
Pre-Course Questionnaire

ISMS Auditor / Lead Auditor Training Course

Pre-Course Questionnaire (Exercise 1)


The purpose of this questionnaire is to enable participants to understand and
appreciate ISMS concepts and ISO/IEC 27001:2005.
You are expected to go through the attached ISMS Pre-course Supplementary
Material, ISO/IEC 27001 (your own copy) and ISO/IEC 27002 (your own copy), or any
other supplementary material available to you, and write your
responses to these questions on paper. Your responses will be discussed and
collected during the Lead Auditor Program.

Note:
1. Participants are required to bring the completed Exercise 1 to the start of
the course. This is mandatory to ensure fulfilment of the course objectives.
2. It is expected that you have your own copy of ISO/IEC 27001:2005.
However, one copy of ISO/IEC 27001 will also be provided for use during
the course.

--------------------------------------------------------------------------------------------------
Name:

ISMS LA course date:


Course Venue:
------------------------------------------------------------------------------------------------
1. What is an ISMS, and which types of organizations require an ISMS? Justify
your response.
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________

Version 5.0

Page 1 of 7

2011 STQC Directorate, DeitY, Govt. of India


This questionnaire is the property of STQC and cannot be copied without the written permission of STQC


2. Identify two information assets in each of these scenarios:

   1. where Availability is more important than Integrity and Confidentiality;
   2. where Integrity is more important than Availability and Confidentiality; and
   3. where Confidentiality is more important than Availability and Integrity.
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_______________________________________________________
3. What is the purpose of ISO/IEC 27001:2005, and how is it related to
ISO/IEC 27002:2005 (earlier ISO/IEC 17799)?


_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
4. What is P-D-C-A? How has this concept been applied in establishing
and managing an ISMS in ISO 27001?


_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________


5. What is the difference between control objectives and controls as
defined in Annex A of ISO 27001?


_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

6. Risk assessment and the selection of suitable security controls are
inter-related. Do you agree? Elaborate.


_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
7. Write examples of 2 vulnerabilities, 2 threats and the associated
security safeguards required to reduce the risks in a general office
environment.
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
__________________________________________________
8. Why are ISMS audits required to be carried out?


_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________


9. What is a Statement of Applicability (SoA)? Why is it required?


_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

_______________________________________________________
10. What is the aim of non-disclosure/confidentiality agreements? Who,
in your view, should sign an NDA within the organisation?
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

11. What is an Acceptable Use Policy? Why is it required?


_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

12. As part of Access Control Policy design, which is the better approach:
permit all unless restricted, or restrict all unless permitted?
Elaborate.
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

13. What is the purpose of segregation of duties? Give one example of
segregation of duties.
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

_______________________________________________________
_______________________________________________________
_______________________________________________________
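For Questions 12 and 13, the following Python example (added here; it is not part of the STQC questionnaire or its course material) contrasts a default-deny ("restrict all unless permitted") authorization check with a default-allow one over a constructed role table, and enforces a segregation-of-duties rule: no single person may hold both payment/create and payment/approve, and the creator of a payment may never be its approver. The role names, permissions, blocklist and payment record are constructed sample data, not taken from any standard or organisation.

```python
"""Added example: default-deny authorization plus a segregation-of-duties
check. Not from the STQC questionnaire; all policy data below is constructed."""

# Constructed sample policy: role -> set of explicitly permitted (resource, action) pairs.
ROLE_PERMISSIONS = {
    "clerk":   {("payment", "create")},
    "manager": {("payment", "approve"), ("report", "read")},
    "auditor": {("report", "read"), ("log", "read")},
}

# Permission pairs that must never be held by one individual (segregation of duties).
SOD_CONFLICTS = [
    (("payment", "create"), ("payment", "approve")),
]


def permissions_of(roles):
    """Union of the permissions granted by a set of roles (unknown roles grant nothing)."""
    held = set()
    for role in roles:
        held |= ROLE_PERMISSIONS.get(role, set())
    return held


def is_permitted_default_deny(roles, resource, action):
    """'Restrict all unless permitted': access requires an explicit grant.
    A resource or action nobody anticipated is denied automatically."""
    return (resource, action) in permissions_of(roles)


def is_permitted_default_allow(roles, resource, action, blocklist):
    """'Permit all unless restricted': only explicitly blocked pairs are refused.
    Anything the blocklist author did not foresee (a new resource, a new action)
    slips through, which is why this model is the weaker default."""
    return (resource, action) not in blocklist


def sod_violations(roles):
    """Conflicting permission pairs a user would hold through the given roles."""
    held = permissions_of(roles)
    return [pair for pair in SOD_CONFLICTS if pair[0] in held and pair[1] in held]


def assign_roles(user, roles):
    """Provisioning check: refuse a role set that would breach segregation of duties."""
    violations = sod_violations(roles)
    if violations:
        return f"rejected: {user} would hold conflicting permissions {violations}"
    return f"ok: {user} assigned {sorted(roles)}"


def approve_payment(payment, approver, approver_roles):
    """Two-person rule at the point of use: the approver needs an explicit
    payment/approve grant and must not be the person who created the payment."""
    if not is_permitted_default_deny(approver_roles, "payment", "approve"):
        return "denied: approver lacks payment/approve"
    if payment["created_by"] == approver:
        return "denied: creator may not approve own payment"
    return "approved"


if __name__ == "__main__":
    # Constructed sample payment record.
    payment = {"id": "PAY-001", "amount": 1200, "created_by": "alice"}
    print(is_permitted_default_deny({"clerk"}, "payment", "approve"))         # False
    print(is_permitted_default_allow({"clerk"}, "database", "drop", set()))   # True
    print(assign_roles("alice", {"clerk", "manager"}))                        # rejected
    print(approve_payment(payment, "alice", {"manager"}))                     # denied: own payment
    print(approve_payment(payment, "bob", {"manager"}))                       # approved
```

The default-allow check is shown only to make the failure mode concrete: a clerk asking for `database/drop` passes because nobody thought to block it, whereas the default-deny check refuses it for the same reason it refuses everything not on the grant list. The segregation-of-duties rule is applied twice, once when roles are provisioned and again when the approval actually happens, because a conflict can also arise from a single user account acting in two capacities.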
14. Write 5 examples of security incidents encountered by you or known
to you.
_______________________________________________________
_______________________________________________________
_______________________________________________________

_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

15. Why is Business Continuity Management essential for the successful
implementation of an ISMS?
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________