information security risk treatment options (cont'd)

The utility of categorizing controls as preventive, detective and corrective lies in their use to ensure that risk treatment plans are constructed to be resilient to control failures. Provided there is an appropriate mix of preventive, detective and corrective controls:
- detective controls should mitigate risk if the preventive controls fail;
- corrective controls should mitigate risk if the detective controls fail;
- preventive controls should reduce the likelihood that the corrective controls should ever have to be used.

When utilizing controls, organizations should first decide if it is possible to detect the occurrence of an event. If that is the case, detective controls should be implemented. If it is not possible to detect an event, detective controls can be ineffective, with no way of telling whether a preventive control is working.
Organizations should first conduct a risk assessment in order to identify the need for security controls. After identifying that need, organizations should select the most effective controls, which could be a single control or a combination of them. Organizations must include the selected controls in their Statement of Applicability, in which the inclusion of the controls is justified and explained.

Apart from standards, organizations can select controls from other sources that may be applicable to their context. Examples of these sources are COBIT, PCI DSS, HIPAA (US), NIST SP 800-53 (US), etc. In some particular contexts, other sources can be beneficial for organizations selecting controls. In general contexts, ISO/IEC 27001's Annex A alone may be sufficient to address all risk scenarios that organizations have identified. It is worth mentioning that selecting the majority of security controls from ISO/IEC 27001's Annex A is not mandatory. The standard requires only that a cross-check is made in order to see whether any control that has been excluded from Annex A might in fact have value to the organization's context and its ISMS.

Organizations should take into account the costs and benefits when selecting security controls. They need to balance between selecting a control that is necessary for them and selecting a control which may not address a real need at all. In conclusion, organizations should select controls that are applicable to their ISMS and are aligned with their activities and perceived risks, and not vice versa.

The Statement of Applicability (SoA) must include all the implemented controls and all planned-but-not-yet-implemented controls, irrespective of their sources, and must also record any controls from Annex A of ISO/IEC 27001 which the organization decided to exclude. There must be a justification for the inclusion or exclusion of each control. The requirement to justify exclusions from Annex A exists to ensure that the organization reviews at least one generally recognized set of controls as a form of "sanity check" against any valuable or worthwhile controls being overlooked.
Other examples of justifications related to selected controls:

ISO/IEC 27001, Annex A 5.29 Information security during disruption
The organization shall plan how to maintain information security at an appropriate level during disruption.
Justification of the selection: Ensuring the availability of information in a timely manner when an interruption or power outage affects critical business processes.

ISO/IEC 27001, Annex A 8.32 Change management
Changes to information processing facilities and information systems shall be subject to change management procedures.
Justification of the selection: Ensuring the confidentiality, integrity, and availability of information and means of processing information belonging to the organization when there are changes to systems and information processing methods.
There are many reasons why organizations may exclude some particular security controls. The following are some examples:

ISO/IEC 27001, Annex A 6.1 Screening
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis, taking into consideration applicable laws, regulations and ethics, and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Justification of the exclusion: In compliance with the collective agreement with the employees, no security checks will be made.

ISO/IEC 27001, Annex A 6.7 Remote working
Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises.
Justification of the exclusion: Remote working is prohibited in the organization.

Important notes:
- In most cases, an organization may declare a security control applicable and explain what it covers and its limitations. If we take the example of screening (Annex A 6.1), the control does not force the organization to use all the necessary means to conduct a thorough investigation of every person: criminal record validation, verification of qualifications, etc. An organization could simply ask for only two references from each candidate. The organization should, however, be able to justify the steps it takes, particularly when the usage of the control is minimal.
- An organization should not declare a control as not applicable if no justification for its exclusion exists. It is not possible to exclude a control for business or convenience reasons.
- If an organization chooses not to implement a control which is applicable, it must declare that the organization has decided to accept the risks of not implementing it. The control is thus documented as applicable but not implemented.
ISO/IEC 27001 does not specify the form of the Statement of Applicability. The standard simply requires a list of security controls, both the selected and the non-selected ones, the reasons behind their selection or exclusion, and the actions undertaken to implement the selected security controls. The additional controls put in place must also appear in the Statement of Applicability. It is considered good practice to include in the Statement of Applicability the title or function of the responsible person for each control and the list of documents or records related to it.

The model proposed by PECB includes the following sections:
1. Control: In this column, the security control of Annex A is indicated.
2. Applicable: In this column, it is indicated whether the security control is applicable or not.
3. Description: In this column, the security control is described briefly, together with how it is implemented in the organization. A simple way to do this is to use the method of the "5 W's and 1 H" (Who, What, When, Where, Why, How). It should be noted that the "why" is addressed in the column "Justification." For example: An information security policy (What), approved by management (Who), is effective since May 21, 2019 (When). A copy was sent (How) to all employees and interested parties (Who). The official version is available on the Intranet (Where).
4. Justification: In this column, the reasons why a security control was included or excluded are provided.
5. Documentation: Documentation indicates documents (policies and procedures) or records related to the particular security control.
6. Responsible: The owner of the control is the responsible person. The name and position of the person responsible for the control are to be included in the document.

If the security control is not applicable, indicate the person who is able to justify why it is not applicable, in order to facilitate the work of auditors (internal and external) and to know whom to address for information during the subsequent revisions of the Statement of Applicability.
Once the decisions on the risk treatment options have been taken, activities to implement these decisions must be planned. Activities should be classified based on priority. The necessary resources must be allocated to the treatment plan. The priority actions are usually determined to ensure that activities are focused on the greatest risk, although other processes can influence the prioritized actions, such as the need to demonstrate results to the top management of the organization or the need for quick profits.
The notion of residual risk can be defined as the risk that remains after the implementation of controls aiming to treat and reduce the inherent risk, and can be summed up as follows:

Residual risk = Inherent risk - Treated risk

There are always residual risks after the implementation of a risk treatment plan. The value of risk reduction following risk treatment should be evaluated, calculated, and documented. Residual risk can be difficult to evaluate, but an estimation should at least be made to ensure that the value of residual risks respects the risk acceptance criteria of the organization. Furthermore, the organization must make sure to set in place residual risk surveillance mechanisms. At any stage, the residual risk should be accepted by the top management for the ISMS to remain in conformity.

If the residual risk remains unacceptable after the implementation of controls, a decision must be made on the way to further treat the risk. One option is to identify other risk treatment options, such as risk transfer (insurance or externalizing), to reduce the risk to an acceptable level. Another option is to accept the risk knowingly and objectively. Even if it is good practice to tolerate no risks whose level is above the risk criteria defined by the organization, it is not always possible to reduce all risks to an acceptable level. In all circumstances, residual risks must be understood and accepted by risk owners.
ISO/IEC 27001, clause 6.2 Information security objectives and planning to achieve them (cont'd)

The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine:
h) what will be done;
i) what resources will be required;
j) who will be responsible;
k) when it will be completed; and
l) how the results will be evaluated.
ISO/IEC 27001, clause 7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

ISO/IEC 27001, clause 7.2 Competence
The organization shall:
a. determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b. ensure that these persons are competent on the basis of appropriate education, training, or experience;
c. where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d. retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons.

ISO/IEC 27001, clause 7.3 Awareness
Persons doing work under the organization's control shall be aware of:
a. the information security policy;
b. their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c. the implications of not conforming with the information security management system requirements.
ISO/IEC 27001, clause 7.4 Communication
The organization shall determine the need for internal and external communications relevant to the information security management system, including:
a. on what to communicate;
b. when to communicate;
c. with whom to communicate;
d. how to communicate.

ISO/IEC 27001, clause 7.5.1 General
The organization's information security management system shall include:
a. documented information required by this document; and
b. documented information determined by the organization as being necessary for the effectiveness of the information security management system.
NOTE The extent of documented information for an information security management system can differ from one organization to another due to:
1. the size of the organization and its type of activities, processes, products and services;
2. the complexity of processes and their interactions; and
3. the competence of persons.
ISO/IEC 27001, clause 7.5.2 Creating and updating
When creating and updating documented information, the organization shall ensure appropriate:
a. identification and description (e.g. a title, date, author, or reference number);
b. format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c. review and approval for suitability and adequacy.

ISO/IEC 27001, clause 7.5.3 Control of documented information
Documented information required by the information security management system and by this document shall be controlled to ensure:
a. it is available and suitable for use, where and when it is needed; and
b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
c. distribution, access, retrieval and use;
d. storage and preservation, including the preservation of legibility;
e. control of changes (e.g. version control); and
f. retention and disposition.
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.
ISO/IEC 27001, clause 8.2 Information security risk assessment
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). The organization shall retain documented information of the results of the information security risk assessments.

ISO/IEC 27001, clause 8.3 Information security risk treatment
The organization shall implement the information security risk treatment plan. The organization shall retain documented information of the results of the information security risk treatment.
ISO/IEC 27001, clause 9.1 Monitoring, measurement, analysis and evaluation
The organization shall determine:
a. what needs to be monitored and measured, including information security processes and controls;
b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid;
c. when the monitoring and measuring shall be performed;
d. who shall monitor and measure;
e. when the results from monitoring and measurement shall be analysed and evaluated;
f. who shall analyse and evaluate these results.
Documented information shall be available as evidence of the results. The organization shall evaluate the information security performance and the effectiveness of the information security management system.
ISO/IEC 27001, clause 9.2.2 Internal audit programme
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall:
a. define the audit criteria and scope for each audit;
b. select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c. ensure that the results of the audits are reported to relevant management.
Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.

The objective of internal audits is to assess the extent to which an organization has fulfilled the requirements of the standard. Conducting internal audits regularly allows for the continual assessment of the effectiveness of the ISMS and the identification of opportunities for improvement. The organization must establish an internal audit program to determine if the ISMS has achieved the defined objectives, continues to conform to the requirements of the standard as well as to other internal, legal, regulatory, and contractual requirements, and is kept up to date in an efficient manner.

Note: The implementation and management of an internal audit program will be explained on Day 4.
ISO/IEC 27001, clause 9.3.3 Management review results
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. Documented information shall be available as evidence of the results of management reviews.

Management reviews allow the management of the organization to periodically review the level of performance (relevance, effectiveness, and efficiency) of the management system in place. These reviews allow the organization to quickly adapt or refocus the management system in response to internal or external changes. A management review should be organized at least once a year. Management reviews must be recorded. Records of these reviews should be distributed to all review participants and to relevant interested parties.
A corrective action is an action taken to eliminate the root causes of a nonconformity or of any other undesirable existing event and to prevent its recurrence. A corrective action is, thus, a term that includes the reaction to a problem, to security incidents, to gaps in reaching objectives, to nonconformities, etc. The corrective action process should include:
1. Identification and documentation of the nonconformity: The initial step in the process is to define and document the nonconformity and analyze its impacts on the organization.
2. Analysis of the root causes: This step involves determining the source of the problem and analyzing the root causes.
3. Evaluation of options: A list of possible corrective actions is developed and action plans are evaluated. At this stage, if the problem is significant or if the likelihood of recurrence is high, temporary corrective actions can be set in place.
4. Selection of solutions: One or more corrective actions are selected to correct the situation and improvement objectives are determined. The selected solution must correct the problem and should also be able to avoid a recurrence.
5. Implementation of corrective actions: The approved corrective action plan is implemented and all the actions described in the plan are documented.
6. Corrective actions follow-up: The organization must verify that the new corrective controls are in place and effective. The follow-up is usually performed by the person responsible for the project and the audit department.
7. Review of corrective actions: To review the effectiveness of the corrective actions, we periodically evaluate whether the organization is accomplishing its security objectives, based upon the defined corrective actions, and whether those actions remain effective over time.
A preventive action is any action taken to eliminate the causes of a nonconformity or any other potentially undesirable event and to prevent their occurrence in the future. An organization should aim to strike a cost-effectiveness balance between the implementation of corrective and preventive actions.

By establishing a continual risk management process, the organization is usually more likely to detect a change in the risk factors that concern the organization, because risks are not static. Threats, vulnerabilities, probability, or consequences can change abruptly. Consequently, constant monitoring is necessary to detect these changes and take preventive actions before a risk occurs. The organization can ensure, for example, that the following are monitored:
- new assets that have been included in the ISMS;
- modifications to the value of assets, for example, because of the evolution in operational needs;
- new threats (internal or external) identified that have not been evaluated;
- new vulnerabilities identified that have not been evaluated;
- identified vulnerabilities, to determine those exposed to new threats;
- security incidents.

The preventive actions process is similar to the corrective actions process: identifying a potential problem, evaluating solutions, choosing solutions, implementing preventive actions, following up, and reviewing preventive actions.
When documenting the results of the corrective actions taken, organizations should ensure that:

Actions are described in a clear and concise manner.
Accurate dates as to when the corrective actions were completed are stated.
The descriptions of actions taken are sufficiently detailed, with proper evidence supporting the claims that the corrective action has been performed in the way that it was described.
Other specific policies, documents, and procedures are accurately referenced.
1. What is one of the main purposes of implementing an ISMS?
A. To determine the information security objectives
B. To define the information security requirements
C. To reduce information security risks

2. Which of the statements below regarding the ISMS scope is correct?
A. Any inclusions made in the ISMS scope should be justified
B. A key process is not considered part of organizational boundaries
C. The ISMS scope must be available as documented information

3. Who is responsible for establishing the information security policy according to ISO/IEC 27001?
A. The top management
B. Internal interested parties
C. The information security manager

4. What criteria should be considered when selecting a risk assessment methodology?
A. New technologies
B. Costs and availability of supporting software tools
C. Risk treatment plan

5. An organization has decided to move its information-processing facilities to a place where the risk of flooding is low. What option of risk treatment is this?
A. Risk avoidance
B. Risk evaluation
C. Risk sharing
6. Why should an organization draft a Statement of Applicability?
A. To document the justifications for the inclusion and exclusion of Annex A controls
B. To ensure that the ISMS is aligned with the mission of the organization
C. To ensure compliance with industry best practices

7. The risk that remains after risk treatment is known as:
A. Inherent risk
B. Treated risk
C. Residual risk
Section summary:

The Statement of Applicability is a document required by ISO/IEC 27001 which must include all the implemented security controls with justifications for their inclusion.
The organization will have to continually monitor and review the ISMS in order to be compliant with clause 9 of ISO/IEC 27001.
The continual improvement of the ISMS means that the organization continually improves the suitability, adequacy, and effectiveness of its ISMS.
Webos is a software company that offers custom web-based IT solutions for banks and financial institutions. They are focused on developing personalized and flexible banking software. Hence, their services include processing sensitive data. Recently, one of their main partners required an update of the software they got from Webos because their current version was vulnerable to external attacks. Webos provided an updated version that included migrating to the Windows Azure SQL database to solve the encryption, authentication, and high availability problems. However, the solution did not work and Webos’s partner terminated their contract. The project failed due to problems with the segregation of duties in Webos. Their only software development team leader, Julia Robinson, was on maternity leave and her duties and responsibilities were assigned to an inexperienced team member. To increase the security of their services and regain customer confidence, Webos decided to initiate major changes, including the implementation of an ISMS. They decided to improve their existing maintenance and support services and conduct technical investigations for any security incident reported by their partners. In addition, they decided to segregate the duties of the software development team in order to avoid similar situations in the future.

Based on the scenario above, answer the following questions:

1. Which option below presents a vulnerability in Webos’s client system?
A. The updated version of the software
B. The database encryption problems
C. The maternity leave of the software development team leader

2. Webos’s project failed due to the lack of segregation of duties during the maternity leave of the software development team leader. Which of the following is a threat that can impact Webos in this situation?
A. Failure to produce management reports
B. Insufficient software testing
C. Unauthorized use of the system
3. Webos conducted technical investigations after its partners reported security incidents. What is the aim of implementing this security control?
A. To control software operations
B. To report the occurrence of an error or omission
C. To correct the problems and prevent their recurrence

4. By segregating the duties of the software development team, Webos implemented:
A. A managerial control
B. An administrative control
C. A legal control

5. Migration to the Windows Azure SQL database would solve the availability problems by reducing the _____________.
A. Disruption of operations
B. Invasion of privacy of users
C. Leak of sensitive information
Homework 1: Reasons to adopt ISO/IEC 27001
Upon reading the section in the case study named “Company background,” determine and explain the three most significant advantages that BankIT Solutions would gain by implementing an information security management system based on ISO/IEC 27001. In addition, explain how the organization can measure these advantages by means of metrics. What are some potential risks in case BankIT Solutions decides not to comply with ISO/IEC 27001?

Homework 2: Selection of controls
For each risk identified in exercise 1, select the appropriate controls (by providing the correct clause or control number) which allow BankIT to modify, share, or avoid the risk. Refer to the matrix of the exercise sheet.

Homework 3: Information security controls
Determine how you would verify the organization’s conformity to the following controls of Annex A of ISO/IEC 27001. State at least two actions that you would take to verify that the organization conforms to each control.
1. Policies for information security (Annex A 5.1)
2. Access rights (Annex A 5.18)
3. Protection against malware (Annex A 8.7)
4. Information backup (Annex A 8.13)