EXIN Foundation in IT Service Management based on ISO/IEC 20000 — Question 2

Which security measure is not an organizational level security measure?

Answer options

• A. Carrying out background investigations on new personnel
• B. Implementing Role Based Access Control
• C. Setting up a security awareness program
• D. Setting up an information security policy document

Correct answer: B

Explanation

The correct answer is B, as implementing Role Based Access Control is a technical measure focused on user permissions rather than an organizational policy. Options A, C, and D are all organizational measures that involve policies and training aimed at enhancing security within the organization.