ISMS Implementation Training Exam Paper

The document is a question paper for an ISMS implementation training that contains multiple choice questions to test understanding of key ISO 27001 concepts and requirements. It includes 20 generic questions about ISO 27001 that cover topics like who developed the standard, requirements for an ISMS, definitions of information security terms, and risk management processes. It also includes additional questions specific to implementing and auditing an ISMS that cover areas such as determining scope, developing policies and procedures, risk assessment, human resource security, information security controls, and monitoring/review of the system.

Uploaded by Trivesh Sharma

Question Paper for ISMS Implementation Training.

Objective Questions
(Please tick mark the correct answer only.)
Generic Questions for ISMS: -

Q-01) ISO/IEC 27001:2013 standard was developed by …

(a) International Organization for Standardization (b) Microsoft (c) Google

Q-02) Which standard spells out the requirements for an information security management system?

(a) ISO/IEC 27000:2014 (b) ISO/IEC 27001:2013 (c) ISO/IEC 27002:2013

Q-03) "The property of being accessible and usable upon demand by an authorized entity" is called …

(a) Confidentiality (b) Availability (c) Dependability

Q-04) "The property that information is not made available or disclosed to unauthorized
individuals, entities, or processes" is called …

(a) Integrity (b) Security (c) Confidentiality

Q-05) "Process to comprehend the nature of risk and to determine the level of risk" is called …

(a) Risk Acceptance (b) Risk Analysis (c) Risk Evaluation

Q-06) “A weakness of an asset or control that can be exploited by one or more threats” is called …

(a) Threat (b) Vulnerability

Q-07) The ISMS documentation shall include a 'risk treatment plan'. Is this statement true or false?

(a) True (b) False

Q-08) Visitors’ book, audit reports and completed access authorization forms are examples of …

(a) ISMS records (b) ISMS instructions

WWW.QACSWORLD.COM

Q-09) "There shall be a formal disciplinary process for employees who have committed a security breach." True or false?

(a) True (b) False

Q-10) Who shall ensure that unattended user equipment has appropriate protection?

(a) Users (b) Organization

Maximum Attainable Score: 20    Score Attained: ____

Q. no.   Question   (√) Mark the correct option.

ISMS
Q1 ISO 27001:2013 specifies the requirements for a(n) -----
a) Information Security Management System
b) Business Continuity Management System
c) Quality Management System
d) Information Technology Service Management System
Q2 External and internal issues should include -----
a) Liability
b) Policy
c) Risk
d) Objective
Q3 The requirements of interested parties for the ISMS should include --
a) Competency requirements
b) Legal and regulatory requirements
c) HIRA
d) Aspects and impacts
Q4a When determining the scope of the ISMS, which clauses should be considered? -----
a) 5.1
b) 6.1 & 6.2
c) 6.8
d) 4.1 & 4.2
Q4b Which one of these is the exception, i.e. knowledge that may be shared among the audit team rather than held by each auditor?
a) Knowledge of information security
b) Technical knowledge of the activity to be audited
c) Knowledge of the principles of auditing
d) Knowledge of management systems
Q4c The technique for assessment of external and internal issues should consider --
a) Risk assessment techniques
b) Hazard analysis techniques
c) Aspects technique
d) Impact technique
Q4d When determining the scope, the organization shall consider ---
a) Its activities, products and services
b) Its competence
c) Its communication
d) Its documents
Q4e Issues, both negative and positive, can be considered in ----
a) Support
b) Context of the organization
c) Operation
d) Planning
Q5a Review of the policies for information security is to ensure their continuing --------, adequacy and effectiveness
a) Ability
b) Monitoring
c) Suitability
d) Perfection
Q5b The ISMS policy should include ---
a) Operational procedures
b) Structural requirements
c) Resource requirements
d) A commitment to satisfy applicable requirements related to information security
Q5c Performance of the ISMS is reported to top management by ----
a) Quality manager
b) General manager
c) Authorized person
d) Technical head
Q5d The ISMS policy shall be
a) Maintained as documented information
b) Available to interested parties
c) Documented, communicated and available to interested parties
d) Displayed at the office
Q5e The ISMS policy should be communicated ---
a) Within the organization
b) To interested parties
c) To external providers
d) All of the above
Q6a Information security risk assessment can be done by ---
a) Identifying and analysing the information security risks
b) Grading information risk against the risk criteria
Q6b How can the security risk of mobile devices be managed? ----
a) By making a mobile device policy
b) By adopting security measures to manage mobile risks
c) Both a & b
d) b only
Q6c Analysis of information security risks can be done by ----
a) Assessing the potential consequences
b) Determining the level of risk
c) Assessing the likelihood of occurrence
d) All of the above
Q6d The objectives for the ISMS shall take into account ----
a) International laws
b) Results of risk assessment and risk treatment
c) National laws
d) Competence
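Q-05, Q6a and Q6c all turn on the same procedure: assess likelihood and consequence, determine a level of risk, compare it against risk criteria, and prioritise what must be treated. The block below is an added worked example of that procedure, not part of the exam paper or of any QACS material. The five-point scales, the acceptance threshold, the band boundaries and the four-row risk register are all constructed assumptions for illustration; a real ISMS defines its own criteria under clause 6.1.2.

```python
"""Worked information security risk analysis and evaluation.

Added example (not from the exam paper). Scales, acceptance criterion and
the sample register below are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Assumed ordinal scales, as an organisation would define them in its
# risk assessment methodology (clause 6.1.2 a).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk acceptance criterion: any level above this must be treated.
RISK_ACCEPTANCE_THRESHOLD = 8


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: asset, threat, exploited vulnerability."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    consequence: str
    owner: str


def risk_level(likelihood: str, consequence: str) -> int:
    """Determine the level of risk (clause 6.1.2 d.3) as likelihood x consequence.

    Rejects labels outside the defined scales so a typo in the register
    cannot silently produce a wrong score.
    """
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood label: {likelihood!r}")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"unknown consequence label: {consequence!r}")
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def risk_band(level: int) -> str:
    """Map a numeric level to a band (assumed boundaries: 1-4 low, 5-9 medium, 10-25 high)."""
    if level <= 4:
        return "low"
    if level <= 9:
        return "medium"
    return "high"


def evaluate(risk: Risk, threshold: int = RISK_ACCEPTANCE_THRESHOLD) -> dict:
    """Evaluate one risk against the acceptance criterion (clause 6.1.2 e)."""
    level = risk_level(risk.likelihood, risk.consequence)
    return {
        "risk_id": risk.risk_id,
        "asset": risk.asset,
        "level": level,
        "band": risk_band(level),
        "decision": "treat" if level > threshold else "accept",
        "owner": risk.owner,
    }


def prioritise(risks: list[Risk]) -> list[dict]:
    """Evaluate a register and order it for treatment: highest level first, stable by id."""
    return sorted((evaluate(r) for r in risks), key=lambda e: (-e["level"], e["risk_id"]))


def treatment_summary(risks: list[Risk]) -> dict:
    """Count how many risks need treatment versus can be accepted as-is."""
    decisions = [evaluate(r)["decision"] for r in risks]
    return {"treat": decisions.count("treat"), "accept": decisions.count("accept")}


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R-01", "Customer database", "SQL injection via web application",
         "Unvalidated user input", "possible", "major", "Head of Development"),
    Risk("R-02", "Laptop fleet", "Theft of a laptop", "No full-disk encryption",
         "likely", "moderate", "IT Manager"),
    Risk("R-03", "Office printer", "Hardware failure", "Ageing device",
         "almost certain", "negligible", "Facilities"),
    Risk("R-04", "Backup tapes", "Loss in transit", "No chain-of-custody record",
         "unlikely", "severe", "IT Manager"),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(f"{row['risk_id']}  level={row['level']:2d}  {row['band']:6s}  "
              f"{row['decision']:6s}  {row['asset']}  (owner: {row['owner']})")
    print(treatment_summary(SAMPLE_REGISTER))
```

The ordering step matters: the standard asks for risks to be prioritised for treatment, and the sorted output is what feeds the risk treatment plan (Q-07) and ultimately the Statement of Applicability. The strict validation of scale labels is deliberate, since a register that accepts free-text labels is the most common way an assessment becomes neither comparable nor reproducible (the property tested in Q9a).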
Q7a Human resource security prior to employment can be achieved by -----
a) Interviewing
b) Screening and background verification
c) Information security awareness training
d) Contractual agreement
Q7b Competency requirements for the ISMS can be fulfilled by ---
a) Knowledge of information management terminology, principles, practices and techniques
b) Business management practices
c) Client business sector
d) All of the above
Q7c The criteria for selection of an auditor for the ISMS is ----
a) 1 year full-time practical workplace experience
b) Two years part-time work related to information technology
c) 4 years full-time practical workplace experience
d) Knowledge of other ISO standards
Q7d Control of ISMS documents can be done by ---
a) Storage
b) Control of changes and versions
c) Distribution, access, retrieval, use and disposition
d) ID and number
Q7e Which of the following is a regulatory requirement for the ISMS? ----
a) Audit plan, audit risk
b) Electronic signature
c) Continual improvement
d) Audit type
Q7f Information receiving an appropriate level of protection can be ensured by ---
a) Classification and labelling of information
b) Giving an identification number
c) IT management
d) Documentation
Q7g Preventing unauthorized disclosure, modification, removal or destruction of information stored on media can be done by -----
a) Physical media transfer
b) Disposal of media
c) Management of removable media
d) All of the above
Q8a Correct and secure operation of information processing facilities is ensured by ----
a) Segregation of network services
b) Separate testing and operational environments
c) System change procedure
d) Outsourced development
Q8b Logging and monitoring of events in the ISMS can be done by -----
a) Capacity management
b) Backup
c) Clock synchronization
d) Information control audit
Q8c Equipment can be protected from loss, damage or theft by ----
a) Verification of the data prior to disposal or reuse
b) Equipment, information or software shall not be taken off-site without prior authorization
c) Clear desk and clear screen policy
d) All of the above
Q9a The information security performance results can be considered valid when ---
a) Results are comparable and reproducible
b) Results are obtained from an internal audit
c) The audit is done by a competent person
d) Third-party audit
Q9b Observing and interviewing persons during their work, seeing the results of performance, and looking at the code of conduct and confidentiality during an internal audit is
a) Audit facts
b) Audit finding
c) Audit evidence
d) Audit conformity
Q9c Feedback on the ISMS should include ------
a) Decisions on continual improvement
b) Results of risk assessment and the risk treatment plan
c) Need to change documents
d) Need to change policy and objectives
10a When a nonconformity occurs, the organization shall ----
a) Keep it in the form of an NC
b) Take any action
c) Take, evaluate, implement and review the action
d) Change the process
10b Enhancing performance related to the use of the ISMS can be achieved by ----
a) Nonconformity
b) Corrective action
c) Audit
d) Continual improvement
A Security of teleworking and use of mobile devices can be ensured by
a) Handling of assets
b) Review of user access rights
c) Assessment of the risks introduced by using mobile devices
d) Screening
B Prior to employment for the ISMS, the organization shall -----
a) Screen the candidate
b) Train the candidate
c) Make the candidate aware
d) Assign responsibility
C Supplier-accessible assets can be protected by ---
a) Agreement with the supplier regarding the risks associated with IT
b) Regular auditing at the supplier's end
c) Documentation of the mitigation of risks associated with IT
d) All of the above
D What are the measures for cryptographic control?
a) Use of passwords
b) Development of cryptographic keys
c) Limited use of information
d) Use by authorized persons
E ------ shall be used to prevent unauthorized physical access to an organization's information
a) Ownership of assets
b) Handling of assets
c) Physical security perimeter
d) Review of user access
F All equipment, prior to disposal or reuse, should be ----
a) Verified for stored media
b) Checked for software licences
c) Checked for calibration
d) All of the above
G Changes to the operational environment, or reducing the risk of unauthorized use, can be done by ---
a) Separating testing and operational environments
b) Capacity management
c) Information management
d) Clock synchronization
H Protection of information in networks can be ensured by ----
a) Segregation and control in networks
b) Event logging
c) Technical vulnerability management
d) Controls against malware
I Detection, prevention and ------ controls to protect against malware shall be implemented, combined with appropriate user awareness.
a) Calibration
b) Recovery
c) Information backup
d) Verification
J Information security aspects of business continuity management can be achieved by -----
a) Planning -> Implementing -> Verifying -> Reviewing -> Evaluating
b) Planning -> Verifying -> Reviewing -> Evaluating -> Implementing
c) Planning -> Verifying -> Implementing -> Reviewing -> Evaluating
d) Planning -> Reviewing -> Implementing -> Verifying -> Evaluating
K Avoiding breaches of legal, statutory, regulatory or contractual obligations related to information security can be done by ----
a) Identification of applicable legislation
b) Intellectual property rights
c) Protection and privacy of records
d) All of the above
L The best quality of evidence is gathered by ----
a) Interview
b) Performing the test
c) Observation
d) Checking records, documents and feedback
M Annex A of ISO 27001:2013 helps to ---
a) Provide guidance for reviewing controls other than those in ISO 27001:2013 Annex A
b) Provide guidance for the review of the implementation of the controls listed in ISO 27001:2013 Annex A
O Mobile devices and teleworking should be controlled by ----
a) Organizational control
b) Organizational and technical control
c) Organizational, technical and system control
d) Visual inspection
P Equipment siting and protection is controlled by
a) Organizational control and visual inspection
b) Visual inspection
c) System testing and technical control
d) System testing
Q Key management for cryptography is ------
a) Possible -- in system testing
b) Recommended -- in system testing
R Event logging is controlled by ---
a) Organization
b) Technical
c) System testing
d) All of the above
S Transfer of information with an external entity should be done --
a) By verbal information
b) By signing on a paper
c) By any means
d) Under an agreement between the organization and the external parties
T How are modifications to software packages controlled?
a) By restricting changes to software packages
b) Changes can be made at any time when required
c) The quality head can make changes
d) Technical review can be done
U At what interval should information security policies and procedures be reviewed?
a) At planned intervals
b) When significant changes occur
c) Both a & b
d) Every month
V Criteria for risk assessment are established in --
a) 6.1.2
b) 6.1.3
c) 7.1.2
d) 8.3
W Knowledge and understanding of which regulatory requirements is required of an ISMS auditor?
a) Computer abuse
b) Electronic evidence collection
c) Intellectual property, data protection and privacy
d) All of the above
X Physical entry control in the ISMS can be done by
a) Organizational control
b) Technical control
c) System control
d) All of the above
Y The principle(s) of ISMS audit is/are ---
a) Evidence-based and risk-based approach
b) Knowledge of the standard
c) Knowledge of uncertainty
d) Management system knowledge
Z Compliance with legal and contractual requirements covers -
a) Protection of records
b) Intellectual property rights
c) Regulation of cryptographic controls
d) All of the above

Detailed Questions about ISMS


No   Question   Comments/Notes
1  What should be taken into consideration while investigating the information security policy?
2  What should be taken into consideration while investigating the asset inventory?
3  What should be taken into consideration while investigating the risk analysis?
4  What should be taken into consideration while investigating the risk treatment plan?
5  What should be taken into consideration while investigating the Statement of Applicability?
6  What should be taken into consideration while investigating the Statement of Applicability?
7  What should be taken into consideration, in connection with the ISMS, while investigating duties and responsibilities?
8  What are the issues to be taken into consideration while investigating the confidentiality agreements signed with the personnel?
9  What should be checked in third-party contracts?
10 What should be taken into consideration while investigating the "Screening" clause of the Human Resources section?
11 What should be taken into consideration in the "Return of Assets" and "Removal of Access Rights" clauses while investigating the Human Resources section?
12 What should be taken into consideration in the "Supporting Utilities" clause under the heading of Physical Security?


13 What are the issues to be taken into consideration for data backup?
14 What should be controlled in relation to error logs?
15 What should be taken into consideration in relation to equipment maintenance?
16 What is practised in relation to password usage?
17 What is practised in relation to access controls?
18 What should be taken into consideration in relation to business continuity?
19 What should the auditor review while investigating the session timeout clause?
20 What should be determined as a sound method regarding encryption?
21 What should be taken into consideration at the software development stages?
22 What should be taken into consideration regarding interns?
23 What should be controlled in relation to customer property?
24 What should be investigated regarding R&D?
25 What should be investigated regarding source code?
26 What should be investigated regarding test stages?
27 What should be taken into consideration while investigating the information security policy?
28 What should be taken into consideration while investigating the asset inventory?
29 What should be taken into consideration while investigating the risk analysis?
30 What should be taken into consideration while investigating the risk treatment plan?
31 What should be taken into consideration while investigating the Statement of Applicability?


32 What should be taken into consideration while investigating the awareness training?
33 What should be taken into consideration, in connection with the ISMS, while investigating duties and responsibilities?
34 What are the issues to be taken into consideration while investigating the confidentiality agreements signed with the personnel?
35 What should be checked in third-party contracts?
36 What should be taken into consideration while investigating the "Screening" clause of the Human Resources section?
37 What should be taken into consideration in the "Return of Assets" and "Removal of Access Rights" clauses while investigating the Human Resources section?
38 What should be taken into consideration in the "Supporting Utilities" clause under the heading of Physical Security?
39 What are the issues to be taken into consideration for data backup?
40 What should be controlled in relation to error logs?
41 What should be taken into consideration in relation to equipment maintenance?
42 What is practised in relation to password usage?
43 What is practised in relation to access controls?
44 What should be taken into consideration in relation to business continuity?
45 What should the auditor review while investigating the session timeout clause?
46 What should be taken into consideration in the supplier evaluations?
47 What should be considered in the clause on information security in supplier relationships?
48 What should be taken into consideration regarding interns?

49 What should be considered in connection with information labelling?
50 What should be considered in the clause on termination and change of employment?
51 What should be considered within the scope of the "in the course of study" clause?
52 What should be taken into account in the clause on pre-employment?

Maximum Attainable Score: 52    Score Attained: ____


CASE STUDY FOR TRAINEES (You can choose any 2 of them)


S. No. | Organization | What scope should be defined | What kind of objectives should be defined | What kind of risks should be analysed | Which controls are applicable as per Annex A
1 | Organization developing software for integrated applications | ?? | ?? | ?? | ??
2 | Government taxation department | ?? | ?? | ?? | ??
3 | Transport provider operating through a transport management system | ?? | ?? | ?? | ??
4 | Financial service provider (banks) | ?? | ?? | ?? | ??

All trainees should complete a minimum of 2 case studies with evidence.

Maximum Attainable Score: 71    Score Attained: ____

Overall Performance   % Range   Grade

Very Poor    0 - 25     D
Poor         26 - 40    C
Average      40 - 50    B
Good         51 - 65    B+
Very Good    66 - 89    A
Excellent    90 - 100   A+


Trainee Name: -

Date: -

Review by QACS: -

Review date: -

Reviewer name: -

Overall Attainable Score: -

Total Score Attained: -

Result (Pass/Fail):