ISO 27001 (ISMS) Interview Questions & Answers

ISO/IEC 27001 is a widely adopted international standard for managing information security: it specifies the requirements for an Information Security Management System (ISMS) and is the standard organizations are audited and certified against. This post lists interview questions that may be asked of candidates for roles where ISO 27001 knowledge is a requirement.

Q. What is ISO/IEC 27001?

Ans: ISO/IEC 27001 is an international standard, published jointly by ISO and the International Electrotechnical Commission (IEC), that specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). It applies to organizations of any size or sector. The main body (clauses 4 to 10) contains the mandatory management-system requirements an organization is audited against for certification; Annex A lists reference security controls, drawn from industry practice, that the organization selects from to treat the risks it has identified.

Q. What is the full name of ISO 27001?

Ans: The 2013 edition is titled "ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements". The current edition, published in 2022, is titled "ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements".

Q. What are the contents of ISO 27001?

Ans: The standard has two parts. Clauses 4 to 10 of the main body state the mandatory ISMS requirements: context of the organization, leadership, planning (including risk assessment and risk treatment), support, operation, performance evaluation and improvement. Annex A lists the reference controls used to treat the identified risks. In the 2013 edition these are 114 controls grouped into 14 domains (for example information security policies, human resource security, access control, physical and environmental security, and compliance); in the 2022 edition they are 93 controls grouped into four themes (organizational, people, physical and technological). Implementation guidance for each Annex A control is in ISO/IEC 27002.

Q. Which standards give guidance on risk management?

Ans: Two standards are relevant: ISO/IEC 27005 (Information technology — Security techniques — Information security risk management), which gives guidance specific to the information security risk assessment and risk treatment required by ISO/IEC 27001, and ISO 31000 (Risk management — Principles and guidelines), the generic enterprise-level risk management standard with which 27005 is aligned. Note that ISO/IEC 27001 itself does not mandate a particular risk assessment method; it requires that the chosen method produce consistent, valid and comparable results when repeated.

Q. What is an Information Security Management System (ISMS)?

Ans: An ISMS is the set of management components an organization uses to protect its information assets against any attack or failure that compromises confidentiality, integrity or availability (the CIA triad). It consists of the following items:

  • Policies
  • Procedures
  • Guidelines
  • Associated Resources and Activities

Q. What are the objectives of implementing ISO 27001?

Ans: Below are the main objectives of implementing ISO 27001:

  • assurance that information assets are protected against threats
  • a systematic framework for identifying, assessing and treating risks
  • improved and continually reviewed controls in the organization's environment
  • demonstrable legal, regulatory and contractual compliance

Q. What are the differences between ISO 27001 and GDPR?

Ans:

  • Area covered: ISO 27001 covers the confidentiality, integrity and availability of information; GDPR covers privacy, mainly the processing of personal data.
  • Objective: ISO 27001 helps secure all information assets (not limited to personal data); GDPR protects the personal data of individuals in the EU/EEA.
  • Requirement type: ISO 27001 is a voluntary standard (certification is optional unless a customer or regulator demands it); GDPR is law, an EU regulation directly applicable in member states.
  • Fines: ISO 27001 has no provision for monetary penalties; the consequence of non-compliance is failing the audit and losing or being denied certification. Under GDPR, supervisory authorities can impose administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.

Q. Explain the ISMS family of standards.

Ans: The ISO/IEC 27000 family is organized by the type of standard:

Vocabulary standard
  • 27000 - Information technology — Security techniques — Information security management systems — Overview and vocabulary

Requirements standards (the ones an organization or a certification body can be audited against)
  • 27001 - Information technology — Security techniques — Information security management systems — Requirements
  • 27006 - Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
  • 27009 - Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements

Guidelines standards
  • 27002 - Information security, cybersecurity and privacy protection — Information security controls
  • 27003 - Information technology — Security techniques — Information security management systems — Guidance
  • 27004 - Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
  • 27005 - Information technology — Security techniques — Information security risk management
  • 27007 - Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing
  • 27008 - Information technology — Security techniques — Guidelines for the assessment of information security controls
  • 27013 - Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
  • 27014 - Information security, cybersecurity and privacy protection — Governance of information security
  • 27016 - Information technology — Security techniques — Information security management — Organizational economics
  • 27021 - Information technology — Security techniques — Competence requirements for information security management systems professionals

Sector-specific guidelines standards
  • 27010 - Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
  • 27011 - Information technology — Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations
  • 27017 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  • 27018 - Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • 27019 - Information technology — Security techniques — Information security controls for the energy utility industry
