1. Privacy legislation such as ________ will influence how information is stored and managed
within the enterprise and how resources are deployed to ensure that it complies with this
legislation.

A. Non-Disclosure Agreement
B. Service Level Agreement
C. Data Protection Act
D. Cybersecurity & Cybercrime Act 2021

2. Information Security Governance is doing the right thing and Information Security
Management is doing things right. If we say Accountability in Governance, which of the
following are we referring to in Management?

A. Flexibility
B. Responsibility
C. Assurance
D. Operability

3. Overcoming difficulties in creating and sustaining a security-aware culture is a challenge of
ineffective

A. Risk Management
B. Governance
C. ISMS
D. Security

4. A policy is a high-level statement of an organization’s values, goals and objectives in a
specific area, and the general approach to achieving them.

True or False?

Answer: True

5. A security policy should contain statements on:

A. how the enterprise will manage information assurance
B. the compliance with legal and regulatory obligations
C. none of the above
D. all of the above

6. A standard is a set of detailed working instructions that will describe what, when, how and by
whom something should be done.

True or False?

Answer: False

7. A ________ exercise should be completed before the audit or review is started and a checklist
should be developed to measure the efficacy of the assurance controls.

A. Inventory
B. Gap Assessment
C. Scoping
D. Risk Assessment

8. Once the results of an audit or review are recorded within a formal report and presented by the
reviewer to both senior management and the manager, which type of plan should be agreed
upon by both the reviewer and the senior management?

A. A governance plan
B. A security framework plan
C. A risk assessment plan
D. A corrective action plan

9. There are normally five phases in the management of an incident. Assessment, Reporting,
Investigation, Review and:

A. Planning
B. Corrective action
C. Act
D. Audit

10. A contract of employment is a very important document because it has ________.

A. Legal standing
B. Due diligence
C. Money involved
D. Disciplinary action

11. The most obvious elements of a code of conduct are the obligations placed upon employees
regarding ________________.

A. nature of work
B. ethics and standards of the organisation
C. awareness
D. malware infection

12. There are many situations where those intending to damage an organisation or its assets use
the __________ of staff to achieve their aims.

A. Address
B. contractual details
C. social behavior
D. phone number

13. The ____________, also known as an end-user code of practice, is the document that defines
the standards for the use of organizational information and communications systems by
employees.

A. service level agreement
B. internet usage policy
C. non-disclosure agreement
D. acceptable use policy

14. Attacking and compromising the information security of an organisation is commonly termed
as:

A. System maintenance
B. System misuse
C. System upgrade
D. System down

15. To limit the dependence that an organisation has upon any one individual is called:

A. acceptable use
B. code of conduct
C. segregation of duties
D. knowledge transfer

16. All of the following are examples of assurance services except:

A. Financial engagement
B. Compliance engagement
C. Due diligence engagement
D. Training engagement

17. Which of the following is responsible for driving the need for information assurance in an
organisation?

A. Risk Managers
B. Board Members
C. Compliance Officers
D. Internal Auditors

18. Reinforcing the Code of Conduct and ethical behavior standards for all internal auditors can
protect which of the following?

A. The business risk
B. The reputation of the Auditors
C. The Board members
D. The organization’s staff

19. Biometrics have distinct advantages over many other forms of identification and authentication
methods because they are free with every user and very difficult to steal or lose.

True or False?

Answer: True

20. Users should only be granted _________ level of privilege to perform the role assigned to
them.

A. Excess
B. Maximum
C. Minimum
D. None of the above

21. The role of the administrator providing access control consists of which of the following:

A. Not removing user access rights when staff leave the organisation
B. Not modifying user access rights if they change role within the organisation
C. Enrolling new users in the system after appropriate validation of identity
D. None of the above

22. Organisations do not need their staff and any third parties accessing their information to
comply with the information assurance policies and procedures in order to reduce the
likelihood of assurance issues.

True or False?

Answer: False

23. Security awareness and training should be seen as which type of process?

A. One-off
B. Continuous
C. Unique
D. Single

24. Tests and reviews should be repeated at periodic intervals to look for any new issues of
technology, threats or processes that need to be addressed.

True or False?

Answer: True