EXIN Information Security Foundation based on ISO/IEC 27001 (ISFS.EN)


EXIN Information Security Foundation based on ISO/IEC 27001 is a certification that validates a professional’s knowledge about:

  • Information and security: the concept, the value, the importance and the reliability of information;
  • Threats and risks: the concepts of threat and risk and the relationship with the reliability of information;
  • Approach and organization: the security policy and security organization including the components of the security organization and management of (security) incidents;
  • Measures: the importance of security measures including physical, technical and organizational measures; and
  • Legislation and regulations: the importance and impact of legislation and regulations.

Target group

The examination for EXIN Information Security Foundation based on ISO/IEC 27001 is intended for everyone in the organization who is processing information. The module is also suitable for entrepreneurs of small independent businesses for whom some basic knowledge of information security is necessary.

This module can be a good start for new information security professionals.


Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

Information security is gaining importance in the Information Technology (IT) world. Globalization of the economy is leading to an ever-increasing exchange of information between organizations (their employees, customers and suppliers) and an explosion in the use of networked computers and computing devices.

The international standard for Information Security Management ISO/IEC 27001 is a widely respected and referenced standard and provides a framework for the organization and management of an information security program. Implementing a program based on this standard will serve an organization well in its goal of meeting many of the requirements faced in today’s complex operating environment. A strong understanding of this standard is important to the personal development of every information security professional.

In EXIN’s Information Security modules the following definition is used: Information Security deals with the definition, implementation, maintenance, compliance and evaluation of a coherent set of controls (measures) which safeguard the availability, integrity and confidentiality of the (manual and automated) information supply.

In the module EXIN Information Security Foundation based on ISO/IEC 27001, the basic concepts of information security and their relationships are tested. One of the objectives of this module is to raise the awareness that information is valuable and vulnerable, and to learn which measures are necessary to protect information.

Requirements for certification

  • Successful completion of the EXIN Information Security Foundation based on ISO/IEC 27001 exam

Examination details

Examination type: Multiple-choice questions
Number of questions: 40 questions
Pass mark: 65%
Open book/notes: No
Electronic equipment/aides permitted: No
Time allotted for examination: 60 minutes


The Rules and Regulations for EXIN’s examinations apply to this exam.


Contact hours

The minimum number of contact hours for the course is 14. This number includes group assignments, exam preparation and short coffee breaks. Not included are: homework, the logistics related to the exam session, the exam session and lunch breaks.

Exam specifications

1. Information and Security

1.1 The concept of Information
The candidate can …
1.1.1 Explain the difference between data and information.
1.1.2 Describe the storage medium that forms part of the basic infrastructure.
1.2 Value of Information
The candidate can …
1.2.1 Describe the value of data/information for organizations.
1.2.2 Describe how the value of data/information can influence organizations.
1.2.3 Explain how applied information security concepts protect the value of data/information.
1.3 Reliability Aspects
The candidate can …
1.3.1 Name the reliability aspects of information.
1.3.2 Describe the reliability aspects of information.

2. Threats and Risks

2.1 Threat and Risk
The candidate can …
2.1.1 Explain the concepts threat, risk and risk analysis.
2.1.2 Explain the relationship between a threat and a risk.
2.1.3 Describe various types of threats.
2.1.4 Describe various types of damage.
2.1.5 Describe various risk strategies.
2.2 Relationships between threats, risks and the reliability of information
The candidate can …
2.2.1 Recognize examples of the various types of threats.
2.2.2 Describe the effects that the various types of threats have on information and the processing of information.

3. Approach and Organization

3.1 Security Policy and Security Organization
The candidate can …
3.1.1 Outline the objectives and the content of a security policy.
3.1.2 Outline the objectives and the content of a security organization.
3.2 Components
The candidate can …
3.2.1 Explain the importance of a code of conduct.
3.2.2 Explain the importance of ownership.
3.2.3 Name the most important roles in the information security organization.
3.3 Incident Management
The candidate can …
3.3.1 Summarize how security incidents are reported and what information is required.
3.3.2 Give examples of security incidents.
3.3.3 Explain the consequences of not reporting security incidents.
3.3.4 Explain what an escalation entails (functionally and hierarchically).
3.3.5 Describe the effects of escalation within the organization.
3.3.6 Explain the incident cycle.

4. Measures

4.1 Importance of Measures
The candidate can …
4.1.1 Describe various ways in which security measures may be structured or arranged.
4.1.2 Give examples for each type of security measure.
4.1.3 Explain the relationship between risks and security measures.
4.1.4 Explain the objective of the classification of information.
4.1.5 Describe the effect of classification.
4.2 Physical Security Measures
The candidate can …
4.2.1 Give examples of physical security measures.
4.2.2 Describe the risks involved with insufficient physical security measures.
4.3 Technical Measures
The candidate can …
4.3.1 Give examples of technical security measures.
4.3.2 Describe the risks involved with insufficient technical security measures.
4.3.3 Understand the concepts cryptography, digital signature and certificate.
4.3.4 Name the three steps for online banking (PC, web site, payment).
4.3.5 Name various types of malicious software.
4.3.6 Describe the measures that can be used against malicious software.
4.4 Organizational Measures
The candidate can …
4.4.1 Give examples of organizational security measures.
4.4.2 Describe the dangers and risks involved with insufficient organizational security measures.
4.4.3 Describe access security measures such as the segregation of duties and the use of passwords.

4.4.4 Describe the principles of access management.
4.4.5 Describe the concepts identification, authentication and authorization.
4.4.6 Explain the importance to an organization of a well set-up Business Continuity Management.
4.4.7 Make clear the importance of conducting exercises.

5. Legislation and Regulations

5.1 Legislation and Regulations
The candidate can …
5.1.1 Explain why legislation and regulations are important for the reliability of information.
5.1.2 Give examples of legislation related to information security.
5.1.3 Give examples of regulations related to information security.
5.1.4 Indicate possible measures that may be taken to fulfill the requirements of legislation and regulations.