Preparation Guide

Information Security
Foundation based on
ISO/IEC 27002
Edition March 2014

Copyright 2014 EXIN

All rights reserved. No part of this publication may be published, reproduced, copied
or stored in a data processing system or circulated in any form by print, photo print,
microfilm or any other means without written permission by EXIN.

Preparation Guide Information Security Foundation based on ISO/IEC 27002

(ISFS.EN)

Content
1.
2.
3.
4.

Overview
Exam requirements
List of basic concepts
Literature

4
7
11
14

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

33

1. Overview
EXIN Information Security Foundation based on ISO/IEC 27002 (ISFS.EN)
Summary
Preparation Guides are designed to help training providers develop courses and
course material that meet with EXIN requirements.
The main objective of the Preparation Guide is to identify the exam subjects, the
exam requirements and specifications, and the target group to support the
development of new, high quality courses.
Information security is the protection of information from a wide range of threats in
order to ensure business continuity, minimize business risk, and maximize return
on investments and business opportunities. (ISO/IEC 27002 definition)
Information security is gaining importance in the Information Technology (I T) world.
Globalization of the economy is leading to an ever-increasing exchange of
information between organizations (their employees, customers and suppliers) and
an explosion in the use of networked computers and computing devices.
The international standard, the Code of Practice for Information Security ISO/IEC
27002:2013 is a widely respected and referenced standard and provides a
framework for the organization and management of an information security
program. Implementing a program based on this standard will serve an organization
well in its goal of meeting many of the requirements faced in todays complex
operating environment. A strong understanding of this standard is important to the
personal development of every information security professional.
In EXINs Information Security modules the following definition is used: Information
Security deals with the definition, implementation, maintenance, compliance and
evaluation of a coherent set of controls (measures) which safeguard the availability ,
integrity and confidentiality of the (manual and automated) information supply.
In the module EXIN Information Security Foundation based on ISO/IEC 27002, the
basic concepts of information security and their relationships are tested. One of the
objectives of this module is to raise the awareness that information is valuable and
vulnerable, and to learn which measures are necessary to protect information.
The subjects of this module are:
Information and security: the concept, the value, the importance and the
reliability of information;
Threats and risks: the concepts of threat and risk and the relationship with the
reliability of information;
Approach and organization: the security policy and security organization
including the components of the security organization and management of
(security) incidents;

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

44

 Measures: the importance of security measures including physical, technical

and organizational measures
and
Legislation and regulations: the importance and impact of legislation and
regulations

Context
Qualification program

The Certificate EXIN Information Security Foundation based on ISO/IEC 27002 is

part of the qualification program Information Security. The module is followed up by
the Certificates EXIN Information Security Management Advanced based on
ISO/IEC 27002 and EXIN Information Security Management Expert based on
ISO/IEC 27002.

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

55

Target group
The examination for EXIN Information Security Foundation based on ISO/IEC 27002
is intended for everyone in the organization who is processing information. The module
is also suitable for entrepreneurs of small independent businesses for whom some
basic knowledge of information security is necessary.
This module can be a good start for new information security professionals.
Prerequisites
none
Examination type
Computer based multiple-choice questions
Indication study load
60 hours
In-course assessment
Not applicable
Time allotted for examination
60 minutes
Examination details
Number of questions:
Pass mark:
Open book/notes:
Electronic equipment permitted:

40
65% (26 of 40)
no
no

Sample questions
To prepare for your examination you can download a sample exam at
http://www.exin.com.

Training
Group size
The maximum number of course participants is 25.

(This does not count for online- or computer based training.)

Contact hours
The minimum number of contact hours for the course is 7. This number includes group
assignments, exam preparation and short coffee breaks. Not included are: homework,
the logistics related to the exam session, the exam session and lunch breaks.
Training provider
A list of accredited training providers may be found on EXINs website
http://www.exin.com.

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

66

2. Exam requirements
The exam requirements are specified in the exam specifications. The following
table lists the topics of the module (exam requirements). The weight of the di fferent
topics in the exam is expressed as a percentage of the total.
Exam requirement

Exam specification

Weight
(%)

1 Information and security

10
1.1 The concept of information
1.2 Value of information
1.3 Reliability aspects

2.5
2.5
5

2.1 Threats and risks

2.2 Relationships between threats,
risks and the reliability of
information

15
15

2 Threats and risks

30

3 Approach and organization

10
3.1 Security policy and security
organization
3.2 Components
3.3 Incident management

2.5

4.1 Importance of measures

4.2 Physical security measures
4.3 Technical measures
4.4 Organizational measures

10
10
10
10

2.5
5

4 Measures

40

5 Legislation and regulation

10
5.1 Legislation and regulations

Total

10
100

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

77

Exam specifications
1.

Information and security (10%)

1.1

The concept of information (2.5%)

The candidate understands the concept information.
The candidate is able to:
1.1.1 Explain the difference between data and information
1.1.2 Describe the storage medium that forms part of the basic infrastructure

1.2

Value of information (2.5%)

The candidate understands the value of information for organizations.
The candidate is able to:
1.2.1 Describe the value of data/information for organizations
1.2.2 Describe how the value of data/information can influence organizations
1.2.3 Explain how applied information security concepts protect the value of
data/information

1.3

Reliability aspects (5%)

The candidate knows the reliability aspects (confidentiality, integ rity,
availability) of information.
The candidate is able to:
1.3.1 Name the reliability aspects of information
1.3.2 Describe the reliability aspects of information

2.

Threats and risks (30%)

2.1

Threat and risk (15%)

The candidate understands the concepts of threat and risk.
The candidate is able to:
2.1.1 Explain the concepts threat, risk and risk analysis
2.1.2 Explain the relationship between a threat and a risk
2.1.3 Describe various types of threats
2.1.4 Describe various types of damage
2.1.5 Describe various risk strategies

2.2

Relationships between threats, risks and the reliability of information. (15%)

The candidate understands the relationship between threats, risks and the
reliability of information.
The candidate is able to:
2.2.1 Recognize examples of the various types of threats
2.2.2 Describe the effects that the various types of threats have on
information and the processing of information

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

88

3.

Approach and organization (10%)

3.1

Security policy and security organization (2.5%)

The candidate has knowledge of the concepts security policy and security
organization.
The candidate is able to:
3.1.1 Outline the objectives and the content of a security policy
3.1.2 Outline the objectives and the content of a security organization

3.2

Components (2.5%)
The candidate knows the various components of the security organization.
The candidate is able to:
3.2.1 Explain the importance of a code of conduct
3.2.2 Explain the importance of ownership
3.2.3 Name the most important roles in the information security organization

3.3

Incident Management (5%)

The candidate understands the importance of incident management and
escalation.
The candidate is able to:
3.3.1 Summarize how security incidents are reported and what information is
required
3.3.2 Give examples of security incidents
3.3.3 Explain the consequences of not reporting security incidents
3.3.4 Explain what an escalation entails (functionally and hierarchically)
3.3.5 Describe the effects of escalation within the organization
3.3.6 Explain the incident cycle

4.

Measures (40%)

4.1

Importance of measures (10%)

The candidate understands the importance of security measures.
The candidate is able to:
4.1.1 Describe various ways in which security measures may be structured
or arranged
4.1.2 Give examples for each type of security measure
4.1.3 Explain the relationship between risks and security measures
4.1.4 Explain the objective of the classification of information
4.1.5 Describe the effect of classification

4.2

Physical security measures (10%)

The candidate has knowledge of both the set-up and execution of physical
security measures.
The candidate is able to:
4.2.1 Give examples of physical security measures
4.2.2 Describe the risks involved with insufficient physical security measures

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

99

4.3

Technical measures (10%)

The candidate has knowledge of both the set-up and execution of technical
security measures.
The candidate is able to:
4.3.1 Give examples of technical security measures
4.3.2 Describe the risks involved with insufficient technical securi ty measures
4.3.3 Understand the concepts cryptography, digital signature and certificate
4.3.4 Name the three steps for online banking (PC, web site, payment)
4.3.5 Name various types of malicious software
4.3.6 Describe the measures that can be used against malicious software

4.4

Organizational measures (10%)

The candidate has knowledge of both the set-up and execution of
organizational security measures.
The candidate is able to:
4.4.1 Give examples of organizational security measures
4.4.2 Describe the dangers and risks involved with insufficient organizational
security measures
4.4.3 Describe access security measures such as the segregation of duties
and the use of passwords
4.4.4 Describe the principles of access management
4.4.5 Describe the concepts identification, authentication and authorization
4.4.6 Explain the importance to an organization of a well set-up Business
Continuity Management
4.4.7 Make clear the importance of conducting exercises

5.

Legislation and regulations (10%)

5.1

Legislation and regulations (10%)

The candidate understands the importance and effect of legislation and
regulations.
The candidate is able to:
5.1.1 Explain why legislation and regulations are important for the reliability
of information
5.1.2 Give examples of legislation related to information security
5.1.3 Give examples of regulations related to information security
5.1.4 Indicate possible measures that may be taken to fulfill the requirements
of legislation and regulations

Comment
The security measures are for most staff members the first aspects of information
security they encounter. Therefore the measures are central to the module and
have the highest weight. The threats and risks follow in terms of weight. Finally,
insight in the policy, organization and legislation and regulation in the area of
information security is necessary in order to understand the importance of the
information security measures.

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

10
10

3. List of basic concepts

This list contains the terms with which candidates should be familiar. Terms are
listed in alphabetical order.

Access control
Asset
Audit
Authentication
Authenticity
Authorization
Availability
Backup
Biometrics
Botnet
Business Continuity Management (BCM)
Business Continuity Plan (BCP)
Category
Certificate
Change Management
Classification (grading)
Clear desk policy
Code of conduct
Code of practice for information security (ISO/IEC
27002:2013)
Completeness
Compliance
Computer criminality legislation
Confidentiality
Continuity
Controls
Copyright legislation
Corrective
Correctness
Cryptography
Cyber crime
Damage
Data
Detective
Digital signature
Direct damage
Disaster
Disaster Recovery Plan (DRP)
Encryption
Escalation
o Functional escalation
o Hierarchical escalation

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

11
11

Exclusivity
Hacking
Hoax
Identification
Impact
Incident cycle
Indirect damage
Information
Information analysis
Information architecture
Information management
Information system
Infrastructure
Integrity
Interference
ISO/IEC 27001:2005
ISO/IEC 27002:2005
Key
Logical access management
Maintenance door
Malware
Non-repudiation
Patch
Personal data protection legislation
Personal firewall
Phishing
Precision
Preventive
Priority
Privacy
Production factor
Public Key Infrastructure (PKI)
Public records legislation
Qualitative risk analysis
Quantitative risk analysis
Reductive
Reliability of information
Repressive
Risk
Risk analysis
Risk assessment (Dependency & Vulnerability analysis)
o Risk avoiding
o Risk bearing
Risk management
o Risk neutral
Risk strategy
Robustness
Rootkit
Security incident
Security measure
Security Organization
Security Policy
Security regulations for the government

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

12
12

Segregation of duties
Social engineering
Spam
Spyware
Stand-by arrangement
Storage medium
Threat
Timeliness
Trojan
Uninterruptible Power Supply (UPS)
Urgency
Validation
Verification
Virtual Private Network (VPN)
Virus
Vulnerability
Worm

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

13
13

4. Literature
Exam literature
A

Hintzbergen, J., Hintzbergen, K., Smulders, A. and Baars, H.

Foundations of Information Security Based on ISO27001 and ISO27002
Van Haren Publishing, 2010
ISBN 978 90 8753 568 1
eBook ISBN 978 90 8753 634 3

Overview of the literature

Exam specification Literature
1.1

A:

Chapter 4

1.2

A:

Chapter 4

1.3

A:

Chapter 4

2.1

A:

Chapter 5

2.2

A:

Chapter 5

3.1

A:

Chapter 9

3.2

A:

6.2, 6.4, Chapter 9

3.3

A:

Chapter 6

4.1

A:

Chapter 5, Chapter 6

4.2

A:

Chapter 7

4.3

A:

Chapter 8, 10

4.4

A:

Chapter 9, 10

5.1

A:

Chapter 11

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

14
14

Preparation Guide EXIN Information Security Foundation

based on ISO/IEC 27002 (ISFS.EN)

15
15

Contact EXIN
www.exin.com