EXIN ISMP Exam Questions

Questions for the ISMP were updated on: Nov 21, 2025

Page 1 out of 2. Viewing questions 1-15 out of 30

Question 1

What is the best way to start setting the information security controls?

  • A. Implement the security measures as prescribed by a risk analysis tool
  • B. Resort back to the default factory standards
  • C. Use a standard security baseline
Answer: C

Question 2

Security monitoring is an important control measure to make sure that the required security level is
maintained. In order to realize 24/7 availability of the service, this service is outsourced to a partner
in the cloud.
What should be an important control in the contract?

  • A. The network communication channel is secured by using encryption.
  • B. The third party is certified against ISO/IEC 27001.
  • C. The third party is certified for adhering to privacy protection controls.
  • D. Your IT auditor has the right to audit the external party's service management processes.
Answer: D

Question 3

What needs to be decided prior to considering the treatment of risks?

  • A. Criteria for determining whether or not the risk can be accepted
  • B. How to apply appropriate controls to reduce the risks
  • C. Mitigation plans
  • D. The development of own guidelines
Answer: A

Question 4

The information security manager is writing the Information Security Management System (ISMS)
documentation. The controls that are to be implemented must be described in one of the phases of
the Plan-Do-Check-Act (PDCA) cycle of the ISMS.
In which phase should these controls be described?

  • A. Plan
  • B. Do
  • C. Check
  • D. Act
Answer: A

Question 5

The ambition of the security manager is to certify the organization against ISO/IEC 27001.
What is an activity in the certification program?

  • A. Formulate the security requirements in the outsourcing contracts
  • B. Implement the security baselines in Secure Systems Development Life Cycle (SecSDLC)
  • C. Perform a risk assessment of the secure internet connectivity architecture of the datacenter
  • D. Produce a Statement of Applicability based on risk assessments
Answer: D

Question 6

The Board of Directors of an organization is accountable for obtaining adequate assurance.
Who should be responsible for coordinating the information security awareness campaigns?

  • A. The Board of Directors
  • B. The operational manager
  • C. The security manager
  • D. The user
Answer: C

Question 7

A protocol to investigate fraud by employees is being designed.
Which measure can be part of this protocol?

  • A. Seize and investigate the private laptop of the employee
  • B. Investigate the contents of the workstation of the employee
  • C. Investigate the private mailbox of the employee
  • D. Put a phone tap on the employee's business phone
Answer: B

Question 8

What is a risk treatment strategy?

  • A. Mobile updates
  • B. Risk acceptance
  • C. Risk exclusion
  • D. Software installation
Answer: B

Question 9

An experienced security manager is well aware of the risks related to communication over the
internet. She also knows that Public Key Infrastructure (PKI) can be used to keep e-mails between
employees confidential.
Which is the main risk of PKI?

  • A. The Certificate Authority (CA) is hacked.
  • B. The certificate is invalid because it is on a Certificate Revocation List.
  • C. The users lose their public keys.
  • D. The HR department wants to be a Registration Authority (RA).
Answer: A

Question 10

A security manager for a large company is tasked with achieving physical protection for corporate
data stores.
Through which control can physical protection be achieved?

  • A. Having visitors sign in and out of the corporate datacenter
  • B. Using a firewall to prevent access to the network infrastructure
  • C. Using access control lists to prevent logical access to organizational infrastructure
  • D. Using key access controls for employees needing access
Answer: D

Question 11

An information security officer is asked to write a retention policy for a financial system. She is aware
of the fact that some data must be kept for a long time and other data must be deleted.
Where should she look for guidelines first?

  • A. In company policies
  • B. In finance management procedures
  • C. In legislation
Answer: C

Question 12

The handling of security incidents is done by the incident management process under guidelines of
information security management. These guidelines call for several types of mitigation plans.
Which mitigation plan covers short-term recovery after a security incident has occurred?

  • A. The Business Continuity Plan (BCP)
  • B. The disaster recovery plan
  • C. The incident response plan
  • D. The risk treatment plan
Answer: C

Question 13

Who should be asked to check compliance with the information security policy throughout the
company?

  • A. Internal audit department
  • B. External forensics investigators
  • C. The same company that checks the yearly financial statement
Answer: B

Question 14

The security manager of a global company has decided that a risk assessment needs to be completed
across the company.
What is the primary objective of the risk assessment?

  • A. Identify, quantify and prioritize each of the business-critical assets residing on the corporate infrastructure
  • B. Identify, quantify and prioritize risks against criteria for risk acceptance
  • C. Identify, quantify and prioritize the scope of this risk assessment
  • D. Identify, quantify and prioritize which controls are going to be used to mitigate risk
Answer: B

Question 15

Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are key terms in business
continuity management (BCM). Reducing loss of data is one of the focus areas of a BCM policy.
What requirement is in the data recovery policy to realize minimal data loss?

  • A. Maximize RPO
  • B. Reduce RPO
  • C. Reduce RTO
  • D. Reduce the time between RTO and RPO
Answer: B