Free GAQM ISO-27005-LRM Exam Questions

Question 1

A software development company is implementing a new project management system, introducing new information security risks. The risk manager is tasked with documenting these risks. What should be included in the risk documentation to effectively support risk management decision-making?

A : Comprehensive information on each identified risk, including its nature, potential impact, likelihood, and proposed mitigation strategies.

B : A list of all software developers and their qualifications.

C : Detailed descriptions of the new project management system’s features.

D : General industry trends in software development without specific reference to the company’s risks.

Answer: A

Question 2

A software development company is implementing a new project management system, introducing new information security risks. The risk manager is tasked with documenting these risks. What should be included in the risk documentation to effectively support risk management decision-making?

A : Comprehensive information on each identified risk, including its nature, potential impact, likelihood, and proposed mitigation strategies.

B : A list of all software developers and their qualifications.

C : Detailed descriptions of the new project management system’s features.

D : General industry trends in software development without specific reference to the company’s risks.

Answer: A

Question 3

A university is upgrading its learning management system (LMS), which contains student information and academic records. Who should be designated as the risk owner for the LMS upgrade project, and what would be their primary task?

A : The registrar, responsible for maintaining academic records.

B : The data protection officer (DPO), responsible for student data privacy.

C : The IT director, responsible for the technical aspects of the upgrade.

D : The Chief Information Officer (CIO), responsible for the overall IT strategy.

Answer: D

Question 4

An educational institution is adopting the NIST RMF for its student information system. They are in the process of authorizing the system for operation. What is the significance of this authorization step in the NIST RMF, and what should it involve for the student information system?

A : Authorization is a one-time process of approving the budget for implementing security controls.

B : The authorization step is a formal declaration by a senior official accepting the risk of operating the system based on the assessment of the security controls and the overall risk to the institution.

C : The step involves authorizing users to access the system based on their roles.

D : Authorization is solely focused on ensuring legal compliance with data protection laws.

Answer: B

Question 5

A software development firm adopts risk management practices to identify and address security vulnerabilities in its products. What is a primary advantage of this approach as per ISO 27005?

A : It ensures the firm will never face any software vulnerabilities in the future.

B : It completely removes the need for testing and quality assurance processes.

C : It allows the firm to avoid responsibility for any security issues that may arise in its products.

D : It facilitates early identification and remediation of vulnerabilities, improving product quality and customer satisfaction.

Answer: D