01. In physical security, multiple protection rings can be applied in which different measures can be taken. What is not a protection ring?
a) Building ring
b) Middle ring
c) Secure room ring
d) Outer ring
02. Who is responsible for the translation of the business strategy and objectives to security strategy and objectives?
a) Chief information security officer (CISO)
b) General management
c) Information security officer (ISO)
d) Information security policy officer
03. Sara has been tasked with ensuring that the organization complies with personal data legislation. What is the first thing she should do?
a) Appoint a person responsible for supporting managers in adhering to the policy
b) Issue a ban on collecting and storing personal information
c) Make employees responsible for submitting their personal data
d) Translate the personal data protection legislation into a privacy policy
04. An organization must understand the risks it is facing before it can take appropriate measures. What should be understood to determine risk?
a) The likelihood of something happening and its consequences to the organization
b) The most common dangers and how to mitigate these as defined in best practices
c) The threats an organization faces and how vulnerable the organization is to them
d) The unplanned events an organization faces and what to do in case of such an event
05. How is the purpose of an information security policy best described?
a) An information security policy documents the analysis of risks and the search for appropriate controls.
b) An information security policy gives direction and support to the organization regarding information security.
c) An information security policy makes the security plan concrete by providing it with the necessary details.
d) An information security policy provides insight into threats and the possible consequences.
06. What is the difference between data and information?
a) Data can be any facts or figures. Information is data that has meaning.
b) Data consists of unstructured figures. Information consists of structured figures.
c) Data does not require security. Information requires security.
d) Data has no value. Information, which is processed data, has value.
07. A database system does not have the latest security patches applied to it and was hacked. The hackers were able to access the data and delete it. What information security concept describes the lack of security patches?
a) Impact
b) Risk
c) Threat
d) Vulnerability
08. Besides integrity and confidentiality, what is the third reliability aspect of information?
a) Accuracy
b) Availability
c) Completeness
d) Value
09. What is the focus of information management?
a) Allowing business activities and processes to continue without interruption
b) Preventing unauthorized persons from having access to automated systems
c) Ensuring that the value of information is identified and exploited
d) Understanding how information flows through an organization
10. When an employee detects an incident, to whom should it typically be reported first?
a) The help desk
b) The information security manager (ISM)
c) The information security officer (ISO)
d) The manager
The purpose of this Sample Question Set is to provide you with information about the EXIN Information Security Foundation based on ISO IEC 27001 (ISFS) exam. These sample questions will make you very familiar with both the type and the difficulty level of the questions on the ISFS certification test. To get familiar with real exam environment, we suggest you try our Sample EXIN ISFS Certification Practice Exam. This sample practice exam gives you the feeling of reality and is a clue to the questions asked in the actual EXIN Information Security Foundation based on ISO IEC 27001 certification exam.