
The structure of ISO 27001

1. Scope: the scope of the standard (applicable to all types of organizations)
2. Normative References
3. Terms and Definitions
Both refer to ISO 27000, where the terms and definitions are given.

4. Context of the Organization
Requires identifying the internal and external issues relevant to the ISMS and defining the ISMS scope.
5. Leadership: top management responsibilities, setting the roles and responsibilities for the ISMS, and the contents of the top-level Information Security Policy
6. Planning: requirements for risk assessment, risk treatment, the Statement of Applicability, the Risk Treatment Plan, and setting information security objectives
7. Support: requirements for availability of resources, competences, awareness, communication, and control of documents and records
8. Operation: requirements for regular reassessment of risks, implementation of controls, and other processes needed to protect the information
9. Performance Evaluation: requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review
10. Improvement: requirements for nonconformities, corrections and corrective actions, and continual improvement
Annex A (Reference Control Objectives and Controls): provides a catalogue of 114 controls grouped in 14 sections.

Information security principles

For the following security controls, choose on which of the three information security principles (confidentiality, integrity, and availability) they have the biggest impact:

Backup of information: Availability. When information is deleted or corrupted for some reason, it is no longer available to the organization; the backup restores the availability of the information.
Anti-virus software: Integrity. A virus is software that can corrupt information by modifying it; installing anti-virus programs protects the integrity of the information.
Safe box: Confidentiality. Locking paper-based documents in a safe box protects the confidentiality of the information in the documents.
Definitions:
1. Information is an asset which has value to the organization and needs to be protected.
2. Information can have various forms and be stored on different media (digital or paper).
3. Information security is ensuring the confidentiality, integrity and availability of information.

Confidentiality is the assurance of data privacy: only authorized persons are allowed to access the information.

Integrity is the assurance that only authorized persons are able to modify the data, meaning protecting the accuracy and completeness of the information.

Availability is the assurance of timely and reliable access to data and services for authorized users.
Example: (figure: the three principles, confidentiality, integrity and availability)

Introduction to the Information Security Management System
Q: Identify which of the following information security controls are organizational controls:
1. Defining a policy on the use of cryptographic controls: Correct!
2. Implementing cryptographic controls: Incorrect! Implementing cryptographic controls is a technical control.
3. Documenting a clear screen policy: Correct!
4. Training employees how to use cryptographic controls: Incorrect! Training is an HR control.
5. Signing a confidentiality agreement with suppliers: Incorrect! A confidentiality agreement is a legal control.
6. Documenting a procedure for training employees: Correct!
7. Implementing a domain password policy: Incorrect! Implementing domain policies is a technical control.

An ISMS is a systematic approach for managing and protecting a company's information.
The ISMS consists of policies and procedures that set the information security rules, together with technical and other types of controls.
Which security controls are implemented in the company is decided based on the requirements of interested parties, the results of risk assessments, and management decisions.

For each risk, different types of controls will be implemented.
How to decrease the risk to the information? Take a laptop as an example: a procedure that forbids leaving the laptop in the car (an organizational control); protecting the laptop with a password and encrypting its disk (technical controls); a signed statement that obliges the employee to pay for all damage from an incident (a legal control); and finally training employees to use these procedures and making them aware of such risks (an HR control).
Conclusion: information security controls are never only technical or IT related; they should be a combination of different types of controls.

Implementing ISO 27001 requirements

1. Choose which of the following activities are parts of the Plan phase:
1. Identify information security risks: Correct!
2. Conduct internal audit: Incorrect! The internal audit is an activity from the Check phase.
3. Based on the results from the risk assessment, choose controls and document a Statement of Applicability: Correct!
4. Document the Information Security Policy: Correct!
5. Implement improvements: Incorrect! The improvement initiatives are part of the Act phase.
Module 1 - Introduction to ISO 27001
Practice exam
Information security and IT security refer to the same thing:
1. True Incorrect! Information security is wider than IT security, and includes protection of
different kinds of information, not just information stored and transmitted over IT networks.
2. False Correct!

An Information Security Management System is a systematic approach for managing and protecting a company's information.
1. True Correct!
2. False Incorrect! ISMS is a framework for systematic mitigation of security risks related to the
information.

The PDCA cycle is:
1. A method used for management review: Incorrect! PDCA is a method used for implementation and maintenance of an Information Security Management System in organizations.
2. An international standard: Incorrect! PDCA is a concept, not a standard.
3. A method used for implementation and maintenance of an Information Security Management System in organizations: Correct!
4. A tool for conducting risk assessment: Incorrect! PDCA is not related to risk assessment.

The following roles are common in the ISMS implementation process:
1. Project team: Correct! They are the persons who, under coordination of the project manager, will be included in documenting and implementing the information security controls, will help organize other people, give advice, lead the change, etc.
2. Project accountant: Incorrect! Such a role is not critical for the ISMS implementation process.
3. Top management: Correct! The top management must support the process by showing commitment, setting objectives, making decisions, and most importantly providing relevant resources, such as assigning the right people to dedicate enough time for the implementation process, dedicating budget, etc.
4. Project manager: Correct! This is the person who will coordinate the implementation process.
5. Project evaluator: Incorrect! Such a role is not critical for the ISMS implementation process.
Achieving compliance is one of the main benefits of implementing ISO 27001:
1. True: Correct!
2. False: Incorrect! ISO 27001 provides a methodology that helps companies comply with the relevant regulations regarding data protection, privacy, IT governance, etc.
Module 2 - The planning phase
