ISO/IEC 27005:2022 Quiz

To provide guidelines for implementing ISO/IEC 27001 controls

To offer guidance on managing information security risks

To define cybersecurity incident response procedures

To standardize encryption algorithms

ISO/IEC 27001 (ISMS requirements)

ISO/IEC 27002 (Security controls)

ISO/IEC 27017 (Cloud security)

ISO/IEC 27031 (ICT disaster recovery)

Risk identification

Risk assessment

Risk transfer (insurance)

Risk treatment

Inherent risk is before controls, residual risk is after controls

Inherent risk is financial, residual risk is operational

Inherent risk is external, residual risk is internal

They are the same

Only quantitative methods

Only qualitative methods

A combination of qualitative and quantitative methods

No specific method is prescribed

To define the maximum budget for cybersecurity

To set the level of risk an organization is willing to accept

To measure employee awareness of risks

To determine insurance premiums

Risk avoidance (discontinuing the activity)

Risk sharing (outsourcing)

Risk acceptance (tolerating the risk)

All of the above

It ensures stakeholders understand the risks and controls

It is only needed for regulatory compliance

It replaces the need for risk assessments

It focuses only on IT department risks

Only once during ISMS implementation

Annually or when significant changes occur

Only after a security breach

Every 5 years

Statement of Applicability (SoA)

Risk Treatment Plan (RTP)

Risk Register

All of the above