1. Threats exploit vulnerabilities to damage or destroy assets

1. Controls protect assets by reducing threats

1. Risk is a function of vulnerabilities that harm assets

1. Integrity and availability

1. Confidentiality and integrity

1. Confidentiality and availability

1. ISMS scope should be available as documented information

1. ISMS scope should ensure continual improvement

1. ISMS scope should be compatible with the strategic orientation of the organization

Content and format

Dates and signatures

Alignment with policies

1. Yes, any risk assessment methodology that provides accurate and reliable results is acceptable

1. Yes, only if the risk assessment methodology is aligned with recognized risk assessment methodologies

1. No, when implementing an ISMS, the risk assessment methodology provided by

   ISO/IEC 27001 should be used

1. The organization regularly provides security awareness and training sessions for its employees

1. The organization always reviews the security policy after the integration of a new division to the organization

1. The organization conducts regular user access reviews to verify that only authorized employees have access to confidential information

Independence

Confidentiality

Fair presentation