A. A document presenting results to be achieved in information security

B. Intentions and direction of an organization about information security, as formally expressed by its top management

C. A high level document that affects the whole organization and defines security roles and responsibilities

D. A set of information security procedures that work together to address risks

1

2

3

4

A. Identification, Evaluation, Analysis, Treatment

B. Identification, Analysis, Evaluation

C. Identification, Response, Evaluation

D. Identification, Analysis, Evaluation, Treatment

A. To provide assurance of the outcome of the organization’s risk management

B. To obtain new information security knowledge

C. To address risk owners’ security concerns

D. To ensure that residual risks are explicitly accepted by top management

A. A consequence extent of damage to the organization’s objectives resulting from a risk while an impact is an adverse change to the level of business objectives achieved. Both are mainly negative

B. A consequence is the outcome of an event affecting objectives while an impact is an adverse change to the level of business objectives achieved. Both are usually negative

C. A consequence is an adverse change to the level of business objectives achieved and is mainly negative while an impact is the outcome of an event affecting objectives and can be as positive as negative

D. A consequence is the extent of damage to the organization’s objectives resulting from a risk while an impact is an adverse change to the level of business objectives achieved. Both can be positive or negative

A. Email policy

B. Network topology

C. Network access policy

D. Information transfer agreement

A. Always

B. When the related area contains either sensitive or critical information and information processing facilities

C. When the related area contains sensitive information and information processing facilities

D. When the related area contains critical information and information processing facilities