An Information Security Management System (ISMS), as defined by the ISO/IEC 27000 family of standards, is the formal system for guaranteeing the coherence of information security. It provides a systematic, risk-based approach to establish, implement, operate, monitor, review, maintain, and improve an organization's information security. This framework of policies, procedures, and controls ensures that security efforts are consistent, comprehensive, and aligned with the organization's strategic objectives, thus creating a coherent security posture.

B. A rootkit is a type of malicious software designed to enable unauthorized access to a computer system; it is a security threat, not a management system.

C. These are specific compliance requirements for a subset of information, not the overarching management system that ensures coherence for all information security within an organization.

D. ITSM focuses on the management and delivery of IT services to meet business needs, while an ISMS is specifically focused on managing and protecting information assets.

1. ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary.

Section 3.29: Defines an Information Security Management System (ISMS) as "part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security." This definition highlights its role as a comprehensive, coherent system.

2. Calder, A., & Watkins, S. (2019). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page.

Chapter 8, "What is an ISMS?": This chapter explains that an ISMS is a "systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process." This systematic nature ensures coherence.

3. University of Oslo (UiO), Center for Information Technology (USIT). (n.d.). Information Security Management System (ISMS) at UiO.

The documentation describes the ISMS as the "framework of policies, processes, tasks, and technologies that help protect UiO's information assets." This illustrates how a university implements an ISMS to ensure coherent security practices across the institution.

The information security risk management process consists of distinct phases. Risk analysis is the phase focused on identifying and understanding risks. Its objectives include identifying assets and their value, determining relevant threats and vulnerabilities, and analyzing the potential impact to provide a basis for decision-making. This analysis allows for a cost-benefit evaluation of potential security measures.

However, the implementation of countermeasures (also known as controls or safeguards) is not an objective of risk analysis. Instead, it belongs to the subsequent risk treatment phase, where decisions are made and actions are taken to modify the identified risks.

A. Identifying assets and their value is a fundamental starting point for risk analysis; you cannot protect what you don't know you have or what its value is.

C. A primary goal of risk analysis is to provide the quantitative or qualitative data needed to balance the cost of controls against the potential loss from an incident.

D. The identification of threats that could exploit vulnerabilities is a core activity within the risk analysis process to understand how harm could occur.

1. ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection — Guidance on managing information security risks.

Clause 8, "Information security risk assessment process," details the objectives of risk analysis, which include risk identification (Clause 8.2) and risk analysis (Clause 8.3). These clauses cover identifying assets, threats, vulnerabilities, and determining the level of risk.

Clause 9, "Information security risk treatment," is defined as a separate process that follows risk assessment. Clause 9.1 states, "The purpose of information security risk treatment is to select and implement controls to manage information security risks." This clearly separates the implementation of countermeasures from the analysis phase.

2. Humphreys, E. (2016). Information Security Management Systems: A Novel, High-Level Framework. In: Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.

In Chapter 5, "Risk Management," the author distinguishes between risk assessment (the process of identifying, analyzing, and evaluating risk) and risk treatment (the process of selecting and implementing measures to modify risk). This aligns with the separation of analysis from implementation.

3. Fenz, S., & Ekelhart, A. (2011). Formalizing Information Security Risk Management. In Availability, Reliability, and Security in Information Systems and HCI (pp. 35-49). Springer, Berlin, Heidelberg.

The authors present a formal model of the risk management process based on ISO 27005. On page 38, Figure 1 illustrates the workflow, showing that "Risk Treatment" (which includes control implementation) is a distinct step that occurs only after "Risk Analysis" and "Risk Evaluation" are completed. (DOI: https://doi.org/10.1007/978-3-642-23338-83)

The primary purpose of regularly testing and updating a disaster recovery plan (DRP) is to ensure its continued adequacy and effectiveness. Organizations are dynamic; their technologies, business processes, personnel, and risk landscapes evolve. A plan that is not tested and updated can quickly become obsolete. Regular testing validates that the planned procedures, technical measures, and assigned responsibilities will function as intended during an actual disruption. This process identifies gaps, outdated information, and flawed assumptions, allowing the organization to remediate them and ensure the plan remains a viable tool for recovery. This aligns directly with the information security continuity principles in ISO/IEC 27001.

B. A disaster recovery plan is designed for significant disruptive events, not for the "registration of daily occurring faults," which falls under routine operational incident management.

C. While verifying backup availability is a critical part of DRP testing, it is only one component. The overall goal is to ensure the entire plan's adequacy, not just a single technical control for one team.

1. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements.

Reference: Annex A, Control A.17.1.3, "Verify, review and evaluate information security continuity."

Quote/Paraphrase: This control explicitly states that information security continuity controls should be "verified regularly in order to ensure that they are up to date and effective." This directly supports the need to test to ensure measures are adequate (effective).

2. ISO/IEC 22301:2019, Security and resilience — Business continuity management systems — Requirements.

Reference: Section 8.5, "Programme of exercising and testing."

Quote/Paraphrase: The standard specifies that an organization shall establish and implement a programme of exercising and testing to "validate the effectiveness of its business continuity strategies and solutions" and "evaluate business continuity capabilities." This process of validation and evaluation is precisely to ensure the plan is adequate.

3. Herbane, B. (2010). The evolution of business continuity management: A historical review of practices and drivers. Disaster Prevention and Management, 19(1), 43-56.

Reference: Page 51.

DOI: https://doi.org/10.1108/09653561011022159

Quote/Paraphrase: The publication emphasizes that testing and exercising are crucial to "validate the plan's viability" and "identify weaknesses before a real disaster strikes." This validation process is fundamental to confirming that the planned measures are adequate.

An Information Security Management System (ISMS) is a systematic framework of policies, procedures, and controls for managing an organization's information security risks. As defined by standards like ISO/IEC 27001, an ISMS provides a holistic and coherent approach by integrating security into the organization's processes and overall management structure. It ensures that security efforts are consistently applied, managed, and aligned with business objectives, thereby creating a coherent security organization. This system is not just about technology but encompasses people, processes, and technology, managed through a continuous improvement cycle (Plan-Do-Check-Act).

A. Federal Information Security Management Act (FISMA) is a specific US federal law mandating security practices for federal agencies, not a general type of management system.

B. Information Technology Service Management System (ITSM) focuses on the delivery of IT services to users, not primarily on the organization-wide management of information security.

D. Information Exchange Data System (IEDS) is a term for a technical system used for data transfer, not a recognized management framework for organizational security.

1. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Section 0.1, "General," states that the adoption of an ISMS is a strategic decision to manage information security risks and that the standard specifies requirements to establish, implement, maintain, and continually improve this system.

2. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House. In Chapter 1, "What is an ISMS?", it is explained that an ISMS provides the "coherent set of policies, processes, and systems for managing risks to its information assets" (p. 3).

3. Von Solms, B., & Von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371-376. https://doi.org/10.1016/j.cose.2004.05.002. The paper advocates for a holistic ISMS to overcome fragmented and incoherent security approaches, treating information security as a management issue.

The statement is false. The ISO 27001 standard, specifically through its Annex A controls, mandates that an organization establish a formal disciplinary process for employees who commit information security breaches (Control A.7.3). However, the standard does not prescribe the specific steps or severity of this process. The actual response to an offense, such as internet abuse, is determined by the organization's own internal policies, local laws, and contractual agreements. An organization might choose to implement a strict policy with no warnings, but it is not a requirement of the standard. Therefore, it is incorrect to state that an employee will directly receive formal action without a warning, as this depends entirely on the specific organization's documented disciplinary procedure.

A. True: This is incorrect because ISO 27001 provides a framework, not a rigid set of rules for disciplinary action. The standard requires a process to be in place but allows organizations the flexibility to define the specific sanctions appropriate for their context and legal environment.

1. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements.

Annex A, Control A.7.3 Disciplinary process: The control objective states, "To ensure that employees and contractors are aware of their information security responsibilities." The control itself requires: "There shall be a formal disciplinary process for employees who have committed an information security breach." This clause mandates the existence of a process but does not specify its content or actions.

2. ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls.

Section 7.3 Disciplinary process (Implementation guidance): This section provides guidance on implementing control A.7.3. It states, "The formal disciplinary process should ensure correct and fair treatment for employees who are suspected of committing breaches." This emphasis on "fair treatment" implies that a graduated response (e.g., a warning for a first or minor offense) is a valid and often necessary part of the process, contradicting the absolute statement in the question.

3. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.

Chapter 10, Human Resource Security: This text explains that while the standard requires a formal disciplinary process, "the process itself will be determined by the organization’s HR policies and procedures, and will need to take account of employment law." This confirms that the specific actions taken are organization-dependent and not dictated by the ISO standard itself.

A technical security measure, also known as a logical control, is a safeguard implemented through hardware, software, or firmware. Encryption is a quintessential example of a technical control; it uses cryptographic algorithms executed by software or specialized hardware to transform data into an unreadable format, thereby protecting its confidentiality and integrity. The other options fall under administrative, procedural, or physical control categories, which are distinct from technical measures that operate directly on information systems and data.

B. Security policy: This is an administrative control that establishes management's intent, expectations, and direction for information security. It is a document, not a technology.

C. Safe storage of backups: This is primarily a physical and procedural control concerning the protection of backup media in a secure location (e.g., a fireproof safe or off-site facility).

D. User role profiles: This is an administrative control that defines the access permissions and responsibilities for different job functions. The profile itself is a policy construct.

1. ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Annex A, Clause 8 (Technological controls): This section lists controls implemented via technology. Control A.8.24 Use of cryptography directly corresponds to encryption.

Annex A, Clause 5 (Organizational controls): This section lists administrative controls. Control A.5.1 Policies for information security and A.5.15 Access control correspond to security policies and the definition of user roles, respectively.

Annex A, Clause 7 (Physical controls): This section lists physical controls. Control A.7.10 Storage media addresses the physical protection of media, which is central to the "safe storage of backups."

2. Peltier, T. R. (2013). Information Security Fundamentals (2nd ed.). CRC Press.

Chapter 4, "Security Management Concepts and Principles," pp. 55-57: This university-level textbook clearly distinguishes between three classes of security controls: administrative, technical (logical), and physical. It explicitly categorizes encryption as a technical control and policies/procedures as administrative controls.

3. Stallings, W., & Brown, L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson.

Chapter 1, "Overview," Section 1.4, "Computer Security Challenges": This text, widely used in university computer science curricula, classifies security controls. It places cryptography and access control mechanisms (the software part) under technical controls, while policies, procedures, and personnel management are classified as administrative or management controls.

The statement is true. The ISO/IEC 27001:2013 standard explicitly requires a controlled approach to change management to maintain information security. Control A.12.1.2 (Change Management) mandates that "Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled." This involves using formal procedures to ensure that all changes are reviewed, authorized, tested, and documented before implementation. The goal is to minimize the risk of introducing security vulnerabilities, causing operational disruptions, or compromising the integrity of information processing facilities. This principle is a fundamental component of a robust Information Security Management System (ISMS).

B. False: This is incorrect. Uncontrolled changes are a primary source of security incidents and system instability, directly contradicting the risk management objectives of the ISO 27001 standard.

1. International Organization for Standardization (ISO). (2013). ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. Geneva, Switzerland: ISO/IEC.

Reference: Annex A, Control A.12.1.2, states the control objective is "To ensure that changes to information processing facilities and systems are controlled."

Reference: Annex A, Control A.14.2.2, "System change control procedures," further reinforces this by requiring that "Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures."

2. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.

Reference: Chapter 12, Section "A.12.1.2 Change management," discusses the necessity of formal change control processes for all changes to production environments, including facilities, systems, and applications, to prevent adverse impacts on security. (Note: This book is widely used as courseware in university programs on information security management).

3. von Solms, R., & von Solms, B. (2018). Cybersecurity and information security – what’s the difference? The VIRTE-Journal, 1, 1-16.

Reference: This academic journal article, in its discussion of implementing comprehensive information security frameworks like ISO 27001, emphasizes that operational controls such as change management are critical for maintaining the security posture established by the ISMS (p. 11).

The Plan-Do-Check-Act (PDCA) cycle is a model for continual improvement. The 'Do' phase is specifically concerned with the implementation and operation of the plan. This includes executing the information security policy, controls, processes, and procedures that were established during the 'Plan' phase. Implementing the plan, whether on a full-scale or a test basis (pilot), is the primary activity of the 'Do' stage. It is the practical application of the designed information security management system (ISMS).

A. Plan: This phase involves risk assessment and the creation of the ISMS plan and objectives; it precedes implementation.

C. Act: This phase focuses on taking corrective and preventive actions based on the results of the 'Check' phase to continually improve the ISMS.

D. Check: This phase involves monitoring, measuring, and reviewing the performance and effectiveness of the implemented plan against the established objectives.

1. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements.

Section 0.2, "Plan-Do-Check-Act model": This section maps the clauses of the standard to the PDCA cycle. Clause 8, "Operation," is aligned with the 'Do' phase.

Clause 8.1, "Operational planning and control": This clause explicitly states, "The organization shall plan, implement and control the processes needed to meet information security requirements..." This confirms that implementation is the core of the 'Do' phase.

2. Calder, A., & Watkins, S. G. (2015). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (6th ed.). Kogan Page Publishers.

Chapter 9, "The PDCA cycle," p. 108: The text describes the 'Do' phase as where "you implement your ISMS plan." It includes implementing controls, processes, and policies defined in the planning stage.

3. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.

Chapter 4, "The PDCA Process," Section 4.3, "Do": This section details that the 'Do' phase involves the implementation of the risk treatment plan and the controls selected during the 'Plan' phase. It is the execution stage of the ISMS project.

The primary purpose of Information Security, as defined by frameworks like ISO/IEC 27001, is to protect information assets by preserving their confidentiality, integrity, and availability (CIA). This is achieved through a systematic risk management process. Consequently, information security directly supports ensuring business continuity, minimizing business risks, and maximizing the return on security investments by preventing costly incidents. However, the direct function of information security is protective and preservative; it is not intended to actively generate or increase business assets. While a strong security posture can enhance reputation and indirectly contribute to business growth, its core purpose is safeguarding existing value, not creating new assets.

A. Information security ensures the availability and integrity of critical information and systems, which is a fundamental prerequisite for effective business continuity management.

B. The entire ISO 27001 standard is centered on a risk management framework to identify, assess, and treat information security risks, thereby minimizing overall business risk.

D. By preventing financial and operational losses from security breaches, information security expenditures are justified as a means to protect revenue and maximize return on investment.

1. ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Section 0.1, "General," states, "This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system... The adoption of an ISMS is a strategic decision for an organization. The ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process..." This directly supports the purpose of minimizing risk.

2. ISO/IEC 27001:2022, Annex A, Control 5.30, "ICT readiness for business continuity." The objective of this control is "to ensure the availability of the organization’s information and other associated assets during disruption." This explicitly links information security to the purpose of ensuring business continuity.

3. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House. In Chapter 2, "The Business Case," the text discusses how information security is justified through business benefits, including "reducing the costs associated with information security incidents" and "improving the return on investment," which aligns with maximizing ROI and minimizing risk.

4. Brotby, K. (2009). Information Security Governance: A Practical Development and Implementation Guide. Wiley. Chapter 1, "The Business of Information Security," explains that security's role is to enable the business by managing risk to an acceptable level, which allows the business to operate effectively and achieve its objectives, rather than being a function that generates assets.

The question describes the security service of non-repudiation, which is the ability to prove that a specific action or event has taken place, preventing the originator from denying it. While non-repudiation is not an option, it is fundamentally dependent on the property of integrity. Integrity is the property of maintaining the accuracy and completeness of data. To prove an event occurred (non-repudiation), the evidence for that event (e.g., system logs, transaction records, digital signatures) must be reliable and unaltered. If the integrity of the evidence is compromised, it cannot be used as proof. Therefore, integrity is the foundational property that enables the proof of a claimed event.

A. Electronic chain letters: This is a type of unsolicited message or social engineering tactic, not a fundamental security property of information.

C. Availability: This property ensures that information is accessible and usable upon demand by an authorized entity; it does not relate to proving past events.

D. Accessibility: This is a characteristic related to availability, focusing on the ease of use and access, not a core security principle for proving events.

1. ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary.

Section 3.36 defines non-repudiation as the "ability to prove the occurrence of a claimed event or action and its originating entities," which directly matches the question's phrasing.

Section 3.28 defines integrity as the "property of accuracy and completeness." The standard implicitly links these, as the proof required for non-repudiation depends on the integrity of the underlying data.

2. Al-Hassan, A., & Al-Said, N. (2019). A Review of Information Security Goals. International Journal of Computer Science and Network Security, 19(1), 131-136.

Page 133, Section 2.5: This academic review states, "Non-repudiation is a service that is used to provide proof of the integrity and origin of data. Both the sender and receiver of a message can get a proof that the message was actually sent and received." This source explicitly connects the service of non-repudiation with the foundational requirement of integrity.

3. Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in Computing (5th ed.). Pearson Education.

Chapter 1, Section 1.2.2, "Integrity": The text explains that integrity includes the correctness of data and its origin. It discusses how mechanisms that ensure integrity are also used to provide authenticity and accountability, which are prerequisites for non-repudiation. This establishes integrity as the necessary foundation.