ISO27001 Risk Management Quiz
64 Questions

Questions and Answers

IG1 organizations prioritize the implementation of cybersecurity measures into four Implementation Groups (IGs)

False

IG2 organizations may have regulatory compliance burdens

True

IG3 organizations address the availability of services and the confidentiality and integrity of sensitive data

True

IG1 organizations can withstand short interruptions of service

False

IG2 organizations are small to medium-sized with limited IT and cybersecurity expertise

False

IG3 organizations implement sub-controls aimed to thwart general attacks and work with small or home office COTS hardware and software

False

IG1 organizations store and process sensitive client or company information

True

IG2 organizations employ security experts specializing in different cybersecurity facets

False

IG3 organizations prioritize and detail the risk mitigation actions

True

IG1 organizations aim to reduce the impact of zero-day attacks

False

IG2 organizations must abate targeted attacks and reduce the impact of zero-day attacks

True

IG3 organizations define high-level risk mitigation actions and set maturity targets for the next 3 years based on industry benchmarks

True

True or false: The head of Sales & Marketing at Toreon has 15+ years of Security Experience.

False

True or false: Toreon's mission includes training individuals in 'Building Cyber capacity'.

True

True or false: Toreon Consulting focuses on 4 impact areas and 4 power houses.

False

True or false: Toreon creates Information Security Strategy aligned to the business and activates it everywhere.

True

High-level description of the actions to take to mitigate the risk associated with finding A is usually the result of a clear risk assessment process

True

One can choose to set a target maturity over 3 years (Governance: 2,40 2,11 2,11 2,25 2,40; Technical: 2,10 1,50 1,75 1,95 2,20)

False

The Cybersecurity strategy example deliverables are 2, 3, 4, and 1 in that order

False

Cybersecurity is too big a task to be handled by one person and should be divided and conquered

True

The Managed Security Office Framework involves Client Security Office, Security Office Essential, and Security & Compliance Projects

True

The Foundation Strong foundation principle for SOaaS includes Pentest, CIS assessment, Business Threat Model, and Security Office Portal

True

In Phase 1: Product/Market Fit, the security objectives include gaining overall security maturity

False

In Phase 2: Repeatable, Scalable & Profitable Growth, the business objectives include exponential growth and market development

True

In Phase 3: Aggressive Scaling, the business objectives include sustaining market leadership & growth

True

The number of Example Deliverables in 'HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY' is 4

True

The number of persons typically involved in the Security Office includes CISO / SPOC, Security Architect, and Sidekick

False

The Cyber Security & Start & ScaleUps GUEST CLASS – SECURITY TRENDS & SECURITY MANAGEMENT Tech Scale-Up Phases are Conserve cash, Invest Aggressively, Search for product/Market Fit, and Scaling the Business

True

An ISMS is a systematic approach for managing an organization's information security, based on risk assessment and the organization's risk acceptance levels.

True

ISO27001 focuses on security controls and risk assessments, while ISO27002 provides guidelines for implementing security controls.

True

ISO27001:2017 includes context, leadership, planning, support, operation, performance evaluation, and improvement.

True

Cyber Compliance is not an essential barrier for trade in the context of security trends and security management.

False

Cybersecurity industry faces a significant lack of resources, with 1205 vacancies in Belgium and a 16% vacancy rate.

True

To define a tailored security strategy and roadmap, business objectives, security trends, and maturity levels need not be considered.

False

Cybersecurity presents opportunities, such as avoidance of direct damage, customer and investor confidence, and product differentiation.

True

Challenges in cybersecurity include the 'Fog of More' and the need for a business-driven, optimized ROSI (Return on Security Investment).

True

Pillars of a security strategy include governance, organizational risks, technical maturity, and security requirements.

True

Developing a cybersecurity strategy involves only selecting a standard/framework, without increasing technical security countermeasures, and prioritizing based on current maturity levels and budget constraints.

False

Risk management is not a crucial aspect of ISO27001:2017, and risks need not be managed at different levels and occasions.

False

A threat is a potential cause of an unwanted incident, and risk management involves comprehensive risk assessments, updates, and assessments during significant changes.

True

True or false: Cybersecurity consists of four layers: technology, people, processes, and economics.

False

True or false: CISOs/Security Officers primarily act as operational leaders in cybersecurity.

False

True or false: Ransomware attacks involve targeted infection of systems and demand payment in exchange for restoring access to data.

False

True or false: Living-off-the-land attacks use untrusted system tools to conduct attacks, making them harder to detect.

False

True or false: Mobile and IoT devices are not targeted by malvertising and malware.

False

True or false: A zero-day vulnerability is a software weakness known to those who should mitigate it, allowing hackers to exploit it before a fix is available.

False

True or false: The cybersecurity landscape is not subject to an ever-growing number of laws, regulations, and standards.

False

True or false: Cybercrime does not operate like a business, with a supply chain, middlemen, and distribution channels.

False

True or false: Spear phishing is a non-targeted form of email scam.

False

True or false: The estimated cost of cybercrime reached $6 trillion in 2021.

True

True or false: Hackers' average return on investment (ROI) per attack is less than $4,500.

True

True or false: Spear phishing and ransomware are not common cybersecurity threats.

False

Risk management for CI/CD servers, such as JIRA and Confluence, involves assessing and protecting critical information assets.

True

ISO27001:2017 outlines 114 controls in 14 clauses and 35 control categories for effective risk management, including controls for information security policies, human resource security, and access control.

True

The NIST Cyber Security Framework (CSF) provides guidelines for developing a cyber security strategy, with easy-to-understand categories and maturity levels for risk management.

True

Continuous diagnostics and mitigation, automation, and measurements and metrics are essential components of an effective cyber security strategy, according to the NIST CSF.

True

The CIS Controls (V7.1) are recommended for the Technical Track, offering a prioritized set of actions that are community-supported, implementable, scalable, and compliant with industry and government security requirements.

True

The 5 critical tenets of an effective cyber defense system, according to the NIST CSF, include offense informs defense, prioritization, measurements and metrics, and continuous diagnostics and mitigation.

True

Example assets include Active Directory Servers, with different risk profiles, RTOs (Recovery Time Objectives), and RPOs (Recovery Point Objectives).

True

NIST validates cyber security programs and offers certifications for individuals as NIST CSF Practitioners.

True

ISO27002:2017 and other standards provide additional controls and guidelines for operational security governance, procedural guidelines, and technical controls.

True

The NIST CSF focuses on options for both the Governance and Technical tracks, including the use of community support networks and prioritized controls for effective cyber defense systems.

True

Study Notes

  • Cyber Compliance is an essential barrier for trade in the context of security trends and security management.

  • Cybersecurity industry faces a significant lack of resources, with 1205 vacancies in Belgium and a 16% vacancy rate.

  • To define a tailored security strategy and roadmap, consider business objectives, security trends, and maturity levels.

  • Cybersecurity presents opportunities, such as avoidance of direct damage, customer and investor confidence, and product differentiation.

  • Challenges in cybersecurity include the "Fog of More" and the need for a business-driven, optimized ROSI (Return on Security Investment).

  • Pillars of a security strategy include governance, organizational risks, technical maturity, and security requirements.

  • Developing a cybersecurity strategy involves selecting a standard/framework, increasing technical security countermeasures, and prioritizing based on current maturity levels and budget constraints.

  • An ISMS (Information Security Management System) is a systematic approach for managing an organization's information security, based on risk assessment and the organization's risk acceptance levels.

  • ISO27k is a family of standards with two main standards: ISO27001 focuses on security controls and risk assessments, while ISO27002 provides guidelines for implementing security controls.

  • ISO27001:2017 includes context, leadership, planning, support, operation, performance evaluation, and improvement.

  • Risk management is a crucial aspect of ISO27001:2017, and risks must be managed at different levels and occasions.

  • A threat is a potential cause of an unwanted incident, and risk management involves comprehensive risk assessments, updates, and assessments during significant changes.

  • Risk is defined as the potential harm or threat to an organization, determined by the impact and probability. (ISO31000, ISO27001:2017)

  • Risk management for CI/CD servers, such as JIRA and Confluence, involves assessing and protecting critical information assets.

  • Example assets include Active Directory Servers, with different risk profiles, RTOs (Recovery Time Objectives), and RPOs (Recovery Point Objectives).

  • ISO27001:2017 outlines 114 controls in 14 clauses and 35 control categories for effective risk management, including controls for information security policies, human resource security, and access control.

  • The NIST Cyber Security Framework (CSF) provides guidelines for developing a cyber security strategy, with easy-to-understand categories and maturity levels for risk management.

  • The NIST CSF focuses on options for both the Governance and Technical tracks, including the use of community support networks and prioritized controls for effective cyber defense systems.

  • Continuous diagnostics and mitigation, automation, and measurements and metrics are essential components of an effective cyber security strategy, according to the NIST CSF.

  • ISO27002:2017 and other standards provide additional controls and guidelines for operational security governance, procedural guidelines, and technical controls.

  • NIST validates cyber security programs and offers certifications for individuals as NIST CSF Practitioners.

  • The CIS Controls (V7.1) are recommended for the Technical Track, offering a prioritized set of actions that are community-supported, implementable, scalable, and compliant with industry and government security requirements.

  • The 5 critical tenets of an effective cyber defense system, according to the NIST CSF, include offense informs defense, prioritization, measurements and metrics, and continuous diagnostics and mitigation.


Description

Test your knowledge of ISO27001 risk management with this quiz. Explore topics such as risk assessment, CI/CD servers, business impact assessment, and recovery objectives.
