ISO/IEC 27002 - International Standards Organization and International Electrotechnical Committee


What is information security?

Information is a prominent resource and, more importantly, an enterprise asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably and adequately protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected. Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes.

Why is information security needed?

Information and the supporting processes, systems, and networks are important business assets. Defining, achieving, maintaining, and improving information security may be essential to maintain competitive edge, cash flow, profitability, legal compliance, and commercial image. Organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Causes of damage such as malicious code, computer hacking, and denial of service attacks have become more common, more ambitious, and increasingly sophisticated.

Information security is important to both public and private sector businesses, and to protect critical infrastructures. In both sectors, information security will function as an enabler, e.g. to achieve e-government or e-business, and to avoid or reduce relevant risks. The interconnection of public and private networks and the sharing of information resources increase the difficulty of achieving access control. The trend to distributed computing has also weakened the effectiveness of central, specialist control.

Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. Information security management requires, as a minimum, participation by all employees in the organization. It may also require participation from shareholders, suppliers, third parties, customers or other external parties. Specialist advice from outside organizations may also be needed.


Exam content

  1. Knowledge about the concept, importance and the reliability of information.
  2. The types of risks, threats and damages, and the available risk strategies and the security measures you can take.
  3. Insight into the security policy and organization, including the code of conduct, ownership, and roles and responsibilities.
  4. How to manage security incidents.
  5. Various security measures.
  6. Physical measures such as identity passes and finger scans.
  7. Technical measures such as cryptography, and how to deal with attacks such as phishing, spam and malware.
  8. Organizational measures to take such as access management and Business Continuity Management.
  9. Awareness of the most important legislation and regulations around the world.

Exam Details

Number of multiple-choice questions: 40
Pass mark: 65% (26 out of 40)
Open book: not allowed

Invigilator / proctor: yes