Quiz: ISO 27001

1. What is the purpose of Access Control Policy?

A

Ensure personnel have access to all assets available in order to reduce down time when seeking for access approval of documents

B

Ensure personnel only have access to assets required to perform their tasks

C

Ensure physical areas are free from safety hazards

D

Ensure assets accessible by employees can also be accessed by their manager (if applicable)

2. For Password Policy, most guidelines specified are mandatory. Which of the following measures are highly recommended but optional? (Remaining options are mandatory)

A

Avoid reuse of password across different platforms

B

Use multifactor authentication for critical services

C

When possible, password should have at least 10 characters

D

When possible, passwords should be generated alphanumeric + special character based

3. For BYOD Policy, under what circumstances is an employee allowed to use their personal device for work purposes?

A

Employees are strictly prohibited from using personal device for work purposes

B

Employees are allowed to use their personal devices for work purposes, without needing to inform anyone

C

Employees are allowed to use their personal devices for work purposes, as long as they inform their manager

D

Employees are allowed to use their personal devices for work purposes, as long as they received written approval for its usage by their manager

4. For Information Classification Policy, which of the following options is the correct classification category of information?

A

External, Internal

B

Public, Internal, Company Confidential, Client Confidential

C

Company, Public

D

Public, Internal, Confidential, Restricted

5. For Information Transfer Policy, which one of the following does NOT fall under the policy?

A

Ensure regular monitoring and review of information transfer policy

B

Ensure securing incident regarding transfer of information is addressed

C

Ensure secure method is used for transferring information

D

Ensure incident management is in place to secure and address incident regarding privacy of PII

6. For Network Security Policy, which one of the following is NOT a method of securing the organisation’s network?

A

Access Control

B

Firewall

C

VPN

D

SSH

7. For Secure Code Policy, which of the following are industry standard security coding practices recognised by the policy?

a. NIST SP 800-53

b. OWASP Top 10

c. SANS Top 25

7. For Secure Code Policy, which of the following are industry standard security coding practices recognised by the policy?

A

a & b only

B

a & c only

C

b only

D

a, b & c

8. For Data Leakage Policy, what is the purpose of this specific policy?

A

Considers the unauthorised access, use, or disclosure of confidential information and intellectual property to be a serious breach of trust and a violation of this policy

B

Describe how often operational and other customer data is backed up. All original customer data on infrastructure operated by the organisation should be backed up

C

Requires all data used during testing and development processes must be masked using appropriate techniques.

9. For Monitoring Activities Policy, which of the following contains ALL the logs required?

A

Event, inbound and outbound, monitoring only, incident logs

B

Access, inbound only, monitoring & reviewing logs

C

Access, event, inbound & outbound, monitoring & reviewing logs

D

Event, inbound only, monitoring only logs

10. For Web Filtering Policy, which of the following is NOT a mentioned antivirus software to be used?

A

Kaspersky

B

McAfee

C

Norton

D

VirusTotal