ISO/IEC 27001 Lead Implementer Free Sample Questions

PECB Certified ISO/IEC 27001 Lead Implementer Practice Test
Showing 10 of 250 questions
Q1

A financial services firm is planning its ISMS implementation. The project manager has created a detailed project plan but has not formally defined the criteria for accepting residual risks after treatment. During a project kickoff meeting with senior management, this omission is noted. Which negative outcome is MOST likely to occur as a direct result of this oversight?

Q2

A rapidly growing logistics company is implementing an ISMS. The implementation team is debating how to structure the management of documented information. One proposal is to use a decentralized approach where each department manages its own documents using various local tools. What is the PRIMARY risk associated with this approach in the context of ISO/IEC 27001?

Q3

A healthcare provider has established an ISMS certified to ISO/IEC 27001. During an internal audit, it was discovered that the results of monitoring information security controls are collected and stored, but there is no documented process for who analyzes this data or how often. This represents a failure to meet the requirements of which clause?

Q4

When defining the ISMS scope, an organization has decided to exclude its research and development (R&D) department, which handles highly sensitive intellectual property. The justification provided is that the R&D network is physically segregated. Which statement accurately describes the validity of this exclusion according to ISO/IEC 27001?

Q5

A manufacturing company's ISMS management review meeting concludes without any documented decisions or action items related to improving the ISMS. The meeting minutes only contain a summary of the discussed inputs. This practice fails to meet a key requirement of which ISO/IEC 27001 clause?

Q6 (multiple answers)

A university is implementing an ISMS and is developing its information security awareness program. Which of the following activities are essential components of an effective awareness program as required by ISO/IEC 27001? (Select THREE)

Q7

A lead implementer for a software development company is preparing for the Stage 1 certification audit. What is the PRIMARY purpose of this audit?

Q8

True or False: According to ISO/IEC 27001, the Statement of Applicability (SoA) must include a justification for all controls listed in Annex A, explaining why each has been implemented.

Q9

An organization has identified a significant risk related to data leakage via removable media. The risk treatment plan specifies the implementation of a technical control to block all USB ports. After six months, an internal audit finds that while the control is in place, several key employees have been granted permanent exceptions without a documented risk acceptance from management. This situation indicates a failure in which process?

Q10

A lead implementer is using the following chart to present the status of risk treatment activities to management. Based on the chart, which risk requires IMMEDIATE attention from the risk owners?

```mermaid
gantt
    title ISMS Risk Treatment Plan Status (as of 2024-06-15)
    dateFormat YYYY-MM-DD
    section Risk Mitigation Activities
    R-01: Implement MFA          :done, r1, 2024-05-01, 2024-05-30
    R-02: Encrypt Laptops        :active, r2, 2024-05-15, 30d
    R-03: Phishing Training      :crit, r3, 2024-06-01, 14d
    R-04: Update Firewall Rules  : r4, after r3, 7d
```