Get the Preplance app for a seamless learning experience. Practice offline, get daily streaks, and stay ahead with real-time interview updates.
Get it on
Google Play
4.9/5 Rating on Store
Risk & Compliance · Question Set
Frameworks interview questions for placements and exams.
Questions
15
Included in this set
Subject
Risk & Compliance
Explore more sets
Difficulty
Mixed
Level of this set
Go through each question and its explanation. Use this set as a focused practice pack for Risk & Compliance .
Continual improvement ensures that the security management system remains effective as new risks appear and technology changes. Regular reviews, audits, and corrective actions drive updates to controls and processes. This creates a cycle of learning and adaptation that strengthens long-term resilience.
For complete preparation, combine this set with full subject-wise practice for Risk & Compliance . You can also explore other subjects and sets from the links below.
ISO 27001 defines how an organization should build and maintain an Information Security Management System, also known as an I S M S. It ensures that information assets are protected using a structured process of risk assessment, control selection, and continuous improvement. The standard focuses on people, processes, and technology working together to safeguard data.
The NIST Cybersecurity Framework organizes key security activities into five core functions. Identify builds awareness of assets and risks, Protect strengthens defenses, Detect finds anomalies, Respond manages incidents, and Recover restores systems to normal. Together, they form a complete cycle of cybersecurity management.
COBIT focuses on ensuring that IT systems and processes support overall business goals. It connects management, governance, and control requirements in a single model. By applying COBIT, organizations can measure performance, reduce risk, and ensure that technology adds value rather than introducing exposure.
Purpose limitation means that personal data must be collected for clear, specific, and lawful reasons. Once the purpose is defined, the data cannot be reused for other unrelated activities. This principle prevents unnecessary data processing and reinforces individual privacy rights.
HIPAA protects all forms of protected health information, or P H I, that identify an individual and relate to their medical history or treatment. It applies to hospitals, insurers, and business associates, requiring safeguards for confidentiality, integrity, and availability of patient data.
The Sarbanes–Oxley Act ensures that financial information presented by companies is accurate and transparent. It requires strict internal controls, segregation of duties, and detailed audit trails to prevent fraud. In technology terms, this translates to securing financial systems and maintaining complete audit logs.
Annex A in ISO 27001 lists a structured set of security controls that help manage risks to information assets. These controls cover governance, access control, cryptography, supplier relationships, and more. Organizations select relevant controls from Annex A based on their specific risks and business context.
NIST provides detailed technical guidance and operational practices, ISO 27001 focuses on building a management system around security, and COBIT aligns technology controls with governance and business strategy. Together, they create a layered structure that covers governance, management, and execution.
Compliance means following a specific set of laws, regulations, or standards. Security means actively protecting systems from threats. A company can meet compliance requirements and still be insecure if controls are outdated or not enforced. Compliance provides structure, while security provides actual protection.
Most privacy laws emphasize fairness, transparency, consent, purpose limitation, data minimization, and accountability. They ensure that personal data is collected only for legitimate purposes, used responsibly, and protected from unauthorized disclosure. These shared principles form the foundation of modern privacy governance worldwide.
Preparing for an audit involves reviewing policies, verifying control implementation, and collecting supporting evidence such as logs and training records. Internal assessments should be done first to identify and fix gaps. All documentation must be organized and accessible to show that processes are consistent and effective.
CIS Controls are a set of practical and prioritized actions developed by security experts to reduce real-world threats. They cover areas such as asset management, secure configuration, continuous monitoring, and incident response. They are designed to be implementable and measurable, helping organizations quickly strengthen their security posture.
PCI DSS protects data related to payment cards, such as card numbers, expiration dates, and security codes. It defines a strict set of requirements for network segmentation, encryption, and access control to reduce card fraud and data breaches in the payment ecosystem.
The Information Technology Act 2000 provides a legal foundation for electronic records and digital signatures in India. It also defines offenses such as hacking, data theft, and cyber fraud, establishing penalties and procedures for handling cybercrime cases.