
ISO/IEC 27001

Practitioner

Student Workbook
(I27-302 v1.10)

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
This document contains proprietary information, which is protected by copyright. All rights reserved. No part of this document
may be photocopied, reproduced or translated to another language without prior consent from Quint Wellington Redwood,
Amstelveen.

©2020: Copyright of Quint Wellington Redwood unless otherwise stated.

Quint Wellington Redwood is an accredited training organization (ATO) with PeopleCert, APMG, EXIN, DevOps Agile Skills
Association (DASA) and LEAN IT Association (LITA).

Quint Wellington Redwood is licensed by AXELOS Limited and officially authorized for ITIL®, PRINCE2®, MoP®, MSP®, MoV®,
PRINCE2 Agile®, P3O®, M_o_R® and accredited for the following AXELOS products.

IT Infrastructure Library®, PRINCE2®, MoP®, MSP®, PRINCE2 Agile®, P3O®, M_o_R®, MoV® and the Swirl Logo are [registered]
trademarks of AXELOS Limited. These trademarks are used by Quint Wellington Redwood under permission of AXELOS Limited.
All rights reserved.

Quint Wellington Redwood is licensed and accredited by APMG International and EXIN for the following products:

SIAM™, Agile Scrum Foundation, Agile Scrum Master & Agile Scrum Product Owner certification is a trademark of EXIN Holding BV.

COBIT® is a registered trademark of the IT Systems Audit and Control Association (ISACA).

Application Services Library ASL® and Business Information Services Library BiSL® are registered trademarks of the ASL BiSL
Foundation.

PMI®, PMP® and PMBOK® are registered trademarks of the Project Management Institute Inc.

Quint Wellington Redwood is a founding forerunner of the DevOps Agile Skills Association (DASA).

Quint Wellington Redwood is a founding member of the LEAN IT Association (LITA).

The PMI Registered Education Provider logo is a registered mark of the Project Management Institute, Inc.
Quint Wellington Redwood has been approved by PMI to issue PDUs for your courses.

Contents

03   Notice
07   PMI Project Management Professionals
09   Syllabus
45   Module 1: Introduction and Background
79   Module 2: Preparing for the ISMS
103  Module 3: Planning and Operating the ISMS
139  Module 4: Controls
213  Sample Exams
275  Supplementary Paper
289  Glossary
317  Acronyms
321  Forms

Attendees of this course earn Professional Development Units (PDUs) granted by the Project
Management Institute (PMI®) in order to maintain their status as certified Project Management
Professional (PMP).

Please ask your instructor for the applicable Registered Education Provider (R.E.P.) ID and Course code
in order to be able to claim your PDUs after completing your course.

If you are interested to learn more about this program, please log on to:
http://www.pmi.org/

Information Security Management
Qualification using
ISO/IEC 27001

Scheme Syllabus
For ISO/IEC 27001 Foundation,
Practitioner- Information Security Officer
and Auditor qualifications

Version 4.6 (Status: Final) Page 1 of 35 Owner: Chief Examiner


©The APM Group Limited 2020
This document is not to be reproduced or re-sold without the express permission from The APM Group Ltd
The APMG-International ISO/IEC 27001 and Swirl Device logo is a Trade Mark of The APM Group Limited
Introduction
Note: in the following text, ‘ISMS’ is used to refer to an Information Security Management
System meeting the requirements of ISO/IEC 27001:2013. ‘IS’ is used to refer to Information
Security as, for example, in IS processes.

This syllabus describes the APMG ISO/IEC 27001 Foundation, Practitioner – Information
Security Officer and Auditor certificate qualifications.

The primary purpose of the syllabus is to provide a basis for accreditation of people involved
with ISO/IEC 27001 and information security management at Foundation, Practitioner –
Information Security Officer and Auditor levels. It documents the learning outcomes for the
following ISO/IEC 27001 qualifications at these levels and describes the requirements a candidate is
expected to meet to demonstrate that these learning outcomes have been achieved at each
qualification level:

- ISO/IEC 27001 Foundation
- ISO/IEC 27001 Practitioner – Information Security Officer
- ISO/IEC 27001 Auditor

The target audience for this document is:

- Exam Board
- Exam Panel
- APMG Assessment Team
- Accredited Training Organizations

This syllabus informs the design of the exams and provides accredited training organizations
with a more detailed breakdown of what the exams will assess. Details on the exam structure
and content are documented in the ISO/IEC 27001 exam design documents.

1 Foundation Qualification
1.1 Purpose of the Foundation Qualification
The purpose of the Foundation qualification is to confirm that a candidate has sufficient
knowledge of the contents and high-level requirements of the ISO/IEC 27001 standard and
understands at a foundation level how the standard operates in a typical organization.
The Foundation qualification is designed to provide the basic knowledge of ISO/IEC 27001
required as a pre-requisite for the Practitioner – Information Security Officer qualification.

1.2 Target Audience

This qualification is aimed at those who are:

- Supporting the implementation, operation or maintenance of an ISMS within an
organization
- Required to audit an ISMS and to have a basic understanding of the standard
- Working within an organization with an ISMS, whether the organization is already
certified or is considering certification to ISO/IEC 27001
- Preparing for the ISO/IEC 27001 Practitioner – Information Security Officer qualification.

There is no pre-requisite for the Foundation qualification but an interest and/or background
in information security or service management would be an advantage.

1.3 High Level Performance Definition of a Successful Information Security Management Foundation Candidate

The candidate should understand the scope, objectives, key terminology and high-level
requirements of the ISO/IEC 27001 standard, how it is used in an organization for information
security, together with the main elements of the certification process.

Specifically, the candidate should understand:

- The scope and purpose of ISO/IEC 27001 and how it can be used
- The key terms and definitions used in the ISO/IEC 27000 series
- The fundamental requirements for an ISMS in ISO/IEC 27001 and the need for continual
improvement
- The processes, their objectives and high-level requirements
- Applicability and scope definition requirements
- Use of controls to mitigate IS risks
- The purpose of internal audits and external certification audits, their operation and the
associated terminology
- The relationship with best practices and with other related International Standards: ISO
9001 and ISO/IEC 20000.

2 Practitioner – Information Security Officer Qualification

2.1 Purpose of the Practitioner – Information Security Officer Qualification
The purpose of the Practitioner – Information Security Officer qualification is to confirm whether
the candidate has achieved sufficient understanding of ISO/IEC 27001 and its application in a
given situation. A successful Practitioner – Information Security Officer candidate should, with
suitable direction, be able to start applying the International Standard to enable the management
of information security, but may not be sufficiently skilled to do this appropriately for all situations.
Their individual information security expertise, the complexity of the information security
management system and the support given for the use of ISO/IEC 27001 in their work
environment will all be factors that impact what the Practitioner – Information Security Officer
can achieve.

2.2 Target Audience

This qualification is aimed at those who are:

- Internal managers and personnel working to implement, maintain and operate an ISMS
within an organization
- External consultants supporting an organization’s implementation, maintenance and
operation of an ISMS
- Internal auditors who are required to have an applied knowledge of the standard

An ISO/IEC 27001 Foundation certificate (or equivalent if accepted by APMG) is a pre-requisite
for the Practitioner – Information Security Officer qualification.

2.3 High Level Performance Definition of a Successful Information Security Management Practitioner – Information Security Officer Candidate

Candidates must exhibit the competences required for the foundation qualification and show
that they can apply ISMS concepts to achieve the objectives and requirements of ISO/IEC
27001 and supporting standards within an organizational context.

Specifically, successful candidates should be able to:

- Apply the principles of ISMS policy and its information security scope, objectives, and
processes within an organizational context
- Apply the principles of risk management including risk identification, analysis and
evaluation and propose appropriate treatments and controls to reduce information
security risk, support business objectives and improve information security
- Analyze and evaluate deployed risk treatments and controls to assess their
effectiveness and opportunities for continual improvement
- Analyze and evaluate the effectiveness of the ISMS through the use of internal audit and
management review to continually improve the suitability, adequacy and effectiveness of
the ISMS

- Understand, create, apply and evaluate the suitability, adequacy and effectiveness of
documented information and records required by ISO/IEC 27001
- Identify and apply appropriate corrective actions to maintain ISMS conformity with
ISO/IEC 27001

3 Auditor Qualification
3.1 Purpose of the Auditor Qualification
The purpose of the Auditor qualification is to confirm whether the candidate has achieved
sufficient understanding of ISO/IEC 27001 and ISO 19011 in their application in a given
situation. A successful Auditor candidate should be able to perform audits against ISO/IEC
27001, lead organizations through an audit program and direct audit teams in relation to the
guidance given in ISO 19011. Their individual information security expertise, understanding of
the complexity of the information security management systems and the support given for the
use of ISO/IEC 27001 in their work environment will all be factors that impact what the Auditor
can achieve.

3.2 Target Audience

This qualification is aimed at auditors who wish to understand the specific requirements of
auditing Information Security Management Systems (both internal and external resources) for
conformity with the ISO/IEC 27001 standard. Internal auditors working in an organization which
is implementing or already holds ISO/IEC 27001 certification will find this course useful to
improve not only their understanding of the subject but also the application of ISO/IEC 27001
within their organization.

The Auditor qualification assumes candidates will have knowledge of the ISO/IEC 27001 and
ISO 19011 standards, and their application in a given situation. It is recommended that
candidates hold the APMG ISO/IEC 27001 Foundation level (or equivalent qualification) before
attending this course.

3.3 High Level Performance Definition of a Successful Auditor Candidate

The candidate should understand the scope and key terminology of ISO/IEC 27001 and ISO
19011 and demonstrate knowledge of how to audit organizations to identify conformity with ISO
27001, how to audit leadership, planning and operations, and how to assess appropriate risk
assessment, treatments and controls to reduce information security risk. They have knowledge
of how to lead organizations through an audit program, direct audit teams in relation to the
guidance given in ISO 19011 and how to evaluate the effectiveness of applied corrective actions
to maintain ISMS conformity with ISO 27001.

Specifically, successful candidates should be able to:

- Understand terms and definitions relating to auditing requirements
- Understand how ISO 19011 and auditing requirements can be used to achieve conformity
to ISO/IEC 27001
- Apply auditing of the ISMS Leadership and Support management system requirements and
identify, analyze and distinguish audit requirements within an ISMS to demonstrate
conformity status to ISO/IEC 27001 for a given scenario
- Apply auditing of the ISMS Planning, operation, performance evaluation and improvement
management system requirements and identify, analyze and distinguish audit
requirements within an ISMS to demonstrate conformity status to ISO/IEC 27001 for a given
scenario
- Be able to apply an audit of the ISO/IEC 27001 Annex A controls in a scenario, as defined
in ISO/IEC 27002
- Know facts, terms and concepts about auditing an ISMS for ISO/IEC 27001 certification
and concepts relating to providing and conducting audits.
- Understand the concepts, responsibilities and requirements for auditing and preparing to
achieve certification for ISO/IEC 27001.

4 Learning Outcomes Assessment Model
A classification widely used when designing assessments for certification and education is the
Bloom’s Taxonomy of Educational Objectives. This classifies learning objectives into six
ascending learning levels, each defining a higher degree of competencies and skills. (Bloom et
al, 1956, Taxonomy of Educational Objectives).

APMG have incorporated this into a Learning Outcomes Assessment Model which is used to
provide a simple and systematic means for assessing and classifying the learning outcomes
for APMG qualifications.

This structured approach helps to ensure:

- A clear delineation in learning level content between different qualification levels
- Learning outcomes are documented consistently across different areas of the guidance
- Exam questions and papers are consistent and are created to a similar level of difficulty.

The Foundation qualification examines learning outcomes at levels 1 (knowledge) and 2
(comprehension).

The Practitioner – Information Security Officer qualification tests learning outcomes at levels 2
(comprehension), 3 (application) and 4 (analysis).

The Auditor qualification tests learning outcomes at levels 1 (knowledge), 2
(comprehension), 3 (application) and 4 (analysis).

ISO/IEC 27001 Learning Outcomes Assessment Model

1. Knowledge
  Generic Definition from APMG Learning Outcomes Assessment Model: Know key facts, terms and concepts from the standard.
  Information Security Management Auditor Qualification Learning Outcome Assessment Model: Know facts, including terms and definitions, concepts, principles, controls, roles and responsibilities from the relevant standards.

2. Comprehension
  Generic Definition: Understand key concepts from the standard.
  Auditor Qualification: Understand the concepts, responsibilities and the requirements, processes and documents needed for auditing management systems.

3. Application
  Generic Definition: Be able to apply key concepts relating to the syllabus area for a given scenario.
  Auditor Qualification: Be able to audit key ISMS concepts relating to achievement of the requirements of ISO/IEC 27001 and ISO 19011 for a given scenario.

4. Analysis
  Generic Definition: Be able to analyse and distinguish between appropriate and inappropriate use of the standard for a given scenario situation.
  Auditor Qualification: Be able to identify, analyze and distinguish between appropriate and inappropriate use of ISMS methods for achieving the requirements of ISO/IEC 27001 and ISO 19011 through assessment of situations outlined in given scenarios.

5 Syllabus Areas
The syllabus is presented by syllabus areas. This is the unit of learning which may relate to a
chapter from the standard or several concepts commonly grouped together in a training course
module.

The following syllabus areas are identified.

Syllabus Area Code   Syllabus Area Title
OV                   Overview of ISO/IEC 27001 and related best practices, standards and schemes
LE                   Leadership and support of the ISMS
PL                   Planning and operation of the ISMS
CO                   Information security control objectives and controls
AM                   Auditing information management systems
AC                   Achieving ISO/IEC 27001 certification

6 Syllabus Presentation
For each syllabus area learning outcomes for each learning level are identified. Each learning
outcome is then supported by a description of the requirements that a candidate is expected to
meet to demonstrate that the learning outcome has been achieved at the qualification level
indicated. These are shown as syllabus topics.

This syllabus is for the Foundation, Practitioner – Information Security Officer and Auditor level
qualification.

Each of the syllabus areas is presented in a similar format as follows (the numbers in square
brackets refer to the key below):

Syllabus Area [1]: The ISO/IEC 27001 Auditor syllabus Area (XX) Theme
Syllabus Area Code [2]: AM

Learning outcome [3]: Know fact, terms and concepts relating to the syllabus area.
Specifically to recall:

Level [4] | Topic [5] | Topic Description [6] | Foundation [7] | Practitioner - ISO [7] | Auditor [7] | Primary References [8]
01        | 01        | ...                   |                |                        |             |
01        | 02        | ...                   |                |                        |             |

Key to the Syllabus Area table

1 Syllabus Area: Unit of learning, e.g. chapter of the reference guide or course module.

2 Syllabus Area Code: A unique character code identifying the syllabus area.

3 Learning Outcome (topic header shown in bold): A statement of what a candidate will be expected to know,
understand or do.

4 Level: Classification of the learning outcome against the APMG OTE Learning Outcomes Assessment Model.

5 Topic Reference: Number of the topic within the learning level.

6 Topic Description: Description of what is required of the candidate to demonstrate that a learning outcome
has been achieved at the qualification level indicated.

7 Foundation / Practitioner - ISO / Auditor: Shows at which qualification level the topic is assessed.
N.B. A topic is only assessed at one qualification level.

8 Primary Reference: The main reference supporting the topic.

7 Important Points
The following points about the use of the syllabus should be noted.

It is important to note the correct editions of the reference material.

7.1 ISO/IEC 27001 Foundation Guide References

The primary references for the Foundation qualification are the International Standards:

- ISO/IEC 27001:2013 Information technology -- Security techniques -- Information
security management systems – Requirements
- ISO/IEC 27000:2018 Information technology -- Security techniques -- Information
security management systems - Overview and vocabulary.

Other references are made to:

- Supplementary reference paper for ISO/IEC 27001 Qualification.

The Foundation level requires knowledge of the requirements in ISO/IEC 27001:2013 and the
terms, definition and concepts in ISO/IEC 27000:2018 as well as information in the
supplementary reference paper as stated in the syllabus topic. It is essential that all delegates
have access to a personal copy of ISO/IEC 27001:2013 and the Supplementary Reference
Paper during any training course. Delegates should have access to a personal copy of ISO/IEC
27000:2018 or to the information referenced from it in this syllabus. Please note that the
examination is closed book.

The references provided should be considered to be indicative rather than comprehensive, i.e.
there may be other valid references within the guidance.

For the primary reference, the relevant part of the standard is used as the major part of the
reference and this is followed by the section number used e.g. ISO/IEC 27001, 4.2 relates to
ISO/IEC 27001:2013 Clause 4.2.

The syllabus requires awareness of but does not require a detailed knowledge of other
referenced standards:

- ISO 9001:2015, Quality management systems — Requirements
- ISO/IEC 20000-1:2018, Information technology – Service management - Part 1: Service
management system requirements
- ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice
for information security management
- ISO/IEC 27003:2017, Information technology -- Security techniques -- Information
security management systems guidance
- ISO/IEC 27004:2016 Information technology -- Security techniques -- Information
security management – Monitoring, Measurement, Analysis and Evaluation
- ISO/IEC 27005:2018, Information technology -- Security techniques -- Information
security risk management
- ISO/IEC 27006:2015, Information technology -- Security techniques -- Requirements for
bodies providing audit and certification of information security management systems
- ISO/IEC 27013:2015, Information technology -- Security techniques – Guidance on the
integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.

7.2 ISO/IEC 27001 Practitioner - Information Security Officer Guide References

All Foundation level requirements are assumed to have been met for Practitioner – Information
Security Officer level and are not directly assessed again, although Foundation level knowledge
and understanding will be used when demonstrating Practitioner application and analysis
learning outcomes.

The primary references for the Practitioner – Information Security Officer course are the
International Standards:

- ISO/IEC 27001:2013 Information technology -- Security techniques -- Information
security management systems – Requirements
- ISO/IEC 27000:2018 Information technology -- Security techniques -- Information
security management systems - Overview and vocabulary
- ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice
for information security controls
- ISO/IEC 27005:2018, Information technology -- Security techniques -- Information
security risk management

Reference is made to ISO/IEC 27003:2017, Information technology -- Security techniques --
Information security management system implementation guidance. Candidates do not need
their own copy of this standard as the relevant information is available in the Supplementary
reference paper for ISO/IEC 27001 Qualification, Sections 5 and 6.

Syllabus topics at levels 3 and 4 provide the primary references but may also include any other
topic from the syllabus area.

It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2013 and the
Supplementary Reference Paper during any training course. Delegates should have access to
a personal copy of ISO/IEC 27002:2013 and ISO/IEC 27005:2018. Please note that the
examination is open book.

7.3 ISO/IEC 27001 Auditor Guide References
The Auditor qualification assumes candidates will have knowledge of the ISO/IEC 27001 and
ISO 19011 standards, and their application in a given situation. It is recommended that
candidates hold the APMG ISO/IEC 27001 Foundation level (or equivalent qualification) before
attending this course.

The primary references for the ISO/IEC 27001 Auditor course are the International Standards:

- ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security
management systems – Requirements
- ISO/IEC 27000:2018 Information technology -- Security techniques -- Information security
management systems - Overview and vocabulary
- ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice
for information security management
- ISO 19011:2018 Guidelines for auditing management systems
- APMG ISO/IEC 27001 Supplementary Paper

Other references are made to the Supplementary reference paper for ISO/IEC 27001
Qualification.

It is mandatory that all delegates have access to a personal copy of these documents during
their training and at the Examination.

Please note that Auditor examinations are open book. No content-related personal notes in the
standards used are permitted.

Syllabus topics at levels 3 and 4 provide the primary references but may also include any other
topic from the syllabus area.

The references provided should be considered to be indicative rather than comprehensive, i.e.
there may be other valid references within the guidance.

For the primary reference, the relevant part of the standard is used as the major part of the
reference and this is followed by the section number used e.g. ISO/IEC 27001, 4.2 relates to
ISO/IEC 27001:2013 Clause 4.2.

8 Syllabus Exclusions
The syllabus does not require specific knowledge of ISMS implementation and best
management practice guidelines.

Syllabus Area: Overview of ISO/IEC 27001 and Related Best Practices, Standards and Schemes
Syllabus Area Code: OV
(Each topic lists its Level and Topic number, the topic description, the qualification level at which it
is assessed (Foundation, Practitioner - ISO or Auditor) and its primary references.)

Level 1 learning outcome: Know facts, terms and concepts at overview level about ISO/IEC 27001 and
related best practices, standards and schemes. Specifically, to recall:

01 01  The key standards with their purpose that comprise the ISO/IEC 27000 series:
       1. ISO/IEC 27000
       2. ISO/IEC 27001
       3. ISO/IEC 27002
       4. ISO/IEC 27003
       5. ISO/IEC 27004
       6. ISO/IEC 27005
       Assessed at: Foundation
       Primary reference: ISO/IEC 27000, 5.2, 5.3 & 5.4 (title and purpose sections only)

01 02  Compatibility of ISMS with other management system standards, specifically ISO 9001 for
       quality management
       Assessed at: Foundation
       Primary reference: Supplementary paper, 2.1

01 03  1. Compatibility of ISMS with other management system standards, specifically ISO/IEC 20000-1
          for service management.
       2. The use of ISO/IEC 27013 for guidance on integrated implementation.
       Assessed at: Foundation
       Primary reference: Supplementary paper, 2.2

01 04  Definitions of the following terms:
       1. Asset
       2. Availability
       3. Confidentiality
       4. Integrity
       5. Information security
       6. Information security event
       7. Information security incident
       8. Information security management system
       Assessed at: Foundation
       Primary references: Supplementary paper, 2.3; ISO/IEC 27000, 3
01 05  Definitions of the following terms:
       1. Residual risk
       2. Risk acceptance
       3. Risk analysis
       4. Risk assessment
       5. Risk criteria
       6. Risk evaluation
       7. Risk identification
       8. Risk management
       9. Risk owner
       10. Risk treatment
       Assessed at: Foundation
       Primary reference: ISO/IEC 27000, 3

01 06  Definitions of the following terms:
       1. Consequence
       2. Risk
       3. Threat
       4. Vulnerability
       Assessed at: Foundation
       Primary reference: ISO/IEC 27000, 3

01 07  The names of the clauses (shown unindented) and sub-clauses (indented beneath their clause)
       covered within requirements of ISO/IEC 27001:
       1. Context of the organization
          2. Understanding the organization and its context
          3. Understanding the needs and expectations of interested parties
          4. Determining the scope of the information security management system
          5. Information security management system
       6. Leadership
          7. Leadership and commitment
          8. Policy
          9. Organizational roles, responsibilities and authorities
       10. Planning
          11. Actions to address risks and opportunities
          12. Information security objectives and planning to achieve them
       13. Support
          14. Resources
          15. Competence
          16. Awareness
          17. Communication
          18. Documented information
       19. Operation
          20. Operational planning and control
          21. Information security risk assessment
          22. Information security risk treatment
       23. Performance evaluation
          24. Monitoring, measurement, analysis and evaluation
          25. Internal audit
          26. Management review
       27. Improvement
          28. Nonconformity and corrective action
          29. Continual improvement
       Annex A (normative) Reference control objectives and controls
       Assessed at: Foundation
       Primary reference: ISO/IEC 27001, Contents

01 08  Information about ISO/IEC 27001 qualification and certification:
       1. The APMG qualification scheme
       2. The principles of ISO/IEC 27001 certification
       Assessed at: Foundation
       Primary reference: Supplementary paper, 2.4

There are no syllabus items at level 1 for this area for Practitioner - ISO or Auditor.

Level 2 learning outcome: Understand how ISO/IEC 27001 and associated best practices, standards and
schemes can be used to achieve conformity to ISO/IEC 27001. Specifically, to identify:

02 01  The relationships and differences between ISO/IEC 27001 and the following standards within
       the ISO/IEC 27000 series:
       1. ISO/IEC 27000
       2. ISO/IEC 27002
       3. ISO/IEC 27003
       4. ISO/IEC 27004
       5. ISO/IEC 27005
       Assessed at: Foundation
       Primary reference: ISO/IEC 27000, 5.2, 5.3, 5.4 (title and purpose sections only)

02 02  The roles of the organizations and entities involved in ISO/IEC 27001 Qualification and
       Certification Schemes:
       1. APMG-International
       2. Certification Bodies (CBs)
       3. National Accreditation Bodies (NABs)
       4. Accredited Training Organizations (ATOs)
       5. Practitioners
       6. Consultants
       7. Internal Auditors
       8. External Auditors
       Assessed at: Foundation
       Primary reference: Supplementary paper, 2.5

02 03  The benefits of implementing an ISMS
       Assessed at: Foundation
       Primary reference: ISO/IEC 27000, 4.7

There are no syllabus items at level 2 for this area for Practitioner - ISO or Auditor.

There are no syllabus items at level 3 for this area for Foundation, Practitioner - ISO or Auditor.

There are no syllabus items at level 4 for this area for Foundation, Practitioner - ISO or Auditor.

Syllabus Area: Leadership and support of the ISMS (Syllabus Area Code: LE)

| Level & Topic No. | Topic | Primary References | Foundation / Practitioner / Auditor (ticks) |
|---|---|---|---|
| 01 | Know facts and concepts relating to leadership and support of the Information Security Management System within Clauses 4, 5 and 7 of ISO/IEC 27001. Specifically, to recall: | | |
| 01 01 | The general requirements to manage an ISMS | ISO/IEC 27001, 4.4 | ✓ |
| 01 02 | The integration of the ISMS with the organization’s processes and management structure | ISO/IEC 27001, 0.1 para 3, 5.1 b) | ✓ |
| 01 03 | The decisions and influencing factors for the adoption and implementation of an ISMS | ISO/IEC 27001, 0.1, para 1 | ✓ |
| 01 04 | The requirement to understand the organization and its context | ISO/IEC 27001, 4.1 | ✓ |
| 01 05 | The requirement to understand the needs and expectations of interested parties | ISO/IEC 27001, 4.2 | ✓ |
| 01 06 | The characteristics used to define the scope and boundaries of the ISMS | ISO/IEC 27001, 1, 4.3 | ✓ |
| 01 07 | The contents of the ISMS policy | ISO/IEC 27001, 5.2b), 5.2c) & 5.2d) | ✓ |
| 01 | There are no syllabus items at level 1 for this area | | ✓ ✓ |
| 02 | Understand the concepts, responsibilities, requirements and processes about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001. Specifically, to identify: | | |
| 02 01 | The basic principles of top management demonstrating leadership and commitment for the ISMS by: (1) Establishing an information security policy and objectives; (2) Communicating the importance of effective information security management and of conforming to the ISMS requirements; (3) Ensuring the ISMS achieves its intended outcomes | ISO/IEC 27001, 5.1a), 5.1d) & 5.1e) | ✓ |
| 02 02 | Further principles of top management demonstrating leadership and commitment to ISMS processes, specifically: (1) Ensuring integration of ISMS requirements with the organization’s processes (5.1 b); (2) Promoting continual improvement (5.1 g); (3) Supporting other management roles to demonstrate leadership (5.1 h) | ISO/IEC 27001, 5.1 b), 5.1 g) & 5.1 h) | ✓ |
| 02 03 | The requirements of top management for organizational roles, responsibilities and authorities | ISO/IEC 27001, 5.3, 5.1f) | ✓ |
| 02 04 | The activities and considerations to be made when defining roles and responsibilities | ISO/IEC 27003, 5.2, 5.3 (Supplementary paper, 6) | ✓ |
| 02 05 | The roles and their specific requirements and responsibilities required for information security management and operation, along with their interaction within the organization | ISO/IEC 27003, 5.2, 5.3 (Supplementary paper, 6) | ✓ |
| 02 06 | The basic principles of the requirements related to documented information within an ISMS: (1) The documents required within an ISMS; (2) The control of documented information to ensure availability, suitability and protection | ISO/IEC 27001, 7.5.1a), 7.5.1b), 7.5.3a) & 7.5.3b) | ✓ |
| 02 07 | The requirements for the processes and content for the appropriate management of documents for the operation of an ISMS, specifically: (1) The creation and updating of documents (7.5.1 NOTE, 7.5.2); (2) The control of documented information (7.5.3 c-f, end para & NOTE) | ISO/IEC 27001, 7.5.1 NOTE a-c), 7.5.2, 7.5.3 c-f) end para & NOTE | ✓ |
| 02 08 | The basic principles of the provision of resources and competence within an ISMS: (1) Determining and providing resources needed for the operation of the ISMS; (2) Determining and ensuring competence based on education, training or experience; (3) Taking necessary actions and retaining documentation as evidence of competence | ISO/IEC 27001, 7.1, 7.2 & 5.1c | ✓ |
| 02 09 | The basic principles for awareness and communication for personnel working within an ISMS: (1) Awareness of the information security policy, contribution to the effectiveness of the ISMS, benefits of the ISMS and implications of not complying with the ISMS; (2) Determining the need for internal and external communication about the ISMS | ISO/IEC 27001, 7.3, 7.4 1st line of para 1 excluding a) – e) | ✓ |
| 02 10 | The appropriate internal and external communications requirements including: (1) The subject for communication (7.4 a); (2) The timing of the communication (7.4 b); (3) The audience (7.4 c); (4) The communicator (7.4 d); (5) The communication process (7.4) | ISO/IEC 27001, 7.4 a) - e) | ✓ |
| 02 11 | The requirements for appropriate boundaries and scope for an ISMS with consideration of: (1) External and internal issues; (2) The requirements of interested parties; (3) The interfaces and dependencies of activities | ISO/IEC 27001, 4.3; ISO/IEC 27003:2017, 4.2 (Supplementary paper, 5) | ✓ |
| 02 12 | Appropriate information requirements for inclusion in an ISMS policy including: (1) The purpose of the organization (5.2 a); (2) Information security objectives or a framework for setting objectives (5.2 b); (3) A commitment to satisfy applicable requirements (5.2 c); (4) A commitment to continual improvement (5.2 d); (5) Communication and availability requirements (5.2 e-g) | ISO/IEC 27001, 5.2 a) - g) | ✓ |
| 02 | There are no syllabus items at level 2 for this area | | ✓ |
| 03 | Apply the ISMS Leadership and Support management systems requirements from ISO/IEC 27003, to enable the achievement of conformity to ISO/IEC 27001 for a given scenario. Specifically, to apply: | | |
| 03 01 | The activities and considerations to be made when defining roles and responsibilities | ISO/IEC 27003, 5.2 & 5.3 (Supplementary paper, 6) | ✓ |
| 03 02 | The roles and their specific requirements and responsibilities required for information security management and operation, for a given scenario | ISO/IEC 27003, 5.2 & 5.3 (Supplementary paper, 6) | ✓ |
| 03 03 | The concepts, responsibilities and requirements about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001 | ISO/IEC 27001, 4, 5 & 7 | ✓ |
| 03 | Apply auditing to the ISMS Leadership and Support management system requirements to enable the achievement of an audit to ISO/IEC 27001 for a given scenario. Specifically, to apply: | | |
| 03 04 | The concepts, responsibilities and requirements about the context for an ISMS according to Clause 4 of ISO/IEC 27001 | ISO/IEC 27001, 4 | ✓ |
| 03 05 | The concepts, responsibilities and requirements about the leadership for an ISMS according to Clause 5 of ISO/IEC 27001 | ISO/IEC 27001, 5 & 7.1 | ✓ |
| 03 06 | The concepts, responsibilities and requirements about the awareness and competence support for an ISMS according to Clause 7 of ISO/IEC 27001 | ISO/IEC 27001, 7.2 & 7.3 | ✓ |
| 03 07 | The concepts, responsibilities and requirements about the communication and documented information support for an ISMS according to Clause 7 of ISO/IEC 27001 | ISO/IEC 27001, 7.4 & 7.5 | ✓ |
| 03 | There are no syllabus items at level 3 for this area | | ✓ |
| 04 | Analyze and distinguish between appropriate and inappropriate use of ISMS Leadership and Support management systems’ requirements, as given in ISO/IEC 27003, to maintain conformity to ISO/IEC 27001 for a given scenario. Specifically, to analyze: | | |
| 04 01 | The activities and considerations to be made when defining roles and responsibilities | ISO/IEC 27003, 5.2 & 5.3 (Supplementary paper, 6) | ✓ |
| 04 02 | The roles and their specific requirements and responsibilities required for information security management and operation, for a given scenario | ISO/IEC 27003, 5.2 & 5.3 (Supplementary paper, 6) | ✓ |
| 04 03 | The concepts, responsibilities and requirements about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001 | ISO/IEC 27001, 4, 5 & 7 | ✓ |
| 04 | Analyze the ISMS Leadership and Support management system requirements to enable the achievement of an audit to ISO/IEC 27001 for a given scenario. Specifically, to analyse: | | |
| 04 04 | The concepts, responsibilities and requirements about the context for an ISMS according to Clause 4 of ISO/IEC 27001 | ISO/IEC 27001, 4 | ✓ |
| 04 05 | The concepts, responsibilities and requirements about the leadership for an ISMS according to Clause 5 of ISO/IEC 27001 | ISO/IEC 27001, 5 & 7.1 | ✓ |
| 04 06 | The concepts, responsibilities and requirements about the awareness and competence support for an ISMS according to Clause 7 of ISO/IEC 27001 | ISO/IEC 27001, 7.2 & 7.3 | ✓ |
| 04 07 | The concepts, responsibilities and requirements about the communication and documented information support for an ISMS according to Clause 7 of ISO/IEC 27001 | ISO/IEC 27001, 7.4 & 7.5 | ✓ |
| 04 | There are no syllabus items at level 4 for this area | | ✓ |

Syllabus Area: Planning and operation of the ISMS (Syllabus Area Code: PL)

| Level & Topic No. | Topic | Primary References | Foundation / Practitioner / Auditor (ticks) |
|---|---|---|---|
| 01 | Know facts, terms and concepts relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001. Specifically, to recall: | | |
| 01 01 | Contents of the Statement of Applicability | ISO/IEC 27001, 6.1.3 d) | ✓ |
| 01 02 | Monitoring, measurement, analysis and evaluation: (1) evaluating performance and the effectiveness of the ISMS; (2) selecting methods to produce comparable and reproducible results; (3) documenting the results | ISO/IEC 27001, 9.1 para 1, last para and NOTE | ✓ |
| 01 03 | The requirements for continual improvement of the ISMS | ISO/IEC 27001, 10.2 & 5.1g | ✓ |
| 01 | There are no syllabus items at level 1 for this area | | ✓ ✓ |
| 02 | Understand the concepts, responsibilities, requirements and processes relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001. Specifically, to identify: | | |
| 02 01 | Actions to address risks and opportunities: (1) Determine the risks and opportunities that need to be addressed; (2) Plan actions to address these risks and opportunities; (3) Plan how to fit the actions into the ISMS and evaluate their effectiveness | ISO/IEC 27001, 6.1.1 | ✓ |
| 02 02 | Defining and applying the risk assessment process: (1) information security risk criteria; (2) consistent, comparable and valid results for repeated assessments; (3) performing assessments at planned intervals; (4) retain documented information for the process and the results of assessments | ISO/IEC 27001, 6.1.2 a), b), last para & 8.2 | ✓ |
| 02 03 | The general considerations, basic criteria, scope and boundaries and organization for establishing the context of the risk management process, specifically the: (1) Risk evaluation criteria; (2) Impact criteria; (3) Risk acceptance criteria | ISO/IEC 27005, 7 | ✓ |
| 02 04 | Identifying the information security risks | ISO/IEC 27001, 6.1.2 c) | ✓ |
| 02 05 | The steps in risk identification, specifically: (1) Assets; (2) Threats; (3) Existing controls; (4) Vulnerabilities; (5) Consequences | ISO/IEC 27005, 8.2 & Annex B1 1st para. | ✓ |
| 02 06 | Analyzing and evaluating the risks | ISO/IEC 27001, 6.1.2d) & 6.1.2e) | ✓ |
| 02 07 | The methodologies for risk analysis and the approach to risk evaluation, specifically the assessment of: (1) Consequences; (2) Incident likelihood; (3) Risk determination | ISO/IEC 27005, 8.3 & 8.4 | ✓ |
| 02 08 | Selection of the risk treatment options taking account of the risk assessment results | ISO/IEC 27001, 6.1.3a); ISO/IEC 27000, 3.72 | ✓ |
| 02 09 | The approaches to risk treatment, specifically: (1) Modification; (2) Retention; (3) Avoidance; (4) Sharing | ISO/IEC 27005, 9 | ✓ |
| 02 10 | Selection of controls for the treatment of risks: (1) determine necessary controls; (2) compare controls with Annex A and justify any exclusions | ISO/IEC 27001, 6.1.3 b), 6.1.3c) & 6.1.3d) | ✓ |
| 02 11 | Formulating a risk treatment plan: (1) formulate an information security risk treatment plan; (2) obtain approval from risk owner for the plan and residual risks; (3) implement the risk treatment plan; (4) retain documented information for the process and results of the risk treatment | ISO/IEC 27001, 6.1.3 e) f), last para and 8.3 | ✓ |
| 02 12 | The approach to risk acceptance, communication and consultation | ISO/IEC 27005, 10 & 11 | ✓ |
| 02 13 | The approach to risk monitoring and review, specifically: (1) Risk factors; (2) Risk management monitoring, review and improvement | ISO/IEC 27005, 12.1 & 12.3 | ✓ |
| 02 14 | Information security objectives: (1) establishing and documenting the objectives; (2) the need for the objectives to be consistent with the policy and measurable; (3) the need to plan to achieve the objectives and implement the plan | ISO/IEC 27001, 6.2 para 1, a), b), para 3, 1st line of para 4 excluding f - j & 8.1 para 1 2nd sentence | ✓ |
| 02 15 | The requirements, planning and deployment of information security objectives, specifically including: (1) The applicable information security requirements & the results of the risk assessment and risk treatment (6.2 c); (2) Communication and updating (6.2 d-e); (3) Planning covering the subject, the resources, responsibilities, completion timing and the evaluation method for the results (6.2 f-j) | ISO/IEC 27001, 6.2 c) - j) | ✓ |
| 02 16 | Operational planning and control: (1) planning, implementing and controlling the processes to meet information security requirements; (2) implementing the actions to address risks and opportunities; (3) determining and controlling outsourced processes; (4) control of planned changes; (5) keeping documented information as evidence | ISO/IEC 27001, 8.1 | ✓ |
| 02 17 | Appropriate development steps for performance evaluation including: (1) What needs to be monitored and measured (9.1 a); (2) When and who will monitor and measure (9.1 c-d); (3) The appropriate methodologies for monitoring, measurement, analysis and evaluation (9.1 b); (4) When and who will analyze and evaluate the results (9.1 e-f) | ISO/IEC 27001, 9.1 Para 2, a) - f), excluding NOTE and last para | ✓ |
| 02 18 | Internal audit of an ISMS: (1) the need to conduct internal audits at planned intervals; (2) using internal audits to check conformance to the ISMS and the standard, and effectiveness of the ISMS; (3) the selection of auditors to ensure objectivity; (4) planning the audit programme | ISO/IEC 27001, 9.2 para 1, a) b) c) & e) | ✓ |
| 02 19 | The organization’s requirements for the conduct of an audit (9.2 d, f, g) | ISO/IEC 27001, 9.2 d) f) & g); ISO/IEC 27003, 9.2 | ✓ |
| 02 20 | Management review of the ISMS: (1) the need for top management to review the ISMS at planned intervals for suitability, adequacy and effectiveness; (2) consideration of feedback on performance; (3) the outputs from the review | ISO/IEC 27001, 9.3 para 1, c) 1-4, para 3; ISO/IEC 27003, 9.3 | ✓ ✓ |
| 02 21 | The applicable principles for the review and outputs for a management review including: (1) The status of actions (9.3 a); (2) Changes in external and internal issues (9.3 b); (3) Feedback from interested parties (9.3 d); (4) The results of risk assessment (9.3 e); (5) The status of the risk assessment and risk treatment plan (9.3 e); (6) Opportunities for improvement (9.3 f) | ISO/IEC 27001, 9.3 para a), b), d) – f), last para | ✓ |
| 02 22 | Nonconformity and corrective actions: (1) The actions to be taken when a non-conformity occurs; (2) The need for corrective actions to be appropriate to the effects of the nonconformities; (3) Documented information about nonconformities and corrective actions | ISO/IEC 27001, 10.1 | ✓ |
| 02 | There are no syllabus items at level 2 for this area | | ✓ |
| 03 | Apply the risk management requirements to enable the achievement of conformity to ISO/IEC 27001. Specifically, to use: | | |
| 03 01 | The risk evaluation, impact and risk acceptance criteria for establishing the context of the risk management process | ISO/IEC 27005, 7 | ✓ |
| 03 02 | The steps in risk identification, as defined in 0205 | ISO/IEC 27005, 8.2 and Annex B1 1st para. | ✓ |
| 03 03 | The approaches to Risk analysis and risk evaluation, as defined in 0207 | ISO/IEC 27005, 8.3 & 8.4 | ✓ |
| 03 04 | The approaches to Risk treatment, as defined in 0209 | ISO/IEC 27005, 9 | ✓ |
| 03 05 | The approach to risk acceptance, communication and consultation | ISO/IEC 27005, 10 & 11 | ✓ |
| 03 06 | The approach to risk monitoring and review, as defined in 0213 | ISO/IEC 27005, 12.1 & 12.3 | ✓ |
| 03 07 | The concepts, responsibilities, requirements and processes relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001 | ISO/IEC 27001, 6, 8, 9 & 10 | ✓ |
| 03 | Apply auditing of the ISMS Planning, operation, performance evaluation and improvement management system requirements to enable the achievement of an audit to ISO/IEC 27001 for a given scenario. Specifically, to apply: | | |
| 03 08 | The risk evaluation, impact and risk acceptance criteria for establishing the context of the risk management process | ISO/IEC 27001, 6 | ✓ |
| 03 09 | The concepts, responsibilities, requirements and processes relating to the operational planning and control of an ISMS within Clause 8 of ISO/IEC 27001 | ISO/IEC 27001, 8 | ✓ |
| 03 10 | The concepts, responsibilities, requirements and processes relating to performance evaluation of an ISMS within Clause 9 of ISO/IEC 27001 | ISO/IEC 27001, 9 | ✓ |
| 03 11 | The concepts, responsibilities, requirements and processes relating to improvement of an ISMS within Clause 10 of ISO/IEC 27001 | ISO/IEC 27001, 10 | ✓ |
| 03 | There are no syllabus items at level 3 for this area | | ✓ |
| 04 | Analyze and distinguish between appropriate and inappropriate use of ISMS risk management requirements throughout the lifecycle of the ISMS to maintain conformity to ISO/IEC 27001 for a given scenario. Specifically, to analyze: | | |
| 04 01 | The risk evaluation, impact and risk acceptance criteria for establishing the context of the risk management process | ISO/IEC 27005, 7 | ✓ |
| 04 02 | The steps in risk identification, as defined in 0205 | ISO/IEC 27005, 8.2 & Annex B1 1st para. | ✓ |
| 04 03 | The approaches to Risk analysis and risk evaluation, as defined in 0207 | ISO/IEC 27005, 8.3 & 8.4 | ✓ |
| 04 04 | The approaches to Risk treatment, as defined in 0209 | ISO/IEC 27005, 9 | ✓ |
| 04 05 | The approach to risk acceptance, communication and consultation | ISO/IEC 27005, 10 & 11 | ✓ |
| 04 06 | The approach to risk monitoring and review, as defined in 021 | ISO/IEC 27005, 12.1 & 12.3 | ✓ |
| 04 07 | The concepts, responsibilities, requirements and processes relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001 | ISO/IEC 27001, 6, 8, 9 & 10 | ✓ |
| 04 | Be able to identify, analyze and distinguish audit requirements within an ISMS to demonstrate conformity status to ISO/IEC 27001 for a given scenario. Specifically, to analyze with reasons whether the requirements of ISO/IEC 27001 have been met under an audit scenario including: | | |
| 04 08 | The risk evaluation, impact and risk acceptance criteria for establishing the context of the risk management process | ISO/IEC 27001, 6 | ✓ |
| 04 09 | The concepts, responsibilities, requirements and processes relating to the operational planning and control of an ISMS within Clause 8 of ISO/IEC 27001 | ISO/IEC 27001, 8 | ✓ |
| 04 10 | The concepts, responsibilities, requirements and processes relating to performance evaluation of an ISMS within Clause 9 of ISO/IEC 27001 | ISO/IEC 27001, 9 | ✓ |
| 04 11 | The concepts, responsibilities, requirements and processes relating to improvement of an ISMS within Clause 10 of ISO/IEC 27001 | ISO/IEC 27001, 10 | ✓ |
| 04 | There are no syllabus items at level 4 for this area | | ✓ |

Syllabus Syllabus Area:

Practitioner -

References
Foundation
Area

Primary
Auditor
Code Information security control objectives and controls

ISO
CO
Topic
Level

Know the topic areas for information security controls within ISO/IEC 27001
Specifically, to recall:
01 01 1. The structure and contents of the controls and control objectives Supplementary
listed in Annex A of ISO/IEC 27001 paper, 3.1
ISO/IEC 27000,
2. The definition of: 3.14 & 3.15
a. Control 9
b. Control objective

01 02 The names of the security control clauses for information security ISO/IEC 27001,
controls (numbers with the prefix A refer to references in Annex A of Annex A
ISO/IEC 27001):

1. A.5 - Information security policies


2. A.6 - Organization of information security
3. A.7 - Human resource security 9
4. A.8 - Asset management
5. A.9 - Access control
6. A.10 - Cryptography
7. A.11 - Physical and environmental security

01 03 The names of the security control clauses for information security ISO/IEC 27001,
controls (numbers with the prefix A refer to references in Annex A of Annex A
ISO/IEC 27001):

1. A.12 - Operations security


2. A.13 - Communications security
3. A.14 - System acquisition, development and maintenance 9
4. A.15 - Supplier relationships
5. A.16 - Information security incident management
6. A.17 - Information security aspects of business continuity
management
7. A.18 - Compliance

01 04 The name of the security category and the control objective for the ISO/IEC 27001,
security control clause ‘information security policies’ Annex A, 5.1
9
category and
objective only
There are no syllabus items at level 1 for this area 9 9

Version 4.6 (Status: Final) Page 26 of 35 Owner: Chief Examiner


©The APM Group Limited 2020
This document is not to be reproduced or re-sold without the express permission from The APM Group Ltd
The APMG-International ISO/IEC 27001 and Swirl Device logo is a Trade Mark of The APM Group Limited
Syllabus Syllabus Area:

Practitioner -

References
Foundation
Area

Primary
Auditor
Code Information security control objectives and controls

ISO
CO
Understand the subjects covered for specific information security control
clauses within ISO/IEC 27001, with implementation parameters defined by
ISO/IEC 27002
Specifically, to identify:
02 01- Not used. (See 19 onwards for Foundation 02 topics)
9
04
02 05 Information security policies; scope and implementation parameters SO/IEC 27001,
9 Annex A, A.5,
ISO/IEC 27002, 5
02 06 Organization of information security; scope and implementation SO/IEC 27001,
parameters 9 Annex A, A.6,
ISO/IEC 27002, 6
02 07 Human resources security; scope and implementation parameters ISO/IEC 27001,
9 Annex A, A.7,
ISO/IEC 27002, 7
02 08 Asset management; scope and implementation parameters ISO/IEC 27001,
9 Annex A, A.8,
ISO/IEC 27002, 8
02 09 Access control; scope and implementation parameters ISO/IEC 27001,
9 Annex A, A.9,
ISO/IEC 27002, 9
02 10 Cryptography; scope and implementation parameters ISO/IEC 27001,
Annex A, A.10,
9
ISO/IEC 27002,
10
02 11 Physical and environmental security; scope and implementation ISO/IEC 27001,
parameters Annex A, A.11,
9
ISO/IEC 27002,
11
02 12 Operations security; scope and implementation parameters ISO/IEC 27001,
Annex A, A.12,
9
ISO/IEC 27002,
12
02 13 Communications security; scope and implementation parameters ISO/IEC 27001,
Annex A, A.13,
9
ISO/IEC 27002,
13
02 14 System acquisition, development and maintenance; scope and ISO/IEC 27001,
implementation parameters Annex A, A.14,
9
ISO/IEC 27002,
14
02 15 Supplier relationships; scope and implementation parameters ISO/IEC 27001,
Annex A, A.15,
9
ISO/IEC 27002,
15
02 16 Information security incident management; scope and implementation ISO/IEC 27001,
parameters Annex A, A.16,
9
ISO/IEC 27002,
16

Version 4.6 (Status: Final) Page 27 of 35 Owner: Chief Examiner


©The APM Group Limited 2020
This document is not to be reproduced or re-sold without the express permission from The APM Group Ltd
The APMG-International ISO/IEC 27001 and Swirl Device logo is a Trade Mark of The APM Group Limited
Syllabus Syllabus Area:

Practitioner -

References
Foundation
Area

Primary
Auditor
Code Information security control objectives and controls

ISO
CO
02 17 Information security aspects of business continuity management; ISO/IEC 27001,
scope and implementation parameters Annex A, A.17,
9
ISO/IEC 27002,
17
02 18 Compliance; scope and implementation parameters ISO/IEC 27001,
Annex A, A.18,
9
ISO/IEC 27002,
18
02 19 The control description for the control ‘policies for information ISO/IEC 27001,
security’ 9 Annex A, A.5.1.1

02 20 The control description for the control ‘review of the policies for ISO/IEC 27001,
information security’ 9 Annex A, A.5.1.2

02 21 The control objective for the security category ‘during employment’ ISO/IEC 27001,
Annex A, A.7.2,
9
category and
objective only
02 22 The control objectives for the security categories in asset ISO/IEC 27001,
management covering: Annex A, A.8.1,
A.8.2 and A.8.3,
1. Responsibility for assets categories and
9 objectives only
2. Information classification
3. Media handling

02 23 The control objectives for the security categories in access control ISO/IEC 27001,
covering: Annex A, A.9.1
and A.9.2,
9 categories and
1. Business requirements of access control objectives only
2. User access management

02 24 The control objective for the security category ‘management of ISO/IEC 27001,
information security incidents and improvements’ Annex A, A.16.1,
9
category and
objective only
02 25 The control objective for the security category ‘compliance with legal ISO/IEC 27001,
and contractual requirements’ Annex A, A.18.1,
9
category and
objective only
There are no syllabus items at level 2 for this area 9

Version 4.6 (Status: Final) Page 28 of 35 Owner: Chief Examiner


©The APM Group Limited 2020
This document is not to be reproduced or re-sold without the express permission from The APM Group Ltd
The APMG-International ISO/IEC 27001 and Swirl Device logo is a Trade Mark of The APM Group Limited
Syllabus Area: Information security control objectives and controls (Syllabus Area Code: ISO CO)

Table layout (reconstructed from the flattened original): Level and Topic numbers, Topic, the certification(s) the item applies to (F = Foundation, P = Practitioner, A = Practitioner - Auditor; each tick in the original table is shown here as a letter), Primary References.

Level 3 - Be able to identify, apply and tailor the appropriate aspects of ISO/IEC 27001 Annex A controls to a scenario, as defined in ISO/IEC 27002. Specifically, to identify how and when each of the controls should be implemented including:

03 01-04  Not used
03 05  Information security policies  P  ISO/IEC 27001, Annex A, A.5; ISO/IEC 27002 5
03 06  Organization of information security  P  ISO/IEC 27001, Annex A, A.6; ISO/IEC 27002 6
03 07  Human resources security  P  ISO/IEC 27001, Annex A, A.7; ISO/IEC 27002 7
03 08  Asset management  P  ISO/IEC 27001, Annex A, A.8; ISO/IEC 27002 8
03 09  Access control  P  ISO/IEC 27001, Annex A, A.9; ISO/IEC 27002 9
03 10  Cryptography  P  ISO/IEC 27001, Annex A, A.10; ISO/IEC 27002 10
03 11  Physical and environmental security  P  ISO/IEC 27001, Annex A, A.11; ISO/IEC 27002 11
03 12  Operations security  P  ISO/IEC 27001, Annex A, A.12; ISO/IEC 27002 12
03 13  Communications security  P  ISO/IEC 27001, Annex A, A.13; ISO/IEC 27002 13
03 14  System acquisition, development and maintenance  P  ISO/IEC 27001, Annex A, A.14; ISO/IEC 27002 14
03 15  Supplier relationships  P  ISO/IEC 27001, Annex A, A.15; ISO/IEC 27002 15
03 16  Information security incident management  P  ISO/IEC 27001, Annex A, A.16; ISO/IEC 27002 16
03 17  Information security aspects of business continuity management  P  ISO/IEC 27001, Annex A, A.17; ISO/IEC 27002 17
03 18  Compliance  P  ISO/IEC 27001, Annex A, A.18; ISO/IEC 27002 18

Be able to apply an audit of ISO/IEC 27001 Annex A controls in a scenario, as defined in ISO/IEC 27002. Specifically, to apply:

03 19  Information security policies  A  ISO/IEC 27001, Annex A, A.5; ISO/IEC 27002 5
03 20  Organization of information security  A  ISO/IEC 27001, Annex A, A.6; ISO/IEC 27002 6
03 21  Human resources security  A  ISO/IEC 27001, Annex A, A.7; ISO/IEC 27002 7
03 22  Asset management  A  ISO/IEC 27001, Annex A, A.8; ISO/IEC 27002 8
03 23  Access control  A  ISO/IEC 27001, Annex A, A.9; ISO/IEC 27002 9
03 24  Cryptography  A  ISO/IEC 27001, Annex A, A.10; ISO/IEC 27002 10
03 25  Physical and environmental security  A  ISO/IEC 27001, Annex A, A.11; ISO/IEC 27002 11
03 26  Operations security  A  ISO/IEC 27001, Annex A, A.12; ISO/IEC 27002 12
03 27  Communications security  A  ISO/IEC 27001, Annex A, A.13; ISO/IEC 27002 13
03 28  System acquisition, development and maintenance  A  ISO/IEC 27001, Annex A, A.14; ISO/IEC 27002 14
03 29  Supplier relationships  A  ISO/IEC 27001, Annex A, A.15; ISO/IEC 27002 15
03 30  Information security incident management  A  ISO/IEC 27001, Annex A, A.16; ISO/IEC 27002 16
03 31  Information security aspects of business continuity management  A  ISO/IEC 27001, Annex A, A.17; ISO/IEC 27002 17
03 32  Compliance  A  ISO/IEC 27001, Annex A, A.18; ISO/IEC 27002 18

There are no syllabus items at level 3 for this area  F

Level 4 - Be able to identify, analyze and distinguish between the appropriate and inappropriate ISO/IEC 27001 Annex A controls throughout the life-cycle of a given scenario, as defined in ISO/IEC 27002. Specifically, to analyze with reasons whether the implementation of the ISO/IEC 27001 Annex A controls is appropriate for achieving the requirements of ISO/IEC 27001 including:

04 01-04  Not used
04 05  Information security policies  P  ISO/IEC 27001, Annex A, A.5; ISO/IEC 27002 5
04 06  Organization of information security  P  ISO/IEC 27001, Annex A, A.6; ISO/IEC 27002 6
04 07  Human resources security  P  ISO/IEC 27001, Annex A, A.7; ISO/IEC 27002 7
04 08  Asset management  P  ISO/IEC 27001, Annex A, A.8; ISO/IEC 27002 8
04 09  Access control  P  ISO/IEC 27001, Annex A, A.9; ISO/IEC 27002 9
04 10  Cryptography  P  ISO/IEC 27001, Annex A, A.10; ISO/IEC 27002 10
04 11  Physical and environmental security  P  ISO/IEC 27001, Annex A, A.11; ISO/IEC 27002 11
04 12  Operations security  P  ISO/IEC 27001, Annex A, A.12; ISO/IEC 27002 12
04 13  Communications security  P  ISO/IEC 27001, Annex A, A.13; ISO/IEC 27002 13
04 14  System acquisition, development and maintenance  P  ISO/IEC 27001, Annex A, A.14; ISO/IEC 27002 14
04 15  Supplier relationships  P  ISO/IEC 27001, Annex A, A.15; ISO/IEC 27002 15
04 16  Information security incident management  P  ISO/IEC 27001, Annex A, A.16; ISO/IEC 27002 16
04 17  Information security aspects of business continuity management  P  ISO/IEC 27001, Annex A, A.17; ISO/IEC 27002 17
04 18  Compliance  P  ISO/IEC 27001, Annex A, A.18; ISO/IEC 27002 18

Be able to identify, analyze and distinguish audit requirements within an ISMS to demonstrate conformity status to ISO/IEC 27001 for a given scenario. Specifically, to analyze with reasons whether the requirements of ISO/IEC 27001 have been met under an audit scenario including:

04 19  Information security policies  A  ISO/IEC 27001, Annex A, A.5; ISO/IEC 27002 5
04 20  Organization of information security  A  ISO/IEC 27001, Annex A, A.6; ISO/IEC 27002 6
04 21  Human resources security  A  ISO/IEC 27001, Annex A, A.7; ISO/IEC 27002 7
04 22  Asset management  A  ISO/IEC 27001, Annex A, A.8; ISO/IEC 27002 8
04 23  Access control  A  ISO/IEC 27001, Annex A, A.9; ISO/IEC 27002 9
04 24  Cryptography  A  ISO/IEC 27001, Annex A, A.10; ISO/IEC 27002 10
04 25  Physical and environmental security  A  ISO/IEC 27001, Annex A, A.11; ISO/IEC 27002 11
04 26  Operations security  A  ISO/IEC 27001, Annex A, A.12; ISO/IEC 27002 12
04 27  Communications security  A  ISO/IEC 27001, Annex A, A.13; ISO/IEC 27002 13
04 28  System acquisition, development and maintenance  A  ISO/IEC 27001, Annex A, A.14; ISO/IEC 27002 14
04 29  Supplier relationships  A  ISO/IEC 27001, Annex A, A.15; ISO/IEC 27002 15
04 30  Information security incident management  A  ISO/IEC 27001, Annex A, A.16; ISO/IEC 27002 16
04 31  Information security aspects of business continuity management  A  ISO/IEC 27001, Annex A, A.17; ISO/IEC 27002 17
04 32  Compliance  A  ISO/IEC 27001, Annex A, A.18; ISO/IEC 27002 18

There are no syllabus items at level 4 for this area  F
Syllabus Area: Auditing information management systems (Syllabus Area Code: ISO AM)

Table layout as above: Level and Topic numbers, Topic, certification(s) the item applies to (F = Foundation, P = Practitioner, A = Practitioner - Auditor), Primary References.

Level 1 - Know facts and concepts relating to auditing requirements. Specifically, to recall:

01 01  Terms relating to establishing an audit  A  ISO 19011, 3.1 – 3.7
       1. Audit  2. Combined audit  3. Joint audit  4. Audit programme  5. Audit scope  6. Audit plan  7. Audit criteria
01 02  Terms relating to audit evidence  A  ISO 19011, 3.8 – 3.11, 3.20 & 3.21
       1. Objective evidence  2. Audit evidence  3. Audit findings  4. Audit conclusion  5. Conformity  6. Nonconformity
01 03  Terms relating to audit roles  A  ISO 19011, 3.12 – 3.17 & 3.22
       1. Audit client  2. Auditee  3. Audit team  4. Auditor  5. Technical expert  6. Observer  7. Competence
01 04  Terms relating to auditing of a management system  A  ISO 19011, 3.18 – 3.19 & 3.23 – 3.26
       1. Management system  2. Risk  3. Requirement  4. Process  5. Performance  6. Effectiveness

There are no syllabus items at level 1 for this area  F, P

Level 2 - Understand how ISO 19011 and auditing requirements can be used to achieve conformity to ISO/IEC 27001. Specifically, to identify:

02 01  Application of the principles of auditing  A  ISO 19011, 4
02 02  The purpose and activities for an opening meeting  A  ISO 19011, 6.4.3
02 03  Communication arrangements during audit  A  ISO 19011, 6.4.4
02 04  Processes for determining audit information availability and access  A  ISO 19011, 6.4.5
02 05  Review processes for documented information during an audit  A  ISO 19011, 6.4.6
02 06  Processes for collection and verification of information  A  ISO 19011, 6.4.7
02 07  Processes for the generation of audit findings using audit criteria  A  ISO 19011, 6.4.8
02 08  Processes for the preparation and content of audit conclusions  A  ISO 19011, 6.4.9
02 09  Processes for the conduct of closing meeting & presentation of audit findings and conclusions  A  ISO 19011, 6.4.10
02 10  Preparation and distribution of the audit report  A  ISO 19011, 6.5
02 11  Determining the necessary demonstration of auditor competence  A  ISO 19011, 7.2

There are no syllabus items at level 2 for this area  F, P
There are no syllabus items at level 3 for this area  F, P, A
There are no syllabus items at level 4 for this area  F, P, A

Syllabus Area: Achieving ISO/IEC 27001 Certification (Syllabus Area Code: ISO AC)

Table layout as above: Level and Topic numbers, Topic, certification(s) the item applies to (F = Foundation, P = Practitioner, A = Practitioner - Auditor), Primary References.

Level 1 - Know facts, terms and concepts about auditing an ISMS for ISO/IEC 27001 certification, and concepts relating to providing and conducting audits. Specifically, to recall:

01 01  The types of audits – initial, re-certification, surveillance, internal, 1st/2nd/3rd party  P, A  Supplementary paper, 4.1
01 02  The outcomes of an audit:  P, A  ISO 19011 Introduction; Supplementary paper, 4.2
       1. Conformity  2. Major nonconformity  3. Minor nonconformity  4. Observation (opportunity for improvement)  5. Outside of the audit scope

There are no syllabus items at level 1 for this area  F

Level 2 - Understand the concepts, responsibilities and requirements for auditing and preparing to achieve certification for ISO/IEC 27001. Specifically, to identify:

02 01  The requirements for the conduct of audits:  P, A  Supplementary paper, 4.1
       1. Certification audits (initial and re-certification)  2. Surveillance audits
02 02  Key differences between internal, initial, re-certification and surveillance audits  P, A  Supplementary paper, 4.1
02 03  1. The evidence used to demonstrate conformity to ISO/IEC 27001  2. The need to provide evidence for the requirements of ISO/IEC 27001 and the certification bodies' use of ISO/IEC 27006  P, A  Supplementary paper, 4.3
02 04  The organization's preparation for and participation in a certification audit  P, A  Supplementary paper, 4.4
02 05  The process used by a certification body to conduct certification audits for an ISMS  P, A  Supplementary paper, 4.5

There are no syllabus items at level 2 for this area  F
There are no syllabus items at level 3 for this area  F, P, A
There are no syllabus items at level 4 for this area  F, P, A

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
The Exam – Question Types

Classic – 'Choose one from a list of possible answers'. The correct response is to be selected from a list of 3 or 4 options.

Multiple Response – 'Choose two correct options from a list'. This test type follows exactly the same format as the Classic test type, but more than one response is required for the answer. It is the only test type that requires more than one response. Both responses must be correct to gain a mark; if more or fewer than two responses are given, the answer is void. The format 2 out of 5 options is the only format used.

Matching – 'Link items in one list to items in a second list'. There is only one correct response to each question item, but options from the second list may be used once, more than once or not at all.

Sequence Matching – 'Position events in a sequence'. The activities in Column 1 have to be placed in the sequence in which they should be performed. An option from Column 2 is selected for each activity in Column 1.

Assertion Reason – 'Evaluate two statements (an assertion and a reason) to determine if either, both or neither is true and, if both are true, whether the reason explains why the assertion is true'. If either statement is false, the answer is selected from options C, D or E. If both statements are true a third step is required: if the reason explains why the assertion is true, the answer is A; if it does not, the answer is B. There is only one correct response to each question item, but options can be used once, more than once or not at all.

Notes:

Copyright © AXELOS Limited 2020. Used under permission of AXELOS Limited. All rights reserved.

History

The graphic provided shows the two-pronged nature of the 27000-series standards: a code of practice (guidance) alongside a specification (requirements). This split is historic and is now an embedded feature of the documents.

BS 7799 was published in 1995 as a 'Code of Practice'. In April 1999 it became a formal two-part standard: BS 7799 Part 1, 'Code of Practice for Information Security Management', and BS 7799 Part 2, 'Specification for Information Security Management Systems'. Part 1 provided best-practice guidance; Part 2 formed the standard against which an organisation's security management system could be assessed. Part 1 took the form of guidance and recommendations, and its foreword clearly stated that it was not to be treated as a specification. It was internationalised as ISO/IEC 17799 in December 2000; a revised version was issued in early 2005, and in 2007 it was renumbered as ISO/IEC 27002.

ISO/IEC 27002:2005 is the international code of best practice that is increasingly applied by organisations seeking a method of implementing an information security management system that will ensure they effectively meet the wide range of regulatory and compliance demands they face today.

BS 7799 Part 2 internationalised as ISO/IEC 27001

BS 7799 Part 2 was revised in 2002, with significant reordering of the controls. The British Standard then underwent fast-track internationalisation in 2005 and ISO/IEC 27001:2005 was published.

Certifications issued prior to publication of ISO/IEC 27001 were against BS 7799-2:2002, so organisations holding them needed to adapt their current projects or existing management systems accordingly. The ISMS converter provides more information on the changes, together with a detailed side-by-side comparison of the old and new ISO/IEC 17799 (27002).

ISO/IEC 27001:2013 was published on 25 September 2013. It cancels and replaces ISO/IEC 27001:2005 and is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is a specification for an information security management system (ISMS). Organisations that meet the standard may be certified by an accredited certification body; note that it is the certification body that is accredited (by a national accreditation body), not the organisation being certified.

The revised 2013 version of ISO/IEC 27002 was published in September 2013 at the same time as the new version of ISO/IEC 27001. Its title changed from 'Code of practice for information security management' to 'Code of practice for information security controls' to emphasise that ISO/IEC 27002 deals with the security controls themselves, whereas ISO/IEC 27001 deals with the management system that governs them.

Notes:

Copyright © AXELOS Limited 2020. Used under permission of AXELOS Limited. All rights reserved.

70 I27-302_1.10_ENG_QWRN_ISO27KPR

 

 
!$  

   

!$"!     


!$
!#

Notes:

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
71

      
 
!$  



 

!$"!     


!$
!#

Notes:

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG

72 I27-302_1.10_ENG_QWRN_ISO27KPR


  
  

 
"% ! 

  

"%# "!!    


"%
"$

Notes:

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
73

  
) 
!#  

 &*.(()%*()+' 

 !!      /((($


 *((((  **+()'   #!  
 " *.(()%*((-  
  

 '''# 
    " 
    
 )),), )++))*((- 

!#"!     


!#
!#

Notes:

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG

74 I27-302_1.10_ENG_QWRN_ISO27KPR

 
  
 
 
"$ ! 


  

"$# "!!    


"$
"%

Notes:

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
75

  
 
!#  


  

  
  
   
    

  

!#"!     


!#
!$

Notes:

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG

76 I27-302_1.10_ENG_QWRN_ISO27KPR

  
 

& 
!#  




    


 
!
 
!


 !


  
" "

 

  


 $'(%%&##


 $'(%%&
 "
  "




!#"!     


!#
"

Notes:

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
77
78




 
     
      
  $&""#

 
 
 $&
$ ""
""#
#






 




 
 
 
$'(%%& ! 
  "
  # #
 

$& %"$!##"!!  ! $&


#

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
79
80

    
 
!#  

 

   
        

!#"!     


!#
!

Leadership

There are many reasons why an organisation might try to become certified to ISO/IEC 27001. If you can't think of a good reason, then it may not be worth doing: certification is not an end in itself. Before any work starts, you need to identify the objectives of certification. These could include, among others:

• providing assurance to clients that your organisation is committed to attaining an appropriate level of information security
• a belief that certification will improve your organisation's marketing potential
• a regulatory requirement to certify
• a belief that certification will increase your organisation's income
• a feeling that something suitable needs to be done to reduce risk (direct losses, reputational harm or embarrassment), with certification an obvious and very public way of dealing with that risk.

Whatever the reason(s), these form the basis of the objectives for your ISMS.

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
81
 
     
 
$)+''( 


    

 
   
 !" 

)+%*')&(#('& &  &


)+
*

Leadership – Top Management

ISO/IEC 27001 itself does not define 'Top Management'; the term is defined in the vocabulary standard ISO/IEC 27000 as the person or group of people who directs and controls an organization at the highest level. ISO/IEC 27002:2005, 6.1.1 (Management commitment to information security) gives the flavour of what is expected: 'Management should actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.' In practice, top management is very probably Board level: budget holders and managers able to make decisions that affect the ISMS, i.e. C-level management. You would normally want some top management representation on your ISMS Board (or working group, or whatever you end up calling the highest-level authority body for the ISMS).

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG

82 I27-302_1.10_ENG_QWRN_ISO27KPR
%
 
  
  * 03../"$$ "


 

  

 "
 
   
 ! $

'%$& $$
  
    
"+ 

%$ $$ # $$ %"$( $$

",   ",  # ",  


%$

03+1.0-/)/.- - -  03
 2

Leadership – Top Management

Top Management is most likely to be the Board or equivalent. The Board tends to be the legal ‘owner’
of corporate or organisational assets. They need to delegate authority to executives to ensure they
are empowered to operate. The CEO may well sit on the Board, but may also have an operational,
executive role. The committee structure set out on this page is for illustration purposes. Organisation
and governance for the ISMS and related matters are covered in more detail later in this slide pack.

Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
83


  

 
!$  



  



   
  

    
   
   


       

!$"!     


!$
#

Leadership – Top Management

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the information security management system by:

1. ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
2. ensuring the integration of the information security management system requirements into the organization's processes;
3. ensuring that the resources needed for the information security management system are available;
4. communicating the importance of effective information security management and of conforming to the information security management system requirements;
5. ensuring that the information security management system achieves its intended outcome(s);
6. directing and supporting persons to contribute to the effectiveness of the information security management system;
7. promoting continual improvement; and
8. supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

BAU - Business As Usual
Policy and Objectives

Establishing relevant information security objectives is mandatory (ISO/IEC 27001, 6.2). The objectives must:

• be consistent with the information security policy
• be measurable (if practicable)
• take into account applicable information security requirements, and the results of risk assessment and risk treatment
• be communicated
• be updated as appropriate

Documented information on the objectives must be retained.

When planning how to achieve its information security objectives, the organization must determine:

• what will be done
• what resources will be required
• who will be responsible
• when it will be completed
• how the results will be evaluated.

Policy and Objectives

An information security policy needs to be established by top management (ISO/IEC 27001, 5.2). It must:

• be appropriate to the purpose of the organization
• include information security objectives, or provide the framework for setting them
• include a commitment to satisfy applicable information security requirements
• include a commitment to continual improvement of the ISMS

The policy must also be available as documented information, be communicated within the organization and be available to interested parties, as appropriate.

Integration into BAU

Information security is often thought of as the responsibility of the IT department or of the information security specialists. The standard requires 'buy-in' and empowerment from across the organisation, so that security becomes part of business as usual rather than a separate project. The message from top management needs to be clear, and they need to 'walk the walk'.

Resources

7.1 Resources

The organization shall determine and provide the resources needed for the establishment,
implementation, maintenance and continual improvement of the information security
management system.

Resources – roles & responsibilities

List of exemplified Roles and Responsibilities for Information Security (Practitioner)

This table is used for the practitioner paper in the LE syllabus area. This information is taken directly
from ISO/IEC 27003:2010, table B.1. In supplementary paper.

This table is used for the practitioner paper in the LE syllabus area. This information is taken directly
from ISO/IEC 27003, 5.3.2. In supplementary paper.

Activity

The overall roles and responsibilities for the preliminary ISMS scope should be defined.

Input

1. Output from Activity 5.3.1 Develop the preliminary ISMS scope
2. List of stakeholders who will benefit from results of the ISMS project.

Guidance

In order to execute the ISMS project, the role of an organization for the project should be determined.
The role generally is different at each organization, because of the number of people dealing with
information security. The organizational structure and resources for information security vary with the
size, type and structure of the organization. For example, in a smaller organization, several roles may
be carried out by the same person. However, management should explicitly identify the role (typically
Chief Information Security Officer, Information Security Manager or similar) with overall responsibility
for managing information security, and the staff should be assigned roles and responsibilities based on
the skill required to perform the job. This is critical to ensure that the tasks are carried out efficiently
and effectively.

The most important considerations in the definition of roles in information security management are:

1. overall responsibility for the tasks remains at the management level,
2. one person (usually the Chief Information Security Officer) is appointed to promote and
co-ordinate the information security process,
3. each employee is equally responsible for his or her original task and for maintaining information
security in the workplace and in the organization.

The roles for managing information security should work together; this may be facilitated by an
Information Security Forum, or similar body.

Collaboration with appropriate business specialists should be undertaken (and documented) at all
stages of the development, implementation, operation and maintenance of the ISMS.

Representatives from departments within the identified scope (such as risk management) are potential
ISMS implementation team members. This team should be maintained at the smallest practical size
for speed and effective use of resources. Such areas are not only those directly included in the ISMS
scope, but also the indirect divisions, such as legal, risk management and administrative departments.

Output

The deliverable is a document or table describing the roles and responsibilities with the names and
organization needed to successfully implement an ISMS.

Communication

5.2 The information security policy shall:

5.3 f) be communicated within the organization;

6.2 The information security objectives shall:

d) be communicated;

7.4 Communication

The organization shall determine the need for internal and external communications relevant to the
information security management system including:

a) on what to communicate;

b) when to communicate;

c) with whom to communicate;

d) who shall communicate; and

e) the processes by which communication shall be effected.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for roles relevant to
information security are assigned and communicated.

A5.1.1 Policies

A7.2.3 Disciplinary Process

Notes:

ISMS Review - input

9.3 Management review

Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

1. the status of actions from previous management reviews;
2. changes in external and internal issues that are relevant to the information security management
system;
3. feedback on the information security performance, including trends in:
   1) nonconformities and corrective actions;
   2) monitoring and measurement results;
   3) audit results; and
   4) fulfilment of information security objectives;
4. feedback from interested parties;
5. results of risk assessment and status of risk treatment plan; and
6. opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.

The organization shall retain documented information as evidence of the results of
management reviews.

Notes:

ISMS Review - output

9.3 Management review

Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.


The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.

The organization shall retain documented information as evidence of the results of
management reviews.

Notes:

Leadership – People – competence

7.2 Competence

The organization shall:

1. determine the necessary competence of person(s) doing work under its control that affects its
information security performance;
2. ensure that these persons are competent on the basis of appropriate education, training,
or experience;
3. where applicable, take actions to acquire the necessary competence, and evaluate the
effectiveness of the actions taken; and
4. retain appropriate documented information as evidence of competence.

NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or
the reassignment of current employees; or the hiring or contracting of competent persons.

Leadership – Documentation

7.5 Documented information

7.5.1 General

The organization’s information security management system shall include:

1. documented information required by this International Standard; and
2. documented information determined by the organization as being necessary for the effectiveness
of the information security management system.

NOTE The extent of documented information for an information security management system can
differ from one organization to another due to:

1. the size of organization and its type of activities, processes, products and services;
2. the complexity of processes and their interactions; and
3. the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:

1. identification and description (e.g. a title, date, author, or reference number);
2. format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
3. review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the information security management system and by this
International Standard shall be controlled to ensure:

1. it is available and suitable for use, where and when it is needed; and
2. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities,
as applicable:

3. distribution, access, retrieval and use;
4. storage and preservation, including the preservation of legibility;
5. control of changes (e.g. version control); and
6. retention and disposition.

Documented information of external origin, determined by the organization to be necessary for
the planning and operation of the information security management system, shall be identified as
appropriate, and controlled.

NOTE Access implies a decision regarding the permission to view the documented information only, or
the permission and authority to view and change the documented information, etc.

Planning for and operating the ISMS

6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, the organization shall consider
the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and
opportunities that need to be addressed to:

1. ensure the information security management system can achieve its intended outcome(s);
2. prevent, or reduce, undesired effects; and
3. achieve continual improvement.

The organization shall plan:

4. actions to address these risks and opportunities; and
5. how to:
   1) integrate and implement these actions into its information security management system
   processes; and
   2) evaluate the effectiveness of these actions.

6.2 Information security objectives and plans to achieve them

The organization shall establish information security objectives at relevant functions and levels.

The information security objectives shall:

1. be consistent with the information security policy;
2. be measurable (if practicable);
3. take into account applicable information security requirements, and risk assessment and risk
treatment results;
4. be communicated; and
5. be updated as appropriate.

The organization shall retain documented information on the information security objectives.

When planning how to achieve its information security objectives, the organization shall determine:

6. what will be done;
7. what resources will be required;
8. who will be responsible;
9. when it will be completed; and
10. how the results will be evaluated.

8.3 Information security risk treatment

The organization shall implement the information security risk treatment plan.

The organization shall retain documented information of the results of the information security
risk treatment.

9.1 Monitoring, measurement, analysis and evaluation

The organization shall evaluate the information security performance and the effectiveness of the
information security management system.

The organization shall determine:

1. what needs to be monitored and measured, including information security processes
and controls;
2. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure
valid results;

NOTE The methods selected should produce comparable and reproducible results to be
considered valid.

3. when the monitoring and measuring shall be performed;
4. who shall monitor and measure;
5. when the results from monitoring and measurement shall be analysed and evaluated; and
6. who shall analyse and evaluate these results.

The organization shall retain appropriate documented information as evidence of the monitoring and
measurement results.

Notes:

Scope - Determining the scope

A scope document is required when planning to implement the standard. This mandatory scope
document must list all the business processes, facilities and technical assets, as well as the types of
information within the ISMS. Furthermore, when defining the scope of compliance, you must clearly
define the dependencies and interfaces between your organisation and external entities.

Risk Management – Risk Assessment

The assessment must compare the results of risk analysis with the risk criteria established earlier and
then prioritize the risks for treatment.

Documented information about the information security risk assessment process MUST be retained.

Define and apply an information security risk assessment process that:

• establishes and maintains information security risk criteria
• ensures that repeated information security risk assessments produce consistent, valid and
comparable results
• identifies the information security risks
• analyses the information security risks
• evaluates the information security risks

Risk Assessment – example method

Phase 1: assesses the level of business risk associated with an information system, by considering
the business consequences and impact of a loss of the confidentiality, integrity or availability of
information processed by the system.

Phase 2: identifies the likelihood of various events which could lead to a loss of confidentiality,
integrity or availability. These events are then plotted in a matrix that highlights those risks that need
prioritised attention.

Phase 3: produces an agreed plan of action for implementing required controls to mitigate the
identified risk, by considering the controls identified as being important, their priority and the work
involved in introducing them.

Risk Management – Risk Treatment

Define and apply an information security risk treatment process to:

• select appropriate information security risk treatment options
• determine that all necessary controls are chosen and verify that no necessary controls have been
omitted (Gap Analysis)
• produce a Statement of Applicability (SOA) that contains the necessary controls and justification
for inclusion and exclusion of controls from Annex A
• formulate an information security risk treatment plan
• obtain risk owners’ approval of the information security risk treatment plan and acceptance of the
residual information security risks

Selection of risk treatment options must take account of the Risk Assessment results:

• Controls determined by the Risk Assessment should be compared with those in Annex A to verify
that no necessary controls have been omitted
• The SOA must contain the necessary controls and justification for inclusions (whether they
are implemented or not) and the justification for exclusions of controls listed in Annex A of
the Standard

• Approaches to risk treatment:
  • Modification
  • Retention
  • Avoidance
  • Sharing
• Controls can be designed specifically for an ISMS, or can be identified from any source
• Annex A contains a comprehensive list of control objectives and controls. Ensure that no necessary
controls are overlooked by using Annex A as a checklist
• Although control objectives are implicit in many of the Annex A controls, these are not exhaustive
and additional control objectives and controls may be needed

Notes:

Risk Treatment

Four options are available for risk treatment: risk modification, risk retention, risk avoidance and
risk sharing. Note that ISO/IEC 27001:2005 4.2.1. f) 2) uses the term “accepting risk” instead of
“risk retention”.

Options should be selected based on a number of factors, including:

• the outcome of the risk assessment


• the expected cost for implementing these options
• the expected benefits from these options.

When a large reduction in risk can be obtained with relatively low expenditure, such an option should
be implemented. Sometimes things are not so obvious and require a balanced investigation to justify
implementation.

In general, the impact of risks manifesting should be reduced to as low a level as is reasonably
practicable. Note that it is important to consider uncommon but severe risks. These can be hard to
justify in economic terms, but should they manifest, they may take down the entire organisation. An
example of the types of control developed to meet such risks is business continuity planning.

The four options are not mutually exclusive: a combination of options may be used, such as reducing
the likelihood of risks manifesting, reducing their impact should they occur, and sharing or retaining
any residual risks. Note that some risk treatments can address more than one risk (e.g. information
security training and awareness).

A risk treatment plan needs to be defined which identifies the priority ordering in which individual
risk treatments should be implemented and when this should happen. You can establish priority
via a number of techniques, including risk ranking and cost-benefit analysis. It is a management
responsibility to decide the balance between risk, the costs of implementing controls and the
budget assignment.

Risk assessment needs to take current controls into account. It may be the case that existing controls
appear to exceed current needs. The option of removing a control is available, as this may reduce
cost and improve the process. However, control infrastructures can be very complex, with controls
becoming intertwined and interdependent. Removing one control may affect the efficacy of others.
As a rule of thumb, it is often best to leave controls in place unless there is a truly compelling case to
remove them.

Once the risk treatment plan has been documented, residual risk needs to be determined. This
requires a re-run of the risk assessment, taking into account the expected effects of the proposed risk
treatment. Should any residual risk still not meet risk acceptance criteria, a further risk treatment may
be necessary before risks are accepted.
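As an added worked example (not from the workbook or from the standard), the three phases of the example method above and the residual-risk re-run described in this section, in Python. The impact and likelihood scales, the acceptance threshold, the "severe impact is never accepted on likelihood alone" rule and the sample risk register are constructed assumptions, not values from ISO/IEC 27001.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Ordinal risk criteria, constructed for this example. An organisation sets its own
# scales (6.1.2 a) so that repeated assessments produce comparable, consistent results.
IMPACT = {"low": 1, "medium": 2, "high": 3, "very_high": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
ACCEPTANCE_THRESHOLD = 6             # assumed criterion: impact x likelihood above 6 must be treated
SEVERE_IMPACT = IMPACT["very_high"]  # assumed: uncommon-but-severe risks are never accepted on likelihood alone

class Treatment(Enum):
    MODIFY = "modification"
    RETAIN = "retention"
    AVOID = "avoidance"
    SHARE = "sharing"

@dataclass
class Risk:
    ident: str
    asset: str
    event: str
    owner: str
    impact_c: str       # Phase 1: business consequence of a loss of confidentiality...
    impact_i: str       # ...integrity...
    impact_a: str       # ...and availability
    likelihood: str     # Phase 2: likelihood of the event
    treatment: Treatment | None = None          # Phase 3: management's chosen option
    residual_impact: str | None = None          # expected effect of the treatment, used
    residual_likelihood: str | None = None      # when the assessment is re-run

def business_impact(risk: Risk) -> int:
    """Phase 1: the worst of the C, I and A consequences drives the business impact."""
    return max(IMPACT[risk.impact_c], IMPACT[risk.impact_i], IMPACT[risk.impact_a])

def evaluate(impact: int, likelihood: int) -> str:
    """Compare an analysed risk with the risk acceptance criteria: 'acceptable' or 'treat'."""
    if impact >= SEVERE_IMPACT:
        return "treat"
    return "acceptable" if impact * likelihood <= ACCEPTANCE_THRESHOLD else "treat"

def inherent_score(risk: Risk) -> int:
    return business_impact(risk) * LIKELIHOOD[risk.likelihood]

def residual_factors(risk: Risk) -> tuple[int, int]:
    """Re-run of the assessment with the expected effect of the treatment. Avoidance removes
    the activity, so the risk disappears; otherwise a factor without a recorded residual value
    is unchanged (retention and sharing do not alter the event itself)."""
    if risk.treatment is Treatment.AVOID:
        return 0, 0
    impact = IMPACT[risk.residual_impact] if risk.residual_impact else business_impact(risk)
    likelihood = LIKELIHOOD[risk.residual_likelihood] if risk.residual_likelihood else LIKELIHOOD[risk.likelihood]
    return impact, likelihood

def risk_matrix(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Phase 2 matrix: (impact, likelihood) cell -> identifiers of the risks plotted there."""
    cells = {}
    for r in risks:
        cells.setdefault((business_impact(r), LIKELIHOOD[r.likelihood]), []).append(r.ident)
    return cells

def risk_treatment_plan(risks: list[Risk]) -> list[dict]:
    """Prioritised plan: inherent score, decision against the criteria, chosen option, residual
    score and whether the risk owner can accept it or a further treatment round is needed."""
    plan = []
    for priority, r in enumerate(sorted(risks, key=inherent_score, reverse=True), start=1):
        decision = evaluate(business_impact(r), LIKELIHOOD[r.likelihood])
        res_i, res_l = residual_factors(r)
        if decision == "treat" and r.treatment is None:
            status = "treatment decision required"
        elif evaluate(res_i, res_l) == "acceptable":
            status = "accepted"
        else:
            status = "further treatment required"
        plan.append({"priority": priority, "ident": r.ident, "owner": r.owner,
                     "inherent": inherent_score(r), "decision": decision,
                     "treatment": r.treatment.value if r.treatment else None,
                     "residual": res_i * res_l, "status": status})
    return plan

# Constructed sample register (fictitious assets, events and owners).
SAMPLE_RISKS = [
    Risk("R1", "customer database", "ransomware", "Head of IT", "high", "very_high", "very_high",
         "possible", Treatment.MODIFY, residual_impact="medium", residual_likelihood="unlikely"),
    Risk("R2", "staff laptops", "loss or theft", "Facilities", "high", "low", "low", "likely",
         Treatment.MODIFY, residual_impact="low"),        # disk encryption cuts impact, not likelihood
    Risk("R3", "public website", "defacement", "Marketing", "low", "medium", "medium", "possible",
         Treatment.RETAIN),                               # within criteria: retained, still recorded
    Risk("R4", "legacy file share", "unauthorised access", "Head of IT", "high", "high", "medium",
         "likely", Treatment.AVOID),                      # decommissioned: activity no longer exists
    Risk("R5", "data centre", "flood", "COO", "low", "low", "very_high", "rare",
         Treatment.SHARE, residual_impact="medium"),      # rare but severe: treated via a DR contract
    Risk("R6", "HR records", "insider misuse", "HR Director", "high", "high", "low", "possible",
         Treatment.MODIFY, residual_impact="high", residual_likelihood="possible"),  # weak control
]
```

Running `risk_treatment_plan(SAMPLE_RISKS)` lists R1, R2 and R4 first (score 12), flags R5 for treatment despite its low score because of the severe-impact rule, and marks R6 as needing a further treatment round because its residual score is unchanged.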

Notes:

Risk Treatment – Gap Analysis

Example of a Gap Analysis spreadsheet.

The objectives of a gap analysis are as follows. To:

• determine any gaps between the information security controls and related security management
practices in place, and those recommended by ISO/IEC 27001
• provide a documented record of the findings made and any recommendations
• provide a detailed action plan with delivery dates and responsibilities

The analysis process normally consists of interviews with key people within each of the areas within
the scope of the ISMS. Actions identified are recorded, with those responsible or accountable for
delivering the control identified and given their task(s).

One technique for assessing gaps is the Maturity Level Rating: maturity levels are rated using the
Capability Maturity Model (CMM) methodology. The Capability Maturity Model was originally used to
assess the ability of US government contractors to perform a software development project. Though
the model comes from the field of software development, it is also used as a general model to aid in
business processes generally, and has been used extensively in assessing information security
capability. CMM provides a benchmark for comparison and acts as an aid to understanding the
behaviours, practices and processes of an organisation. The five CMM levels are:

• CMM 1 (Initial) – A security risk (or risks) needs to be addressed, but there are no controls in place
to mitigate it
• CMM 2 (Limited) – Limited, often informal, undocumented controls are in place
• CMM 3 (Defined) – Security controls are in place and formalised, but require more effective
corporate backing and implementation
• CMM 4 (Managed) – Controls are in place, documented and implemented, but require refinement
• CMM 5 (Optimized) – Controls meet all requirements of ISO 27001

Notes:

Risk Treatment – SOA

Example of SOA Table

Having assessed the information security risks within the ISMS scope, you need to work out which
controls (normally taken from Annex A of the standard) apply.

You should record your decision in a table or spreadsheet as in the slide. The result should be
cross-referenced with the Gap Analysis. All decisions that indicate a control is NOT applicable need to
be justified. Both the Gap Analysis and SOA documents/spreadsheets need to be maintained. They are
living documents, and form core elements of the material used as evidence during certification.
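An added example (not from the workbook) of how the Gap Analysis and SOA spreadsheets described in the last two sections can be cross-checked in Python: controls are rated on the five CMM levels, the SOA is validated against the Annex A checklist and the controls that risk treatment determined necessary, and applicable controls below the target maturity become action-plan items. The Annex A subset is a handful of real ISO/IEC 27001:2013 control identifiers with abbreviated titles; the target maturity level, the sample ratings and the sample SOA entries are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# CMM maturity scale as described in the workbook's gap-analysis notes.
CMM_LEVELS = {1: "Initial", 2: "Limited", 3: "Defined", 4: "Managed", 5: "Optimized"}
TARGET_MATURITY = 4  # assumed target: a control rated below this is a gap

# Small subset of ISO/IEC 27001:2013 Annex A used as the checklist (titles abbreviated).
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.6.1.1": "Information security roles and responsibilities",
    "A.7.2.2": "Information security awareness, education and training",
    "A.7.2.3": "Disciplinary process",
    "A.8.1.1": "Inventory of assets",
    "A.11.2.6": "Security of equipment and assets off-premises",
    "A.12.3.1": "Information backup",
    "A.17.1.1": "Planning information security continuity",
}

@dataclass
class SoaEntry:
    control: str
    applicable: bool
    justification: str      # the standard wants a justification for inclusion and for exclusion
    implemented: bool = False

def gap_analysis(maturity: dict[str, int], target: int = TARGET_MATURITY) -> list[dict]:
    """Rate every checklist control at its CMM level; anything below target is a gap.
    A control with no rating is treated as CMM 1: a risk exists but nothing is in place."""
    rows = []
    for cid, title in ANNEX_A.items():
        level = maturity.get(cid, 1)
        rows.append({"control": cid, "title": title, "cmm": level,
                     "rating": CMM_LEVELS[level], "gap": level < target})
    return rows

def validate_soa(soa: list[SoaEntry], necessary: set[str]) -> list[str]:
    """Findings against the SOA:
    - a control determined necessary by risk treatment is absent or marked not applicable;
    - a checklist control has no applicability decision at all (checklist not fully used);
    - an inclusion or exclusion carries no justification."""
    by_id = {e.control: e for e in soa}
    findings = []
    for cid in sorted(necessary):
        entry = by_id.get(cid)
        if entry is None or not entry.applicable:
            findings.append(f"{cid}: necessary control omitted from SOA")
    for cid in ANNEX_A:
        if cid not in by_id:
            findings.append(f"{cid}: no applicability decision recorded")
    for entry in soa:
        if not entry.justification.strip():
            kind = "inclusion" if entry.applicable else "exclusion"
            findings.append(f"{entry.control}: {kind} not justified")
    return findings

def action_plan(soa: list[SoaEntry], gaps: list[dict]) -> list[str]:
    """Cross-reference: applicable SOA controls rated below target become action items."""
    gap_by_id = {g["control"]: g for g in gaps}
    actions = []
    for entry in soa:
        g = gap_by_id.get(entry.control)
        if entry.applicable and g and g["gap"]:
            actions.append(f"{entry.control} {g['title']}: raise from CMM {g['cmm']} "
                           f"({g['rating']}) to CMM {TARGET_MATURITY}")
    return actions

# Constructed sample data (not a real organisation).
SAMPLE_MATURITY = {"A.5.1.1": 4, "A.6.1.1": 3, "A.7.2.2": 2, "A.7.2.3": 4, "A.8.1.1": 3, "A.12.3.1": 5}
NECESSARY_CONTROLS = {"A.5.1.1", "A.7.2.2", "A.12.3.1", "A.17.1.1"}   # output of risk treatment
SAMPLE_SOA = [
    SoaEntry("A.5.1.1", True, "Required by clause 5.2; treats policy-related risks", implemented=True),
    SoaEntry("A.6.1.1", True, "Needed to assign ownership of every risk in the register"),
    SoaEntry("A.7.2.2", True, ""),                         # included but not justified
    SoaEntry("A.7.2.3", True, "Supports A.7.2.2 and HR policy"),
    SoaEntry("A.8.1.1", True, "Prerequisite for risk identification"),
    SoaEntry("A.11.2.6", False, "No off-premises equipment within the ISMS scope"),
    SoaEntry("A.12.3.1", True, "Treats the ransomware risk", implemented=True),
    # A.17.1.1 is missing although risk treatment determined it necessary
]
```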

Risk Management – Risk Acceptance

ISO 27001:2013 6.1.2 and 6.1.3 apply

Risk Management – Risk Communication & Consultation

Stakeholders can include shareholders, authorities (including legal and regulatory), clients, partners,
etc. All interested parties must be listed, together with all their requirements, to form one of the key
inputs to deciding the initial scope of the ISMS.

Risk communication should achieve the following:

• Assurance of the outcome of the organization’s risk management
• Collect risk information
• Share the results from the risk assessment and present the risk treatment plan
• Avoid or reduce both occurrence and consequence of information security breaches due to the
lack of mutual understanding among decision makers and stakeholders
• Support decision-making
• Obtain new information security knowledge
• Co-ordinate with other parties and plan responses to reduce consequences of any incident
• Give decision makers and stakeholders a sense of responsibility about risks
• Improve awareness

Risk Management – Risk Monitoring, Review and Improvement

The information security risk management process should be continually monitored, reviewed and
improved as necessary and appropriate.

This monitoring and review activity should address (but not be limited to):

• Legal and environmental context
• Competition context
• Risk assessment approach
• Asset value and categories
• Impact criteria
• Risk evaluation criteria
• Risk acceptance criteria
• Total cost of ownership
• Necessary resources

Any agreed improvements to the process or actions necessary to improve compliance with the process
should be notified to the appropriate managers to have assurance that no risk or risk element is
overlooked or underestimated and that the necessary actions are taken and decisions are made to
provide a realistic risk understanding and ability to respond.


ISMS Performance Evaluation - general

ISMS Performance Evaluation needs to meet ISO 27001 9.1 Monitoring, measurement, analysis
and evaluation.

Covers 9.3 of 27001. NOTE: the methods selected should produce comparable and reproducible results
to be considered valid.

Audit and Compliance

• Audits are mandatory and must comply with internal requirements and those of ISO 27001 9.2
Internal Audit.
• It is required that these audits are implemented effectively and the process is maintained.
• An audit programme must be planned, established, implemented and maintained. The plan must
include the frequency of audit, the methods to be used, who is responsible for it and how findings
are reported.
• Each audit must have defined criteria and be scoped appropriately
• They must be conducted to ensure objectivity and impartiality – and reporting must be made to
appropriate management
• All relevant information must be retained and documented
• Audit requirements set out clearly how this should be carried out

Management Review - general

Refer specifically to ISO27001 9.3 Management Review

ISMS Improvement - general

A non-conformity is the non-fulfilment of a requirement (ISO 27000 :2012 – from ISO 9000:2005)

Controls

• Communication of roles and responsibilities – this is essential in all subject areas and for all
relevant staff – at whatever level
• Documentation of agreed policy, processes and procedures – and this is communicated and
made accessible
• Management information needs to be gathered and managed so the ISMS can be ‘managed
by fact’
• Risk assessment is core to all aspects of control. It guides focus, priority for action, and
ultimately, investment in security. This helps practitioners distinguish between ‘appropriate and
inappropriate controls’

Controls

From 27002

Information Security Policies

Source: ISO 27001 Table A.1 — Control objectives and controls - A.5 Information security policies -
A.5.1 Management direction for information security

A policy is a statement of intent by an organisation. It sets out:

• Aims, objectives and goals
• Roles and responsibilities
• Authority

Information security policies should address requirements created by:

• a) business strategy;
• b) regulations, legislation and contracts;
• c) the current and projected information security threat environment.

The information security policy should contain statements concerning:

• a) definition of information security, objectives and principles to guide all activities relating to
information security;
• b) assignment of general and specific responsibilities for information security management to
defined roles;
• c) processes for handling deviations and exceptions.

Information Security Policies

This is an example of a ‘Policy Map’. It is not designed to be complete nor to act as an exact template.
The documents in it are hierarchical. The documents will need to be supported by documented
processes (these are not listed on the map provided). The light green 2nd level documents follow ISO
27001. This is not mandatory.

The yellow documents (sub-policies – sometimes called Standards) are examples. There will
undoubtedly be others.

There is a collection of items associated with the blue Security Organisation box. These are normally
supporting documents and/or activities that are not policies themselves, but need to be in place to
make the document set work.

The red boxes at the foot of the diagram indicate what are often called ‘baseline documents’. These
set out how various devices are set up – normally in a way that meets the requirements set out in the
policies themselves. It’s important to note that the degree of ‘volatility’ of the documents increases
as you descend the hierarchy. Baseline documents can change very rapidly in response to new
threats. Policies tend to react to slower elements, such as changes in the law or to regulations.

Guide to acronyms

SDLC – Systems Development LifeCycle

BCM – Business Continuity Management

JLT – Joiners, Leavers and Transfers

AUPs – Acceptable Usage Policy(s)

There are inevitable links across the map – JLT links closely to ID & Access Management. The AUPs can
include usage of various assets, including email and internet browsing. These link to other aspects of
HR, including sanctions for non-compliance (linking to the blue ‘Security Organisation’ box).

Extract from ISO 27002:2013

At a lower level, the information security policy should be supported by topic-specific policies, which
further mandate the implementation of information security controls and are typically structured to
address the needs of certain target groups within an organization or to cover certain topics. Examples
of such policy topics include:

1. access control (see Clause 9);
2. information classification (and handling) (see 8.2);
3. physical and environmental security (see Clause 11);
4. end user oriented topics such as:
• acceptable use of assets (see 8.1.3);
• clear desk and clear screen (see 11.2.9);
• information transfer (see 13.2.1);
• mobile devices and teleworking (see 6.2);
• restrictions on software installations and use (see 12.6.2);

5. backup (see 12.3);
6. information transfer (see 13.2);
7. protection from malware (see 12.2);
8. management of technical vulnerabilities (see 12.6.1);
9. cryptographic controls (see Clause 10);
10. communications security (see Clause 13);
11. privacy and protection of personally identifiable information (see 18.1.4);
12. supplier relationships (see Clause 15).

These policies should be communicated to employees and relevant external parties in a form that is
relevant, accessible and understandable to the intended reader, e.g. in the context of an “information
security awareness, education and training programme” (see 7.2.2).

Other information

The need for internal policies for information security varies across organizations. Internal policies are
especially useful in larger and more complex organizations where those defining and approving the
expected levels of control are segregated from those implementing the controls or in situations where
a policy applies to many different people or functions in the organization. Policies for information
security can be issued in a single “information security policy” document or as a set of individual but
related documents.

Information Security Policies

For example a security policy manual or an intranet wiki containing a coherent and internally
consistent suite of policies, standards, procedures and guidelines.

Organization for Information Security

Reference 27001 A.6 Organization of information security - A.6.1 Internal organization - Objective:
To establish a management framework to initiate and control the implementation and operation of
information security within the organization

Reference 27002 Organization of information security - 6.1 Internal organization - Objective: To
establish a management framework to initiate and control the implementation and operation of
information security within the organization.

This information is taken directly from ISO/IEC 27003, 5.3.2.

Activity

The overall roles and responsibilities for the preliminary ISMS scope should be defined.

Input

1. Output from Activity 5.3.1 Develop the preliminary ISMS scope
2. List of stakeholders who will benefit from results of the ISMS project.

Guidance

In order to execute the ISMS project, the role of an organization for the project should be determined.
The role generally is different at each organization, because of the number of people dealing with
information security. The organizational structure and resources for information security vary with the
size, type and structure of the organization. For example, in a smaller organization, several roles may
be carried out by the same person. However, management should explicitly identify the role (typically
Chief Information Security Officer, Information Security Manager or similar) with overall responsibility
for managing information security, and the staff should be assigned roles and responsibilities based on
the skill required to perform the job. This is critical to ensure that the tasks are carried out efficiently
and effectively.

The most important considerations in the definition of roles in information security management are:

1. overall responsibility for the tasks remains at the management level,
2. one person (usually the Chief Information Security Officer) is appointed to promote and
co-ordinate the information security process,
3. each employee is equally responsible for his or her original task and for maintaining information
security in the workplace and in the organization.

The roles for managing information security should work together; this may be facilitated by an
Information Security Forum, or similar body.

Collaboration with appropriate business specialists should be undertaken (and documented) at all
stages of the development, implementation, operation and maintenance of the ISMS.

Representatives from departments within the identified scope (such as risk management) are potential
ISMS implementation team members. This team should be maintained at the smallest practical size
for speed and effective use of resources. Such areas are not only those directly included in the ISMS
scope, but also the indirect divisions, such as legal, risk management and administrative departments.

Output

The deliverable is a document or table describing the roles and responsibilities with the names and
organization needed to successfully implement an ISMS.

Organization for Information Security

Reference 27001 A.6 Organization of information security - A.6.2 Mobile devices and teleworking

Reference 27002 Organization of information security - 6.2 Mobile devices and teleworking

Organization – Roles & responsibilities

Extract from ISO/IEC 27003 Annex B

Interaction with the organization

All parties involved should review and become very familiar with the current requirements for
protecting the organization’s assets. Participation in organizational analysis should include individuals
who possess a strong knowledge of the organization and the environment in which it operates. These
individuals should be selected to represent a broad spectrum across the organization and include:

1. senior management (e.g. COO and CFO)
2. members of the Information Security Committee
3. members of the Information Security Planning Team
4. line managers (e.g. organization unit heads)
5. process owners (i.e. representing important operational areas)
6. specialists and external consultants

Information security is a wide area that affects the whole organization. As such, clearly defined
security responsibilities are essential for a successful implementation. As security related roles and
responsibilities vary, an understanding of the different roles is fundamental for understanding some of
the activities described later in this International Standard. The table below outlines security related
roles and responsibilities. It should be noted that these roles are general, and specific descriptions are
needed for each individual implementation of an ISMS.

Human Resource Security

Reference ISO 27001 A 7 and ISO 27002 7

Human Resource Security

Background checks can be sensitive, and need to be carried out in accordance with relevant laws,
regulations and ethics. Such checks need to be proportional to the business requirements, the
classification of the information to be accessed and the perceived risks.

Terms and conditions of employment

• Background verification checks on all candidates for employment
• Contractual agreements with employees and contractors shall state their and the organisation’s
responsibilities for information security

Human Resource Security

Everyone must act in accordance with policy and procedures

Everyone must receive appropriate Information Security awareness, education and training and be
given timely updates in regard to changes to policies and procedures that are relevant to their job

There has to be a clear, formal and communicated process that sets out the actions that follow a breach
of policy – including disciplinary action

Asset Management

Reference ISO 27001 A8 and ISO 27002 8

Note the following guidance (not examinable) from ISO/IEC 27003:2010 – Clause 7

7.2 deliverables

• identification of the main processes, functions, locations, information systems and
communication networks
• information assets of the organization
• critical processes/assets classification
• information security requirements derived from the organization’s legal, regulatory, and
contractual requirements
• list of publicly known vulnerabilities that will be addressed as a result of the security requirements
• organization information security training and education requirements

7.3 deliverables

• identified information assets of the main processes of the organization within the ISMS scope
• Information security classification of critical processes and information assets

Media handling

• To identify organizational assets and define appropriate protection responsibilities.
• To ensure that information receives an appropriate level of protection in accordance with its
importance to the organization.
• To prevent unauthorized disclosure, modification, removal or destruction of information stored
on media.

Asset Management - Responsibility for assets

Assets need to be identified and an inventory drawn up and maintained. Any asset in the inventory
needs a formal owner

Acceptable Use (AU) policies need to be developed and implemented

As part of ‘acceptable use’, and in line with HR termination policy, any party (employee, contractor etc.)
in possession of organisation assets must return them

Ownership (ref: Security Organisation)

Legal ownership of assets – it’s the legal entities who own the assets (organisations, government
departments, charities etc)

Corporate ownership is delegated from the highest level (‘Top Management’)

Lower levels are ‘custodians’ and ‘users’

Asset Management - Information classification

Classification example

Access Control - Business requirements of access control

Business requirements are set out in the Information Security policy – authorised by the SC or
equivalent. The issue of user access can be problematic. One approach is to follow a tight ‘need to
know’ policy. This can be a justified interpretation of the standard. However, some think that this
can be restrictive, and follow a ‘need to restrict’ philosophy. Authority to access assets is provided
explicitly. Denial of access is the exception rather than the rule. Decisions on the approach are made at
the SC or higher.

Access Control - User access management

Reference ISO 27001 A 9 and ISO 27002 9

Access Control – User access management

A formal user registration and de-registration process shall be implemented to enable assignment of
access rights.

A formal user access provisioning process shall be implemented to assign or revoke access rights for all
user types to all systems and services.

The allocation and use of privileged access rights shall be restricted and controlled.

The allocation of secret authentication information shall be controlled through a formal
management process.

Asset owners shall review users’ access rights at regular intervals.

The access rights of all employees and external party users to information and information processing
facilities shall be removed upon termination of their employment, contract or agreement, or adjusted
upon change.
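An added illustration (not from the workbook or from ISO/IEC 27001) of how the provisioning, review and removal requirements above can be checked in practice: the script reconciles a directory export against the HR roster and flags accounts that should have been revoked on termination, rights not justified by the person’s current role, reviews that are overdue, and accounts with no HR owner. The HR records, accounts, `ROLE_GROUPS` role model and `PRIVILEGED_GROUPS` are constructed sample data.

```python
"""Reconcile identity-store accounts against the HR roster (A.9.2 user access
management). Added illustration with constructed sample data; the role model
and group names are hypothetical, not from any real organisation."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass
class HrRecord:
    """One row of the HR roster (constructed format)."""
    user_id: str
    status: str                      # "active" or "left"
    role: str
    end_date: Optional[date] = None  # set when status == "left"


@dataclass
class Account:
    """One account as exported from the directory (constructed format)."""
    user_id: str
    enabled: bool
    groups: FrozenSet[str]
    last_review: date                # last attestation by the asset owner


# Hypothetical role-to-entitlement model: the groups each role may legitimately hold.
ROLE_GROUPS: Dict[str, FrozenSet[str]] = {
    "finance": frozenset({"finance-ro", "finance-rw", "vpn-users"}),
    "dba": frozenset({"db-admin", "vpn-users"}),
}

# Groups whose allocation and use must be restricted and controlled (privileged access).
PRIVILEGED_GROUPS: FrozenSet[str] = frozenset({"domain-admins", "db-admin"})


def reconcile(hr_records: List[HrRecord], accounts: List[Account],
              today: date, review_interval_days: int = 90) -> List[dict]:
    """Return one finding per discrepancy between held access and HR status."""
    hr_by_id = {r.user_id: r for r in hr_records}
    findings: List[dict] = []

    def add(user_id: str, issue: str, severity: str, detail: str) -> None:
        findings.append({"user_id": user_id, "issue": issue,
                         "severity": severity, "detail": detail})

    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # No HR counterpart: nobody is accountable for this access.
            add(acct.user_id, "orphan_account", "high", "no HR record for this account")
            continue
        if rec.status == "left":
            # Rights are removed on termination; an enabled account is a failure.
            if acct.enabled:
                add(acct.user_id, "not_revoked", "high",
                    f"left on {rec.end_date}, account still enabled")
            continue
        # Rights not justified by the current role (must be adjusted on change).
        excess = acct.groups - ROLE_GROUPS.get(rec.role, frozenset())
        if excess:
            severity = "high" if excess & PRIVILEGED_GROUPS else "medium"
            add(acct.user_id, "excess_rights", severity,
                f"groups not justified by role {rec.role!r}: {sorted(excess)}")
        # Asset owners review access rights at regular intervals.
        if (today - acct.last_review).days > review_interval_days:
            add(acct.user_id, "review_overdue", "medium",
                f"last reviewed {acct.last_review}, interval {review_interval_days} days")
    return findings


# Constructed sample data: one leaver still enabled, one excess privileged
# group, one overdue review and one account unknown to HR.
SAMPLE_HR = [
    HrRecord("alice", "active", "finance"),
    HrRecord("bob", "left", "finance", end_date=date(2024, 1, 15)),
    HrRecord("carol", "active", "dba"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"finance-ro", "domain-admins"}), date(2023, 10, 1)),
    Account("bob", True, frozenset({"finance-ro"}), date(2024, 1, 1)),
    Account("carol", True, frozenset({"db-admin"}), date(2024, 3, 1)),
    Account("dave", True, frozenset({"vpn-users"}), date(2024, 2, 1)),
]


def run_sample() -> List[dict]:
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, today=date(2024, 4, 1))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['severity']:<6} {f['user_id']:<6} {f['issue']:<16} {f['detail']}")
```

Run against real exports, the findings list is the input to the access review evidence the auditor will ask for, and the `review_interval_days` value should match the interval stated in the access control policy.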

Access Control – User responsibilities

Reference ISO 27001 A 9 and ISO 27002 9

In many organisations there are rules permitting password sharing. This is used, inter alia, to help
permit holiday cover and so forth. These rules are also used to help Personal Assistants access their boss’
email and files. Such rules carry risk, and have to be very specific as to what’s allowed and what is not.
Some organisations do not permit any form of password sharing, but allow actions like IT Support by
using privileged access IDs to carry out work. The scope and capability of these privileged IDs also carry
risk. They will have to be managed appropriately according to the risk. Whichever choice is made, the
choice and use of passwords is important. Systems must ensure passwords are of quality (i.e. difficult
to guess) and the process for developing them must be interactive – involving the user.

Cryptography

Extract from 27002 10

When developing a cryptographic policy the following should be considered:

a. the management approach towards the use of cryptographic controls across the organization,
including the general principles under which business information should be protected;
b. based on a risk assessment, the required level of protection should be identified taking into
account the type, strength and quality of the encryption algorithm required;
c. the use of encryption for protection of information transported by mobile or removable media
devices or across communication lines;
d. the approach to key management, including methods to deal with the protection of
cryptographic keys and the recovery of encrypted information in the case of lost, compromised or
damaged keys;
e. roles and responsibilities, e.g. who is responsible for:
• the implementation of the policy;
• the key management, including key generation (see 10.1.2);

f. the standards to be adopted for effective implementation throughout the organization (which
solution is used for which business processes);
g. the impact of using encrypted information on controls that rely upon content inspection (e.g.
malware detection).

When implementing the organization’s cryptographic policy, consideration should be given to the
regulations and national restrictions that might apply to the use of cryptographic techniques in
different parts of the world and to the issues of trans-border flow of encrypted information (see
18.1.5).

A key management system should be based on an agreed set of standards, procedures and secure
methods for:

1. generating keys for different cryptographic systems and different applications;
2. issuing and obtaining public key certificates;
3. distributing keys to intended entities, including how keys should be activated when received;
4. storing keys, including how authorized users obtain access to keys;
5. changing or updating keys including rules on when keys should be changed and how this will
be done;
6. dealing with compromised keys;
7. revoking keys including how keys should be withdrawn or deactivated, e.g. when keys have been
compromised or when a user leaves an organization (in which case keys should also be archived);
8. recovering keys that are lost or corrupted;
9. backing up or archiving keys;
10. destroying keys;
11. logging and auditing of key management related activities.
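As an added example (not from the workbook or from ISO/IEC 27002), a small key store that enforces the lifecycle the list above describes: generation, activation, change on a rotation interval, handling of compromised keys, archiving before destruction, and an audit trail of every transition. The state names, the transition table and the `rotation_days` value are assumptions made for this illustration, not something the standard prescribes.

```python
"""Key lifecycle enforcement with an audit trail (items 1 to 11 of the key
management list). Added illustration; the states, the transition table and
the rotation interval are assumptions, not prescribed by the standard."""
import secrets
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Allowed state changes. A compromised key can only be revoked, a superseded
# key is kept (archived) so old data can still be decrypted, and only archived
# keys can be destroyed, so nothing is erased before it has been retained.
TRANSITIONS: Dict[str, Set[str]] = {
    "generated":   {"active", "destroyed"},   # never distributed: may be destroyed directly
    "active":      {"retired", "compromised"},
    "compromised": {"revoked"},               # no path back to active
    "retired":     {"archived"},
    "revoked":     {"archived"},
    "archived":    {"destroyed"},
    "destroyed":   set(),
}


@dataclass
class KeyRecord:
    key_id: str
    purpose: str
    created: date
    state: str = "generated"
    material: Optional[bytes] = None   # None once destroyed; the record itself is kept


@dataclass
class KeyStore:
    rotation_days: int                 # item 5: rule on when keys are changed
    keys: Dict[str, KeyRecord] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)   # item 11: every action logged

    def _log(self, actor: str, action: str, key_id: str, note: str = "") -> None:
        self.audit.append({"actor": actor, "action": action, "key_id": key_id, "note": note})

    def _transition(self, actor: str, key_id: str, new_state: str, note: str = "") -> None:
        rec = self.keys[key_id]
        if new_state not in TRANSITIONS[rec.state]:
            self._log(actor, "rejected", key_id, f"{rec.state} -> {new_state}")
            raise ValueError(f"{key_id}: {rec.state} -> {new_state} is not allowed")
        rec.state = new_state
        if new_state == "destroyed":
            rec.material = None   # item 10: material erased, audit record retained
        self._log(actor, new_state, key_id, note)

    def generate(self, actor: str, purpose: str, today: date) -> str:
        """Item 1: new key for a given purpose (random 256-bit material)."""
        key_id = f"{purpose}-{today.isoformat()}-{secrets.token_hex(2)}"
        self.keys[key_id] = KeyRecord(key_id, purpose, today, material=secrets.token_bytes(32))
        self._log(actor, "generated", key_id)
        return key_id

    def activate(self, actor: str, key_id: str) -> None:
        """Item 3: key distributed and activated for use."""
        self._transition(actor, key_id, "active")

    def active_key(self, purpose: str) -> Optional[str]:
        for rec in self.keys.values():
            if rec.purpose == purpose and rec.state == "active":
                return rec.key_id
        return None

    def rotate_due(self, actor: str, today: date) -> List[Tuple[str, str]]:
        """Item 5: replace active keys older than rotation_days; old key retired, not erased."""
        rotated: List[Tuple[str, str]] = []
        for rec in list(self.keys.values()):
            if rec.state == "active" and (today - rec.created).days >= self.rotation_days:
                new_id = self.generate(actor, rec.purpose, today)
                self.activate(actor, new_id)
                self._transition(actor, rec.key_id, "retired", f"superseded by {new_id}")
                rotated.append((rec.key_id, new_id))
        return rotated

    def compromise(self, actor: str, key_id: str, reason: str) -> None:
        """Items 6 and 7: a compromised key is revoked at once and then archived."""
        self._transition(actor, key_id, "compromised", reason)
        self._transition(actor, key_id, "revoked")
        self._transition(actor, key_id, "archived")

    def destroy(self, actor: str, key_id: str) -> None:
        """Item 10: only archived (or never-used) keys may be destroyed."""
        self._transition(actor, key_id, "destroyed")
```

The `audit` list is what item 11 asks for: it records rejected transitions as well as successful ones, so an attempt to destroy a key that has not yet been archived is itself evidence for review.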

Operations Security

Documentation

Documented procedures need to cover standard IT Operations, including start-up, close-down, backup,
equipment maintenance, media handling, mail handling management and safety. The documents
should be subject to formal change management, and include instruction to cover:

• System installation and configuration
• Automated and manual information processing and handling
• Backup
• Scheduling requirements
• Error and exception handling
• Support and escalation contacts to be used in exceptional conditions
• Handling instructions for exceptional information, including sensitive output. These should include
instruction on disposal of same
• System failure restart and recovery procedures
• Audit-trail and system log information management
• Monitoring

Change

Change procedures need to be agreed and documented. This must include descriptions of the various
roles involved.

All change requests should be recorded and a log maintained. Decisions to go ahead and ultimately
to implement must be formally approved.

Prior to any change a risk assessment should take place. This assessment should note whether any
aspect of the change impacts on Service Level Agreements.

There must be provision for implementing emergency changes, with appropriate controls to ensure
they are managed retrospectively.

Every change must be managed through version control and be tested before going into production
(excepting emergency changes).

All stakeholders (including users) must be told of the change and be given the opportunity to comment
on it prior to implementation.

There must be a procedure to roll back the change in the event it fails.

Once implemented, the change and its effects must be documented. This should include updating the
Business Continuity Plans (BCP).

The changes must be monitored after implementation to ensure they operate as expected.

Capacity

Organisations need to identify and avoid potential bottlenecks and dependence on key assets
(including people) that might present a threat to system security or services, and plan appropriate
action. Such action can include:

• Freeing up disk space by deleting obsolete data
• Getting rid of obsolete items such as applications, systems, databases or environments
• Optimising scheduled processes, application logic and queries
• Limiting access to non-critical but resource-‘greedy’ processes

Should risk assessment indicate any systems as mission critical, a specific capacity action plan
may be required. Systems should be monitored to ensure capacity problems are dealt with before
they happen.

Capacity planning should form a core aspect of setting out future requirements, particularly when
there are protracted procurement timescales and high costs.

Capacity includes people, buildings, utilities and other support elements. It is not confined to
IT systems.


Testing

Separating development, testing and operational environments reduces the risk of accidental change
or unauthorized access to operational software and business data. Untested code can cause unwanted
modification of files or of the system environment, or system failure. Development personnel have skills
that could be used malevolently if access to live systems is permitted. A regime to separate these
environments needs to be set up on a risk basis, and include, inter alia:

• Defined, documented controls to manage the transfer of software from development to
operational status
• The separation of systems, processors and domains in these differing environments
• A testing environment to be used prior to systems going live
• A ban on testing in live environments
• Prevention of access to development tools and utilities from the live environment
• Different user profiles for individuals who operate in these different environments
• Prevention of the use of sensitive information (e.g. personal data) for testing purposes

Malware

Malware prevention goes beyond technology. A range of controls is required. These include anti-
malware software (normally two or more products to provide wider coverage), operating procedures,
organisation-wide staff education, appropriately managed access control and change management. Further
controls worthy of consideration include:

• Strong governance on the use of unauthorized software and accessing potentially
malicious websites
• Regular reviews of critical systems and data, and keeping up to date regarding the threat
landscape
• Definition of appropriate procedures and responsibilities
• Incorporating malware protection into the business continuity regime and ensuring protection during
emergency conditions

Always remember that anti-malware tools and processes can impact on normal operations; this
is inevitable. Communications are core: implement procedures to verify information relating to
malware, and ensure that warning bulletins are accurate and informative. Managers should ensure
that qualified sources (e.g. reputable journals, reliable Internet sites or suppliers producing software
protecting against malware) are used to differentiate between hoaxes and real malware, and all users
should be made aware of the problem of hoaxes and what to do on receipt of them.

Backup

Backing up is essential. Procedures should ensure the successful and complete execution of backup.


Backup arrangements must be regularly tested to ensure that they meet requirements (as defined in
policy), especially those relating to critical systems. Such arrangements must include retention and
archive management.

Adequate backup facilities should be provided to ensure that all essential information and software
can be recovered following a disaster or media failure.

Detailed controls should include:

• Accurate and complete records of the backup copies
• Documented restoration procedures
• Ensuring physical distance between original and backup copies
• Appropriate physical protection
• Cryptographic protection of sensitive backup records

The extent (e.g. full or differential backup) and frequency of backups should reflect the business
requirements of the organization, the security requirements of the information involved and the
criticality of the information to the continued operation of the organization.

Backup media should be regularly tested to ensure that they can be relied upon for emergency use
when necessary; this should be combined with a test of the restoration procedures and checked
against the restoration time required. Testing the ability to restore backed-up data should be
performed onto dedicated test media, not by overwriting the original media, in case the backup or
restoration process fails and causes irreparable data damage or loss.

Protection applied to backup information should be equal to or greater than the protection applied to the
original if it is protectively marked. Protective marking applies equally to backups. This is easy to forget.

Logging and Monitoring

Monitoring and logging tools normally generate a huge amount of data, little of which is relevant to
security management. Successful monitoring requires either a reduction in this volume, an automated
tool to deal with the volume, or a combination of the two.

System logs can be sensitive, or may be required as legal evidence or as part of a compliance regime.
They need to be protected and handled to ensure they remain valid and useful. This protection can
include ensuring that the administrators responsible for managing the monitored system cannot access,
change or delete the logs. An intrusion detection system managed outside the control of these
administrators might be used to protect the logs.

It’s essential that computer clocks are accurate and synchronised, so that log entries from different
systems can be correlated.


Event logs should include, when relevant:

• user IDs
• system activities
• dates, times and details of key events, e.g. log-on and log-off
• device identity or location if possible and system identifier
• records of successful and rejected system access attempts
• records of successful and rejected data and other resource access attempts
• changes to system configuration
• use of privileges
• use of system utilities and applications
• files accessed and the kind of access
• network addresses and protocols
• alarms raised by the access control system
• activation and de-activation of protection systems, such as anti-virus systems and intrusion
detection systems
• records of transactions executed by users in applications

Log information needs to be protected against unauthorized change, and any operational problems
with the logging facility need to be brought to immediate attention.

Alerts should be raised if there are any alterations to the message types recorded, if log files are edited
or deleted, or if the storage capacity of the log file media is in danger of being exceeded. Log files need
to be managed in accordance with the corporate record retention policy.

Due to their enhanced capability (and inherent higher risk), privileged user accounts (system
administrators, operators, etc.) need careful logging. These logs need protection from the privileged
users themselves.
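As an added illustration of the log-protection and alerting points above (this is not code from the workbook or from ISO/IEC 27002), the following Python builds a tamper-evident event log and raises the three alerts the text calls for: a broken chain (record edited, deleted or reordered), an unexpected message type, and log storage nearing capacity. It assumes the HMAC key is held by the monitoring function, outside the control of the administrators of the monitored system; the event records and the list of known event types are constructed samples.

```python
import hashlib
import hmac
import json

# Constructed sample events of the kind listed above (user ID, timestamp, event,
# system identifier, outcome). Not taken from the workbook.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T08:00:01Z", "user": "jsmith", "event": "logon", "system": "erp01", "result": "success"},
    {"ts": "2024-01-15T08:00:09Z", "user": "jsmith", "event": "file_access", "system": "erp01", "result": "success"},
    {"ts": "2024-01-15T08:02:30Z", "user": "root", "event": "privilege_use", "system": "erp01", "result": "success"},
    {"ts": "2024-01-15T08:03:00Z", "user": "guest", "event": "logon", "system": "erp01", "result": "rejected"},
    {"ts": "2024-01-15T08:05:12Z", "user": "root", "event": "config_change", "system": "erp01", "result": "success"},
]
# Message types the monitoring team expects to see; anything else is alerted on.
KNOWN_EVENT_TYPES = {"logon", "logoff", "file_access", "privilege_use", "config_change"}
GENESIS = "0" * 64  # chain value before the first record


def _mac(key, prev, payload):
    return hmac.new(key, (prev + "\n" + payload).encode(), hashlib.sha256).hexdigest()


def write_chained_log(events, key):
    """Serialise events as JSON lines. Each line carries an HMAC over the previous
    line's MAC and its own payload, so editing, reordering or deleting any line
    invalidates every MAC that follows it. Only the key holder can re-chain."""
    lines, prev = [], GENESIS
    for ev in events:
        payload = json.dumps(ev, sort_keys=True)
        mac = _mac(key, prev, payload)
        lines.append(json.dumps({"rec": ev, "prev": prev, "mac": mac}, sort_keys=True))
        prev = mac
    return lines


def verify_chained_log(lines, key):
    """Return (True, None) if the chain is intact, else (False, index) where index
    is the first record at which tampering, deletion or reordering shows."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
            payload = json.dumps(entry["rec"], sort_keys=True)
        except (ValueError, KeyError, TypeError):
            return False, i
        if entry.get("prev") != prev:          # a record before this one is missing/reordered
            return False, i
        expected = _mac(key, prev, payload)
        if not hmac.compare_digest(expected, str(entry.get("mac", ""))):
            return False, i                    # this record was edited
        prev = expected
    return True, None


def raise_alerts(lines, key, known_types, used_bytes, capacity_bytes, threshold=0.9):
    """The three alert conditions named in the text, evaluated over a log."""
    alerts = []
    ok, idx = verify_chained_log(lines, key)
    if not ok:
        alerts.append(f"INTEGRITY: log chain broken at record {idx} (edited, deleted or reordered)")
    unknown = set()
    for line in lines:
        try:
            ev_type = json.loads(line)["rec"].get("event")
        except (ValueError, KeyError, TypeError, AttributeError):
            continue
        if ev_type not in known_types:
            unknown.add(str(ev_type))
    for t in sorted(unknown):
        alerts.append(f"MESSAGE_TYPE: unexpected event type '{t}' recorded")
    if capacity_bytes > 0 and used_bytes / capacity_bytes >= threshold:
        alerts.append(f"CAPACITY: log storage at {used_bytes / capacity_bytes:.0%} of capacity")
    return alerts


def demo():
    """Stand-alone run: intact log, the privileged-user record deleted, a rejected
    logon edited to look successful, then the alerts for the tampered log."""
    key = b"monitoring-team-key"  # constructed; a real key stays with the monitoring function
    lines = write_chained_log(SAMPLE_EVENTS, key)
    results = {"intact": verify_chained_log(lines, key)}
    results["deleted"] = verify_chained_log(lines[:2] + lines[3:], key)
    entry = json.loads(lines[3])
    entry["rec"]["result"] = "success"
    edited = lines[:3] + [json.dumps(entry, sort_keys=True)] + lines[4:]
    results["edited"] = verify_chained_log(edited, key)
    results["alerts"] = raise_alerts(lines[:2] + lines[3:], key, KNOWN_EVENT_TYPES, 95, 100)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```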

Operational Software

Ensuring the integrity of operational systems requires that upgrades are managed. Third-party software
normally requires support from the vendor. Support can be withheld on ageing systems, and the risks
associated with unsupported software need to be considered.

Access to these assets needs close management and monitoring, especially access by third parties.
Updates should only be performed by trained, authorised staff.

Separate live operational systems from development and test arenas, and don’t permit development
or testing tools into live environments.

Test, configure, document, log and implement in accordance with policy.

Keep a copy of the old version just in case a roll-back is needed.

Technical Vulnerability

Technical vulnerability management does not stand on its own. It requires an appropriate change
management regime and appropriate asset management.

Patch management is core to managing technical vulnerabilities. Patches are often released quickly
and their quality can be suspect. Note that uninstalling patches can be problematic, so risks should be
assessed prior to installation, especially if testing is hard to complete.

The use of ISO/IEC 27031 (BC) can be beneficial.

A current and complete inventory of assets is a prerequisite for effective technical vulnerability
management. Specific information needed to support technical vulnerability management includes
the software vendor, version numbers, current state of deployment (e.g. what software is installed on
what systems) and the person(s) within the organization responsible for the software.

ISO/IEC 27031:2011 describes the concepts and principles of information and communication
technology (ICT) readiness for business continuity, and provides a framework of methods
and processes to identify and specify all aspects (such as performance criteria, design, and
implementation) for improving an organization's ICT readiness to ensure business continuity. It applies
to any organization (private, governmental, and non-governmental, irrespective of size) developing its
ICT readiness for business continuity program (IRBC), and requiring its ICT services/infrastructures to
be ready to support business operations in the event of emerging events and incidents, and related
disruptions, that could affect continuity (including security) of critical business functions. It also
enables an organization to measure performance parameters that correlate to its IRBC in a consistent
and recognized manner. The scope of ISO/IEC 27031:2011 encompasses all events and incidents
(including security related) that could have an impact on ICT infrastructure and systems. It includes and
extends the practices of information security incident handling and management and ICT readiness
planning and services.

Managing technical vulnerabilities requires speed – you have to detect the issues in time – and deal
with them quickly. The following actions should cover what’s needed:

• Roles and responsibilities require definition and agreement
• Key people should be identified and kept up to date
• Reaction time targets should be set
• Risks should be continually assessed
• Policies on change management, testing, logging and incident response should be adhered to. Any
technical vulnerability regime needs to align with corporate governance
• If no patch is available, alternatives need to be considered
• Deal with high-risk issues first

Other controls should be considered, such as:

1. turning off services or capabilities related to the vulnerability;
2. adapting or adding access controls, e.g. firewalls, at network borders;
3. increased monitoring to detect actual attacks;
4. raising awareness of the vulnerability.


Audit considerations

Systems audit is, by its very nature, intrusive. It has the capacity to disrupt normal business operations.
This situation must be avoided wherever possible.

Access requirements for audit need to be agreed upfront, as does the scope of the audit. This
agreement should include any special or additional processing.

Access needs to be limited – it should, wherever possible, be read-only. Where this cannot be
enforced, access should only be permitted to isolated copies of the relevant files, which should be
erased (unless needed as part of the audit evidence) once testing is complete.

All access should be monitored and logged in accordance with corporate policy.

Any testing likely to impact on the availability of business operations should, wherever possible, be
performed outside core business hours.

Communications Security – Network security management

Networks shall be managed and controlled to protect information in systems and applications.

Security mechanisms, service levels and management requirements of all network services shall be
identified and included in network services agreements, whether these services are provided in-house
or outsourced.

Groups of information services, users and information systems shall be segregated on networks.

Formal transfer policies, procedures and controls shall be in place to protect the transfer of
information through the use of all types of communication facilities.

Agreements shall address the secure transfer of business information between the organization and
external parties.

Information involved in electronic messaging shall be appropriately protected.

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for
the protection of information shall be identified, regularly reviewed and documented.

System Acquisition, Development and Maintenance

Security requirements of information systems

The identification and management of information security requirements should happen early in the
acquisition and/or development process. They should be identified using various sources such as:

• policies and regulations
• threat modelling
• incident reviews

Requirements must be documented and reviewed appropriately, and reflect the business value of
the information.

There is a close dependency on risk assessment (ref: ISO/IEC 27005).

Other potential sources include:

• user authentication requirements, as well as the relevant access provisioning and authorization
processes (for business users as well as for privileged or technical users)
• the protection needs of the assets involved
• requirements derived from business processes, e.g. logging, monitoring and non-repudiation
requirements
• requirements mandated by other security controls

All acquired products should be subject to formal testing as part of an agreed acquisition process. This
process should include the inclusion of security requirements in contracts as well as the criteria for
accepting products. If a product fails to meet these requirements or criteria, any decision to proceed
with acquisition must be based on risk.

Systems that operate over public networks are subject to additional threats. Such systems require
thorough risk assessment and care with control selection.

Security in development and support processes

When introducing new systems and making major changes to existing systems, a formal process
of documentation, specification, testing, quality control and managed implementation should be
followed. This process should include:

• a risk assessment
• analysis of the impact of change
• specification of required controls
• assurance that existing security and control procedures are not compromised
• the limiting of access to those people and assets necessary to perform the work
• formal agreement and approval for any change

A Secure Development policy must be developed and implemented. This must include:

• security of the development environment
• guidance on applying security within the software development lifecycle, such as security in
the software development methodology and secure coding guidelines for each programming
language used
• ensuring security requirements are integrated into the design phase, and that security checkpoints
are embedded within project milestones
• the use of secure repositories, appropriate version control and suitably knowledgeable and
skilled developers

Secure programming techniques and secure coding standards should be used for new developments
and when reusing code. Developers should be trained in their use and testing and code review should
verify their use.

If development is outsourced, you should ensure that the outsource organisation complies with policy.

New systems, whether developed in-house or externally, should be tested to ensure they operate
as intended.

Test data needs to be substantial in volume, but should not contain personally identifiable information
or any other confidential information.

Any personally identifiable information should be made anonymous before use.

System acceptance testing should include testing of information security requirements (see 14.1.1 and
14.1.2) and adherence to secure system development practices (see 14.2.1). The testing should also
be conducted on received components and integrated systems. Organizations can leverage automated
tools, such as code analysis tools or vulnerability scanners, and should verify the remediation of
security related defects. Testing should be performed in a realistic test environment to ensure that
the system will not introduce vulnerabilities to the organization’s environment and that the tests
are reliable.

The use of operational data containing personally identifiable information or any other confidential
information for testing purposes should be avoided. If personally identifiable information or otherwise
confidential information is used for testing purposes, all sensitive details and content should be
protected by removal or modification (see ISO/IEC 29101).

The following guidelines should be applied to protect operational data, when used for
testing purposes:

a. the access control procedures, which apply to operational application systems, should also apply
to test application systems;
b. there should be separate authorization each time operational information is copied to a
test environment;
c. operational information should be erased from a test environment immediately after the testing
is complete;
d. the copying and use of operational information should be logged to provide an audit trail.
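The guidelines above, as an added Python example that is not part of the workbook or of ISO/IEC 29101: operational records are copied to test only against a fresh per-copy authorization (guideline b), personally identifiable fields are protected by removal or by keyed pseudonymisation (the "removal or modification" the text asks for), every copy and every erasure is written to an audit trail (guidelines c and d), and a check confirms that no raw PII survives in the copy. The record layout, the field names and the assumption that the pseudonymisation key stays with the data owner rather than the test team are all constructed for this example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed operational records (not from the page): orders that carry PII.
OPERATIONAL_RECORDS = [
    {"order_id": 1001, "customer_name": "Ann Example", "email": "ann@example.org",
     "postcode": "AB1 2CD", "product": "ready-meal-07", "qty": 12},
    {"order_id": 1002, "customer_name": "Bob Sample", "email": "bob@example.org",
     "postcode": "EF3 4GH", "product": "bulk-rice-01", "qty": 300},
    {"order_id": 1003, "customer_name": "Ann Example", "email": "ann@example.org",
     "postcode": "AB1 2CD", "product": "ready-meal-03", "qty": 6},
]
REMOVE_FIELDS = {"postcode"}                      # protected by removal
PSEUDONYMISE_FIELDS = {"customer_name", "email"}  # protected by modification


class AuthorizationRequired(Exception):
    """Raised when a copy to test is attempted without its own authorization."""


def pseudonym(value, key):
    """Keyed one-way pseudonym: the same input maps to the same token, so joins
    between records still work in test, but the original is not recoverable
    without the key, which the data owner keeps and the test team never sees."""
    return "PSEUDO-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def sanitise(record, key):
    """Apply removal and pseudonymisation; non-PII fields pass through unchanged."""
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        out[field] = pseudonym(str(value), key) if field in PSEUDONYMISE_FIELDS else value
    return out


def copy_to_test(records, authorization, key, audit_log, now=None):
    """Guideline b: a separate authorization (approver + ticket) for each copy.
    Guideline d: the copy is logged. Returns the sanitised copy for test use."""
    if not authorization or not authorization.get("approver") or not authorization.get("ticket"):
        raise AuthorizationRequired("copy refused: no per-copy authorization supplied")
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    test_copy = [sanitise(r, key) for r in records]
    audit_log.append({"ts": stamp, "action": "copy_to_test", "records": len(records),
                      "approver": authorization["approver"], "ticket": authorization["ticket"],
                      "removed": sorted(REMOVE_FIELDS), "pseudonymised": sorted(PSEUDONYMISE_FIELDS)})
    return test_copy


def erase_test_copy(test_copy, ticket, audit_log, now=None):
    """Guideline c: erase the copy immediately after testing, and log the erasure."""
    count = len(test_copy)
    test_copy.clear()
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    audit_log.append({"ts": stamp, "action": "erase_test_copy", "records": count, "ticket": ticket})
    return count


def contains_pii(records):
    """Acceptance check before data enters test: no removed field survives and
    no pseudonymised field still holds a raw value."""
    for r in records:
        if any(f in r for f in REMOVE_FIELDS):
            return True
        if any(not str(r.get(f, "PSEUDO-")).startswith("PSEUDO-") for f in PSEUDONYMISE_FIELDS):
            return True
    return False


if __name__ == "__main__":
    audit = []
    key = b"data-owner-key"  # constructed; held by the data owner, not the test team
    copy = copy_to_test(OPERATIONAL_RECORDS, {"approver": "ciso", "ticket": "CHG-001"}, key, audit)
    print("pii left in test copy:", contains_pii(copy))
    print("erased:", erase_test_copy(copy, "CHG-001", audit))
    for entry in audit:
        print(entry)
```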

Supplier Relationships

A risk assessment needs to be performed to determine the information security requirements relating
to any commercial agreement. These requirements, and the controls needed to meet the risks,
need to be agreed with each supplier and documented accordingly, normally within a commercial
agreement or contract.

It is essential that the ‘right to audit’ is established and agreed.

Changes to contracts need to be subject to risk assessment and formal change control.

The decision to outsource is a commercial decision, but must include a risk assessment.

Formal contracts must include:

• A non-disclosure agreement based on the security requirements
• Clear definition of each party’s responsibilities, the services being provided, service levels,
liabilities, limitations on use of third parties, legal & regulatory obligations and audit rights
• Other obligations, including vetting, training (including security training) and conduct
requirements for outsource and contract staff

Information Security Aspects of Business Continuity Management

The organization shall determine its requirements for information security and the continuity of
information security management in adverse situations, e.g. during a crisis or disaster.

The organization shall establish, document, implement and maintain processes, procedures and
controls to ensure the required level of continuity for information security during an adverse situation.

The organization shall verify the established and implemented information security continuity controls
at regular intervals in order to ensure that they are valid and effective during adverse situations.

Information processing facilities shall be implemented with redundancy sufficient to meet
availability requirements.

Compliance

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to
information security and of any security requirements.

All relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach
to meet these requirements shall be explicitly identified, documented and kept up to date for each
information system and the organization.

Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory
and contractual requirements related to intellectual property rights and use of proprietary
software products.

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized
release, in accordance with legislative, regulatory, contractual and business requirements.

Privacy and protection of personally identifiable information shall be ensured as required in relevant
legislation and regulation where applicable.

Cryptographic controls shall be used in compliance with all relevant agreements, legislation
and regulations.

The organization’s approach to managing information security and its implementation (i.e. control
objectives, controls, policies, processes and procedures for information security) shall be reviewed
independently at planned intervals or when significant changes occur.

Managers shall regularly review the compliance of information processing and procedures
within their area of responsibility with the appropriate security policies, standards and any other
security requirements.

Information systems shall be regularly reviewed for compliance with the organization’s information
security policies and standards.

SAMPLE EXAMS

The Practitioner Examination

SX01

Scenario Booklet
This is a 2.5-hour objective test examination. This booklet contains the Project Scenario
upon which this exam paper is based. All questions are contained within the Question
Booklet.

Additional information is provided within this Scenario Booklet for a number of questions.
Where reference should be made to additional information, this is clearly stated within the
question to which it is relevant. All information provided within a question must only be
applied to that question.

Each of the 4 questions is worth 20 marks, giving a maximum of 80 marks in the paper. The
pass mark is 50% (40 marks). Within each question the syllabus area to which the
question refers is clearly stated.

The exam is to be taken with the support of only the following British Standards:
ISO/IEC 27000:2018
ISO/IEC 27001:2013
ISO/IEC 27002:2013
ISO/IEC 27003:2017
ISO/IEC 27005:2018

No material other than the Question Booklet, the Scenario Booklet, the Answer Booklet, and
the five standards are to be used. However, if required the ISO/IEC 27001 Supplementary
Paper, which contains relevant parts of ISO/IEC 27003:2017, may be used.

ISO27K2012-GB-SX01-V1.2 Page 1 of 10 Document Owner - Chief Examiner


© The APM Group Ltd 2016. This paper remains the property of The APM Group (APMG). This document is not to be reproduced or re-sold without express permission from
The APM Group Ltd. 2. The APMG-International ISO/IEC 27001 logo is a Trade Mark of The APM Group Limited. The APMG-International logo is a Trade Mark of the APM
Group Ltd.
Scenario

ISO/IEC 27001 – Case Study: Equitable Products. The organizations and people within the scenario
are fictional.

Background

Equitable Products are a food processing and supply company to supermarkets. They supply food
packaged under their own brand name to general retailers and ʻsupermarket brandʼ packaged goods
to supermarket chains.

In addition they have recently begun supplying frozen 'ready meal' products to a major restaurant chain.

To support their business, Equitable Products has food processing plants at two sites. One site deals
with the processing and re-packaging of bulk foodstuffs into branded packages (own brand and
supermarket). The other site produces ready meals which are supplied as frozen products to general
retail customers and the restaurant chain.

Organization

There are three marketing divisions within the organization to service the separate retail, supermarket
and restaurant markets. Each of the marketing divisions has their own business targets, objectives
and processes.

An internal IT unit is responsible for the provision of IT services within Equitable Products.

Each division uses some specific, dedicated IT services, together with a core set of shared corporate
IT services to support their business operations. For example, the Equitable Products' IT systems now
interface directly with the supermarketsʼ IT systems to enable 'just in time' re-ordering and delivery.

The restaurant chain's IT systems are also now connected to the Equitable Products' IT systems. All
the new Restaurant Ready Meal products are micro chipped with a Radio Frequency Identification
Device (RFID). All restaurant products must be consumed within five days of production. The RFID
technology enables the individual restaurantsʼ usage to be monitored by Equitable Products. A
production schedule is produced for the restaurant ready meal products in order to reduce wastage.

Current Status

As a result of international concern over contamination of products, Equitable Products decided that
they should take more control of their supply chain. They have recently acquired an established chain
of dairy farms which will, in the future, provide most of their fresh dairy products. This will better enable
them to track ingredients from 'field to plate'.

The other products and ingredients used in the processing plants are sourced from a variety of third
party suppliers. Wherever possible the contracts with those suppliers require the suppliers to maintain
ISO/IEC 27001 certification.

The diagram below shows the interaction between the various parties and Equitable
Products' divisions.

[Diagram 1: Suppliers and the New Dairy Farm Chain feed the Food Processing Division
(Bulk Foodstuffs at Site 1, Ready Meals at Site 2). From there, Supermarket Brands go to
Supermarket Chains, the Equitable Products Brand goes to General Retailers, and Restaurant
Ready Meals go to Restaurants.]

Diagram 1 - The interaction between the various parties and Equitable Products'
divisions

The contracts with the major supermarkets require Equitable Products to maintain ISO/IEC
27001 certification and there is an established ISMS in place. However the dairy farm
chain has never had ISO/IEC 27001 certification and needs to be brought into the scope of
certification.

Equitable Products’ corporate clients are supportive of the reasons and objectives of
acquiring the dairy farm chain. However, they require the ISO/IEC 27001 certification to be
extended to include this new business division.

Information Security Management Structure

The Equitable Products Chief Financial Officer has the role of Director of Information
Management. In this role he has been given the organizational responsibility to ensure that
ISO/IEC 27001 conformance is maintained.

The Chief Information Officer reports directly to the Director of Information Management
and has two Information Security Officers who work for him. They are responsible for
ensuring that the company and its third party suppliers maintain the required ISO/IEC
27001 certifications.

The Head of the IT Services Division also has an Information Security Specialist within his
team. The specialist is responsible for ensuring that the IT service is delivered in
accordance with ISO/IEC 27001.
Information Security Objectives

Information security risks must be managed effectively, collectively and proportionately in
a cost effective way. A secure and confidential working environment should also be
maintained. To achieve this, the information security objectives of Equitable Products
include the following:

a) To maintain the confidentiality, integrity and availability of corporate and
customer information
b) To maintain ISO/IEC 27001 certification
c) To ensure compliance with legal and regulatory requirements
d) To support effective and resilient processes to respond to, investigate and
recover from any information security incidents with necessary controls,
identified by formal risk assessment.

End of Scenario

Question 1: Planning and Risk Management - Additional Information
Additional Information for part question 1D

A risk assessment has been carried out on the changes needed to incorporate the dairy farm chain
into the Equitable Productsʼ ISMS. This has identified the following information:

Each dairy farm site has differing information security policies to suit the type of dairy product
processed, specific authorities and special interest groups, and the site size and access
arrangements

Equitable Products has many environmental health contacts within the Food & Livestock Regulatory
Authority (a Government authority). However, there are many more contacts required for the dairy
farm chain, such as those relating to the testing for animal diseases

The dairy farm staff use tag readers and operational systems for the logging of each animalʼs milk
produced for processing

The staff in the dairy farm chainʼs Head Office use marketing, accountancy and HR systems,
logistics and stock systems

Many of the dairy farm chainʼs Head Office staff use the IT systems from home via an internet
connection. No issues have been experienced with this setup

In the past year there have been seven breaches of information security within the dairy farm chain.
One of these was a high profile incident involving press coverage of the short lifespan of the dairy
animals.

Question 3: Operational Systems, Measurement and Incidents - Additional Information
Additional Information for part-question 3D

USB memory stick problem

A widely recognized information security researcher and occasional trusted advisor to Equitable
Products is undertaking an independent research project. He is examining USB memory sticks bought
from individuals on internet sales sites. The devices were advertised as ʻusedʼ or ʻpre-ownedʼ.

The researcher contacted Equitable Productsʼ Chief Information Officer to report that he has recovered
a variety of records from one device that appear to be from the organization and dated as recently as
three months ago.

The researcher informed the Chief Information Officer that he plans to publish his findings from all of
the devices in a research paper as examples of protection failures.

The Chief Information Officer has validated the identity of the researcher.

Question 4: Audit and Management Review - Additional Information
Additional Information for part-question 4B

Extract from an Audit Report

Background

A supermarket recently complained that they were not receiving the best prices available for products
supplied to them. The investigation of the complaint found that the supermarket was basing this
complaint on a price list sent to them in error. The price list, sent by email, had been prepared by a
marketing team for a special promotion. This had then been sent by a different marketing team who
had retrieved it from the shared area thinking it was the standard price list.

Scope of Audit

The Internal Audit team were asked to undertake an audit of all third party information exchanges.

Audit Findings

i) Controls that are in place with each third party have been developed on an ad hoc basis and
there is no standard terminology

ii) The division of responsibilities between Equitable Products and third parties are not always
clearly defined

iii) Email is often used to transfer sensitive information

iv) It is common to receive replies to emails sent indicating they have been received by
unintended recipients.

v) Customers have expressed concerns about acting on information received by email before
they have been able to confirm authenticity

vi) The Equitable Productsʼ Information Security Policy document states that it should be possible
to confirm that information sent by email has been sent by an authorized person and the correct
information has been received. This requirement is not currently being met.

The Practitioner Examination

SX01

Question Booklet

Candidate Number: ........................................

Syllabus areas covered:

Question 1 - Planning and Risk Management

Question 2 - Leadership and Roles

Question 3 - Operational Systems, Measurement and Incidents

Question 4 - Audit and Management Review

Question Number 1
Syllabus Area Planning and Risk Management

Syllabus Area: Planning and Risk Management | Question Number: 1 | Part: A | Marks: 4

Answer the following questions about establishing information security risk management for an
organization as stated in ISO/IEC 27005.

Remember to select 2 answers to each question.


1 Which 2 statements describe what should be considered when defining the evaluation criteria
for risks caused by information security events?
A The acceptable level of any financial loss.
B The importance to the business of confidentiality.
C The amount of damage caused by disruption of plans and deadlines.
D The consequences to the reputation of an organization.
E The time it will take to reduce a risk to an acceptable level.
2 Which 2 statements describe what should be considered when defining the impact criteria for
risks caused by information security events?
A The cost of missing a deadline due to an information security event.
B The importance of availability to operations.
C The amount of damage caused by breach of contract.
D The criticality of the information assets involved.
E The ratio of estimated profit to the estimated cost of the risk.
3 Which 2 statements describe what should be considered when defining the acceptance criteria
for risks caused by information security events?
A The amount of damage caused by breaches of a legal requirement.
B The escalation path used to obtain a decision on risk acceptance.
C The circumstances when senior managers can accept risks above the normal threshold.
D The information security risk management records required to be kept.
E The ratio of estimated profit to the estimated cost of the risk.
4 Which 2 statements identify aspects that should be considered when defining the scope and
boundaries of information security risk management process?
A The risk acceptance decision escalation paths.
B The legislation applicable to an organization.
C The estimated cost caused by a breach of contract.
D The use of the four options to treat risks.
E An organizationʼs business processes.

Syllabus Area: Planning and Risk Management | Question Number: 1 | Part: B | Marks: 5

Answer the following question about the risk identification step.

An Information Security Officer has undertaken a risk assessment on the changes needed to
incorporate the dairy farm chain into the Equitable Products' ISMS.

Column 1 is a list of input data for the risk analysis activity. For each input item in Column 1, select
from Column 2 the type of information it represents. Each selection from Column 2 can be used
once, more than once or not at all.
Column 1 (input data; the letter before each item is the Column 2 selection marked on the page)
B 1 Animal rights activists may attempt to disrupt operations in order to protest against the
shortened life-spans of the animals.
C 2 There is rigorous physical entry security to prevent unauthorized access to the dairy farm
sites.
A 3 Smart labels, also called radio frequency identification (RFID) tags, are used to identify the
milk production of each animal used in the dairy farm.
D 4 The latest updates have NOT been applied to the antivirus package used to protect the dairy
farm chain's IT systems.
A 5 The production schedule is an output of the just-in-time re-ordering process.

Column 2 (type of information)
A Asset
B Threat
C Existing control
D Vulnerability
E Consequence

Syllabus Area: Planning and Risk Management | Question Number: 1 | Part: C | Marks: 5

A number of changes are needed to Equitable Productsʼ ISMS to incorporate the dairy farm
chain. A risk assessment has identified that some solutions may not comply with Equitable
Productsʼ information security policy. More details about the risk are given below.

Some ʻoff the shelfʼ IT system components are used to underpin the dairy farm chainʼs ISMS. If
technical problems arise with these components, a maintenance engineer is brought in from an
IT supplier. There is no formal contractual arrangement in place between the dairy farm chain
and the IT supplier. There is, therefore, a risk that technical solutions to issues may not adhere to
the information security policy for Equitable Products. A number of possible risk treatments for
this risk have been identified.

Column 1 is a list of some of the possible risk treatments. For each risk treatment in Column 1,
decide if it is relevant to the stated risk and select from Column 2 the type of risk treatment it
represents.

Each question is independent and should be answered in isolation from the other questions.
Each selection from Column 2 can be used once, more than once or not at all.
Column 1 (possible risk treatments; the letter before each item is the Column 2 selection marked on the page)
B 1 All problem management and technical expertise for the dairy farm chain will be audited by the
Equitable Products IT Services Department. This department is responsible for ensuring that the
Equitable Products' information security policy is adhered to.
B 2 The Equitable Products Information Security Officers will provide awareness, education and
training on Equitable Products' information security policy to the maintenance engineers
supporting the dairy farm chain's IT systems.
E 3 A contractual agreement with the IT suppliers to the dairy farm chain will be provided, which
states the supplier's responsibilities for maintaining information security.
A 4 Equitable Products will ensure that all outsourced development by the dairy farm chain is
monitored.
C 5 The current arrangements for technical support will remain unchanged if the dairy farm
chain's ISMS has been free of information security incidents for the last three months.

Column 2 (type of risk treatment)
A NOT relevant to the stated risk
B Modification
C Retention
D Avoidance
E Sharing

Syllabus Area: Planning and Risk Management | Question Number: 1 | Part: D | Marks: 6

Using the additional information provided for this question in the Scenario Booklet,
answer the following question about the risk assessment carried out on the changes
needed to incorporate the dairy farm chain into the Equitable Products' ISMS.

Lines 1 to 6 in the table below consist of an assertion statement and a reason statement.
For each line identify the appropriate option, from options A to E, that applies. Each option
can be used once, more than once or not at all.
Option | Assertion | Reason
A | True | True AND the reason explains the assertion
B | True | True BUT the reason does not explain the assertion
C | True | False
D | False | True
E | False | False

Assertion BECAUSE Reason (the option letter marked on the page is shown at the end of each line)

1 The effectiveness of each dairy farm site's existing information security policy should have
been reviewed during the risk assessment in order to determine the changes needed to
incorporate the dairy farm chain. BECAUSE Detailed policies underpin an organization's
high-level information security policy. [A]

2 When the staff from the dairy farm chain were transferred to Equitable Products, the Equitable
Products' information security policy should have been published to all staff. BECAUSE
Policies for information security should be issued only to internal employees. [C]

3 The control for the 'contact with authorities' in Equitable Products should have been updated
with the specific contacts in the Food & Livestock Regulatory Authority needed for the dairy
farm chain. BECAUSE An organization should maintain the appropriate contacts with relevant
authorities. [A]

4 The terms and conditions for the dairy farm site staff transferred to Equitable Products should
refer to information security responsibilities. BECAUSE Management has the responsibility for
ensuring that all employees and contractors follow the information security policies and
procedures of the organization. [A]

5 The access to the dairy farm chain's Head Office systems over the internet should have been
reviewed as a priority. BECAUSE The control on securing application services on public
networks requires that access over the internet is prevented until the proper controls are
selected. [C]

6 The information on the dairy farm chain's incidents will NOT be needed for an analysis of
Equitable Products' information security requirements. BECAUSE Information security
requirements should consider the required protection needs of the assets involved. [D]

Question Number 2
Syllabus Area Leadership and Roles

Syllabus Area: Leadership and Roles | Question Number: 2 | Part: A | Marks: 3

Answer the following question about leadership.

Column 1 is a list of activities. For each activity in Column 1, select from Column 2 the clause
heading from ISO/IEC 27001 that requires the activity to be performed. Each selection from Column
2 can be used once, more than once or not at all.
Column 1 (activities)
1 Supporting information security management roles.
2 Providing a framework for setting information security objectives.
3 Integrate actions to address opportunities into information security management processes.

Column 2 (ISO/IEC 27001 clause headings)
A Leadership and commitment
B Policy
C Organizational roles, responsibilities and authorities
D None of the above

Syllabus Area: Leadership and Roles | Question Number: 2 | Part: B | Marks: 3

Answer the following questions about leadership.


1 Which characteristic is NOT required of an information security policy?
A Suitable.
B Comprehensive.
C Adequate.
D Effective.
2 Which aspect of an ISMS can vary depending upon the competencies of the persons available to
an organization?
A The scope of the ISMS.
B The documentation supporting the ISMS.
C The frequency of review of the ISMS.
D The boundaries of the ISMS.
3 According to ISO/IEC 27003, which consideration is key when defining the roles in information
security management?
A One person should be assigned to promote and co-ordinate the information security
process.
B None of the roles within information security management can be shared between
individuals.
C Only those employees and contractors assigned to information security have the
responsibility for its implementation.
D The audit department in an organization should be responsible for ensuring independence
in the information security organization.

Syllabus Area: Leadership and Roles | Question Number: 2 | Part: C | Marks: 5

Using Diagram 1 and the Information Security Management Structure section given in the
Scenario, answer the following questions about the roles and responsibilities within the ISMS.

Each of the following questions contains a list of statements about roles, responsibilities and
authorities in the organization. Only 2 statements in each list represent the BEST justification
in this context, according to ISO/IEC 27003.

Each question must be considered and answered separately.

Remember to select 2 answers to each question.


1 Which 2 statements BEST explain what responsibilities and powers should be assigned to the
Director of Information Management?
A Advice on the assessment and management of information security risks.
B Requirements for handling information security incidents.
C Inspection and auditing of the ISMS in the financial sector.
D Risk owner for all risks in the area of information systems.
E Carrying out the management assessment for the information systems.
2 Which 2 statements BEST explain why the Information Security Officers would be appropriate for
the role of an internal auditor?
A They report to the Chief Information Officer.
B They have qualifications and experience in ISO/IEC 27001.
C They are responsible for ensuring that Equitable Products maintains the required ISO/IEC
27001 certifications.
D They have good working relationships with many of the Division Heads and suppliers so
can help resolve disputes.
E They are responsible for evaluating the reports on the monitoring of the ISMS, produced by
the Head of the IT Services Division.
3 Which 2 statements BEST explain which aspects top management should consider when
assigning roles, responsibilities and authorities?
A Top management assigns roles, responsibilities and powers.
B Responsibilities and powers for information security should be separated from other roles.
C Documented information on the allocation of roles, responsibilities and powers is only
required in the form and to the extent that the organisation deems necessary for the
effectiveness of its management system.
D Documented information about the assignment of roles, responsibilities and authorities
must be created in the form of role descriptions.
E The assignment of roles, responsibilities and powers should include reports on the
performance of the ISMS to senior management.
4 What 2 statements BEST explain the requirements for assigning roles, responsibilities and
powers to the ISMS?
A Top management shall assign and disclose responsibilities and authority for roles related
to information security.
B Top management shall not delegate the authority to assign roles, responsibilities and
powers.
C Roles, responsibilities and powers shall be treated as documented information.
D The role of the risk owner must not be combined with any other role.
E It may be appropriate to identify and assign different roles to those involved in monitoring,
measuring, analysing and evaluating.
5 Which 2 persons would NOT be classified as stakeholders within the ISMS, according to
ISO/IEC 27003?
A The CEO of a chain intending to contract with Equitable Products.
B The Chief Financial Officer of Equitable Products.
C The Facilities Manager for the site where the bulk foodstuffs are stored.
D A competitor to Equitable Products.
E Equitable Productsʼ internal Legal Advisor.

Syllabus Area: Leadership and Roles | Question Number: 2 | Part: D | Marks: 4

Answer the following questions about the use of controls within the ISMS.

Remember to select 2 answers to each question.


1 During a routine maintenance of the car park within the Equitable Products' site, contractors
severed some cables. This caused a failure of the external network connection to Equitable
Productsʼ internet service provider and the power to the main server.

The Director of Information Security needs to select control measures to protect against
recurrence of this incident.

Which 2 controls, if applied, would MOST likely protect against recurrence of this incident?
A Security of equipment and assets off-premises.
B Security of network services.
C Cabling security.
D Network control.
E Supporting utilities.
2 Equitable Products employ a cleaning contractor to empty their waste baskets and to clean the
offices during the evening once the employees have finished their daily work. One of the
cleaners was found to be accessing one of the computers and hard-copy lists of access
passwords in the Marketing department.

The Director of Information Security needs to select control measures to protect against
recurrence of this incident.

Which 2 controls, if applied, would MOST likely protect against recurrence of this incident?
A Physical entry controls.
B Clear desk policy.
C Unattended user equipment.
D Working in secure areas.
E Securing offices, rooms and facilities.
3 The Equitable Products' Sales Director has issued two of his new staff with laptops to record
their sales contacts and progress in the sales process. This information is used in the
management of a sales delivery process, including key account details. Neither of the two new
laptops has been installed with company software or configured to enable connection to the
network. One of the laptops has been infected by a virus.

The Director of Information Security has discovered this situation and needs to select control
measures to manage this incident.

Which 2 controls, if applied, would MOST likely address this situation?


A Controls against malware.
B Clock synchronisation.
C Network controls.
D Access control policy.
E Information backup.
4 The Head of Equitable Productsʼ Marketing Division has been given authorization to develop a
mobile application to allow the viewing of real-time information on the food processing
operations. This application will be installed on the smart-phones issued to all division heads
and managers. During the development cycle, the contractors managing the application
development have identified additional information security functionality that needs to be
included in the application.

The Marketing Director wants to ensure that he selects the most appropriate controls to manage
the current variation in the application development and similar future changes.

Which 2 controls, if applied, would MOST likely address the Marketing Directorʼs concerns?
A System change control procedures.
B Addressing security within supplier agreements.
C Change management.
D System security testing.
E Protection of test data.

Syllabus Area Question Number Part Marks
Leadership and Roles 2 E 5

A recent information security incident occurred where there was the loss of the food
products between the Equitable Products' factory and a restaurant.

The root cause of the loss of the food has been identified as a dismissed worker gaining
access to the loading bay and removing two boxes of food products from the vehicle
destined for the restaurant. Access was gained using his electronic swipe card, which
he retained following his dismissal. His vehicle was driven to the loading bay during a
routine rest break.

Within the organization, the Director of Human Resources is responsible for the
termination of employment.

The Director of Information Management, as the asset owner, is responsible for the
management of access privileges for all workers within the defined and controlled
secure area of the loading bay.

Lines 1 to 5 in the table below consist of an assertion statement and a reason statement.
For each line identify the appropriate option, from options A to E, that applies. Each option
can be used once, more than once or not at all.
Option Assertion Reason
A True True AND the reason explains the assertion
B True True BUT the reason does not explain the assertion
C True False
D False True
E False False
Assertion Reason
1 The worker's termination of employment was NOT correctly completed by the Director of Information Management. BECAUSE Asset owners shall review user access rights at regular intervals.  A
2 The loss of food should trigger a review of the termination of other dismissed workers' access privileges. BECAUSE Knowledge gained from resolving information security incidents shall be used to reduce the likelihood of future incidents.  B
3 It is NOT appropriate to classify the loss of the boxes of food as an information security incident. BECAUSE Information security events are only classified as information security incidents if there is unauthorized access to an organization's systems and applications.  E
4 It was appropriate to leave the worker's swipe card active after the dismissal. BECAUSE Reviewing user access rights shall be done at regular intervals.  D
5 Temporary removal of access privileges to the loading bay should be made for all loading bay workers after the information security incident. BECAUSE Access privileges for all workers shall be removed when an information security incident occurs.  E

Question Number 3
Syllabus Area Operational Systems, Measurement and Incidents

Syllabus Area Question Number Part Marks
Operational Systems, Measurement and Incidents 3 A 4

Answer the following questions about ISMS performance measurement, monitoring and evaluation.

Remember to select 2 answers to each question.


1 Which 2 aspects of an organizationʼs ISMS are required to be evaluated?
A Evidence of the top management contribution.
B Established risk assessment criteria.
C Information security management process performance.
D Assignment of skilled resources.
E Information security process effectiveness.
2 Which 2 elements of monitoring and measurement are NOT required to be determined?
A Where the monitoring and measuring shall be performed.
B When the monitoring and measuring shall be performed.
C Why the monitoring and measuring shall be performed.
D When the results from monitoring and measurement shall be used.
E Who shall analyse and evaluate the results.
3 Which 2 methods are likely to be determined according to ISO/IEC 27001?
A Process control.
B Documentation.
C Monitoring.
D Corrective action.
E Analysis.
4 Which 2 statements describe items that the access control system must monitor as a user logs
into an IT system?
A The length of the password.
B The date the password was last changed.
C The date the user last logged in.
D The complexity of the password.
E The password characters to display on-screen.

Syllabus Area Question Number Part Marks
Operational Systems, Measurement and Incidents 3 B 6

Answer the following question about an information security event.

A director has had their laptop bag stolen. Although the laptop was encrypted, the directorʼs bag
also contained paper documents describing commercial details and dairy farm animal welfare
information.

Column 1 is a list of actions relating to the theft. Column 2 is a list of the information security incident
management controls from Annex A of ISO/IEC 27001. For each action in Column 1, select from
Column 2 the security incident management control where these actions would be applied. Each
selection from Column 2 can be used once, more than once or not at all.
Column 1
1 The director immediately informs the local police of the theft.
2 The police report that this event may have been a targeted theft by animal rights protestors.
3 Travelling directors are immediately provided with encrypted tablet PCs to use in place of paper documents.
4 As the stolen items included sensitive paper documents, the Chief Information Officer assigns an Information Security Officer to begin formal investigation of the episode.
5 The Chief Information Officer briefs site security guards, all dairy farm staff and transport contractors about the need for extra vigilance for strangers or unexpected behaviour.
6 Media handling risks are reassessed with revised probability and impact values related to this type of event.

Column 2
A Responsibilities and procedures
B Reporting information security events
C Reporting information security weaknesses
D Assessment of and decision on information security events
E Response to information security incidents
F Learning from information security incidents
G Collection of evidence

Syllabus Area Question Number Part Marks
Operational Systems, Measurement and Incidents 3 C 6

Answer the following question related to the steps to return to normal operations.

A local power supply surge has occurred at Equitable Productsʼ shared IT data centre.
Servers and network equipment were protected and continued to operate. Air
conditioning units were not protected and failed.

Environmental temperatures increased rapidly, exceeding server safe operating
temperatures. A cascade of remote server monitoring alerts was raised as all servers
rapidly shut themselves down in an uncontrolled sequence.

This event has triggered a major information security incident as no shared IT services
are operational. Business operations, particularly customerʼs ʻjust in timeʼ re-ordering
and delivery, are unable to continue. The Disaster Recovery Plan mandates a return-
to-service target of five hours for this time-critical function.

Lines 1 to 6 in the table below consist of an assertion statement and a reason statement.
For each line identify the appropriate option, from options A to E, that applies. Each option
can be used once, more than once or not at all.
Option Assertion Reason
A True True AND the reason explains the assertion
B True True BUT the reason does not explain the assertion
C True False
D False True
E False False
Assertion Reason
1 The recovery team should attempt to restore normal operating temperatures rapidly without opening the external data centre doors. BECAUSE During adverse conditions, physical security controls of designated 'secure areas' must always remain the same as normal operating conditions.  C
2 Heat-damaged server disks that failed to power on again should be removed for later physical destruction. BECAUSE Achievement of the return-to-service target is enabled by fitting spare components.  B
3 Asset tags should be removed from the failed disks and transferred to the replacement disks. BECAUSE The asset owner must ensure that the asset inventory is maintained as a record of the assets in use.  D
4 As each server is recovered, it must be configured to use the network time protocol. BECAUSE Accurate logging of user and system events requires all system components to operate with a synchronised time reference.  A
5 The recovery team should document alternative information security controls which were implemented to achieve a five hour return to service. BECAUSE Compensating controls for information security controls that cannot be maintained during an adverse situation should be documented.  A
6 No further action needs to be taken following successful restoration of services. BECAUSE No further action is required if the processes carried out are effective.  E

Syllabus Area Question Number Part Marks
Operational Systems, Measurement and Incidents 3 D 4

Using the additional information provided for this question in the Scenario Booklet, answer the
following questions about managing incidents. Decide whether the actions suggested are
appropriate, and select the response that supports your decision.
1 The researcher has offered to encrypt and electronically transfer a representative sample of the
recovered data to the Chief Information Officer for validation.

Should the electronic transfer of sample files be authorized?


A No, because the transferred samples may contain malware.
B No, because the device itself should be acquired for forensic analysis as a priority.
C Yes, because encryption of the sample data before transfer will ensure confidentiality of the
data.
D Yes, because encryption will prevent the transfer of malware.
2 The representative sample data from the device has been validated as publicly available
information. No personally identifiable information is included. The source of the information,
(the original device owner), is still unknown. Thinking about this event and the potential legal,
regulatory and reputational risks, the Chief Information Officer has initiated incident
management.

Is it appropriate for the Chief Information Officer to report internally that the potential impact of the
incident can be contained?
A No, because the impact of the incident can only be reported following a full review of the
recoverable data on the USB memory stick.
B No, because a non-disclosure agreement with the researcher can only be used before the
information is accessed.
C Yes, because Equitable Productsʼ legal counsel can caution the researcher that it is an
offence to publish details about the data without having authorization.
D Yes, because information security requirements can be negotiated with the researcher and
documented in an agreement to restrict what can be published.
3 The recovered device has an Equitable Products asset number. A full review of the recoverable
data confirms that it was used to store only publicly available information.

As there is no disclosure of confidential or sensitive information, should the incident be closed?


A No, because further investigation is needed to identify how and why control of this
removable media asset has failed.
B No, because the information should be made unrecoverable as the final action enabling the
incident to be closed.
C Yes, because control of removable media assets only applies to storage of confidential or
sensitive information.
D Yes, because there is no reputational risk from the researcher publishing that he has found
publicly-available information.
4 The last user of the device deleted the files just before losing the device at a conference. As the
information had been deleted, and the USB memory stick was cheaply replaced, she did not
think that the loss needed to be reported.

Should follow-up action with the user be taken?


A No, because the device was easily replaced at low cost without incurring the time and effort
of an investigation.
B No, because the information on the device was deleted so no important business
information was lost.
C Yes, because this userʼs action on more sensitive information may risk disclosure.
D Yes, because the replacement device may have contained malware.

Question Number 4
Syllabus Area Audit and Management Review

Syllabus Area Question Number Part Marks
Audit and Management Review 4 A 6

Answer the following questions about internal audit and management reviews.
1 Which action is taken towards the end of an internal audit?
A Advise the Certification Board of the outcome of the internal audit.
B Identify the processes to be included in the next internal audit.
C Store and protect the internal audit results.
D Issue a certificate when the internal audit is complete and successful.
2 Which activity is performed as part of Management review?
A Eliminating the cause of non-conformance.
B Dealing with the consequences of non-conformance.
C Determining the cause of non-conformance.
D Identify opportunities for continual improvement.
3 Which action is required by the organization to prepare for an internal audit?
A Define the scope of the audit.
B Identify opportunities for continual improvement.
C Document external concerns.
D Update the ISMS.
4 When shall there be an independent review of the organizationʼs approach to information
management security?
A At each management review.
B At each audit.
C As part of continuous improvement.
D At planned intervals.
5 In which compliance control should legal advice be taken in relation to jurisdictional borders
and compliance with relevant legislation?
A Protection of records.
B Regulation of cryptographic controls.
C Independent review of information security.
D Technical compliance review.
6 Which topic is NOT required to be considered during a Management Review?


A The importance of the processes.
B Changes in external issues.
C Status of actions from previous reviews.
D Trends from risk assessments.

Syllabus Area Question Number Part Marks
Audit and Management Review 4 B 5

Using the additional information provided for this question in the Scenario Booklet, answer the
following questions about information sharing.

Remember to select 2 answers to each question.


1 Which 2 implementation elements from asset management controls are MOST appropriate to
help avoid incorrect price lists being sent to customers?
A Emails which include price lists should be digitally signed.
B Price lists should be labelled in accordance with a defined classification scheme.
C Owners of price lists should be accountable for their classification.
D Any information sharing agreement should include information on the classification of price
lists.
E Review the marketing teamsʼ access rights to price sensitive data.
2 Which 2 controls should be considered when reviewing the authenticity issue to MOST
appropriately address it?
A Requirements for electronic signatures.
B Protection against the receipt of unsolicited emails.
C Access to instant messaging.
D Message verification codes.
E Protection against malware.
3 Which 2 items should be considered when developing a policy to avoid disclosure of
information when unintended recipients receive emails?
A Enforcement of password changes.
B Limiting the information contained in outputs.
C The impact that encryption has on content inspection controls.
D Message authentication codes.
E The standards to be adopted to implement encryption.
4 Which 2 responsibilities are required to be defined in an information transfer agreement about
providing price information by email to a supermarket?
A Availability of the service.
B Capacity management.
C Controlling receipt.
D User authentication management.
E Liability for data loss.
5 The control of which 2 items should be improved to help prevent future similar occurrences of
inappropriate sharing of product pricing information by email?
A Interception.
B Non-repudiation.
C Forwarding.
D Attachments.
E Incident management.

Syllabus Area Question Number Part Marks
Audit and Management Review 4 C 4

Following the recent introduction of RFID microchip tags on the restaurant cook/chill products, an
audit has recommended that a non-disclosure agreement should be signed by any third party
organization before electronic data is exchanged.

The Chief Information Officer has agreed with this proposal and decided that all non-disclosure
agreements will be reviewed every 12 months.

Decide whether the actions suggested are appropriate, and select the response that supports your
decision.
1 Should public domain information about the intellectual property rights relating to the RFID tags
be included in the non-disclosure agreement for the restaurants?
A No, because non-disclosure agreements with the restaurants are required to use standard
wording.
B No, because public domain information relating to intellectual property rights is NOT
confidential information.
C Yes, because non-disclosure agreements with the restaurants should include relevant
information about intellectual property.
D Yes, because the use of RFID tags by the restaurants may need to be audited.
2 Should the non-disclosure agreement for the restaurants have a duration of only one year?
A No, because a duration of three months is required to ensure changes in circumstance are
not missed.
B No, because there is no need to restrict the non-disclosure agreement for a restaurant to a
year.
C Yes, because some restaurants may have changed ownership within the year.
D Yes, because changes in the evolving RFID microchip technology may change the
information to be shared.
3 Should consideration be given to what the supermarket must do to avoid breaching the
agreement when drafting their non-disclosure agreement?
A No, because the supermarket can handle the information however it wishes.
B No, because if information is disclosed it is for the relevant authority to decide if it was
handled properly.
C Yes, because if information is disclosed the relevant authority can only enforce an
agreement if they know how the information should have been protected.
D Yes, because the actions needed to avoid unauthorized disclosure by the supermarket
should be identified.
4 Is it appropriate for staff in the marketing division to also sign non-disclosure agreements?
A No, because non-disclosure agreements are applicable to third parties.
B No, because marketing staff need to disclose confidential information as part of their job.
C Yes, because a non-disclosure agreement may also define when information can be
disclosed.
D Yes, because all interested parties should sign non-disclosure agreements.

Syllabus Area Question Number Part Marks
Audit and Management Review 4 D 5

A recent management review has identified an increasing failure of some of the dairy
farms to disclose the use of antibiotics voluntarily.

It has also been recorded that a change in legislation is due to come into force in six
months. This change requires that dairy products used in processed meals supplied to
schools must come from designated herds. Such products should also be antibiotic free
during the three-month period prior to milk production use.

There will be significant financial penalties for non-compliance.

It will be necessary for the information about the source, use of antibiotics and dairy
products used in such meals to be made available on a ʻfield-to-plateʼ application. This
will be accessible via a web-site and retained for a period of three years. A contract for
the provision of the application and web-site hosting will be signed with a specialist
provider.

Lines 1 to 5 in the table below consist of an assertion statement and a reason statement.
For each line identify the appropriate option, from options A to E, that applies. Each option
can be used once, more than once or not at all.
Option Assertion Reason
A True True AND the reason explains the assertion
B True True BUT the reason does not explain the assertion
C True False
D False True
E False False
Assertion Reason
1 User acceptance testing of the web-site should use realistic data for the 'field-to-plate' application. BECAUSE User acceptance testing in the operational environment should be performed in a way that will expose any vulnerabilities.  C
2 The addition of the web-site should trigger an information security risk assessment. BECAUSE Contractors should be required to report any observed information security weaknesses in systems or services.  B
3 Dairy farm supplier agreements should be reviewed and updated with any new legal requirements for electronic disclosure of the administration of antibiotics. BECAUSE The information to be provided should be documented in supplier agreements to ensure legal obligations are met.  A
4 The need to retain the web-site data for three years should NOT require review or change to information security policies. BECAUSE Data retention will be documented in a web-hosting provider's agreement as a compliance control.  D
5 It is appropriate for the web-site supplier agreement to require an independent Penetration Test of the website. BECAUSE An organization's management are responsible for the effectiveness of information security controls.  A

Marking Scheme

Exam Paper: GB-SX01-1.2

Note: For Multiple Response (MR) questions, 1 point is scored if and only if all correct
options are selected. Otherwise 0 points are scored.

Question Part Type Response A B C D E F G H I
1 (PL) A MR 1 0 1 0 1 0
2 1 0 1 0 0
3 0 0 1 0 1
4 0 1 0 0 1
B MG 1 0 1 0 0 0
2 0 0 1 0 0
3 1 0 0 0 0
4 0 0 0 1 0
5 1 0 0 0 0
C MG 1 0 1 0 0 0
2 0 1 0 0 0
3 0 0 0 0 1
4 1 0 0 0 0
5 0 0 1 0 0
D AR 1 0 1 0 0 0
2 0 0 1 0 0
3 1 0 0 0 0
4 1 0 0 0 0
5 0 0 1 0 0
6 0 0 0 1 0

Question Part Type Response A B C D E F G H I
2 (LE) A MG 1 1 0 0 0
2 0 1 0 0
3 0 0 0 1
B CL 1 0 1 0 0
2 0 1 0 0
3 1 0 0 0
C MR 1 1 1 0 0 0
2 0 1 0 0 1
3 0 0 1 0 1
4 0 0 1 0 1
5 1 0 0 1 0
D MR 1 0 0 1 0 1
2 0 1 1 0 0
3 1 0 0 0 1
4 1 0 0 1 0
E AR 1 0 1 0 0 0
2 1 0 0 0 0
3 0 0 0 0 1
4 0 0 0 1 0
5 0 0 0 0 1

Question Part Type Response A B C D E F G H I
3 (OS) A MR 1 0 0 1 0 1
2 1 0 1 0 0
3 0 0 1 0 1
4 0 1 1 0 0
B MG 1 0 1 0 0 0 0 0
2 0 0 0 0 0 0 1
3 0 0 0 0 1 0 0
4 0 0 0 1 0 0 0
5 0 0 0 0 1 0 0
6 0 0 0 0 0 1 0
C AR 1 0 0 1 0 0
2 0 1 0 0 0
3 0 0 0 1 0
4 1 0 0 0 0
5 0 1 0 0 0
6 0 0 0 0 1
D CL 1 0 0 1 0
2 0 0 0 1
3 1 0 0 0
4 0 0 1 0

Question Part Type Response A B C D E F G H I
4 (AR) A CL 1 0 0 1 0
2 0 0 0 1
3 1 0 0 0
4 0 0 0 1
5 0 1 0 0
6 1 0 0 0
B MR 1 0 1 0 0 1
2 1 0 0 1 0
3 0 0 1 0 1
4 0 0 1 0 1
5 0 0 1 1 0
C CL 1 0 0 1 0
2 0 1 0 0
3 0 0 0 1
4 0 0 1 0
D AR 1 0 0 1 0 0
2 0 1 0 0 0
3 1 0 0 0 0
4 0 0 0 1 0
5 1 0 0 0 0

The Practitioner Examination

Rationale

Exam Paper: GB-SX01-1.2

Question: 1, Syllabus: PL, Part: A, Type: MR, SyllabusRef: PL0201, Level: 2
1 A Incorrect: The acceptable level of any loss of financial value should be defined within a range of values as part of the risk acceptance criteria.
(ISO 27005, 7.2.4)
B Correct: The operational and business importance on availability, confidentiality and integrity is one of the areas that should be considered when
developing the risk evaluation criteria for evaluating an organizationʼs information security risks. (ISO 27005, 7.2.2)
C Incorrect: The amount of damage caused by disruption of plans and deadlines is an area that should be considered when defining impact
criteria. (ISO 27005, 7.2.3)
D Correct: The negative consequences for goodwill and reputation are areas that should be considered when developing the risk evaluation
criteria for evaluating an organizationʼs information security risks. (ISO 27005, 7.2.2)
E Incorrect: Risk acceptance criteria may include requirements for further additional treatment, e.g. a risk may be accepted if there is approval and
commitment to take action to reduce it to an acceptable level within a defined time period. The time it will take is not a required
evaluation criterion. (ISO 27005, 7.2.4)
2 A Correct: Impact criteria should be developed and specified in terms of the degree of damage or costs to the organization caused by an
information security event resulting in disruption to plans and deadlines. (ISO 27005, 7.2.3)
B Incorrect: The importance of availability to operations should be considered when developing the risk evaluation criteria for evaluating an
organizationʼs information security risks. (ISO 27005, 7.2.2)
C Correct: Impact criteria should be developed and specified in terms of the degree of damage or costs to the organization caused by an
information security event should there be a breach of legal, regulatory or contractual requirements. (ISO 27005, 7.2.3)
D Incorrect: The criticality of the information assets involved should be considered when developing the risk evaluation criteria for evaluating an
organizationʼs information security risks. (ISO 27005, 7.2.2)
E Incorrect: Risk acceptance criteria may be expressed as the ratio of estimated profit to the estimated risk. This defines a usage of the impact
assessment. (ISO 27005, 7.2.4)
3 A Incorrect: Impact criteria should be developed and specified in terms of the degree of damage or costs to the organization caused by an
information security event should there be a breach of legal, regulatory or contractual requirements. (ISO 27005, 7.2.3)
B Incorrect: The escalation path is defined as part of the organization information security risk management responsibilities, and should NOT be
considered when developing the risk acceptance criteria. (ISO 27005, 7.4)
C Correct: Risk acceptance criteria may include multiple thresholds, with a desired target level of risk, but provision for senior managers to
accept risks above this level under defined circumstances. (ISO 27005, 7.2.4)
D Incorrect: The information security risk management records required to be kept are part of the management of information security risks to
demonstrate adherence to the process, and should NOT be considered when developing the risk acceptance criteria. (ISO 27005, 7.4)
E Correct: Risk acceptance criteria may be expressed as the ratio of estimated profit to the estimated risk. This defines a usage of the impact
assessment. (ISO 27005, 7.2.4)
4 A Incorrect: The risk acceptance decision escalation paths are defined as a main role and responsibility for an organization during the set up of
the information security management risk process. There is no requirement to consider this when defining the scope and boundaries.
(ISO 27005, 7.4)
B Correct: The legal, regulatory and contractual requirements should be considered when defining the scope and boundaries of information
security risk management. (ISO 27005, 7.3)
C Incorrect: The estimated cost caused by a breach of contract is produced during the risk identification when the identification of consequences of
a risk is made. (ISO 27005, 8.2.6)
D Incorrect: The four options are used to treat risks once the risk assessment is satisfactory. This is part of the information security management
risk process which is produced once the scope and boundaries of information security risk management is known. (ISO 27005, 9.1)
E Correct: The business processes should be considered when defining the scope and boundaries of information security risk management.
(ISO 27005, 7.3)

Question: 1, Syllabus: PL, Part: B, Type: MG, SyllabusRef: PL0301, Level: 3
1 Correct [B]: A threat has the potential to harm assets (such as information, processes and systems) and therefore the organization. Disruption by
activists may affect more than one asset. (ISO 27005, 8.2.3)
2 Correct [C]: Physical entry controls is an existing control set up in the dairy farm site. (ISO 27005, 8.2.4; ISO 27001, A.11.1.2)
3 Correct [A]: An asset is anything that has value to the organization and therefore requires protection. The RFID tags on the cattle are a form of data
medium asset. (ISO 27005, 8.2.2, B.1.2)
4 Correct [D]: Vulnerabilities that can be exploited by threats to cause harm to assets or to the organization should be identified. An incorrectly
implemented control can itself be a vulnerability, i.e. the anti-virus software is the control, but it is weak because updates have not been
applied. (ISO 27005, 8.2.5)
5 Correct [A]: An asset is anything that has value to the organization and therefore requires protection. Business processes, whose loss or degradation
make it impossible to carry out the mission of the organization, are a primary asset. (ISO 27005, 8.2.2, B.1.1)

Question: 1, Syllabus: PL, Part: C, Type: MG, SyllabusRef: PL0303, Level: 2
1 Correct [B]: The activity which gives rise to the risk of not adhering to the EF IS policy is modified by the activity being audited. It is NOT avoidance
because the activity is still continuing in the same way. It is NOT sharing because responsibility for the risk has not changed. (ISO 27005,
9.2)
2 Correct [B]: The level of risk is being managed by introducing the Information security awareness, education and training control. This is modifying
the risk, although it is unlikely that this risk treatment will result in the risk being reassessed as acceptable. (ISO 27005, 9.2; ISO 27001,
A.7.2.2)
3 Correct [E]: The level of risk is being managed by introducing the Addressing security within supplier agreements control. This is sharing the risk
with another party that can most effectively manage the particular risk. (ISO 27005, 9.5; ISO 27001, A.15.1.2)
4 Correct [A]: The Outsourced development control is not relevant to the stated risk on problem management of ʼoff the shelfʼ standard components. (ISO
27001, A.14.2.7)
5 Correct [C]: A decision to take no action is a risk retention option. A decision to choose this option will depend on risk evaluation. (ISO 27005, 9.3)

Question: 1, Syllabus: PL, Part: D, Type: AR, SyllabusRef: PL0405 PL0406 PL0407, Level: 4
1 Assertion: True. During the identification of the existing controls step, a check should be made to ensure that the existing controls are working
  correctly. (ISO 27005, 8.2.4)
  Reason: True. At a lower level, the IS policy should be supported by topic-specific policies which further mandate the implementation of IS
  controls. They are typically structured to address the needs of certain target groups within an organization or to cover certain topics. The
  answer is B, because the dairy farm chains' IS policies are reviewed to determine if they should be removed, replaced or stay in place as a
  detailed policy. (ISO 27001, A.5.1.1; ISO 27002, 5.1.1; ISO 27005, 8.2.4)
2 Assertion: True. The set of policies for information security should be published and communicated to employees and relevant external parties.
  (ISO 27001, A.5.1.1)
  Reason: False. The policies for information security have a wider audience than just internal employees. Relevant external parties should be
  included also. (ISO 27001, A.5.1.1)
3 Assertion: True. It is correct that the contact with authorities should be maintained using the contact with authorities control. (ISO 27001, A.6.1.4)
  Reason: True. It is correct that appropriate contacts with relevant authorities shall be maintained using the contact with authorities control.
  (ISO 27001, A.6.1.3) The answer is A because the rationale explains the assertion in that both relate to updating contacts in the relevant
  authorities control.
4 Assertion: True. This relates to the control on terms and conditions of employment. The contractual agreements with employees and contractors
  shall state their and the organization's responsibilities for information security. (ISO 27001, A.7.1.2)
  Reason: True. This relates to the management responsibilities control as management shall require all employees and contractors to apply
  information security. The answer is A, because the contracts are the device used to ensure that management's responsibilities are transferred
  and communicated (delegation and binding responsibilities). (ISO 27001, A.7.2.1)
5 Assertion: True. Access to systems over a public network would be identified as a key vulnerability during risk identification and reviewed during
  risk analysis. The IS requirements and associated processes should be identified and integrated in the early stages of IS projects as part of
  the information security requirements analysis and specification control. (ISO 27005, 8.2.5, 8.3.2; ISO 27001, A.14.1.1; ISO 27002, A.14.1.1)
  Reason: False. Applications which are accessible via public networks require detailed risk assessments and the proper selection of controls.
  There is no requirement to prevent access until risk assessment has been completed. (ISO 27001, A14.1.2; ISO 27002, A.14.1.2)
6 Assertion: False. The IS requirements should be identified using various methods such as deriving compliance requirements from policies and
  regulations, threat modelling, incident reviews or use of vulnerability thresholds. (ISO 27001, A.14.1.1; ISO 27002, A.14.1.1)
  Reason: True. Information security requirements should consider the required protection needs of the assets involved, in particular regarding
  availability, confidentiality, and integrity. (ISO 27001, A.14.1.1; ISO 27002, 14.1.1)

Question: 2, Syllabus: LE, Part: A, Type: MG, SyllabusRef: LE0202 LE0203 LE0204, Level: 2
1 Correct [A]: Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility is given within
the Leadership and commitment clause. (ISO 27001, 5.1.h)
2 Correct [B]: Providing a framework for setting information security management objectives is an activity within the Policy clause. (ISO 27001, 5.2 b)
3 Correct [D]: Integrating the actions to address risks and opportunities into an organizationʼs information security management system is an activity
within the Planning actions clause to address risks and opportunities. (ISO 27001, 6.1.1.e.1)

Question: 2, Syllabus: LE, Part: B, Type: CL, SyllabusRef: LE0206 LE0207 LE0208, Level: 2
1 A Incorrect: The policies for information security shall be reviewed at planned intervals to ensure their continuing suitability. (ISO 27001, 5.2.a,
A.5.1.2)
B Correct: The policies for information security shall be appropriate to the purpose of the organization. It is for the organization to decide the
level of detail required, therefore an ISMS is not required to be comprehensive. (ISO 27001, 5.2.a, A.5.1.2)
C Incorrect: The policies for information security shall be reviewed at planned intervals to ensure their adequacy. (ISO 27001, 5.2.a, A.5.1.2)
D Incorrect: The policies for information security shall be reviewed at planned intervals to ensure their effectiveness. (ISO 27001, 5.2.c, A.5.1.2)
2 A Incorrect: The organization should ensure its staff have the required competency to deliver the scope of the ISMS. (ISO 27001, 7.2.a and b).
B Correct: The extent of documented information determined by the organization as being necessary for the effectiveness of the ISMS may vary
due to the competence of persons. (ISO 27001, 7.5.1(3)).
C Incorrect: The competency of staff is not a matter which is identified by the standard that should affect the frequency of review. (ISO 27001, 9.1).
D Incorrect: The boundaries of the ISMS will determine its scope but competency of staff is not a matter for consideration. (ISO 27001, 4.3).
3 A Correct: Responsibilities and authorities related to information security activities should be assigned. Activities include "coordinating the
establishment, implementation, maintenance, performance reporting, and improvement of the ISMS”, usually the CISO. (ISO 27003,
5.3)
B Incorrect: Beyond the roles specifically related to information security, relevant information security responsibilities and authorities should be
included within other roles. (ISO 27003, 5.3)
C Incorrect: Ensure that employees and contractors are aware of and fulfil their information security responsibilities. (ISO 27001, A.7.1)
D Incorrect: Top management should approve major roles, responsibilities and authorities of the ISMS. There is no requirement for an audit
department to be involved. (ISO 27003, 5.3)

Question: 2, Syllabus: LE, Part: C, Type: MR, SyllabusRef: LE0301, Level: 3
1 A Correct: Advising on information security risk assessment and treatment. (ISO 27003, 5.3.b)
B Correct: Managing information security incidents. (ISO 27003, 5.3.e)
C Incorrect: Select auditors and conduct audits that ensure objectivity and the impartiality of the audit process. (ISO 27001, 9.2.e)
D Incorrect: The information security risk assessment process identifies the risk owners associated with these risks, i.e. identify and appoint persons
with the appropriate authority and responsibility for managing identified risks. (ISO 27003, 6.1.2)
E Incorrect: Top management is ultimately responsible for management review, with inputs from all levels in the organization. (ISO 27003, 9.3)
2 A Incorrect: Reporting lines are not relevant to the responsibilities of an Auditor. (ISO 27003, Annex B.1 – Auditor)
B Correct: Assessing the ISMS is one of the responsibilities for an Auditor. (ISO 27003, 9.2). Having appropriate competence to assess
conformance to ISO/IEC 27001 would be needed. (ISO 27001, 7.2 b)
C Incorrect: Governance for information security is not a responsibility of an Auditor. An internal audit can identify nonconformities, risks and
opportunities. Nonconformities are managed according to requirements in ISO 27001, 10.1 (ISO 27003, 9.2)
D Incorrect: Working across departments is not a responsibility of an Auditor. (ISO 27003, 9.2)
E Correct: Evaluating the ISMS is one of the responsibilities for an Auditor. (ISO 27003, 9.2)
3 A Incorrect: Top management does not need to assign all roles, responsibilities and authorities. (ISO 27003, 5.3)
B Incorrect: Relevant information security responsibilities and authorities should be included within other roles. (ISO 27003, 5.3)
C Correct: Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as
necessary for the effectiveness of its management system. (ISO 27003, 5.3)
D Incorrect: Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as
necessary for the effectiveness of its management system. (ISO 27003, 5.3)
E Correct: Top management shall assign the responsibility and authority for the reporting on the performance of the information security
management system to top management. (ISO 27001, 5.3)
4 A Incorrect: Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and
communicated. (ISO 27001, 5.3)
B Incorrect: Top management does not need to assign all roles, responsibilities and authorities, but it should adequately delegate authority to do
this. (ISO 27003, 9.3)
C Correct: Examples of documented information that can be determined by the organization to be necessary for ensuring effectiveness of its ISMS
are the roles, responsibilities and authorities. (ISO 27003, 7.5.1)
D Incorrect: Beyond the roles specifically related to information security, relevant information security responsibilities and authorities should be
included within other roles. For example, information security responsibilities can be incorporated in the roles of: ... risk owners;. (ISO
27003, 9.3)
E Correct: It can be appropriate to identify and assign distinctive roles to those participating in the monitoring, measurement, analysis and
evaluation. (ISO 27003, 9.1)
5 A Correct: The CEO of a supermarket chain which is not contracted to Equitable Products cannot be an interested party. This is because he
cannot be affected by any decisions or activities made by Equitable Products in relation to Equitable Products' information security.
(ISO 27003, 4.2)
B Incorrect: The Chief Finance Officer is part of normal operations within the ISMS and is considered to be an interested party. (ISO 27003, 4.2)
C Incorrect: The persons responsible for physical security are part of normal operations and are considered to be an interested party. (ISO 27003,
4.2)
D Correct: A competitor to Equitable Products cannot be an interested party as it cannot be affected by any decisions or activities made by
Equitable Products in relation to Equitable Products' information security. (ISO 27003, 4.2)
E Incorrect: The legal advisor is part of normal operations and is considered to be an interested party. (ISO 27003, 4.2)

Question: 2, Syllabus: LE, Part: D, Type: MR, SyllabusRef: LE0311 LE0312 LE0314, Level: 3
1 A Incorrect: The Security of equipment and assets off-premises control seeks to manage portable equipment and assets that are taken off-site.
(ISO 27001, A.11.2.6)
B Incorrect: The Security of network services control seeks to identify all network services for inclusion in network service agreements. Network
service agreements would not resolve the loss of connection with the ISP as it was not caused by a failure of either party. (ISO 27001,
A.13.1.2)
C Correct: The Cabling security control seeks to protect power and communications cables from interference or damage. This control would
provide a resolution of this incident. (ISO 27001, A.11.2.3)
D Incorrect: The control for Network control seeks to manage networks to protect information in systems and applications. Neither of the systems
or applications were involved in this incident, so this control would not resolve this incident. (ISO 27001, A.13.1.1)
E Correct: The Supporting utilities control seeks to protect against power failure and other disruptions caused by failures in supporting utilities, such
as was evidenced in the incident. This control would provide a resolution of this incident. (ISO 27001, A.11.2.2)
2 A Incorrect: The control for Physical entry controls seeks to provide entry control to secure areas for authorized personnel. The cleaner was an
authorized person and use of this control would prevent cleaning of this area, which is not a practical solution. (ISO 27001, A.11.1.2)
B Correct: The Clear desk policy control seeks to provide a clean desk policy to ensure that all papers, such as the hard-copy lists of access
passwords, are not available to unauthorised personnel. This control would provide a resolution of this incident. (ISO 27001, A.11.2.9)
C Correct: The Unattended user equipment control seeks to protect unattended equipment, such as the computer accessed by the cleaner. This
control would provide a resolution of this incident. (ISO 27001, A.11.2.8)
D Incorrect: The Working in secure areas control seeks to provide a procedure for working in secure areas. Use of this control would prevent
cleaning of this area, which is not a practical solution. (ISO 27001, A.11.1.5)
E Incorrect: The Securing offices, rooms and facilities control seeks to provide physical security for offices and rooms. Use of this control would
prevent cleaning of this area, which is not a practical solution. (ISO 27001, A.11.1.3)
3 A Correct: The Controls against malware control provides protection and recovery controls against malware. The issued laptops have not been
configured, so the protection against malware is not implemented. This control would provide a resolution of this incident. (ISO 27001,
A.12.2.1)
B Incorrect: The Clock synchronisation control seeks to ensure that clocks of information processing systems can be synchronised within the
organization. As the two laptops are used without connection to the network, there is no need for clock synchronisation at this stage.
This control would not provide a resolution of this incident. (ISO 27001, A.12.4.4)
C Incorrect: The control for Network controls relates to the management and controls for the protection in network systems. As the two laptops are
used without connection to the network, this control would not provide a resolution of this incident. (ISO 27001, A.13.1.1)
D Incorrect: The Access control policy control relates to the management of access based on business and information security requirements.
The users have a business need for access to the application on the laptop. This control would not provide a resolution of this incident.
(ISO 27001, A.9.1.1)
E Correct: The Information backup control provides for backups to be taken of information assets to protect against loss of data. The issued
laptops have not been configured, so the backup protection has not been implemented. This control would provide a resolution of this
incident by restoring the laptop to a situation prior to the virus infection. (ISO 27001, A.12.3.1)
4 A Correct: The System change control procedures control provides for changes within the development lifecycle to be controlled by the use of
formalized procedure. This would allow for Equitable Products and their contractors to manage the application development project.
This control would provide a resolution of this situation. (ISO 27001, A.14.2.2)
B Incorrect: The Addressing security within supplier agreements control relates to addressing security requirements between Equitable Products
and their suppliers in relation to the management of information. This control will not manage the software changes or the testing
process. This control would not provide a resolution of this situation. (ISO 27001, A.15.1.2)
C Incorrect: The Change management control relates to operational changes in the organization (Equitable Products), its business processes,
information processing facilities and systems. The application is still under development and has not been deployed, therefore, this
operational control would not apply to this situation. This control would not provide a resolution of this situation. (ISO 27001, A.12.1.2)
D Correct: The System security testing control provides the testing of software during the software development lifecycle. This would allow for
Equitable Products and their contractors to manage the testing process. This control would provide a resolution of this situation. (ISO
27001, A.14.2.8)
E Incorrect: The Protection of test data control relates to the selection, protection and control of test data. Although this control relates to test data,
it does not manage the testing of the software functionality required in the project. This control would not provide a resolution of this
situation. (ISO 27001, A.14.3.1)

Question: 2, Syllabus: LE, Part: E, Type: AR, SyllabusRef: LE0409 LE0411, Level: 4
1 Assertion: True. The Director of Information Management had responsibility to control access privileges and they should have been revoked
  immediately on termination of employment. Therefore, the termination of employment was NOT completed correctly. (ISO 27001, A.9.2.6)
  Reason: True. It is correct that the access rights for all employees and external party users to information and information processing facilities
  shall be reviewed at regular intervals. (ISO 27001, A.9.2.5). However, the reason the termination was not correctly completed was because
  access rights should be removed on termination of their employment, contract or agreement. It should not be left until the next regular review.
  (ISO 27001, A.9.2.6). The answer is therefore B.
2 Assertion: True. The loss should trigger a review of the termination of other dismissed workers' access privileges. This will ensure a similar
  problem has not occurred, as knowledge gained from the incident should be used to reduce the likelihood of future incidents. (ISO 27001,
  A.16.1.6)
  Reason: True. Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of
  future incidents. (ISO 27001 A16.1.6). The reason directly explains the assertion because the review would be held in order to learn from the
  information security incident. Therefore, the answer is A.
3 Assertion: False. Loss of food should be classified as an information security incident because there is a requirement to track all deliveries and
  as such a loss will have an impact on invoicing and stock control. (ISO 27001, A.16.1.2)
  Reason: False. Information security events are classified as information security incidents for any unauthorized access, such as to secure
  areas. It does not only apply to an organization's systems and applications. (ISO 27001, A.16.1.2)
4 Assertion: False. The ability for the dismissed worker to have access rights to the loading bay shall be removed immediately on termination of
  their employment. (ISO 27001, A.9.2.6)
  Reason: True. Asset owners are required to review access rights on a regular basis. (ISO 27001, A.9.2.5)
5 Assertion: False. Removing access privileges to the loading bay for all workers would be inconsistent with the allocation and use of the access
  privileges. Such an action would result in the loading bay ceasing to operate. (ISO 27001, A.9.2.3)
  Reason: False. Access privileges are removed on termination of employment, contract or agreement. This does not happen when an information
  security incident occurs. (ISO 27001, A.9.2.6)

Question: 3, Syllabus: OS, Part: A, Type: MR, SyllabusRef: PL0202, Level: 2
1 A Incorrect: Evidence of top management contribution is useful to demonstrate compliance. However, the standard does not specifically require
this to be evaluated. (ISO 27001, 5.1)
B Incorrect: Established risk assessment criteria are a means of analysing and evaluating potential risks. However, the criteria are not specifically
subject to evaluation. (ISO 27001, 6.1.2 a)
C Correct: Information security process performance is a specified measurement requirement. (ISO 27001, 9.1 a)
D Incorrect: Assignment of suitably skilled resources to roles may be monitored and assessed. However, this activity is not specifically required to
be evaluated. (ISO 27001, 7.2)
E Correct: Information security process effectiveness is a specified measurement requirement. (ISO 27001, 9.1 a)
2 A Correct: The standard does NOT require the organization to determine where the monitoring and measuring shall be performed. (ISO 27001, 9.1)
B Incorrect: The organization shall determine when the monitoring and measuring shall be performed. (ISO 27001, 9.1 c)
C Correct: The standard does NOT require the organization to determine why the monitoring and measuring shall be performed. (ISO 27001, 9.1)
D Incorrect: The organization shall determine when the results from monitoring and measurement shall be used. (ISO 27001, 9.1 e)
E Incorrect: The organization shall determine who shall analyse and evaluate the results. (ISO 27001, 9.1 f)
3 A Incorrect: Processes and controls need to be monitored and measured but the Monitoring, measurement, analysis and evaluation clause does
NOT require the method of process control to be determined. (ISO 27001, 9.1 b)
B Incorrect: Documentation needs to be delivered but the Monitoring, measurement, analysis and evaluation clause does NOT require the method
of documentation to be determined. (ISO 27001, 9.1 b)
C Correct: The Monitoring, measurement, analysis and evaluation clause requires the method of monitoring to be determined. (ISO 27001, 9.1 b)
D Incorrect: Corrective action needs to be undertaken to correct non-conformances but the Monitoring, measurement, analysis and evaluation
clause does NOT require the method of corrective action to be determined. (ISO 27001, 9.1 b)
E Correct: The Monitoring, measurement, analysis and evaluation clause requires the method of analysis to be determined. (ISO 27001, 9.1 b)
4 A Incorrect: Password length is monitored by the password management system only when the user creates or changes the password. This
ensures that the resulting password matches password quality policy rules. (ISO 27002, 9.4.3 c)
B Correct: The last change date will be used to understand if the user should be prompted to change a temporary password (new user at first
log-in) or expired password (existing user forced to change their password as mandated by the maximum password age policy). (ISO
27002, 9.4.3 d & e)
C Correct: The last log-in date will be used to understand if the user should be prompted to change a temporary password (new user at first
log-in). (ISO 27002, 9.4.3 d)
D Incorrect: Password complexity is monitored by the password management system only when the user creates or changes the password. This
ensures that the resulting password matches password quality policy rules. (ISO 27002, 9.4.3 c)
E Incorrect: The access control system must NOT display passwords in clear text on the screen. (ISO 27002, 9.4.2 i)
ISO27K2012-GB-SX01-V1.2 Page 12 of 19 Document Owner - Chief Examiner
© The APM Group Ltd 2016. This paper remains the property of The APM Group (APMG). This document is not to be reproduced or re-sold without express permission from The APM Group Ltd. The APMG-International ISO/IEC 27001 logo is a Trade Mark of The APM Group Limited. The APMG-International logo is a Trade Mark of the APM Group Ltd.
Question: 3, Syllabus: OS, Part: B, Type: MG, SyllabusRef: OS0316, Level: 3
1 Correct [B]: Reporting information security events: (ISO 27001, A.16.1.2; ISO 27002, 16.1.2). This report is to the police rather than to Equitable
Products' information security team. However, it is still an aspect of detection and reporting and it is the reporting of the event prior to its
classification as an incident.
2 Correct [G]: Collection of evidence: (ISO 27001, A.16.1.7; ISO 27002, 16.1.7). The police report is part of the collection of information which will serve
as evidence.
3 Correct [E]: Response to information security incidents: (ISO 27001, A.16.1.5; ISO 27002, 16.1.5). The lost papers are unlikely to be recovered.
However, this risk treatment is intended to deal with the immediate vulnerability of other directors travelling with sensitive paper
documents. It is an avoidance response to the vulnerability and potential threat.
4 Correct [D]: Assessment of and decision on information security events: (ISO 27001, A.16.1.4; ISO 27002, 16.1.4). The Information Security Officer
discovers the extent of the event. Realising the consequential impacts of losing sensitive paper documents to activists, he informs the CIO
and begins investigating this as an incident.
5 Correct [E]: Response to information security incidents: (ISO 27001, A.16.1.5; ISO 27002, 16.1.5). Communicating and reinforcing practices related
to strangers and behaviours is a reasonable response to this incident.
6 Correct [F]: Learning from information security incidents: (ISO 27001, A.16.1.6; ISO 27002, 16.1.6). Risk reassessment improves the consideration of
this kind of event in paper media handling.
Question: 3, Syllabus: OS, Part: C, Type: AR, SyllabusRef: AR0408 AR0409 AR0410, Level: 4
1 Assertion: True. Normal operating temperatures should be restored in a manner proportionate to the criticality of the situation. The return-to-service (information availability) target is only 5 hours. Alternative rapid temperature reduction options should be explored first. (ISO 27001, 6.2 c)
  Reason: False. The organization should determine its requirements for information security and the continuity of information security management in adverse situations. (ISO 27002, 17.1.1). The organization should establish, document, implement and maintain compensating controls for routine IS controls that cannot be maintained during an adverse situation. (ISO 27002, 17.1.2 second part c). The organization may elect to operate with a predetermined increased risk tolerance for a limited period.
2 Assertion: True. Physical destruction of disks which failed to power on is a reasonable control to prevent unauthorized attempts to recover data from that media. (ISO 27002, 8.3.2)
  Reason: True. Replacing failed hardware components from redundant stock (ISO 27002, 17.2.1) is quicker and more reliable than attempting repairs and would support the organization's return-to-service (information availability) objective. The assertion focuses on confidentiality of information and this reason focuses on information availability. Therefore, the reason does not support the assertion so the answer is B.
3 Assertion: False. The asset register must be maintained with the lifecycle of each asset to destruction. (ISO 27002, 8.1.1). The asset tags must remain on the failed disks to provide identification. The disks should be marked as 'failed/removed' in the asset register and their later destruction also recorded. This is to maintain the integrity of the register and the traceability of the disks up to and including confirmation of their destruction. Replacement disks will have new asset tags to track their lifecycle of use.
  Reason: True. The asset owner must ensure that the asset inventory is maintained. (ISO 27002, 8.1.2)
4 Assertion: True. The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source. (ISO 27002, 12.4.4)
  Reason: True. Network and domain system clock synchronisation is fundamental to correct system operations and event logging. It is an operational priority on commissioning and recovery. (ISO 27002, 12.4.4). This reason supports the asserted need for server synchronisation to a single reference time source, so the answer is A.
5 Assertion: True. All response activities should be properly logged for later analysis. (ISO 27002, 16.1.5 d)
  Reason: True. Compensating controls for information security controls that cannot be maintained during an adverse situation should be documented by the organization as part of implementing information security continuity. (ISO 27002, 17.1.2, both points c). Documenting compensating controls is part of planning for business continuity and is a separate requirement to the documentation during an incident. The answer is therefore B.
6 Assertion: False. Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. The root cause of events should be identified (air conditioning units not surge protected) and formally risk-assessed to determine options for treatment. (ISO 27001, 8.2 & 8.3). Opportunities to improve information security should also be considered. (ISO 27002, 16.1.6; ISO 27001, 10.1, 10.2)
  Reason: False. Opportunities to improve the response should be considered. (ISO 27002, 16.1.6). Top management are required to review the ISMS – and the results of this incident – to ensure its continuing suitability, adequacy and effectiveness. (ISO 27001, 9.3)
Question: 3, Syllabus: OS, Part: D, Type: CL, SyllabusRef: LE0410 LE0413 LE0415, Level: 2
1 A Incorrect: Information in the Scenario Booklet states that Equitable Products IT Services currently operate an ISMS compliant with ISO 27001.
To be compliant, the ISMS controls will already include established malware protection for all received electronic information to
mitigate this risk appropriately. (ISO 27002, 12.2.1 e, g & h)
B Incorrect: The legal entitlement of Equitable Products to collect the device for forensic investigation needs to be established first. (ISO 27002
16.1.7). Sample data validation will support that justification in consultation with legal counsel. (ISO 27002, 18.1.1)
C Correct: Encryption of the sample data would provide the objectives described. (ISO 27002, 13.2.1 f)
D Incorrect: Encryption protects the confidentiality of the data in transit (and, where authenticated encryption or a MAC is used, its integrity). However,
if there is malware in the original data it will not be removed by encryption. (ISO 27002, 10.1.1)
2 A Incorrect: Information security events shall be reported through appropriate management channels as quickly as possible. (ISO 27001, A.16.1.2).
There is no requirement to wait until all potential impacts are known, particularly as the trusted researcher has provided sample data
that is considered representative of the nature of the information on the device.
B Incorrect: It is usual for employees and contractors to be provided with a confidentiality or non-disclosure agreement prior to being given access
to information. (ISO 27002, 7.1.2 a). However, the agreement may be negotiated and applied to any party at any time as the
organization's needs change. (ISO 27002, 13.2.4)
C Incorrect: The recovered sample data is publicly-available information, not commercially or personally sensitive. There are no details of the
planned scope of publication and the researcher is a trusted advisor to the organization. It would be premature to involve authorities
unless there is tangible evidence of harmful motive and intent enabling identification of applicable legislation. (ISO 27002, 18.1.1)
D Correct: Incident disclosure may still be avoided or contained by negotiation and agreement with the researcher as a 'supplier' of incident
information. (ISO 27002, 15.1.2 e & p)
3 A Correct: Attempts should be made to identify how this asset was used and by whom. This will determine the root cause of the failure and enable
correction and improvement. (ISO 27001, 10.1 & 10.2)
B Incorrect: The information is publicly available according to the applied classification scheme. Therefore, there is no requirement for
confidentiality to make the information unrecoverable as per ISO 27001, A.8.3.1. (ISO 27002, 8.3.1)
C Incorrect: Removable media assets may be reassigned and/or re-used, changing purpose and handling requirements as the classification of
their stored information changes. (ISO 27002, 11.2.7). Asset inventories should record the current owner and lifecycle of use. (ISO
27002, 8.1.1)
D Incorrect: Reputational risk remains because the researcher discloses Equitable Products' media and information asset lifecycle management
failure. (ISO 27002, 8, 11.2.5, 11.2.6 & 11.2.7)
4 A Incorrect: 'Deleted' information can be technically recovered in many cases. Although the user's action did not result in unauthorized disclosure
in this specific case, the same decision and action on a device with more sensitive information may be a vulnerability that needs to be
investigated and managed. Corrective action may include risk awareness training to prevent further occurrence (ISO 27001, 10.1 &
7.3), or removal of technical privileges to use removable media. (ISO 27002, 8.1.3, 9.2.2)
B Incorrect: 'Deleted' information can be technically recovered in many cases. The user's action did not result in unauthorized disclosure in this
specific case. However, the same decision and action on a device with more sensitive information may be a vulnerability that needs to
be investigated and managed. Corrective action may include risk awareness training to prevent further occurrence (ISO 27001, 10.1 &
7.3), or removal of technical privileges to use removable media. (ISO 27002, 8.1.3, 9.2.2)
C Correct: Corrective action may include risk awareness training to prevent further occurrence (ISO 27001, 10.1 & 7.3), or removal of technical
privileges to use removable media. (ISO 27002 8.1.3, 9.2.2)
D Incorrect: Information in the Scenario Booklet states that Equitable Products' IT Services currently operate an ISMS compliant with ISO 27001.
To be compliant, the ISMS controls will already include established malware protection for all received electronic information to
mitigate this risk appropriately. (ISO 27002, 12.2.1 e, g & h)
Question: 4, Syllabus: AR, Part: A, Type: CL, SyllabusRef: PL0204 PL0205, Level: 2
1 A Incorrect: It is not a requirement of the Standard to inform the Certification Body of the results of internal audits. The Certification Body may
require sight of the internal audit results when external audits are performed but if required, this will be requested later as part of the
external audit. (ISO 27001, 9.2)
B Incorrect: The requirement is to identify what should be audited when setting up the audit programme(s). There is no requirement to identify the
next processes to be audited at the end of an internal audit. (ISO 27001, 9.2 c)
C Correct: The organization shall retain documented information as evidence of the audit programme(s) and the audit results. The audit results
should be protected to ensure they are not lost or destroyed as these are evidence to demonstrate the meeting of the Standard. (ISO
27001, 9.2 g)
D Incorrect: A certificate is only issued when an auditor employed by a certification body performs a certification audit. Certificates are not issued for
internal audits. (ISO 27001, 9.2, Supplementary Paper 4.5)
2 A Incorrect: Evaluating the need to eliminate the causes of non-conformance is part of Improvement, not Management Review. (ISO 27001, 10.1 b)
B Incorrect: Dealing with the consequences of non-conformance is part of Improvement, not Management Review. (ISO 27001, 10.1 a.2)
C Incorrect: Determining the cause of non-conformance is part of Improvement, not Management Review. (ISO 27001, 10.1 b.2)
D Correct: Considering opportunities for continual improvement is part of Management Review. (ISO 27001, 9.3 f)
3 A Correct: Defining the scope of the audit is one of the responsibilities of the organization. (ISO 27001, 9.2 d)
B Incorrect: Considering feedback on opportunities for continual improvement is part of Management Review. (ISO 27001, 9.3 f). Identifying
opportunities for continual improvement is not a stated responsibility within Internal Audit. (ISO 27001, 9.2)
C Incorrect: Consideration of changes in external issues is part of Management Review (ISO 27001, 9.3 b). There is no requirement to document
them prior to an Internal Audit (ISO 27001, 9.2)
D Incorrect: One purpose of an Internal Audit is to provide information on whether the ISMS conforms to the organization's own requirements for its
ISMS. (ISO 27001, 9.2). The Internal Audit will measure against the current requirements, but there is no obligation to update the
ISMS prior to an Internal Audit.
4 A Incorrect: The organization's approach to managing information security may be independently reviewed as a result of information from a
management review but there is no requirement to independently review it at every management review. (ISO 27001, 9.3, A.18.2.1)
B Incorrect: The organization's approach to managing information security may be independently reviewed as a result of information from an audit.
However there is no requirement to independently review it at every audit. (ISO 27001, 9.2, A.18.2.1)
C Incorrect: Review of the organization's approach to managing information security may form part of continual improvement. However, there is
no requirement to independently review it as part of continual improvement. (ISO 27001, 10.2, A.18.2.1)
D Correct: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies,
processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes
occur. (ISO 27001, A.18.2.1)
5 A Incorrect: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with
legislative, regulatory, contractual and business requirements. Whilst national laws may affect implementation there is no
recommendation to take legal advice. (ISO 27002, 18.1.3)
B Correct: Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations. Legal advice should
be sought to ensure compliance and before encrypted information or cryptographic controls are moved across jurisdictional borders.
(ISO 27002, 18.1.5)
C Incorrect: An independent review of information security reviews the organization's approach to managing information security and its
implementation. Such a review should be carried out by individuals independent of the area under review. (ISO 27002, 18.2.1)
D Incorrect: Information systems should be regularly reviewed for compliance with the organizationʼs information security policies and standards.
The technical compliance review should be carried out or supervised by competent, authorized persons but not with legal advice. (ISO
27002, 18.2.3)
6 A Correct: It is the audit programme that takes into consideration the importance of the processes concerned. (ISO 27001, 9.2 c)
B Incorrect: The management review shall include consideration of the changes in external and internal issues. (ISO 27001, 9.3 b)
C Incorrect: The management review shall include consideration of the status of actions from previous management reviews. (ISO 27001, 9.3 a)
D Incorrect: The management review shall include consideration of trends in results of risk assessment. (ISO 27001, 9.3 e)
Question: 4, Syllabus: AR, Part: B, Type: MR, SyllabusRef: AR0308 AR0310 AR0313, Level: 3
1 A Incorrect: Digital signatures will not help to avoid incorrect information being sent but, they may assist the verification of authenticity of a
message. (ISO 27002, 10.1.1 second bullet point b). However, the issue to be addressed here was the attachment of the wrong price
list to an authentic message.
B Correct: Labelling sensitive information in accordance with a defined classification scheme is a recommended asset management control for
electronic information exchange. This highlights that the information needs to be handled in accordance with defined procedures.
(ISO 27002, 8.2.1, 8.2.3). If the price list had been appropriately labelled it may have drawn attention to its special status and avoided it
being sent to the wrong customer.
C Incorrect: Owners of sensitive information should be accountable for their classification, and this is an asset management control. (ISO 27002,
8.2.1). However, this control will not directly address the audit finding that sensitive information has been released to unintended
recipients.
D Incorrect: Agreements with other organizations that include information sharing should include procedures to identify the classification of that
information. However, this will not control the finding that sensitive information has been released to unintended recipients. (ISO
27002, 8.2.3 final paragraph)
E Correct: A review of access restrictions to sensitive information such as price lists (ISO 27002, 8.1.2 c) would be appropriate to identify
changes or additional controls to restrict access to special price lists to avoid them being used inappropriately.
2 A Correct: Information security considerations for electronic messaging should include requirements for electronic signatures (ISO 27002,
13.2.3 d) which will address the issue of authenticity.
B Incorrect: The issue relates to the authentication of messages sent. Protection against unsolicited email received, although relevant to
electronic messaging (ISO 27002, 13.2.3), is not appropriate to address the identified issue.
C Incorrect: The issue relates to the authentication of messages sent by email. The Access to instant messaging control relates to instant
messaging. Although it is relevant to electronic messaging (ISO 27002, 13.2.3 e), it is not appropriate to address the identified issue.
D Correct: The issue to be addressed is authenticity. The use of message authentication codes is a cryptographic control that will address issues
of authenticity. (ISO 27002, 10.1.1 second bullet point b).
E Incorrect: The issue relates to the authentication of messages sent by email. Malware protection, although relevant to electronic messaging
(ISO 27002, 12.2.1 g.2), is not appropriate to address the identified issue.
3 A Incorrect: Enforcement of password changes is a consideration of a password management system. (ISO 27002, 9.4.3 e). However, it will not
address the issue of information being disclosed to unintended email recipients.
B Incorrect: Limiting the information contained in outputs is a consideration of the Information access restriction control. (ISO 27002, 9.4.1 e). It
may reduce the amount of information disclosed to an unintended recipient. However, unless the content is encrypted it will not prevent
disclosure and is not part of an encryption/cryptographic policy.
C Correct: The impact of encryption on other controls such as content inspection controls should be considered when developing a cryptographic
policy. (ISO 27002, 10.1.1 g)
D Incorrect: The issue to be addressed is disclosure (confidentiality). The use of message authentication codes is a cryptographic control that will
address issues of integrity and authenticity but is not relevant to confidentiality. (ISO 27002, 10.1.1 second bullet point b)
E Correct: The standards to be adopted should be considered when developing a cryptographic policy. (ISO 27002, 10.1.1 f)
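The distinction drawn in Q1 A and Q2 D above (a digital signature or MAC proves that a message is authentic and was not altered in transit, not that the right file was attached), in Q3 D (a MAC gives integrity and authenticity but no confidentiality) and in Q1 B (a classification label can stop the wrong list being released) can be seen in working code. The following is an added example written for this workbook; it is not code from the exam paper or from APMG. The shared key, the two price lists, the recipient addresses, the internal domain and the label values are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key: in practice the key is shared out-of-band between sender and receiver.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed price lists (assumed content, not from the exam scenario).
PRICE_LIST_STANDARD = b"widget,10.00\ngadget,25.00\n"
PRICE_LIST_SPECIAL = b"widget,7.50\ngadget,18.00\n"


def canonical(message: dict) -> bytes:
    """Serialise deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def compute_mac(message: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the canonical message: proves origin and in-transit integrity."""
    return hmac.new(key, canonical(message), hashlib.sha256).hexdigest()


def verify_mac(message: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(compute_mac(message, key), tag)


def build_message(recipient: str, body: str, attachment_name: str,
                  attachment: bytes, label: str) -> dict:
    """The attachment travels by reference to its hash and carries its classification label."""
    return {
        "to": recipient,
        "body": body,
        "attachment": attachment_name,
        "attachment_sha256": hashlib.sha256(attachment).hexdigest(),
        "label": label,  # hypothetical label values: "PUBLIC", "INTERNAL", "CONFIDENTIAL"
    }


def outbound_label_check(message: dict, internal_domains: set) -> bool:
    """Release control a MAC cannot provide: block CONFIDENTIAL content to external recipients."""
    domain = message["to"].rsplit("@", 1)[-1].lower()
    if message["label"] == "CONFIDENTIAL" and domain not in internal_domains:
        return False
    return True


def demo() -> dict:
    internal = {"equitable.example"}  # constructed internal mail domain
    # The sender genuinely attaches the special (confidential) list to a message meant for a customer.
    msg = build_message("buyer@customer.example", "Please find our price list attached.",
                        "prices.csv", PRICE_LIST_SPECIAL, "CONFIDENTIAL")
    tag = compute_mac(msg)

    # 1. Authenticity holds: the MAC proves who sent it and that nothing changed in transit,
    #    not that the right file was attached.
    authentic_but_wrong = verify_mac(msg, tag)

    # 2. Swap the attachment hash after the tag was computed: the integrity check fails.
    tampered = dict(msg, attachment_sha256=hashlib.sha256(PRICE_LIST_STANDARD).hexdigest())
    tamper_detected = not verify_mac(tampered, tag)

    # 3. A MAC adds no confidentiality: the canonical bytes are plaintext to an interceptor.
    mac_does_not_hide_content = b"price list" in canonical(msg)

    # 4. The labelling control does catch the mistake, before the message leaves.
    blocked_by_label = not outbound_label_check(msg, internal)

    return {
        "authentic_but_wrong": authentic_but_wrong,
        "tamper_detected": tamper_detected,
        "mac_does_not_hide_content": mac_does_not_hide_content,
        "blocked_by_label": blocked_by_label,
    }


if __name__ == "__main__":
    print(demo())
```

All four results in `demo()` come out true: the authentic-but-wrong message verifies, the in-transit swap is caught, the body remains readable without a key, and only the label check stops the release. That is the point the rationales make: choose the control for the property actually at risk.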
4 A Incorrect: Availability of the service is a consideration of electronic messaging (ISO 27002, 13.2.3). It is not required to be documented in an
agreement on information transfer. (ISO 27002, 13.2.2)
B Incorrect: Capacity management is an aspect of operations security. However, it is not a responsibility required to be defined in an information
transfer agreement. (ISO 27002, 13.2.2)
C Correct: Information transfer agreements should incorporate management responsibility for controlling receipt. (ISO 27002, 13.2.2 a)
D Incorrect: User authentication is an aspect of access control. (ISO 27002, 9.1.2 e). It is not a responsibility required to be defined in an
information transfer agreement. (ISO 27002, 13.2.2)
E Correct: Information transfer agreements should incorporate responsibility for liability in the event of data loss. (ISO 27002, 13.2.2 f)
5 A Incorrect: Interception was not an issue identified. Therefore procedures relating to the interception of information, although an information
transfer control, are not relevant in this case. (ISO 27002, 13.2.1 a)
B Incorrect: Non-repudiation procedures are an issue relating to information transfer. (ISO 27002, 13.2.2 b). However, they are not relevant to the
issue of inappropriate sharing of information by email.
C Correct: Although not the cause of this incident, inappropriate forwarding of emails (especially to external addresses) would result in a similar
inappropriate disclosure of information. (ISO 27002, 13.2.1 h)
D Correct: Procedures to be followed when using communication facilities for information transfer should consider the procedures for protecting
sensitive information that is in the form of attachments. (ISO 27002, 13.2.1 c)
E Incorrect: Process and procedures around incident management are part of incident management. (ISO 27002, 15.1.2 h). They are not directly
part of information transfer procedures, so incident management, of itself, will not prevent a similar incident.
Question: 4, Syllabus: AR, Part: C, Type: CL, SyllabusRef: AR0413, Level: 4
1 A Incorrect: There may be a need for an organization to use different forms of confidentiality or non-disclosure agreements in different
circumstances. (ISO 27002, 13.2.4 OI)
B Incorrect: The information about the intellectual property rights may be public domain information, and therefore not confidential. However, the
ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information
should be included in a non-disclosure agreement. (ISO 27002, 13.2.4 e)
C Correct: Ownership of information, trade secrets and intellectual property should be included in a non-disclosure agreement. (ISO 27002,
13.2.4 e)
D Incorrect: The non-disclosure agreement should set out any rights to audit. (ISO 27002, 13.2.4 g). However, this is not the reason for including
information about ownership of information, trade secrets and intellectual property.
2 A Incorrect: A non-disclosure agreement should set out the terms for information to be returned or destroyed at agreement cessation. This may be
reviewed and changed at any time before it expires. The fact that the information may change is not a reason to have an agreement for
a period of just three months. (ISO 27002, 13.2.4 IG)
B Correct: A non-disclosure agreement should be for an appropriate period, and there is no need to restrict its length. It should set out when it
will be periodically reviewed but it has no need to automatically expire when reviewed. (ISO 27002, 13.2.4 b)
C Incorrect: A non-disclosure agreement should be reviewed periodically. However, this does not mean that a new agreement is needed unless
circumstances have changed. (ISO 27002, 13.2.4 IG)
D Incorrect: A non-disclosure agreement should have an expected duration but that may be whatever duration is appropriate, not just a year. (ISO
27002, 13.2.4 b)
3 A Incorrect: A non-disclosure agreement should consider the responsibilities and actions of signatories to avoid unauthorized information
disclosure. (ISO 27002, 13.2.4 d)
B Incorrect: If there are any special information handling requirements then the non-disclosure agreement should set them out. Otherwise
enforcement action is only likely to be possible after information has been disclosed. (ISO 27002, 13.2.4 IG)
C Incorrect: If the information is disclosed, the breach of any special information handling requirements will be relevant. However, a lack of them
will not preclude the agreement being enforced. (ISO 27002, 13.2.4 IG)
D Correct: When identifying requirements for confidentiality or non-disclosure agreements, the responsibilities and actions of signatories to
avoid unauthorized information disclosure should be considered. (ISO 27002, 13.2.4 d)
4 A Incorrect: A non-disclosure agreement is applicable to employees of an organization as well as external parties. (ISO 27002, 13.2.4 IG)
B Incorrect: The fact that marketing staff may need to disclose confidential information is actually a reason for having a non-disclosure agreement.
An NDA can set out the permitted use of confidential information and how it may be disclosed by marketing staff. (ISO 27002, 13.2.4 f)
C Correct: It is good practice for employees with access to confidential information to be required to sign a non-disclosure agreement. (ISO
27002, 7.1.2 a). An NDA can set out permitted use of the confidential information and how it may be disclosed by marketing staff. (ISO
27002, 13.2.4 IG, f)
D Incorrect: It is good practice for everyone with access to confidential information to be required to sign a non-disclosure agreement (ISO 27002,
7.1.2 a). It is not appropriate for all interested parties to sign non-disclosure agreements as some will not have access to confidential
information or will be outside the control of the organization.
Question: 4, Syllabus: AR, Part: D, Type: AR, SyllabusRef: AR0414 AR0418 AR0415, Level: 4
1 Assertion: True. System and acceptance testing usually requires substantial volumes of realistic test data. All sensitive details and content should be protected by removal or modification. (ISO 27002, 14.3.1 IG, OI)
  Reason: False. User acceptance testing should be performed in a realistic test environment to ensure that the system will not introduce vulnerabilities to the organization's environment. (ISO 27002, 14.2.9 IG)
2 Assertion: True. The organization shall perform an information security risk assessment when significant changes are proposed or occur. (ISO 27001, 8.2)
  Reason: True. Contractors should be required to report any observed information security weaknesses in systems or services. (ISO 27002, 16.1.3). Both are true but the answer is B as the reason does not explain why the assertion is required.
3 Assertion: True. Relevant legislative, regulatory and contractual requirements and the organization's approach to meet those requirements should be explicitly identified, documented and kept up to date. (ISO 27002, 18.1.1)
  Reason: True. Supplier agreements should describe the information to be provided. (ISO 27002, 15.1.2 a). The dairy farm supplier agreements must be updated to document any new information required as a result of the new regulations to maintain compliance with ISO 27002, 15.1.2 a. The answer is therefore A.
4 Assertion: False. The requirement to retain data is a policy requirement relating to regulations and legislation and should therefore be recorded in the policy. (ISO 27002, 5.1.1 b)
  Reason: True. Data retention is a control required to comply with the regulatory obligation and will be documented in the supplier agreement. (ISO 27002, 18.1.3, 15.1.2 c)
5 Assertion: True. It is appropriate to include a supplier's obligation to deliver an independent report on the effectiveness of controls. (ISO 27002, 15.1.2 o)
  Reason: True. It is the organization's management who are responsible for the effectiveness of information security controls. (ISO 27002, 18.2.1). Requiring the supplier to provide an independent penetration test report would be an appropriate method of review. Therefore the answer is A.
SUPPLEMENTARY PAPER
Information Security Management Qualification using ISO/IEC 27001
Supplementary reference paper
for ISO/IEC 27001 Foundation and Practitioner qualifications
April 2014

Version 2.0 Page 1 of 11 Owner: Chief Examiner
© The APM Group Ltd 2014. The APMG-International ISO/IEC 27001 and Swirl Device logo is a Trade Mark of The APM Group Limited. This document is not to be reproduced or re-sold without express permission from The APM Group Ltd.
Document History
Version 1.0, 28 Nov 2012. Updates made: 1st issue. Issued by Andrew Marlow.
Version 2.0, 20 March 2014. Updates made: 1. Updated for the 2013 edition of ISO/IEC 27001, 27002 and the 2014 edition of ISO/IEC 27000; 2. Updated to fit with the revised ISO/IEC 27001 Foundation syllabus V2.0; 3. Updated to fit with the newly launched ISO/IEC 27001 Practitioner qualification. Issued by Andrew Marlow.

Permission to reproduce extracts from ISO/IEC 27000:2014, ISO/IEC 27000:2012 & ISO/IEC 27003:2010 is granted by BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hardcopies only: Tel: +44 (0)20 8996 9001, Email: cservices@bsigroup.com.

1 Introduction
Note: in the following text, ‘ISMS’ refers to an information security management system for ISO/IEC
27001.

This supplementary reference paper includes information which is referenced in the syllabus
document for the Foundation and Practitioner ISO/IEC 27001 qualifications. This information is
supplementary to and needs to be read in conjunction with other reference material which is defined
in the syllabus for the qualification.

The target audience for this document is:

- APMG exam panel
- APMG exam board
- APMG assessment team
- Accredited Training Organizations (ATOs)
- Delegates of the ISO/IEC 27001 Foundation and Practitioner qualifications

2 Overview - supplementary information

2.1 Compatibility of ISMS with other management system standards, specifically ISO 9001 for quality management (Foundation OV0102)
ISO/IEC 27013 provides information as follows:
- Many organizations achieve certification to both ISO 9001 and ISO/IEC 27001
- It is possible to develop an integrated management system for both standards

2.2 Compatibility of ISMS with other management system standards, specifically ISO/IEC 20000-1 for service management (Foundation OV0103)
ISO/IEC 27013 provides information as follows:
- Many organizations achieve certification to both ISO/IEC 27001 and ISO/IEC 20000-1
- It is possible to develop an integrated management system for both standards
- It is important to note that the information security management process in ISO/IEC 20000-1 is a subset of ISO/IEC 27001. It also contains some requirements that are not in ISO/IEC 27001
- There are some differences in terminology and the handling of information security incidents
- ISO/IEC 27013 provides guidance on the integration of ISO/IEC 27001 and ISO/IEC 20000-1

2.3 Definitions (Foundation OV0104 and general usage in the practitioner paper)
The following terms and definitions from ISO/IEC 27000:2012 are useful as they are not defined in
ISO/IEC 27000:2014:

Asset - Anything that has value to the organization

NOTE: There are many types of assets, including:
a) Information;
b) Software, such as a computer program;
c) Physical, such as computer;
d) Services;
e) People, and their qualifications, skills, and experience; and
f) Intangibles, such as reputation and image.

Information security management system (ISMS) - Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security

NOTE: The management system includes organizational structure, policies, planning activities,
responsibilities, practices, procedures, processes and resources.

2.4 The APMG qualification scheme and the principles of ISO/IEC 27001 certification schemes (Foundation OV0108)
Source of information: ITSMF pocket guide, Planning and achieving ISO/IEC 20000 certification. The same principles apply to ISO/IEC 27001.
- Qualification schemes are for individuals. A qualification scheme provides the syllabus and examinations for ATOs and delegates. This qualification will cover details of the APMG scheme. The APMG qualification scheme has examinations at Foundation and Practitioner level. There are also other schemes operated by other organizations.
- Certification schemes are for organizations. There are several ISO/IEC 27001 certification schemes around the world. The certification schemes allow organizations to be certified to ISO/IEC 27001 after being independently assessed by a CB (Certification Body) for meeting all of the requirements of ISO/IEC 27001.
- According to ISO/IEC 17021, external audits for certification have 2 stages:
  - Document review, on-site or remote
  - On-site audit

2.5 The roles and responsibilities of the organizations and entities involved in ISO/IEC 27001 Qualification and Certification Schemes (Foundation OV0202)
Source of information: ITSMF pocket guide, Planning and achieving ISO/IEC 20000 certification. The same principles apply to ISO/IEC 27001.
a) APMG International
- Owns, manages and operates the APMG International ISO/IEC 27001 qualification scheme worldwide
- Accredits ATOs for the qualification scheme

b) Certification Bodies (CBs)
- Employ auditors who carry out formal assessments against ISO/IEC 27001 for organizations wishing to achieve certification under a certification scheme
- The CB is registered under certification schemes to demonstrate auditor independence and competence in ISMS
- CBs check and approve applications for audit and scope definitions for organizations
- CBs issue certificates to organizations who have been assessed as meeting the requirements of ISO/IEC 27001
- CBs may not provide guidance and consultancy to organizations where they are also acting as auditors
- CBs can perform a readiness assessment to look at readiness for certification
- CBs can provide training. This is usually in topics such as internal auditing or lead auditor but can also cover an overview of ISO/IEC 27001

c) National Accreditation Bodies (NABs)
- NABs oversee the operation of Certification Bodies in their geography and ensure that they meet requirements of relevant national and international standards
- To be accredited, CBs must be accredited by their NAB to confirm their competence as a certification body. They will then be known as an Accredited Certification Body (ACB)

d) Accredited Training Organizations (ATOs)
- The ATO, its trainers and courses are accredited by APMG under the APMG qualification scheme to provide training based on ISO/IEC 27001
- ATOs are subject to regular audit under the qualification scheme by APMG

e) Practitioner
- Practitioner is a generic term for individuals involved in carrying out aspects of the many activities in information security management. They can be involved in the planning, design, transition and operation of an ISMS that satisfies the requirements of ISO/IEC 27001. Examples are manager for an ISO/IEC 27001 implementation project, process owner, asset manager

f) Consultant
- Consultants are external experts who assist organizations in their development and improvement of an ISMS and achievement of certification to ISO/IEC 27001

g) Internal Auditor
- Auditors within an organization are known as internal auditors
- Internal auditors conduct audits of the ISMS within their own organization
- Internal auditors must demonstrate objectivity and impartiality (usually done by not auditing their own work)
- Practitioners and consultants may act as an internal auditor on behalf of an organization
- Internal auditors speak to the organization’s staff and may additionally speak to customers, suppliers and internal groups to gather evidence

h) External Auditor
- Conduct formal audits on behalf of a CB
- CB auditors will only speak to the organization’s staff, or other parties within the ISMS scope acting on behalf of the organization, to gather evidence, not to suppliers or other staff external to the scope of the ISMS
- Practitioners and consultants may act as an external auditor on behalf of a CB but may not audit their own work

3 Information security controls – supplementary information
3.1 The structure and contents of the controls and control objectives listed in Annex
A of ISO/IEC 27001 (Foundation CO0101)
ISO/IEC 27002, 4 states that ‘ISO/IEC 27001 contains 14 security control clauses collectively
containing a total of 35 main security categories and 144 controls’.

(Note that the introduction to Annex A in ISO/IEC 27001 refers to Clause 6.1.3. To be exact, 6.1.3 is a
sub-sub-clause).

There are 14 security control clauses.

Each security control clause is split into one or more security categories, each with a control objective.

Each security category is split into one or more controls which have a name and a description.

As an example, A.5 from ISO/IEC 27001 is shown with the name of each item in BOLD CAPITAL in square brackets.

A.5 Information security policies. [SECURITY CONTROL CLAUSE]

A.5.1 Management direction for information security. [SECURITY CATEGORY]
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. [CONTROL OBJECTIVE]

A.5.1.1 Policies for information security [CONTROL NAME]
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. [CONTROL DESCRIPTION]

A.5.1.2 Review of the policies for information security [CONTROL NAME]
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. [CONTROL DESCRIPTION]

4 Achieving ISO/IEC 27001 Certification – supplementary information

4.1 The types of audits (Foundation AC0101, AC0201, AC0202)
The sources of information are ISO 19011, ISO/IEC 17000 and ISO/IEC 17021.

Type of Audit | Description
Initial certification audit | Conducted by a CB to do the first assessment of conformity against ISO/IEC 27001. In typical certification schemes, the certificate issued following a successful outcome lasts for 3 years.
Re-certification audit | Conducted by a CB after 3 years to do a further full assessment of conformity against ISO/IEC 27001. In typical certification schemes, the certificate issued following a successful outcome lasts for 3 years.
Surveillance audit | Conducted by a CB and carried out at least annually to assess and ensure continued conformity. It ensures that representative areas of the management system are monitored on a regular basis. This is a shorter audit than the initial and re-certification audits. It focuses on improvements, internal audits, management review, complaints, operational control, effectiveness of the ISMS against information security objectives, areas of major change and any weaknesses identified during the previous audit.
Internal audit | See first party audit below. An internal audit will meet the requirements of Clause 9.2 for ISO/IEC 27001.
First party audit | Audit using the organization’s own resources, or external consultants acting on their behalf, usually referred to as an internal audit.
Second party audit | Audit by a person or organization that has a user interest in the organization, e.g. customer.
Third party audit | Audit by a conformity assessment organization usually referred to as a certification body. They are independent of and have no user interest in the organization.

4.2 The outcomes of an audit (Foundation AC0102)
The outcomes, from ISO/IEC 17021, are identified by external and internal auditors.

a) Conformity
- Defined term in ISO/IEC 27000 as ‘fulfilment of a requirement’
- The requirements of ISO/IEC 27001 have been met

b) Nonconformity
- Defined term in ISO/IEC 27000 as ‘non-fulfilment of a requirement’
- Nonconformities can be graded into minor and major
- A major nonconformity is a failure to fulfil one or more requirements of ISO/IEC 27001 or a situation that raises significant doubt about the ability of the organization’s management system to achieve its intended outputs. For example, management reviews are not held
- All other nonconformities are minor. For example, two documents are found with the wrong version number but all other documents are correct
- Nonconformities are recorded against a specific requirement in ISO/IEC 27001 and must have supporting evidence

c) Observation
- A conformity to the standard where there is an opportunity for improvement
- An observation is a recommendation for improvement but does not have to be actioned

d) Outside of the audit scope
- An area which is not in the scope of the standard and therefore does not need to be audited

4.3 The evidence used to demonstrate conformity to ISO/IEC 27001 (Foundation AC0203)
The main audit evidence is in the form of documented information which is required in ISO/IEC
27001, 7.5. Documented information is defined in ISO/IEC 27000, 2.23 as:

Documented information
Information required to be controlled and maintained by an organization (2.57) and the medium on
which it is contained

Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (2.46), including related processes (2.61);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).

Audit evidence may be qualitative or quantitative (see ISO 19011) and must be verifiable. Some audit
evidence may be collected by sampling.
Conformity must be shown to the requirements in ISO/IEC 27001:2013. In addition, for ISMS, there
are requirements for certification in ISO/IEC 27006 which is aimed at CBs.

4.4 The organization’s preparation for and participation in a certification audit (Foundation AC0204)
Based on ISO/IEC 17021, the organization’s preparation for a certification audit covers the following activities:

- Agree applicability and scope with the auditor
- Agree dates with auditor
- Ensure locations and relevant staff are available
- Prepare logistics – rooms, security access for the auditor, who will accompany the auditor at all stages etc.
- Prepare all documentation (documents and any requested records) for the stage 1 audit (unlikely to be needed for a surveillance audit)
- Ensure all records are readily available for the stage 2 audit
- Prepare staff for the audit
- Participate in the audit
- Undertake follow-up activities
- Maintain conformity including ensuring that internal audits, management reviews and improvements take place
- Consider extending scope which can be done at a surveillance or re-certification audit

4.5 The process used by an accredited certification body to conduct certification audits for ISMS (Foundation AC0205)
Based on ISO/IEC 17021, the auditor will:
- Initiate the audit by validating the applicability and scope, planning the locations to be visited, roles to be interviewed and number of days
- Agree dates in advance with organization
- Undertake stage 1 audit - document review
- Prepare on-site audit, taking into account findings of document review as well as scope
- Undertake stage 2 audit on-site. Methods of collecting evidence are interview, observation of activities and review of records.
- CB auditors will only speak to the organization’s staff or other parties in the scope of the ISMS and acting on behalf of the organization. (Note that internal auditors may additionally want to speak to customers, suppliers and internal groups to gather evidence)
- Present audit findings along with dates for follow up on any nonconformities
  - Major nonconformities mean the audit is failed and will need to be rescheduled
  - Minor nonconformities need an agreed action plan
- Prepare, approve and distribute the audit report
- Complete the audit and issue the certificate if successful
- Conduct audit follow-up to review nonconformity actions

5 List of exemplified Roles and Responsibilities for Information Security (Practitioner LE0205, LE0302, LE0402)
This table is used for the practitioner paper in the LE syllabus area. This information is taken directly from ISO/IEC 27003:2010, Table B.1

Table B.1 — List of exemplified Roles and Responsibilities for Information Security

Role | Brief Description of Responsibility
Senior Management (e.g. COO, CEO, CSO and CFO) | For vision, strategic decisions and coordinates activities to direct and control the organization.
Line Managers | Has the top responsibility for organizational functions.
Chief Information Security Officer | Has the overall responsibility and governance for information security ensuring the correct handling of information assets.
Information Security Committee (member of) | Handling the information assets and has a leading role for the ISMS in the organization.
Information Security Planning Team (member of) | During operations while the ISMS is being established. The planning team works across departments and resolves conflicts until the ISMS is established.
Stakeholder | In the context of the other roles’ descriptions concerning information security, the stakeholder is primarily here defined as persons/bodies outside the normal operations – such as the board, owners (both in terms of organizational owners if the organization is part of a group or a government organization, and/or direct owners such as shareholders in a private organization). Other examples of stakeholders could be affiliated companies, clients, suppliers or more public organizations such as governmental financial control agencies or relevant stock exchange, if the organization is listed.
System administrator | The system administrator is responsible for an IT system.
IT Manager | The manager of all IT resources (e.g. IT department Manager).
Physical Security | The person responsible for the physical security, e.g. buildings etc., often referred to as a Facility Manager.
Risk Management | The person/persons responsible for the organization’s risk management framework including risk evaluation, risk treatment and risk monitoring.
Legal Advisor | Many information security risks have legal aspects and the legal advisor is responsible for taking these into consideration.
Human Resources | The person/persons with overall responsibility for the staff.
Archive | All organizations have archives containing vital information that needs to be stored for the long term. The information may be located on multiple types of media and a specific person should be responsible for the security of this storage.
Personal Data | If required by national law, there may be a person responsible for being the contact for data inspection board or similar official organization that oversees personal integrity and privacy issues.
System developer | If an organization develops their own information systems, someone has the responsibility for this development.
Specialist / Expert | The specialists and experts responsible for some operations in an organization should be referred to in terms of their intention about ISMS matters as it relates to use in their specific fields.
External Consultant | External consultants can give advice based on their macroscopic points of view of an organization and industry experience. However, consultants may not have the depth knowledge of the organization and operations of the organization.
Employee / Staff / User | Each employee is equally responsible for maintaining information security in the workplace and in his/her environment.
Auditor | The auditor is responsible for assessing and evaluating the ISMS.
Trainer | The trainer implements training and awareness programs.
Local IT or IS responsible | In a larger organization there is often somebody in the local organization that has local responsibility for IT matters, and possibly for information security as well.
Champion (Influential Person) | This is not a responsible role as such, but in a larger organization it may be of great help in the implementing stage to have people who have a deep knowledge about the implementation of an ISMS and can support the understanding and reasons behind the implementation. They may influence the opinion in a positive way and may also be called “Ambassadors”.

6 Define roles & responsibilities for the preliminary ISMS scope (Practitioner LE0204, LE0301, LE0401)
This section is used for the Practitioner paper in the LE syllabus area. This information is taken
directly from ISO/IEC 27003, 5.3.2.

Activity
The overall roles and responsibilities for the preliminary ISMS scope should be defined.

Input
a) Output from Activity 5.3.1 Develop the preliminary ISMS scope
b) List of stakeholders who will benefit from results of the ISMS project.

Guidance
In order to execute the ISMS project, the role of an organization for the project should be determined.
The role generally is different at each organization, because of the number of people dealing with
information security. The organizational structure and resources for information security vary with the
size, type and structure of the organization. For example, in a smaller organization, several roles may
be carried out by the same person. However, management should explicitly identify the role (typically
Chief Information Security Officer, Information Security Manager or similar) with overall responsibility
for managing information security, and the staff should be assigned roles and responsibilities based
on the skill required to perform the job. This is critical to ensure that the tasks are carried out
efficiently and effectively.

The most important considerations in the definition of roles in information security management are:

a) Overall responsibility for the tasks remains at the management level,
b) One person (usually the Chief Information Security Officer) is appointed to promote and co-ordinate the information security process,
c) Each employee is equally responsible for his or her original task and for maintaining information security in the workplace and in the organization.

The roles for managing information security should work together; this may be facilitated by an
Information Security Forum, or similar body.

Collaboration with appropriate business specialists should be undertaken (and documented) at all
stages of the development, implementation, operation and maintenance of the ISMS.

Representatives from departments within the identified scope (such as risk management) are
potential ISMS implementation team members. This team should be maintained at the smallest
practical size for speed and effective use of resources. Such areas are not only those directly
included in the ISMS scope, but also the indirect divisions, such as legal, risk management and
administrative departments.

Output
The deliverable is a document or table describing the roles and responsibilities with the names and
organization needed to successfully implement an ISMS.

>>
GLOSSARY

Term | Definition
Absorbed overhead | Overhead that, by means of absorption rates, is included in costs of specific products or saleable services, in a given period of time. Under- or over-absorbed overhead: the difference between overhead cost incurred and overhead cost absorbed; it may be split into its two constituent parts for control purposes.
Absorption costing | A principle whereby fixed as well as variable costs are allotted to cost units and total overheads are absorbed according to activity level. The term may be applied where production costs only, or costs of all functions are so allotted.
Action lists | Defined actions, allocated to recovery teams and individuals, within a phase of a plan. These are supported by reference data.
Alert phase | The first phase of a business continuity plan in which initial emergency procedures and damage assessments are activated.
Allocated cost | A cost that can be directly identified with a business unit.
Application Sizing | The process which estimates the resource requirements to support a proposed application change or new application, to ensure that it meets its required service levels.
Apportioned cost | A cost that is shared by a number of business units (an indirect cost). This cost must be shared out between these units on an equitable basis.
Asset | Component of a business process. Assets can include people, accommodation, computer systems, networks, paper records, fax machines, etc.
Asset Management | The management of Assets.
Assurance | The processes by which an organization can verify the accuracy and completeness of its BCM.
Attribute | Characteristic of a CI held on the CMDB.
Audit | A test to ensure a certain function or process is functioning according to the descriptions.
Availability | Ability of a component or service to perform its required function at a stated instant or over a stated period of time. It is usually expressed as the availability ratio, i.e. the proportion of time that the service is actually available for use by the Customers within the agreed service hours.
Availability Management | The process that optimizes the capability of the IT infrastructure and supporting organization to deliver a cost effective and sustained level of availability that enables the business to satisfy its business objectives.
Baseline | Snapshot of the state of a CI (CMDB) and related CIs at a point in time.
BCM activity | An action or series of actions as part of a BCM process.
BCM Lifecycle | The complete set of activities and processes necessary to manage business continuity, divided into four stages.
BCM process | A set of activities with defined deliverables forming a discrete part of the BCM lifecycle.
Budgeting | The process of predicting and controlling the spending of money within the enterprise and consists of a periodic negotiation cycle to set budgets (usually annual) and the day-to-day monitoring of the current budgets.
Build | The final stage in producing a usable configuration. The process involves taking one or more input Configuration Items and processing them (building them) to create one or more output Configuration Items, e.g. software compile and load.
Business Capacity Management | This sub-process is responsible for ensuring that the future business requirements for IT services are considered, planned and implemented in a timely fashion.
Business function | A business unit within an organization, e.g. a department, division, branch.
Business process | A group of business activities undertaken by an organization in pursuit of a common goal. Typical business processes include receiving orders, marketing services, selling products, delivering services, distributing products, invoicing for services, accounting for money received. A business process will usually depend upon several business functions for support, e.g. IT, personnel, accommodation. A business process will rarely operate in isolation, i.e., other business processes will depend on it and it will depend on other processes.
Business recovery objective | The desired time within which business processes should be recovered, and the minimum staff, assets and services required within this time.
Business recovery plan framework | A template business recovery plan (or set of plans) produced to allow the structure and proposed contents to be agreed before the detailed business recovery plan is produced.
Business recovery plans | Documents describing the roles, responsibilities and actions necessary to resume business processes following a business disruption.
Business recovery team | A defined group of personnel with a defined role and subordinate range of actions to facilitate recovery of a business function or process.
Business Relationship Management | Deals primarily with managing the relationships between Customers and IT Service Providers, and also with the communication that takes place between the two.
Business unit | A segment of the business entity by which both revenues are received and expenditure are caused or controlled, such revenues and expenditure being used to evaluate segmental performance.
Call | A contact with the Service Desk.
Capacity Database, CDB | A Database that will hold the information needed by all the sub-processes within Capacity Management.
Capacity Management | The process that is responsible for ensuring that IT processing and storage capacity matches the evolving demands of the business in the most cost-effective and timely manner.
Capacity Planning | Process to provide plans and reports to meet current and future business workloads.
Capital Costs | Typically those applying to the physical (substantial) assets of the organization. Traditionally this was the accommodation and machinery necessary to produce the enterprise’s product. Capital Costs are the purchase or major enhancement of fixed assets, for example computer equipment (building and plant) and are often also referred to as ‘one-off’ costs.
Term Definition

Capital investment appraisal: The process of evaluating proposed investment in specific fixed assets and the benefits to be obtained from their acquisition. The techniques used in the evaluation can be summarized as non-discounting methods (i.e. simple pay-back), return on capital employed and discounted cash flow methods (i.e. yield, net present value and discounted pay-back).

Capitalization: Many organizations choose to identify major expenditure as Capital, whether there is a substantial asset or not, to reduce the impact of such expenditure on the current financial year; this is referred to as ‘Capitalization’. The most common item for this to be applied to is software, whether developed in-house or purchased.

Category: Classification of a group of Configuration Items, Change documents or problems.


Change Management: Process of controlling Changes to the infrastructure or any aspect of services, in a controlled manner, enabling approved Changes with minimum disruption.

Change: The addition, modification or removal of approved, supported or baselined hardware, network, software, application, environment, system, desktop build or associated documentation.

Change Advisory Board: A group of people who can give expert advice to Change Management on the implementation of Changes. This board is likely to be made up of representatives from all areas within IT and representatives from business units.

Change Advisory Board Emergency Committee: A group of people who can give expert advice to Change Management on the implementation of Changes in emergency situations.


Change authority: A group that is given the authority to approve Change, e.g. by the project board. Sometimes referred to as the Configuration Board.

Change control: The procedure to ensure that all Changes are controlled, including the submission, analysis, decision making, approval, implementation and post-implementation review of the Change.

Change document: Request for Change, Change control form, Change order, Change record.

Change history: Auditable information that records, for example, what was done, when it was done, by whom and why.

Change log: A log of Requests for Change raised during the project, showing information on each Change, its evaluation, what decisions have been made and its current status, e.g. Raised, Reviewed, Approved, Implemented, Closed.

Change Management: Process of controlling changes to the infrastructure or services with minimum disruption.

Change record: A record containing details of which CIs are affected by an authorized Change (planned or implemented) and how.

Channel: The physical connection from the CPU to an I/O device, usually a controller, or indeed another CPU.

Chargeable Unit: Business work units to which charges can be attached.

Charging: The process of establishing charges in respect of business units, and raising the relevant invoices for recovery from customers.

CI Level: The detail level of a CI.

Classification: Process of formally grouping Configuration Items by type, e.g. software, hardware, documentation, environment, application.

Classification: Process of formally identifying Changes by type, e.g. project scope change request, validation change request, infrastructure change request.

Classification: Process of formally identifying incidents, problems and known errors by origin, symptoms and cause.

Closure: When the Customer is satisfied that an incident has been resolved.

Cold stand-by: See ‘Gradual Recovery’.

Command, control and communications: The processes by which an organization retains overall co-ordination of its recovery effort during invocation of business recovery plans.

Configuration Baseline: Configuration of a product or system established at a specific point in time, which captures both the structure and details of the product or system, and enables that product or system to be rebuilt at a later date. A snapshot or a position, which is recorded. Although the position may be updated later, the baseline remains unchanged and available as a reference of the original state and as a comparison against the current position (PRINCE2).

Configuration control: Activities comprising the control of Changes to Configuration Items after formally establishing their configuration documents. It includes the evaluation, co-ordination, approval or rejection of Changes. The implementation of Changes includes changes, deviations and waivers that impact on the configuration.

Configuration documentation: Documents that define requirements, system design, build, production, and verification for a configuration item.

Configuration identification: Activities that determine the product structure, the selection of Configuration Items, and the documentation of the Configuration Item’s physical and functional characteristics including interfaces and subsequent Changes. It includes the allocation of identification characters or numbers to the Configuration Items and their documents. It also includes the unique numbering of configuration control forms associated with Changes and Problems.

Configuration item (CI): Component of an infrastructure - or an item, such as a Request for Change, associated with an infrastructure - which is (or is to be) under the control of Configuration Management. CIs may vary widely in complexity, size and type - from an entire system (including all hardware, software and documentation) to a single module or a minor hardware component.

Configuration Management Database (CMDB): A database which contains all relevant details of each CI and details of the important relationships between CIs.

Configuration Management Tool (CM Tool): A software product providing automatic support for Change, Configuration or version control.

Configuration Management: The process of identifying and defining the Configuration Items in a system, recording and reporting the status of Configuration Items and Requests for Change, and verifying the completeness and correctness of configuration items.

Configuration Management plan: Document setting out the organization and procedures for the Configuration Management of a specific product, project, system, support group or service.

Configuration Structure: A hierarchy of all the CIs that comprise a configuration.

Contingency Plan: Plan detailing actions and procedures to be followed in the event of a major disaster.

Contingency Planning: Planning to address unwanted occurrences that may happen at a later time. Traditionally, the term has been used to refer to planning for the recovery of IT systems rather than entire business processes.

Contract: Document between two bodies (i.e. with external suppliers) with separate legal existence.

Cost: The amount of expenditure (actual or notional) incurred on, or attributable to, a specific activity or business unit.

Cost center: IT is budgeted and there is soft charging for specific services; it is concerned with input and output costs.

Cost effectiveness: Ensuring that there is a proper balance between the quality of service on the one side and expenditure on the other. Any investment that increases the costs of providing IT services should always result in enhancement to service quality or quantity.

Cost management: The term used in this module to describe the procedures, tasks and deliverables that are needed to fulfill an organization’s costing and charging requirements.

Cost unit: The cost unit is a functional cost unit which establishes standard cost per workload element of activity, based on calculated activity ratios converted to cost ratios.

Costing: The process of identifying the costs of the business and of breaking them down and relating them to the various activities of the organization.

Crisis management: The processes by which an organization manages the wider impact of a disaster, such as adverse media coverage.

Customer: Recipient of the service; usually the Customer management has responsibility for the cost of the service, either directly through charging or indirectly in terms of demonstrable business need.

Definitive Hardware Store (DHS): The area for the secure storage of definitive hardware spares. These are spare components and assemblies that are maintained at the same level as the comparative systems within the live environment.

Definitive Software Library (DSL): The library in which the definitive authorized versions of all software CIs are stored and protected. It is a physical library or storage repository where master copies of software versions are placed. This one logical storage area may in reality consist of one or more physical software libraries or file stores. They should be separate from development and test file store areas. The DSL may also include a physical store to hold master copies of bought-in software, e.g. a fireproof safe. Only authorized software should be accepted into the DSL, strictly controlled by Change and Release Management. The DSL exists not directly because of the needs of the Configuration Management process, but as a common base for the Release Management and Configuration Management processes.

Delta Release: A Delta, or partial, Release is one that includes only those CIs within the Release unit that have actually changed or are new since the last full or Delta Release. For example, if the Release unit is the program, a Delta Release contains only those modules that have changed, or are new, since the last full release of the program or the last Delta Release of the modules - see also ‘Full Release’.

Demand Management: See Business Capacity Management.

Dependency: The reliance, either direct or indirect, of one process or activity upon another.

Depreciation: Depreciation is the loss in value of an asset due to its use and/or the passage of time. The annual depreciation charge in accounts represents the amount of capital assets used up in the accounting period. It is charged in the cost accounts to ensure that the cost of capital equipment is reflected in the unit costs of the services provided using the equipment. There are various methods of calculating depreciation for the period, but the Treasury usually recommends the use of current cost asset valuation as the basis for the depreciation charge.

Differential charging: Charging business customers different rates for the same work, typically to dampen demand or to generate revenue for spare capacity. This can also be used to encourage off-peak or nighttime running.

Direct cost: A cost which is incurred for, and can be traced in full to, a product, service, cost center or department. This is an allocated cost. Direct costs are direct materials, direct wages and direct expenses.

Disaster recovery planning: A series of processes that focus only upon the recovery processes, principally in response to physical disasters that are contained within BCM.

Discounted cash flow: An evaluation of the future net cash flows generated by a capital project by discounting them to their present-day value. The two methods most commonly used are: a) yield method, for which the calculation determines the internal rate of return (IRR) in the form of a percentage; b) net present value (NPV) method, in which the discount rate is chosen and the answer is a sum of money.

Discounting: The offering to business customers of reduced rates for the use of off-peak resources (see also Surcharging).

Downtime: The time an agreed service is not available.

Elapsed Time: Time from the start of an incident, whilst the incident is not yet resolved.

Elements of cost: The constituent parts of costs according to the factors upon which expenditure is incurred, i.e. materials, labor and expenses.

Emergency Release: A release that is urgently implemented, mostly because of an outstanding incident.

End-User: See ‘User’.

Environment: A collection of hardware, software, network communications and procedures that work together to provide a discrete type of computer service. There may be one or more environments on a physical platform, e.g. test, production. An environment has unique features and characteristics that dictate how it is administered in similar, yet diverse manners.

Error Control: Error control covers the processes involved in progressing Known Errors until they are eliminated by the successful implementation of a Change under the control of the Change Management process. The objective of error control is to be aware of errors, to monitor them and to eliminate them when feasible and cost-justifiable.

Expert User: See ‘Super User’.

External Target: One of the measures against which a delivered IT service is compared, expressed in terms of the customer’s business.

Fault tree analysis: Technique to analyze the availability of a system.

Financial Management for IT Services: Financial Management is the sound stewardship of the monetary resources of the enterprise. It supports the enterprise in planning and executing its business objectives and requires consistent application throughout the enterprise to achieve maximum efficiency and minimum conflict.

Financial year: The financial year is an accounting period covering 12 consecutive months. In the public sector this financial year will generally coincide with the fiscal year, which runs from 1 April to 31 March.

First Line Support: Often, departments and (specialist) support groups other than the Service Desk are referred to as second- or third-line support groups, having more specialist skills, time or other resources to solve Incidents. In this respect, the Service Desk would be first-line support.

Fortress approach: IT site made as disaster-proof as possible.

Forward Schedule of Changes: Contains details of all the Changes approved for implementation and their proposed implementation dates. It should be agreed with the Customers and the business, Service Level Management, the Service Desk and Availability Management. Once agreed, the Service Desk should communicate to the User community at large any planned additional downtime arising from implementing the Changes, using the most effective methods available.

Full absorption costing: A principle where fixed and variable costs are allocated to cost units and overhead costs are absorbed according to activity levels.

Full cost: Full cost is the total cost of all the resources used in supplying a service, i.e. the sum of the direct costs of producing the output, a proportional share of overhead costs and any selling and distribution expenses. Both cash costs and notional (non-cash) costs should be included, including the cost of capital. Calculated as a total cost of ownership (including depreciation / planned renewal).

Full Release: All components of the Release unit are built, tested, distributed and implemented together - see also ‘Delta Release’.

Functional Escalation: Escalation or referral to more or other knowledge.

Gradual Recovery: Previously called ‘Cold stand-by’, this is applicable to organizations that do not need immediate restoration of business processes and can function for a period of up to 72 hours, or longer, without a re-establishment of full IT facilities. This may include the provision of empty accommodation fully equipped with power, environmental controls and local network cabling infrastructure, telecommunications connections, and available in a disaster situation for an organization to install its own computer equipment.

Hard charging: Descriptive of a situation where, within an organization, actual funds are transferred from the customer to the IT directorate in payment for the delivery of IT services.

Service Desk: The single point of contact within the IT directorate for users of IT services.

Hierarchical Escalation: Escalation to a higher hierarchical layer.

Hot stand-by: See ‘Immediate Recovery’.

Immediate Recovery: Previously called ‘Hot stand-by’, provides for the immediate restoration of services following any irrecoverable incident. It is important to distinguish between the previous definition of ‘hot standby’ and ‘immediate recovery’. Hot standby typically referred to availability of services within a short timescale such as 2 or 4 hours, whereas immediate recovery implies the instant availability of services.

Impact: Measure of the business criticality of a Change. Often equal to the extent to which a Change can lead to distortion of agreed or expected service levels.

Impact: Measure of the business criticality of an Incident. Often equal to the extent to which an Incident leads to distortion of agreed or expected service levels.

Impact: Measure of the business criticality of a Problem. Often equal to the extent to which the Problem will benefit the business once implemented successfully.

Impact analysis: The identification of critical business processes, and the potential damage or loss that may be caused to the organization resulting from a disruption to those processes. Business impact analysis identifies the form the loss or damage will take; how that degree of damage or loss is likely to escalate with time following an incident; the minimum staffing, facilities and services needed to enable business processes to continue to operate at a minimum acceptable level; and the time within which they should be recovered. The time within which full recovery of the business processes is to be achieved is also identified.

Impact scenario: Description of the type of impact on the business that could follow a business disruption. Will usually be related to a business process and will always refer to a period of time, e.g. customer services will be unable to operate for two days.

Incident: Any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service.

Incident Life Cycle: All activities from the moment an incident happens to the moment an incident is closed.

Incident Management: The process that seeks to restore normal service operation as quickly as possible and that minimizes the adverse impact on business operations, thus ensuring that the best possible levels of service quality and availability are maintained. ‘Normal service operation’ is defined here as service operation within Service Level Agreement (SLA) limits.

Indirect cost: An indirect cost is a cost incurred in the course of making a product, providing a service or running a cost center or department, but which cannot be traced directly and in full to the product, service or department, because it has been incurred for a number of cost centers or cost units. These costs are apportioned to cost centers/cost units. Indirect costs are also referred to as overheads.

Intelligent customer: The purchaser (as distinct from the provider) of services. The term is often used in relation to the outsourcing of IT/IS.

Intermediate Recovery: Previously called ‘Warm stand-by’, will typically involve the re-establishment of the critical systems and services within a 24 to 72 hour period, and will be used by organizations that need to recover IT facilities within a predetermined time to prevent impacts to the business process.

Internal target: One of the measures against which supporting processes for the IT service are compared. Usually expressed in technical terms relating directly to the underpinning service being measured.

Invocation (of business recovery plans): Putting business recovery plans into operation after a business disruption.

Invocation (of stand-by arrangements): Putting stand-by arrangements into operation as part of business recovery activities.

Invocation and recovery phase: The second phase of a business recovery plan.

ISO 9000: Guidelines and assurance of processes and procedure standards for quality assurance systems.

IT Accounting: The set of processes that enable the IT organization to fully account for the way its money is spent (particularly the ability to identify costs by customer, by service, by activity). It usually involves ledgers and should be overseen by someone trained in Accountancy.

IT Customer Relationship Management: See Business Relationship Management.

IT directorate: That part of an organization charged with developing and delivering the IT services.

IT Infrastructure: All means needed to deliver a service, e.g. hardware, software, environment, documents.

IT Service Continuity Management: The process to support the overall Business Continuity Management process by ensuring that the required IT technical and services facilities (including computer systems, networks, applications, telecommunications, technical support and service desk) can be recovered within required, and agreed, business timescales.

IT Services: Services are the deliverables of the IT Services section as perceived by the customers; the services do not consist merely of making computer resources available for customers to use.

Known Error: An Incident or Problem for which the root cause is known and for which a temporary Work-around or a permanent alternative has been identified. If a business case exists, an RFC will be raised, but, in any event, it remains a Known Error unless it is permanently fixed by a Change.

Lifecycle: A series of states, connected by allowable transitions. The lifecycle represents an approval process for Configuration Items, Incident Reports, Problem Reports and Change documents.


Live Build Environment: (Part of) the computer system used to build software releases for live use.

Live environment: (Part of) the computer system used to run software in live use.

Maintainability: Ability of a component or service to return to a state in which the desired functionality will be provided again.

Marginal cost: The variable cost of producing one extra unit of product or service. That is, the cost which would have been avoided if the unit/service was not produced/provided.

Maturity level/Milestone: See IPW™. The degree to which BCM activities and processes have become standard business practice within an organization. See the IPW Stadia Model (www.quintgroup.com).

Mean Time Between Failures: Average time between restoration of service following an incident and another incident occurring.

Mean Time Between System Incidents: Average time between incident occurrences.

Mean Time To Repair: Average downtime between an incident occurring and restoration of service/the system.

Modeling: An activity to predict the behavior of computer systems under a given volume and variety of work.

Monitoring: The registration and guarding of the utilization of each resource and service on an on-going basis to ensure the optimum use of the hardware and software resources, that all agreed service levels can be achieved, and that business volumes are as expected.

Operational Costs: Those resulting from the day-to-day running of the IT Services section, e.g. staff costs, hardware maintenance and electricity, and relate to repeating payments whose effects can be measured within a short timeframe, usually less than the 12-month financial year.

Operational level agreement: An internal agreement covering the delivery of services which support the IT directorate in their delivery of services.

Opportunity cost (or true cost): The value of a benefit sacrificed in favor of an alternative course of action. That is, the cost of using resources in a particular operation expressed in terms of foregoing the benefit that could be derived from the best alternative use of those resources.

Outsourcing: The process by which functions performed by the organization are contracted out for operation, on the organization’s behalf, by third parties.

Overheads: The total of indirect materials, wages and expenses.

Package release: A number of release units packaged together.

PD0005: Alternative title for the BSI publication ‘A Code of Practice for IT Service Management’.

Percentage utilization: Percentage utilization describes the amount of time that a hardware device is busy over a given period of time. For example, if the CPU is busy for 1800 seconds in a one-hour period, its utilization is said to be 50%.

Performance Management: The process that ensures that technical resources in the infrastructure provide the best possible value for money.

Post Implementation Review (PIR): A review to see if the change achieved what it should achieve.

Post Implementation Review (PIR): A review to see if the change that should solve the problem actually did solve the problem.

Pricing: The policy that determines how chargeable units are priced.

Prime cost: The total cost of direct materials, direct labor and direct expenses. The term prime cost is commonly restricted to direct production costs only and so does not customarily include direct costs of marketing or research and development.

PRINCE2: The standard UK government method for project management.

Priority: Sequence in which an Incident or Problem needs to be resolved, based on impact and urgency.

Proactive Problem Management: The process that tries to prevent incidents from happening.

Problem: Unknown underlying cause of one or more Incidents.

Problem Control: The Problem control process is concerned with handling Problems in an efficient and effective way. The aim of Problem control is to identify the root cause, such as the CIs that are at fault, and to provide the Service Desk with information and advice on Work-arounds when available.

Problem Management: The process that aims to minimize the adverse impact on the business of Incidents and Problems that are caused by errors within the IT Infrastructure, and to prevent recurrence of Incidents related to these errors.

Procedure: A connected series of actions or activities, performed by agents, detailed enough to make clear to an agent what he/she has to do.

Process: A connected series of actions, activities, Changes etc., performed by agents with the intent of satisfying a purpose or achieving a goal.

Process Control: The process of planning and regulating, with the objective of performing the process in an effective and efficient way.

Profit center: IT is run as a business with profit objectives.

Reciprocal Arrangement: Two organizations running on compatible infrastructure provide each other with IT resources in an emergency.

Recoverability: The ability of a system to recover. This term combines maintainability, serviceability and resilience.

Reference data: Information that supports the plans and action lists, such as names and addresses or inventories, which is indexed within the plan.

Registration: The initial and on-going recording of a CI.

Registration: The initial and on-going recording of a call.

Release: A collection of new and/or changed CIs, which are tested and introduced into the live environment together.

Release Management: The process that manages releases, both the technical and the non-technical aspects.

Release numbering: The policy that determines how releases should be numbered.

Release number: The number of a release.

Release Policy: The policy that determines how releases must be treated. It encompasses size, numbering and frequency.

Release unit: The level at which software of a given type is normally released.

Ability of component to deliver desired functionality for a given period of


Reliability
time and under certain conditions.

Form, or screen, used to record details of a request for a change to any


Request for
CI within an infrastructure or to procedures and items associated with the
Change (RFC)
infrastructure.

Ability of service to keep running where one or more components have


Resilience
failed.

Resolution Action, which will resolve an Incident. This may be a Work-around.

The focus in this sub-process is the management of the individual


Resource components of the IT infrastructure. It is responsible for ensuring that
Capacity all components within the IT infrastructure that have finite resource are
Management monitored and measured, and that the collected data is recorded, analyzed
and reported.

Resource cost: This term is used to describe the amount of machine resource that a given task will consume. This resource is usually expressed in seconds for the CPU or the number of I/Os for a disk or tape device.

Resource Management: Process that ensures that adequate resources are available and functional at the required time.

Resource profile: A resource profile describes the total resource costs which are consumed by an individual online transaction, batch job or program. It is usually expressed in terms of CPU seconds, number of I/Os and memory usage.

Resource unit costs: Resource unit costs may be calculated on a standard cost basis to identify the expected (standard) cost for using a particular resource. Because computer resources come in many shapes and forms, units have to be established by logical groupings. Examples are: a) CPU time or instructions, b) disk I/Os, c) print lines, d) communication transactions.

Resources: The term resources refers to the means the IT Services section needs to provide the customers with the required services. The resources are typically computer and related equipment, software, facilities or organizational (people).

Restoration of Service: The moment a customer has confirmed that the service can be used again after an incident or a contingency.


Return to normal phase: The phase within a business recovery plan which re-establishes normal operations.

Revenue Cost: Also called running cost; its value diminishes with usage, such as paper or salaries. Usually a variable cost.

Risk: A measure of the exposure to which an organization may be subjected. This is a combination of the likelihood of a business disruption occurring and the possible loss that may result from such business disruption.


Risk Analysis: The identification and valuation of assets and threats; the assessment of vulnerabilities and risks by considering the threats to assets.


Risk Management: The management of risks to assets: the selection and use of countermeasures.


Risk reduction measure: Measures taken to reduce the likelihood or consequences of a business disruption occurring (as opposed to planning to recover after a disruption).


Role: A set of responsibilities, activities and authorizations.

Rollout: The moment or period at which a system (or set of systems) is implemented. This term is usually used when multiple systems are implemented at different moments.


Second Line Support: Often, departments and (specialist) support groups other than the Service Desk are referred to as second- or third-line support groups, having more specialist skills, time or other resources to solve Incidents. In this respect, the Service Desk would be first-line support.


Security: Confidentiality, Integrity and Availability of CIs.

Security Awareness: The measure to which an organization is aware of its security situation.

Security Incidents: Incidents that threaten the security of an organization, e.g. viruses, hacker attacks, etc.


Security Level: The level to which an organization has been secured.

Security Management: The process that is responsible for the design and activation of all security measures needed to reach the desired security level.

Security Section: The section in the SLA which describes the needed security level.


Self-insurance: A decision to bear the losses that could result from a disruption to the business as opposed to taking insurance cover on the risk.

Service achievement: The actual service levels delivered by the IT directorate to a customer within a defined time-span.


Service Capacity Management: The focus of this sub-process is the management of the performance of the IT services used by the customers. It is responsible for ensuring that the performance of all services, as detailed in the targets in the SLAs and SLRs, is monitored and measured, and that the collected data is recorded, analyzed and reported. Process that determines the resource profiles needed to process current and future business workloads.

Service catalog: Written statement of IT services, default levels and options.

Service hours: Hours during which the service is available.

Service improvement program: A formal project undertaken within an organization to identify and introduce measurable improvements within a specified work area or work process.

Service Level Agreement: Written agreement between a service provider and the Customer(s) that documents agreed service levels for a service.

Service level management: The process of defining, agreeing, documenting and managing the levels of customer IT service that are required and cost justified.

Service Level Requirement: Requirements, expressed by the customer, that are inputs into negotiations towards an SLA.

Service provider: Third-party organization supplying services or products to customers.

Service quality plan: The written plan and specification of internal targets designed to guarantee the agreed service levels.

Service Request: Every Incident not being a failure in the IT Infrastructure.

Service Window: Hours/times during which the service is available.


Serviceability: Contractual term used to define the support received from an external supplier.


Services: Services are the deliverables of the IT Services section as perceived by the customers; the services do not consist merely of making computer resources available for customers to use.

Simulation modeling: Simulation modeling, as the name implies, employs a program which simulates computer processing by describing in detail the path of a job or transaction. It can give extremely accurate results. Unfortunately, it demands a great deal of time and effort from the modeler. It is most beneficial in extremely large or time-critical systems where the margin for error is very small.

Single point of failure: A component that will cause unavailability to a service when it fails.

Software Configuration Item (SCI): As ‘Configuration Item’, excluding hardware and services.

Software Environment: Software used to support the application such as operating system, database management system, development tools, compilers, and application software.

Software Library: A controlled collection of SCIs designated to keep those with like status and type together and segregated from unlike, to aid in development, operation and maintenance.

Software work unit: Software work is a generic term devised to represent a common base on which all calculations for workload usage and IT resource capacity are then based. A unit of software work for I/O type equipment equals the number of bytes transferred; and for central processors it is based on the product of power and cpu-time.

Specsheet: Specifies in detail what the customer wants (external) and what consequences this has for the service provider (internal), such as required resources and skills.


Standard cost: A pre-determined calculation of what costs should be under specified working conditions. It is built up from an assessment of the value of cost elements and correlates technical specifications and the quantification of materials, labor and other costs to the prices and/or wages expected to apply during the period in which the standard cost is intended to be used. Its main purposes are to provide bases for control through variance accounting, for the valuation of work in progress and for fixing selling prices.

Standard costing: A technique which uses standards for costs and revenues for the purposes of control through variance analysis.

Stand-by arrangements: Arrangements to have available assets which have been identified as replacements should primary assets be unavailable following a business disruption. Typically, these include accommodation, IT systems and networks, telecommunications and sometimes people.

Status accounting: Process that records the state of CIs at a given time.

Storage occupancy: Storage occupancy is a defined measurement unit that is used for storage type equipment to measure usage. The unit value equals the number of bytes stored.

Super User: In some organizations it is common to use ‘expert’ Users (commonly known as Super or Expert Users) to deal with first-line support problems and queries. This is typically in specific application areas, or geographical locations, where there is not the requirement for full-time support staff. This valuable resource however needs to be carefully coordinated and utilized.

Support hours: Hours/times during which support is available.

Surcharging: Surcharging is charging business users a premium rate for using resources at peak times.

System: An integrated composite that consists of one or more of the processes, hardware, software, facilities and people, that provides a capability to satisfy a stated need or objective.

Test Build Environment: (Part of) the computer system used to build software releases for operational acceptance testing.


Test environment: (Part of) the computer system used to run software releases for operational acceptance testing.

Third Line Support: Often, departments and (specialist) support groups other than the Service Desk are referred to as second- or third-line support groups, having more specialist skills, time or other resources to solve Incidents. In this respect, the Service Desk would be first-line support.

Threat: An event that could happen and that would degrade the functioning of a component or a service.


Underpinning contract: A contract with an external supplier covering delivery of services that support the IT directorate in their delivery of services.

Unit costs: Unit costs are costs distributed over individual component usage to establish the unit cost. For example, it can be assumed that if a box of paper with 1000 sheets costs £10, then obviously one sheet costs 1p. Similarly, if a CPU costs £1m a year and it is used to process 1,000 jobs that year, each job costs on average £1,000.

Urgency: Measure of the business criticality of an Incident or Problem based on the impact and on the business needs of the Customer.


Urgent Change: A change that, due to the business criticality of an Incident, has to be implemented urgently.

User: The person who uses the service on a day-to-day basis.

Utility cost center (UCC): A cost center for the provision of support services to other cost centers.

Variance analysis: A variance is the difference between planned, budgeted, or standard cost and actual cost (or revenues). Variance analysis is an analysis of the factors which have caused the difference between the pre-determined standards and the actual results. Variances can be developed specifically related to the operations carried out in addition to those mentioned above.

Variant: CI with the same functionality as another CI but different in some small way.


Verification: Process that ensures the CMDB and physical CIs are synchronized.

Version: An identified instance of a Configuration Item within a product breakdown structure or configuration structure for the purpose of tracking and auditing change history. Also used for software Configuration Items to define a specific identification released in development for drafting, review or modification, test or production.


Version Identifier: A version number; version date; or version date and time stamp.

Vulnerability: The measure to which a component or a service will be affected by a threat.


Warm stand-by: See 'Intermediate Recovery'.

Waterline: The lowest level of detail relevant to the customer.

Work-around: Method of avoiding an Incident or Problem, either from a temporary fix or from a technique that means the Customer is not reliant on a particular aspect of the service that is known to have a problem.

Workload Management: See Service Capacity Management.

Workloads: Workloads, in the context of Capacity Management Modeling, are a set of forecasts which detail the estimated resource usage over an agreed planning horizon. Workloads generally represent discrete business applications and can be further sub-divided into types of work (interactive, timesharing, batch).

ACRONYMS


Term Definition

BCM: Business Continuity Management

BRM: See Business Relationship Management

CAB: See Change Advisory Board

CAB/EC: See Change Advisory Board Emergency Committee

CDB: See Capacity Database

CFIA: Component Failure Impact Analysis

CI: See Configuration Item

CMDB: See Configuration Management Database

CRAMM: OGC Risk Analysis and Management Method

DHS: See Definitive Hardware Store

DSL: See Definitive Software Library

FSC: See Forward Schedule of Changes

FTA: See Fault Tree Analysis

ICT: The convergence of Information Technology, Telecommunications and Data Networking Technologies into a single technology

IPW™: Implementation of a Process Oriented Workflow, a process model created by Quint Wellington Redwood and Dutch Telecom (KPN). The model has existed since 1993. An extension to the model is the IPW Stadia Model, which describes maturities, how to measure them and how to realize them, for the different ITIL processes. See www.quintgroup.com for a full English article

ISEB: Information Systems Examination Board (UK), which administers and awards IT qualifications including the Foundation Certificate in IT Service Management

ITIL: The CCTA IT Infrastructure Library - a set of guides on the management and provision of operational IT services

ItSMF: IT Service Management Forum, ITIL User Group


MTBF: See Mean Time Between Failure

MTBSI: See Mean Time Between System Incidents

MTTR: See Mean Time To Repair

OLA: See Operational Level Agreement

PIR: See Post Implementation Review

RFC: See Request for Change

SCI: See Software Configuration Item

SLA: See Service Level Agreement

SLM: See Service Level Management

SLR: See Service Level Requirements

SPOF: See Single Point of Failure

UC: See Underpinning Contract or Contract

UCC: See Utility Cost Center

FORMS


First Name: __________________________________________________________________
Last Name: __________________________________________________________________
Birth Date: __________________________________________________________________
Date: ________________________________________________________________________
Workshop: ___________________________________________________________________
Instructor 1: _________________________________________________________________
Instructor 2: _________________________________________________________________

Question (Please check only one box): Strongly Agree / Agree / Neutral / Disagree / Strongly Disagree

The content presented in this course was at the right level.
The content of this course met the stated objectives.
The labs and exercises reinforced skills taught in the course.
The labs and exercises were realistic and reinforced how I might use the knowledge or skills on the job.
My instructor communicated the content of the course effectively.
My instructor was willing to provide assistance at my level of need.
This course was worth my time.
This course met my expectations.
I will use the skills and knowledge gained in the course.

How effective, for you, were the following methods: Very Effective / Effective / Neutral / Not Effective

Handling the theory
Group sessions and discussions
Simulations and lab exercises

Comments:

Are there any unclear topics? Which ones? Why? ________________________________


_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

Do you have any comments related to the hand-outs, simulation material, quality of the presentation and/or the course locations? ______________________________________
_____________________________________________________________________________
_____________________________________________________________________________

In your opinion, what did the instructor do well? ________________________________


_____________________________________________________________________________
_____________________________________________________________________________

In what areas could your instructor improve? ___________________________________


_____________________________________________________________________________
_____________________________________________________________________________

What is one thing that would improve this education experience? ________________
_____________________________________________________________________________
_____________________________________________________________________________

What is one thing that should not be changed? _________________________________


_____________________________________________________________________________
_____________________________________________________________________________

What other comments do you have? (Please use additional paper if needed) _______
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

Thank you for your time!
