Edition 201710
Copyright © EXIN Holding B.V. 2017. All rights reserved.
EXIN® is a registered trademark.
No part of this publication may be reproduced, stored, utilized or transmitted in any form or by any means, electronic,
mechanical, or otherwise, without the prior written permission from EXIN.
General 4
Confidentiality 4
Design of the exam 4
Written section 4
Oral section 6
Procedure 7
Appendix 1: Evaluation tools 9
Appendix 2: Case study Smith Consultants Inc. 19
This document describes the design of the written exam (practical project), the design and duration
of the oral exam as well as the procedure of the entire exam. The document, moreover, contains
the evaluation criteria and a case study which can be used for the practical project.
Confidentiality
The examiners have a Non-Disclosure Agreement with EXIN. The information in the practical
project, the presentation and the examination conversation will be confidential.
Written section
Practical project
The written section comprises a practical project paper of approximately 6000 words and a
management summary.
Ideally, the entire practical project paper should be written for the ISMES module; for example, as
the logical continuation of an ongoing project, or because of the needs of the organization for
which the candidate works. The guidelines also apply to the introductory and final chapter.
The content of the practical project has to be related to the professional context of the candidate.
The core of the practical project could consist of an existing document (about one of the
examination requirements), provided that the candidate is the author or co-author, and has had
sufficient say with regard to the content. It should clearly state in the introductory chapter what the
level of involvement of the candidate has been.
The practical project paper contains an introductory chapter, a core and a final
chapter.
If a candidate is not able to write a practical paper based on his/her work environment, the
candidate can put in a request to the trainer to allow a practical paper based on the case study. The
case study can be found in this Guide. Should the candidate choose to write a practical paper
based on the case study, he or she needs to make clear the personal work experience and
professional context that was applied when doing so. In the final chapter of the practical paper the
candidate can indicate how his/her own experience has been an inspiration for the particular
components dealt with, what relevant similarities/differences there are with his/her own
professional context, what he/she has learned from the case study that is relevant to his/her own
professional environment, etc.
It is highly recommended that the candidate sends a plan for the project paper to EXIN at an early
stage in order to have the minimum requirements checked.
Evaluation
The practical project will be evaluated by two examiners. The evaluation tools that are used for this
can be found as of page 9 of this Guide.
The candidate can only take the oral exam when his or her practical project has received a
satisfactory rating (55% or more).
The examiners’ feedback to the practical project will be sent to the training institute two weeks
before the oral exam.
Oral section
I A presentation by the candidate
The exam starts with a presentation by the candidate. He or she will do a presentation about the
project he or she worked on. The presentation will simulate a situation in which the candidate gives
a presentation to the management team with the purpose of persuading management, and to gain
acceptance for certain proposals. The presentation will be evaluated on the basis of whether or not
it was sufficiently geared toward the management team. The presentation lasts for a maximum of
15 minutes. An overview of the evaluation criteria can be found in the ISMES Guide (oral section).
IV Final conclusion
Immediately following the exam, the examiners will reach mutual agreement and will come to a
final decision, resulting in a final mark. This takes 25 minutes. After that, the examiners will notify
the candidate verbally of the final mark, and will clarify their final decision. This takes 10 minutes.
The entire exam will take a maximum total of 90 minutes.
No later than eight weeks prior to the oral exam three copies of the practical project paper
have to have been submitted to EXIN along with a management summary.
The trainer will have added an account of the relationship between the selected examination
requirement and the practical project.
The candidate is to include and send a short CV to prove that he or she has had at least 2 years
of work experience at management level in the areas of at least 2 examination requirements.
• During the presentation the candidate is required to use PowerPoint slides on a CD or from
their own laptop.
• Immediately before the presentation, the examiners are provided with two sets of one-sided
prints of the slides (1 slide per page).
• The presentation starts with:
o One slide with the title of the presentation.
o One slide with the name of the candidate, his/her job title, the company and the
type of company.
• The presentation is about the practical project, so it is not about the career history of the
examinee, and not a description of the company for which the candidate works.
• During the presentation the examiners can only ask clarification questions.
• The entire oral exam is documented using recording equipment.
• It is not permitted to influence the examiners by disclosing business or private matters.
The candidate’s trainer/supervisor can attend the oral exam as observer, when the candidate has
given his or her approval.
The exam session can be done via a web conference with video and audio facilities. In that case an
EXIN accredited supervisor should be present at the candidate’s site.
Time frame
The entire examination session lasts a maximum of 90 minutes; including communication of the
result. The examination is structured as follows:
• 15 minutes (maximum) for the presentation;
• 15 minutes for discussing the presentation;
• 25 minutes for the examination interview about the other exam requirements;
• 25 minutes evaluation meeting among the examiners;
• 10 minutes for discussing the outcome with the candidate.
The examiners evaluate the three parts of the exam based on three evaluation tools (Table I, II and
III). The examiners will fill in these evaluation tools during the oral exam. Once the exam is over the
examinee will leave the room where the exam was taken. The examiners will discuss and
determine the final mark. Afterwards the examiners will inform the examinee of their mark for this
oral exam and justify the result.
Name of candidate :
Candidate number :
Title of practical project :
I - Presentation
In Table I the examiners record the score that you achieved for the presentation. This is the first
part of the oral exam.
Exam requirement                                                          Max. points   Oral score
1. Organization of the information security (formulating ISMS)                  20
   1.1 The candidate can substantiate the risk management process
       in relationship with the ISMS.
   1.2 The candidate can define the roles for information security.
   1.3 The candidate can set up and apply a reporting system for the
       management.
2. Information security policy                                                  10
   2.1 The candidate can participate in the process of establishing
       the information security policy.
   2.2 The candidate can set up, present and disseminate an
       information security policy.
3. Risk analysis                                                                10
   3.1 The candidate can select and carry out a method based on
       an understanding of the various risk analysis methods.
   3.2 The candidate can analyze the result of a risk analysis.
4. Organizational change and development regarding information security         40
   4.1 The candidate can, if the situation so requires, draft or modify
       a change plan.
   4.2 The candidate can, if the situation so requires, draft,
       communicate, present and execute an awareness program.
   4.3 The candidate can, if the situation so requires, implement the
       changes or guide this process.
5. Standards and norms                                                          10
   5.1 The candidate can, if the situation so requires, select and
       implement a relevant standard.
   5.2 The candidate can, if the situation so requires, implement a
       standards framework or baseline construction.
6. Audit and certification                                                      10
   6.1 The candidate can organize the execution of audits.
   6.2 The candidate can help with a management evaluation of the
       ISMS.
Total                                                                          100          III
Table III: evaluation other exam requirements
Part                                                       Weighting   Points per exam section   Weighting points per part
Practical project                                          10%         W
Oral
  I   Presentation                                         20%         I
  II  Examination conversation resulting from the          20%         II
      presentation
  III Examination conversation about the other             50%         III
      examination requirements
                                                           100%                                  Total points achieved
Company Profile
Smith Consultants Inc.¹ is a relatively small consultancy agency (approximately 180 staff)
specializing in IT. The company was set up approximately 16 years ago.
Their clients appreciate its ability to solve unconventional problems. They have, for example,
carried out demonstration projects to show that open source software can be successfully used to
realize complete office environments or complex security functionality, and that this software can
be used to build on-line and mobile applications that allow organizations to connect easily with
their customers.
Smith Consultants Inc. is divided into three divisions that carry out the various activities. The
divisions are regarded as business units with their own profit/loss responsibilities.
• Consultancy: Business consultants (25) – supply consultancy services for the interfaces of
business and IT. Subjects include: business analysis, translating business processes to web
applications, support in setting up functional requirements, identifying business information
assets and their business owners etc.
• ITC: IT consultants (60) – supply consultancy services in the area of IT, software design and
development, project management etc. Examples include: converting functional specifications
to technical specifications, configuring infrastructure components, capacity management,
setting up configuration management, designing information security, Network Management,
Service Management, etc.
• SD: Software development (85): designing, developing and supplying software. When the
occasion arises hardware components and software can also be supplied so that clients can
receive complete solutions. In addition, for a small number of clients remote management
services are carried out as well.
Each division has its own administration staff who are responsible for human resource
management (HRM), time administration and invoicing. Office management and first line
application management are also locally available.
The central organization (10) consists of the Management Board, legal affairs, facilities
management (including IT), Internal Communication and public relations (PR), payroll
administration, central personnel administration, help desk and Quality & Security (Q&S).
Smith Consultants Inc. has an ISO 9001 quality certificate. This has been awarded for carrying out
projects in the ITC division and for remote management and support in the SD division.
During their certification process for ISO 9001 Bettina Smith (not related to Brad) was appointed
quality controller (hence the ‘Q’). Three months ago, security was added to her portfolio.
¹ Any similarity with an existing organization or company is purely coincidental. This case is a complete work of
fiction.
Office environments
Each office has a manned reception (only during office hours). In Coleville and Rockville the staff
regularly work after hours. At night the offices are closed. Each branch has an alarm system that is
connected to a local emergency center.
Six months ago a report showed that the number of false alarms had risen; at present this has
decreased somewhat again. The alarm systems are now 5 to 7 years old. It appears that these
days people are increasingly forgetting to switch on the alarm systems in the evenings.
IT environment
Smith Consultants Inc. has a network with various brands of hubs bought by different staff over the
years and when the price was low. There is relatively little network traffic between the branches.
The connection between the branches consists of a rather slow and old broadband Internet
connection.
Each branch has file servers for storing reports and documents (the Y disk). Most staff have
access to their own directory; a number of people (office management) also have access to joint
directories.
The Rockville office has an Internet connection with a Cisco firewall protection for which it has a
maintenance contract. A router (placed four years ago) distributes the traffic between the internal
network and the Internet.
The SD consultant who had determined the technical details at the time left two years ago. As the
system has been working without any problems no one had given the documentation any thought.
It is also not clear who is responsible for maintenance.
The content of the corporate web pages is maintained by the people from the PR group.
In Rockville there is a separate LAN (two Servers, five workstations and extra hubs for the laptops)
for SD to experiment with new features/functionalities. Furthermore, there are three Linux servers
for development and testing. There are also a number of workstations with Linux versions.
The financial administration and the time administration are run centrally, using an Oracle database
with Internet application front end (Oracle application server). Branch administration does not have
access to these applications. Local information is transmitted to the central administration by
email (Excel sheet in attachment, once per month), where it is converted into the correct format
and imported into the databases.
For remote use of intranet and webmail a user name and password are used. Plans are being made
to use a token for this in the future.
All staff have a fast Internet connection at home. Everyone receives $30 per month as a
contribution to the costs of the work related use of the Internet connection. A few employees have
been given a written-off PC in order to be able to send e-mails.
Office applications (all recent variants of MS-Office) run locally on the workstations and laptops.
The consultants have been divided according to an expertise group (EG) structure. Each EG has a
joint directory for the storage and distribution of reports and other documentation.
Up until now information security has not been dealt with in a consistent and structured manner.
Some questions had been asked about intranet and security, but these soon faded away. The
appointment of Bettina Smith has not yet had any effect, but she joined only three months ago. It is,
however, expected that all sorts of procedures will soon be implemented. This could mean that the
more technically grounded consultants and the people from SD may lose a number of their
unofficially acquired privileges.
The core of the security is formed by a username-password construction in order to gain access to
the network. Based on the username, access is granted to files and applications. Access rights are
assigned through Active Directory (AD). There are some staff who regularly change their password,
but they are not yet forced to do so.
A backup is made centrally of the database files. Backups of the Mail and Web content are
managed by the external Cloud service provider. It is possible to save the most important files
on the network, but not everybody (to put it euphemistically: almost no one) does this. The
documents that are used by the administration, however, are all on the network.
There are too few filing cabinets in Forestville. The financial administration in particular complains
about not being able to store their documents. They are also in charge of the contracts.
Rockville is the only place that has a shredder, a large one, in which entire books can be destroyed.
The machine was left to the office after a confidential project for the Ministry of Defense ended, as
well as the safe in which the original CDs of most of the purchased software are now kept.
Centrally a subscription to antivirus software has been arranged. This runs on the servers,
workstations and on the laptops. Part of the login script is that the version of the anti-virus
software is checked. If necessary this is updated to the latest version. Users of the workstations
and laptops are able to switch off the virus scanner. This makes the PC start a lot faster.
Operational processes
The operational processes of Smith Consultants Inc. are approached in a rather simple manner.
The company regards three processes as primary ones:
• Consultancy and projects: supplying services according to agreed contracts in three forms
(individual placement, time-and-material cost consultancy or projects and fixed price
projects)
• Sales: selling the services
• Invoicing: sending invoices and receiving payments for the services supplied.
There is, however, some difference in opinion regarding which of the primary processes have the
highest priority. The supply of services should not be unavailable for a long time. What's more,
some clients consider their information as highly sensitive and of high competitive value.
If necessary the sales process can be unavailable for a week but any longer would cause too many
problems. This process particularly uses office automation functions. Fortunately, a great deal of
information that is used in the sales process is available scattered over diaries and laptops.
Invoicing is at its peak in the first week of the month. Any interruption to the invoicing process
leads to an immediate loss of money. This is less important during the rest of the month.
The management team (director, managers and controller) believe that all these processes can be
unavailable for a longer period of time without risking the business. A solution, however, will need
to be found for the salary payments.
Smith Consultants Inc. has grown from four consultants who started a small business to the
organization that it is now. As we always got more assignments than we could handle – the
company regularly had to hire external help – the operation always had priority. In fact a ‘Wild West’
culture predominates: we shot at everything that moved with everything that we had, and it worked.
It is for that reason that the infrastructure is in such a mess. We no longer know exactly which
hardware and software are used in the company. License and asset management has never been
considered. Whenever something is required, it is bought. That goes for the hardware, but also for
the software. The decentralized structure paves the way for this. It costs a great deal of money, but
at least you don't have to give it much thought.
Fortunately, the SD experts know what they are doing. There have never been – as far as I know –
any major problems. We have never been hacked and we have only had to disconnect the Internet
once or twice for a while due to too many viruses. This resulted in only one or two days of lost
e-mail.
Oh yes, I almost forgot, one of the consultants lost his laptop (had it stolen) a year ago. This was a
nuisance as there were no backups. Fortunately, most of the information could be retrieved. I don't
think that the client noticed anything. But I am not 100 per cent sure. And the company still doesn't
make any backups now.
Unfortunately, I don't know much about computer security myself. I have only just started doing
this. There are not many crash courses in this area. I could do with some help in setting it up. I have
many questions, such as:
• Where do I start?
• What is already in place?
• How many measures do we need? And will this then be sufficient?
• Who is responsible?
• How can we get staff, for example, to regularly change their password?
• What can I do to get the managers to influence their staff?
Can we also sell this as a service to our customers? In the form of risk management maybe? I will
have a look to see if there is demand for this. I have some business contacts.
Would information security make our work more difficult? My consultants are not IT specialists. It
mustn't be too difficult.
What's more, would we then still be able to carry out our work? Would we actually have any access?
Why is this necessary all of a sudden? Everything is going well, isn't it? We have never had any
major problems. Apart from that laptop; that was stupid. You shouldn't leave that sort of thing on
the back seat of a car. It was a nuisance that the client’s database was on it. Fortunately, we still
had someone working at the client’s site who was able to make a copy. It was a good thing that the
client didn’t notice anything, otherwise we would have had to clear our desk there.
Oh yes, that disk crash last year was bad news, especially when the backup turned out to be
useless. We should test more often. I have no idea if this has ever been looked into. It was clever
how that company managed to retrieve 72% of the data that was on the disk. It cost a bit, and took
longer than we would have liked, but oh well, what can you do.
See, it's not that bad really. I'm sure everyone has had to put up with their network failing, or with
Windows crashing at some time.
Write a practical project paper for Smith Consultants Inc. based on one of the following
components of ISMES:
• Security Awareness plan
• Risk analysis
• Change plan
• ISMS plan
• Audit plan
• Quick scan
• Information Security policy
www.exin.com