What should the correct answers be?

DRAG DROP

You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company’s risk management process.

He is attempting to update the current documentation to make it easier for other managers to understand; however, it is clear from your discussion that he is confusing several key risk terms.

You ask him to match each of the descriptions with the appropriate risk term.


Answer:

Explanation:

Each description matches the following risk term:

The strategy chosen to respond to a specific information security risk: information security risk treatment. According to ISO/IEC 27000:2022, information security risk treatment is "the process of selecting and implementing measures to modify the information security risk" (Section 3.33). Note that treatment is the selection of the response (for example modifying, retaining, avoiding or sharing the risk), not the risk itself.

The effect of uncertainty on information security objectives: information security risk. According to ISO/IEC 27000:2022, information security risk is "the effect of uncertainty on information security objectives" (Section 3.32).

The requirements against which information security risks are evaluated: information security risk criteria. According to ISO/IEC 27000:2022, information security risk criteria are "the terms of reference by which the significance of information security risks is assessed" (Section 3.31).

A definition of the overall level of information security risk that is considered to be tolerable: information security risk acceptance criteria. According to ISO/IEC 27000:2022, information security risk acceptance criteria are "the level of information security risk that is acceptable" (Section 3.30). Risk acceptance criteria are therefore a specific subset of risk criteria: the former set the threshold below which a risk may be retained without further treatment, while the latter govern how the significance of any risk is judged.
