Oct 23 2021

Introduction

This is the EXIN Information Security Management Professional based on ISO/IEC 27001 (ISMP.EN) sample exam. The Rules and Regulations for EXIN’s examinations apply to this exam.

This exam consists of 30 multiple-choice questions. Each multiple-choice question has a number of possible answers, of which only one is correct.

The maximum number of points that can be obtained for this exam is 30. Each correct answer is worth 1 point. You need 20 points or more to pass the exam.

The time allowed for this exam is 90 minutes.

Good luck!

Copyright © EXIN Holding B.V. 2020. All rights reserved.
EXIN® is a registered trademark.

Question 1 of 30
Which is a key element of security strategy development?

Question 2 of 30
One of the challenges for the IT security manager of a rather conservative organization is to convince IT management that providing an effective information security program for the organization requires a change in thinking about what IT security is and what it encompasses.

What is the IT security manager trying to teach management?

Question 3 of 30
One of the business managers is seriously concerned that any IT security program will be too intrusive for the business to continue to thrive and be innovative.

Which statement best describes what should be told to the manager?

Question 4 of 30
The security manager is responsible for defining the security controls for a company. The company is selecting a supplier to host the web-facing ordering system.

What should be the most important aspect the security manager looks for?

Question 5 of 30
Security controls are defined based on the security classification of a data element.

Who is responsible for the security classification of a data element?

Question 6 of 30
Which risk assessment approach uses categories instead of actual numbers to determine risks?

Question 7 of 30
Information security management is currently being implemented in the company “Internet Booksellers”. The project leader for the information security project understands that the risk identification process requires him to list organizational assets in order of importance, and he is working with the financial manager to develop this list. The weighting of importance is based on the following criteria: impact on revenue (30%), impact on profitability (40%) and impact on public image (30%).

The financial manager has identified four important information assets:
  • Supplier orders (outbound)
  • Customer order via SSL (inbound)
  • Supplier fulfillment advice (inbound)
  • Customer service request via e-mail (inbound)

Which asset ranks highest based on the impact criteria?

Question 8 of 30
What needs to be decided prior to considering the treatment of risks?

Question 9 of 30
A large transportation company has adopted the standard for information security (ISO/IEC 27001:2013) and needs to set up controls for its software development department, which it will outsource. An external consultant has been appointed to make sure that security controls consistent with the code of practice (ISO/IEC 27002) are implemented across the complete supply chain for software development in the new outsourced situation.

What control should be put in place to guarantee availability of the source code should one of the partners in the supply chain go out of business?

Question 10 of 30
The security manager for a company has just been tasked with leading the organization’s first ever risk assessment effort. The security manager is in the process of implementing controls to mitigate the identified risks. She has taken into account the organizational feasibility and the political feasibility using the organizational objectives and applicable legislation and regulations.

Which item also needs to be accounted for when taking into account the operational feasibility?

Question 11 of 30
The scope of risk management is not limited to the organizational processes alone; it should also be embedded in the project management methodology. An information security risk assessment, for example, should be conducted at an early stage of each project. When implementing project risk management, it is necessary to consider the scope of the project.

What should be included in the scope of project risk management for standard projects?

Question 12 of 30
What is the popular name of ISO/IEC 15408, the standard that defines evaluation criteria for IT security?

Question 13 of 30
An operations manager wants some advice about opening a second datacenter as a hot standby location.

What would the information security officer advise her to do?

Question 14 of 30
A security team has just finished an organizational risk assessment and is now discussing controls to mitigate the risks. As part of that effort, program (management) controls and technical controls have been considered.

What is the third category of controls that needs to be considered?

Question 15 of 30
After doing a risk assessment and establishing a proper set of controls that complies with an organization’s risk appetite, a consultant’s job is almost complete. The consultant understands that, in reality, no set of controls can achieve complete security.

What needs to be completed in order to strengthen security even more?

Question 16 of 30
The information security officer of the company has just been notified of a pending management review of the information security policy.

What is an input to this management review?

Question 17 of 30
The information security officer for a global company has just received the results of a management review of the information security policy.

What should the output of this review include?

Question 18 of 30
Maintaining an information security program is a continuous process. It requires inputs from the many different factors that influence its success.

Which input would require the process to change?

Question 19 of 30
A large part of an information security team’s responsibility is to monitor and detect incidents.

What is the strongest indicator of an incident?

Question 20 of 30
Whose responsibility is it to coordinate an organization’s security awareness campaign?

Question 21 of 30
Last year an organization became stricter regarding security controls for its employees. Before implementing additional controls, the information security officer wants to know the employees’ attitude towards information security controls.

How can she quickly get an impression of this?

Question 22 of 30
What is the main advantage of using an open design of the security architecture?

Question 23 of 30
Which security component is designed to take in large volumes of network traffic and detect patterns that can indicate a denial-of-service attack?

Question 24 of 30
The CEO of a company has started using her tablet PC and wants the security manager to enable her to use business mail and calendar on the tablet. The security manager understands this as a request to allow Bring Your Own Device (BYOD).

Which controls (besides awareness training) should the security manager propose to prevent data loss in case the personal device is stolen or lost?

Question 25 of 30
Which statement about security architecture is most correct?

Question 26 of 30
Zoning is a security control that separates physical areas with different security levels. Zones with higher security levels can be protected by more controls. The security manager of a hotel is responsible for security and is considering different zones for the hotel.

What combination of business functions should be combined into one security zone?

Question 27 of 30
Knowing that physical security controls are a very important part of an information security program, the information security team is asked to design and then implement a security perimeter for a department that is setting up new data systems.

According to ISO/IEC 27001, which is the most important guideline that needs to be considered when establishing this perimeter?

Question 28 of 30
The human resource manager for an organization asked what she could do as a quick win in the area of employment and hiring to help strengthen the organization’s data security program according to ISO/IEC 27001.

What should the advice be?

Question 29 of 30
The business continuity manager asks for input for the contingency plan.

What should be his first activity?

Question 30 of 30
One key component to integrate into an organization’s information security program is a robust business continuity program. In support of this, a security consultant has been asked to list the key information security requirements for such a program.

What is his first concern in business continuity management from an information security point of view?