ISO 28000 - The Supply Chain Quiz

| By Catherine Halcomb
Questions: 18 | Attempts: 117


ISO 28000:2007 is an ISO standard published by the International Organization for Standardization that specifies the requirements of a security management system, particularly one dealing with security assurance in the supply chain. The standard was developed by ISO/TC 8, "Ships and marine technology", and published in 2007.


Questions and Answers
  • 1. 

    Outline 5 agenda points that would be discussed during a management review meeting.

  • 2. 

    Outline 3 key steps involved in managing a security incident.

  • 3. 

    State 4 mandatory procedures required by ISO 28000.

  • 4. 

    The standard ISO 28000 specifies the requirement for:

    • A.

      Security management system for supply chain

    • B.

      Information security management system

    • C.

      Business continuity management system

    • D.

      Safety management systems

    Correct Answer
    A. Security management system for supply chain
    Explanation
    ISO 28000 is a standard that outlines the requirements for a security management system for the supply chain. This means that organizations need to establish and maintain a system to manage security risks within their supply chain, ensuring the safety and integrity of goods and services throughout the entire process. This includes implementing measures to prevent theft, damage, and unauthorized access to goods, as well as ensuring compliance with relevant laws and regulations. The standard aims to enhance the security and resilience of supply chains, ultimately protecting organizations and their stakeholders from potential security threats.

  • 5. 

    PDCA Refers to

    • A.

      Plan Do Correct Acknowledge

    • B.

      Plan Define Check Act

    • C.

      Plan Do Check Act

    • D.

      Please Do and Check Accordingly

    Correct Answer
    C. Plan Do Check Act
    Explanation
    The correct answer is "Plan Do Check Act." PDCA refers to a four-step management method used for continuous improvement. It starts with planning, where goals and objectives are set. Then, actions are taken to implement the plan. Next, the results are checked and compared to the desired outcomes. Finally, adjustments are made to correct any issues and improve future performance.

  • 6. 

    Risk is defined as

    • A.

      Any possible intentional action

    • B.

      Process of verifying the trustworthiness of people

    • C.

      Likelihood of a security threat materializing and the consequences

    • D.

      All of the above

    Correct Answer
    C. Likelihood of a security threat materializing and the consequences
    Explanation
    The correct answer is "likelihood of a security threat materializing and the consequences." This definition of risk refers to the probability of a security threat occurring and the potential negative impact it could have. It encompasses both the chance of a threat happening and the potential consequences that could result from it.

  • 7. 

    As per the ISO 28000 standard, internal audits shall be conducted:

    • A.

      Always Every Year

    • B.

      At planned intervals

    • C.

      Prior to Certification audit

    • D.

      As per management availability

    Correct Answer
    B. At planned intervals
    Explanation
    The correct answer is "At planned intervals." According to the ISO 28000 standard, internal audits should be conducted at regular intervals that are planned in advance. This ensures that the organization's security management system is regularly assessed and evaluated for compliance and effectiveness. Conducting audits at planned intervals allows for a systematic and proactive approach to identifying areas for improvement and ensuring ongoing compliance with the standard's requirements.

  • 8. 

    According to ISO 28000, security risk assessment shall consider risks due to:

    • A.

      Physical failure threats and risks

    • B.

      Operational threats and risks

    • C.

      Stakeholder threats and risks

    • D.

      All of the above

    Correct Answer
    D. All of the above
    Explanation
    According to ISO 28000, security risk assessment should consider risks due to physical failure threats and risks, operational threats and risks, as well as stakeholder threats and risks. This means that when conducting a security risk assessment, all these factors should be taken into account to ensure a comprehensive evaluation of potential risks and vulnerabilities.

  • 9. 

    "Action to eliminate the cause of a nonconformity and to prevent recurrence" is called:

    • A.

      Security failure

    • B.

      Preventive action

    • C.

      Corrective action

    • D.

      Correction

    Correct Answer
    C. Corrective action
    Explanation
    Corrective action is the appropriate term for the action taken to eliminate the cause of a nonconformity and prevent its recurrence. It involves identifying the root cause of the nonconformity, implementing measures to address it, and ensuring that the issue does not happen again in the future. This is different from correction, which refers to the action taken to rectify the nonconformity itself, without necessarily addressing the underlying cause. Preventive action, on the other hand, focuses on taking proactive measures to prevent nonconformities from occurring in the first place. Security failure is unrelated to the concept described in the question.

  • 10. 

    The documented procedure for security risk assessment includes:

    • A.

      Identification of security threats

    • B.

      Determination of the risks associated with the identified security threats

    • C.

      Indication of the level of the risks related to each security threat and whether they are, or are not, tolerable

    • D.

      All of the above.

    Correct Answer
    D. All of the above.
    Explanation
    The correct answer is "All of the above" because the documented procedure for security risk assessment includes all three components mentioned in the options. It involves identifying security threats, determining the risks associated with those threats, and indicating the level of risks and whether they are tolerable or not. This comprehensive approach ensures that all potential security risks are considered and evaluated properly.

  • 11. 

    To address the root cause(s) of a nonconformity, the company will implement:

    • A.

      One or several corrective actions

    • B.

      One or several corrections

    • C.

      Corrective actions and preventive actions

    • D.

      None of the above

    Correct Answer
    A. One or several corrective actions
    Explanation
    To address the root cause(s) of a nonconformity, the company will implement one or several corrective actions. This means that the company will take specific actions to correct the issue at hand and prevent it from happening again in the future. These actions may include making changes to processes, procedures, or systems, providing additional training or resources, or implementing new controls or measures. By taking corrective actions, the company aims to eliminate the root cause of the nonconformity and prevent its recurrence.

  • 12. 

    Security management programmes are:

    • A.

      Means by which a security management objective is achieved

    • B.

      Overall intentions and direction of an organization

    • C.

      Global security risks

    • D.

      Security achievements

    Correct Answer
    A. Means by which a security management objective is achieved
    Explanation
    The correct answer indicates that security management programmes are the methods or strategies used to accomplish a security management objective. These programmes outline the specific steps and actions that need to be taken in order to achieve the desired level of security within an organization. They provide a structured approach to addressing security risks and implementing the measures needed to protect against potential threats.

  • 13. 

    To be a first-party internal auditor, a person has to be:

    • A.

      A competent internal auditor

    • B.

      Downstream vendor

    • C.

      Upstream vendor

    • D.

      All of the above

    Correct Answer
    A. A competent internal auditor
    Explanation
    The correct answer is "A competent internal auditor" because being a first-party internal auditor requires having the necessary skills, knowledge, and experience to effectively perform internal audits within an organization. This role involves assessing and evaluating the organization's internal controls, risk management processes, and compliance with policies and regulations. Being a downstream or upstream vendor is not a requirement for being a first-party internal auditor.

  • 14. 

    ISO 28000:2007 requires that the security policy:

    • A.

      Provide the framework which enables the specific security management objectives, targets and programmes to be produced.

    • B.

      Be consistent with the organization’s overall security threat and risk management framework.

    • C.

      Include a commitment to continual improvement of the security management process.

    • D.

      Be documented, implemented and maintained.

    • E.

      All of the above

    Correct Answer
    E. All of the above
    Explanation
    ISO 28000:2007 requires that the security policy includes several elements. First, it must provide a framework that enables the specific security management objectives, targets, and programs to be produced. This means that the policy should outline the overall goals and plans for security management within the organization. Second, the security policy should be consistent with the organization's overall security threat and risk management framework. This ensures that security measures are aligned with the organization's specific risks and threats. Third, the policy should include a commitment to the continual improvement of the security management process. This means that the organization should continuously strive to enhance its security practices. Lastly, the security policy should be documented, implemented, and maintained. This ensures that the policy is properly communicated and followed throughout the organization. Therefore, all of the above elements are required in the security policy according to ISO 28000:2007.

  • 15. 

    According to ISO 28000, security management objectives shall be:

    • A.

      Consistent with commitment to supplier evaluation ratings

    • B.

      One-time activity

    • C.

      Communicated to Regulatory body

    • D.

      Communicated, documented and reviewed periodically

    • E.

      Approved by Regulatory body

    Correct Answer
    D. Communicated, documented and reviewed periodically
    Explanation
    According to ISO 28000, security management objectives should be communicated, documented, and reviewed periodically. This means that the objectives should be clearly communicated to all relevant stakeholders, documented in a formal manner, and regularly reviewed to ensure their effectiveness and relevance. This ensures that the security management system remains up-to-date and aligned with the organization's goals and commitments. The other options, such as being consistent with supplier evaluation ratings, a one-time activity, or approved by a regulatory body, do not align with the requirements stated in ISO 28000.

  • 16. 

    ISO 28000 section 4.4.1 requires the organization to:

    • A.

      Appoint a member of the top management with overall responsibility

    • B.

      Establish and maintain a structure of roles, responsibilities and authorities

    • C.

      Above two points

    • D.

      Companies to be certified to Information security

    Correct Answer
    C. Above two points
    Explanation
    ISO 28000 section 4.4.1 requires organizations to appoint a member of the top management with overall responsibility and establish and maintain a structure of roles, responsibilities, and authorities. These two points are mentioned in the given options, indicating that both of them are required by the standard. The option "Above two points" correctly summarizes the requirements stated in ISO 28000 section 4.4.1.

  • 17. 

    In accordance with ISO 28000, which of the following requires records to be retained by the organization?

    • A.

      Training and competence records

    • B.

      Security inspection reports

    • C.

      Reports of security exercises and drills

    • D.

      All of the above

    Correct Answer
    D. All of the above
    Explanation
    ISO 28000 requires organizations to retain records for various aspects, including training and competence records, security inspection reports, and reports of security exercises and drills. This means that the organization must keep a record of the training and competence of its personnel, maintain records of security inspections conducted, and retain reports of security exercises and drills undertaken. By retaining these records, organizations can demonstrate compliance with ISO 28000 requirements and ensure the effectiveness of their security management system.

  • 18. 

    Internal audit must be conducted by:

    • A.

      Trained auditors

    • B.

      Competent personnel

    • C.

      Certification body

    • D.

      None of the above.

    Correct Answer
    A. Trained auditors
    Explanation
    Internal audit must be conducted by trained auditors because they possess the necessary skills, knowledge, and expertise to effectively evaluate and assess the organization's internal controls, risk management processes, and compliance with policies and regulations. Trained auditors are familiar with auditing standards and methodologies, which enables them to conduct thorough and objective audits. Their training ensures that they can identify areas of improvement, recommend corrective actions, and provide valuable insights to management. Competent personnel may not have the specific training and expertise required for conducting internal audits, and a certification body is not responsible for conducting internal audits.
