What did Henry identify in this case?
Scenario 1
The risk assessment process was led by Henry, Bontton’s risk manager. The first step that Henry took was identifying the company’s assets. Afterward, Henry created various potential incident scenarios. One of the main concerns regarding the use of the application was the possibility of being targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks during that time. After analyzing the identified risks, Henry evaluated them and concluded that new controls must be implemented if the company wants to use the application. Among others, he stated that training should be provided to personnel regarding the use of the application and that awareness sessions should be conducted regarding the importance of protecting customers’ personal data. Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks.
Henry concluded that one of the main concerns regarding the use of the application for online ordering was cyberattacks.
What did Henry identify in this case? Refer to scenario 1.
A. A threat
B. The vulnerabilities of an asset
C. The consequences of a potential security incident
Answer: A
Explanation:
In this scenario, Henry identifies "cyberattacks" as one of the main concerns related to the use of the application for online ordering. According to ISO/IEC 27005, a "threat" is any potential cause of an unwanted incident that may result in harm to a system or organization. In this context, cyberattacks are considered a threat because they represent a potential cause that could compromise the security of the application. Henry’s identification of cyberattacks as a primary concern aligns with recognizing a specific threat that could exploit vulnerabilities within the system.
Reference: ISO/IEC 27005:2018, Clause 8.3, "Threat identification," which provides guidance on identifying threats that could affect the organization’s information assets.
ISO/IEC 27001:2013, Clause 6.1.2, "Information Security Risk Assessment," where identifying threats is part of the risk assessment process.
These answers are verified against the standards' definitions and guidelines, providing a comprehensive understanding of how ISO/IEC 27005 is used within the context of ISO/IEC 27001.