Is this a good practice?

Scenario 1

The risk assessment process was led by Henry, Bontton’s risk manager. The first step that Henry took was identifying the company’s assets. Afterward, Henry created various potential incident scenarios. One of the main concerns regarding the use of the application was the possibility of being targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks during that time. After analyzing the identified risks, Henry evaluated them and concluded that new controls must be implemented if the company wants to use the application. Among others, he stated that training should be provided to personnel regarding the use of the application and that awareness sessions should be conducted regarding the importance of protecting customers’ personal data. Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks. Based on the scenario above, answer the following question:

Bontton established a risk management process based on ISO/IEC 27005, to systematically manage information security threats.

Is this a good practice?
A . Yes, ISO/IEC 27005 provides guidelines for information security risk management that enable organizations to systematically manage information security threats
B . Yes, ISO/IEC 27005 provides guidelines to systematically manage all types of threats that organizations may face
C . No, ISO/IEC 27005 cannot be used to manage information security threats in the food sector

View Answer

Answer: A

Explanation:

ISO/IEC 27005 is the standard that provides guidelines for information security risk management, which supports the requirements of an Information Security Management System (ISMS) as specified in ISO/IEC 2700 1. In the scenario provided, Bontton established a risk management process to identify, analyze, evaluate, and treat information security risks, which is in alignment with the guidelines set out in ISO/IEC 27005. The standard emphasizes a systematic approach to identifying assets, identifying threats and vulnerabilities, assessing risks, and implementing appropriate risk treatment measures, such as training and awareness sessions. Thus, option A is correct, as it accurately reflects the purpose and application of ISO/IEC 27005 in managing information security threats. Option B is incorrect because ISO/IEC 27005 specifically addresses information security threats, not all types of threats, and option C is incorrect because ISO/IEC 27005 is applicable to any sector, including the food industry, as long as it concerns information security risks.