
Guaranteed Success in ISO 27001 ISO-IEC-27001-Lead-Implementer Exam Dumps
PECB ISO-IEC-27001-Lead-Implementer Daily Practice Exam New 2024 Updated 125 Questions
NEW QUESTION # 28
What is the main purpose of Annex A 7.1 Physical security perimeters of ISO/IEC 27001?
- A. To ensure access to information and other associated assets is defined and authorized
- B. To maintain the confidentiality of information that is accessible by personnel or external parties
- C. To prevent unauthorized physical access, damage, and interference to the organization's information and other associated assets
Answer: C
Explanation:
Explanation
Annex A 7.1 of ISO/IEC 27001 : 2022 is a control that requires an organization to define and implement security perimeters and use them to protect areas that contain information and other associated assets.
Information and information security assets can include data, infrastructure, software, hardware, and personnel. The main purpose of this control is to prevent unauthorized physical access, damage, and interference to these assets, which could compromise the confidentiality, integrity, and availability of the information. Physical security perimeters can include fences, walls, gates, locks, alarms, cameras, and other barriers or devices that restrict or monitor access to the facility or area. The organization should also consider the environmental and fire protection of the assets, as well as the disposal of any waste or media that could contain sensitive information.
References:
ISO/IEC 27001 : 2022 Lead Implementer Study Guide, Section 5.3.1.7, page 101 ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 17 ISO/IEC 27002 : 2022, Control 7.1 - Physical Security Perimeters123
NEW QUESTION # 29
According to scenario 10, NetworkFuse requested from the certification body to review all the documentation only on-site. Is this acceptable?
- A. Yes, only if a confidentiality agreement is formerly signed by the audit team
- B. No, the certification body decides whether the documentation review takes place on-site or off-site
- C. Yes, the auditee may request that the review of the documentation takes place on-site
Answer: B
NEW QUESTION # 30
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
What is the next step that Operaze's ISMS implementation team should take after drafting the information security policy? Refer to scenario 5.
- A. Obtain top management's approval for the information security policy
- B. Communicate the information security policy to all employees
- C. Implement the information security policy
Answer: A
Explanation:
Explanation
According to ISO/IEC 27001 : 2022 Lead Implementer, the information security policy is a high-level document that defines the organization's objectives, principles, and commitments regarding information security. The policy should be aligned with the organization's strategic direction and context, and should provide a framework for setting information security objectives and establishing the ISMS. The policy should also be approved by top management, who are ultimately responsible for the ISMS and its performance.
Therefore, after drafting the information security policy, the next step that Operaze's ISMS implementation team should take is to obtain top management's approval for the policy. This will ensure that the policy is consistent with the organization's vision and values, and that it has the necessary support and resources for its implementation and maintenance.
References:
ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, section 5.2 Policy ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 12, Information security policy
NEW QUESTION # 31
Scenario 7: InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future Emma, Bob. and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT) and a forensics team Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.
Bob, a network expert, will deploy a screened subnet network architecture This architecture will isolate the demilitarized zone (OMZ) to which hosted public services are attached and InfoSec's publicly accessible resources from their private network Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect.
Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.
According to scenario 7, a demilitarized zone (DMZ) is deployed within InfoSec's network. What type of control has InfoSec implemented in this case?
- A. Detective
- B. Corrective
- C. Preventive
Answer: C
Explanation:
Explanation
A demilitarized zone (DMZ) is a network segment that separates the internal network from the external network, such as the Internet. It is used to host public services that need to be accessible from outside the organization, such as web servers, email servers, or DNS servers. A DMZ provides a layer of protection for the internal network by limiting the exposure of the public services and preventing unauthorized access from the external network. A DMZ is an example of a preventive control, which is a type of control that aims to prevent or deter the occurrence of an information security incident. Preventive controls reduce the likelihood of a threat exploiting a vulnerability and causing harm to the organization's information assets. Other examples of preventive controls are encryption, authentication, firewalls, antivirus software, and security awareness training.
References:
ISO/IEC 27001 : 2022 Lead Implementer Study Guide, Section 8.2.3.2.1, page 162 ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 13 ISO/IEC 27002 : 2022, Section 13.1.3, page 66
NEW QUESTION # 32
Why is compliance important forthe reliability of the information?
- A. When an organization is compliant, it meets the requirements of privacy legislation and, in doing so, protects the reliability of its information.
- B. By meeting the legislative requirements and theregulations of both the government and internal management, an organization shows that it manages its information in a sound manner.
- C. Compliance is another word for reliability. So, if a company indicates that it is compliant, it means that the information is managed properly.
- D. When an organization employs a standard such as the ISO/IEC 27002 and uses it everywhere, it is compliant and thereforeit guarantees the reliability of its information.
Answer: B
NEW QUESTION # 33
Some of the issues being discussed in the awareness session were too technical for the participants. What does this situation indicate? Refer to scenario 6.
- A. TradeB did not evaluate the competence of the trainer
- B. TradeB did not determine the type and level of competence needed
- C. Employees are equipped with information security expertise, therefore. they do not represent a potential risk
Answer: B
NEW QUESTION # 34
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information. Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Based on the scenario above, answer the following question:
After investigating the incident. Beauty decided to install a new anti-malware software. What type of security control has been implemented in this case?
- A. Detective
- B. Corrective
- C. Preventive
Answer: C
Explanation:
In the scenario described, Beauty's decision to install new anti-malware software after a security incident is a Preventive control. This type of control is aimed at preventing future security incidents by removing malicious code and protecting against malware infections. The purpose of the new anti-malware software is to proactively protect the company's systems and data from potential threats, thus it falls under the category of preventive measures.
Reference:
ISO/IEC 27001:2022 Lead Implementer Course Guide1
ISO/IEC 27001:2022 Lead Implementer Info Kit2
ISO/IEC 27001:2022 Information Security Management Systems - Requirements3 ISO/IEC 27002:2022 Code of Practice for Information Security Controls4 What are Security Controls? | IBM3 What Are Security Controls? - F54
NEW QUESTION # 35
Companies use 27002 for compliance for which of the following reasons:
- A. Explicit requirements for all regulations
- B. A structured program that helps with security and compliance
- C. Compliance with ISO 27002 is sufficient to comply with all regulations
Answer: B
NEW QUESTION # 36
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management [^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Based on scenario 4, what type of assets were identified during risk assessment?
- A. Primary assets
- B. Supporting assets
- C. Business assets
Answer: B
Explanation:
According to ISO/IEC 27005:2021, there are three types of assets in information security risk management: primary assets, supporting assets, and business assets. Primary assets are the information and business processes that support the organization's objectives and operations. Supporting assets are the resources that enable the primary assets to function, such as hardware, software, networks, people, facilities, etc. Business assets are the outcomes or benefits that the organization expects from the primary assets, such as reputation, market share, customer satisfaction, etc. (Must be taken from ISO/IEC 27001 : 2022 Lead Implementer resources) In scenario 4, the assets that were identified during risk assessment are hardware, software, and networks, which are examples of supporting assets. These assets are necessary for the information and business processes of TradeB to operate, but they are not the main focus of the risk assessment. The risk assessment should also consider the primary assets and the business assets, as well as the threats and vulnerabilities that affect them, and the potential impacts and likelihood of information security incidents.
Reference:
ISO/IEC 27001:2022, clause 6.1.2 Information security risk assessment
ISO/IEC 27005:2021, clause 5.2 Asset identification and valuation
PECB ISO/IEC 27001 Lead Implementer Course, Module 6: Risk Management
NEW QUESTION # 37
Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products and services. It uses MongoDB. a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately. Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Can Socket Inc. find out that no persistent backdoor was placed and that the attack was initiated from an employee inside the company by reviewing event logs that record user faults and exceptions? Refer to scenario 3.
- A. No, Socket Inc should also have reviewed event logs that record user activities
- B. Yes. Socket Inc. can find out that no persistent backdoor was placed by only reviewing user faults and exceptions logs
- C. No, Socket Inc. should have reviewed all the logs on the syslog server
Answer: A
Explanation:
Event logs are records of events that occur in a system or network, such as user actions, faults, exceptions, errors, warnings, or security incidents. They can provide valuable information for monitoring, auditing, and troubleshooting purposes. Event logs can be categorized into different types, depending on the source and nature of the events. For example, user activity logs record the actions performed by users, such as login, logout, file access, or command execution. User fault and exception logs record the errors or anomalies that occur due to user input or behavior, such as invalid data entry, unauthorized access attempts, or system crashes. In scenario 3, Socket Inc. used a syslog server to centralize all logs in one server, which is a good practice for log management. However, to find out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company, Socket Inc. should have reviewed not only the user fault and exception logs, but also the user activity logs. The user activity logs could reveal any suspicious or malicious actions performed by the hackers or the employees, such as creating, modifying, or deleting files, executing commands, or installing software. By reviewing both types of logs, Socket Inc. could have a more complete picture of the incident and its root cause. Reviewing all the logs on the syslog server might not be necessary or feasible, as some logs might be irrelevant or too voluminous to analyze.
NEW QUESTION # 38
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on scenario 5. which committee should Operaze create to ensure the smooth running of the ISMS?
- A. Information security committee
- B. Management committee
- C. Operational committee
Answer: A
Explanation:
According to ISO/IEC 27001:2022, clause 5.1, the top management of an organization is responsible for ensuring the leadership and commitment for the ISMS. However, the top management may delegate some of its responsibilities to an information security committee, which is a group of people who oversee the ISMS and provide guidance and support for its implementation and operation. The information security committee may include representatives from different departments, functions, or levels of the organization, as well as external experts or consultants. The information security committee may have various roles and responsibilities, such as:
* Establishing the information security policy and objectives
* Approving the risk assessment and risk treatment methodology and criteria
* Reviewing and approving the risk assessment and risk treatment results and plans
* Monitoring and evaluating the performance and effectiveness of the ISMS
* Reviewing and approving the internal and external audit plans and reports
* Initiating and approving corrective and preventive actions
* Communicating and promoting the ISMS to all interested parties
* Ensuring the alignment of the ISMS with the strategic direction and objectives of the organization
* Ensuring the availability of resources and competencies for the ISMS
* Ensuring the continual improvement of the ISMS
Therefore, in scenario 5, Operaze should create an information security committee to ensure the smooth running of the ISMS, as this committee would provide the necessary leadership, guidance, and support for the ISMS implementation and operation.
References: ISO/IEC 27001:2022, clause 5.1; PECB ISO/IEC 27001 Lead Implementer Course, Module 4, slide 9.
NEW QUESTION # 39
Logging in to a computer system is an access-granting process consisting of three steps: identification, authentication and authorization. What occurs during the first step of this process: identification?
- A. Thefirst step consists of checking if the user is using the correct certificate.
- B. The first step consists of granting access to the information to which the user is authorized.
- C. The first step consists of comparing the password with the registered password.
- D. The first step consists of checking if the user appears on the list of authorized users.
Answer: D
NEW QUESTION # 40
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off-site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body Based on scenario 10. NetworkFuse did not conduct a self-evaluation of the ISMS before the audit. Is this compliant to ISO/IEC 27001?
- A. Yes, the standard indicates that the auditee shall rely only on internal audit and management review reports to prepare for the certification audit
- B. No, the auditee must review the requirements of clauses 4 to 10 before the conduct of a certification audit
- C. Yes, the standard does not require to conduct a self-evaluation before the audit but it is a good practice to follow
Answer: C
Explanation:
Explanation
According to the ISO/IEC 27001:2022 standard, the organization is responsible for establishing, implementing, maintaining and continually improving the information security management system (ISMS) in accordance with the requirements of the standard (section 4.1). The standard does not explicitly require the organization to conduct a self-evaluation of the ISMS before the certification audit, which is an external audit performed by an independent certification body to verify the conformity of the ISMS with the standard and to grant the certification (section 9.3.2). However, the standard does require the organization to conduct internal audits (section 9.2) and management reviews (section 9.3) of the ISMS at planned intervals to ensure its effectiveness, suitability and adequacy, and to identify opportunities for improvement and corrective actions.
Therefore, conducting a self-evaluation of the ISMS before the certification audit is a good practice to follow, as it can help the organization to prepare for the audit, to identify any gaps or nonconformities, and to demonstrate its commitment and readiness for the certification.
References:
ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements1 ISO/IEC 27001 Lead Implementer Info Kit SELF EVALUATION CHECKLIST ISO/IEC 27001:20222
NEW QUESTION # 41
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on scenario 5. in which category of the interested parties does the MR manager of Operaze belong?
- A. Negatively influenced interested parties, because the HR Department will deal with more documentation
- B. Both A and B
- C. Positively influenced interested parties, because the ISMS will increase the effectiveness and efficiency of the HR Department
Answer: A
Explanation:
According to ISO/IEC 27001, interested parties are those who can affect, be affected by, or perceive themselves to be affected by the organization's information security activities, products, or services. Interested parties can be classified into four categories based on their influence and interest in the ISMS:
* Positively influenced interested parties: those who benefit from the ISMS and support its implementation and operation
* Negatively influenced interested parties: those who are adversely affected by the ISMS and oppose its implementation and operation
* High-interest interested parties: those who have a strong interest in the ISMS and its outcomes, regardless of their influence
* Low-interest interested parties: those who have a weak interest in the ISMS and its outcomes, regardless of their influence In scenario 5, the HR manager of Operaze belongs to the category of negatively influenced interested parties, because he/she perceives that the ISMS will create more paperwork and documentation for the HR Department, and therefore opposes its implementation and operation. The HR manager does not benefit from the ISMS and does not support its objectives and requirements.
References:
* ISO/IEC 27001:2013, clause 4.2: Understanding the needs and expectations of interested parties
* ISO/IEC 27001:2013, Annex A.18.1.4: Assessment of and decision on information security events
* ISO/IEC 27001 Lead Implementer Course, Module 2: Introduction to Information Security Management System (ISMS) concepts as required by ISO/IEC 27001
* ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001
* ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001
* ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001
* ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001
* ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit
NEW QUESTION # 42
An organization wants to enable the correlation and analysis of security-related events and other recorded data and to support investigations into information security incidents. Which control should it implement7
- A. Use of privileged utility programs
- B. Installation of software on operational systems
- C. Clock synchronization
Answer: C
NEW QUESTION # 43
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Which of the actions presented in scenario 4 is NOT compliant with the requirements of ISO/IEC 27001?
- A. TradeB selected only ISO/IEC 27001 controls deemed applicable to the company
- B. The Statement of Applicability was drafted before conducting the risk assessment
- C. The external experts selected security controls and drafted the Statement of Applicability
Answer: B
Explanation:
According to ISO/IEC 27001:2022, clause 6.1.3, the Statement of Applicability (SoA) is a document that identifies the controls that are applicable to the organization's ISMS and explains why they are selected or not.
The SoA is based on the results of the risk assessment and risk treatment, which are the previous steps in the risk management process. Therefore, the SoA should be drafted after conducting the risk assessment, not before. Drafting the SoA before the risk assessment may lead to inappropriate or incomplete selection of controls, as the organization may not have a clear understanding of its information security risks and their impact.
References: ISO/IEC 27001:2022, clause 6.1.3; PECB ISO/IEC 27001 Lead Implementer Course, Module 5, slide 18.
NEW QUESTION # 44
What does the Information Security Policy describe?
- A. which Information Security-procedures are selected
- B. how the InfoSec-objectives will be reached
- C. which InfoSec-controls have been selected and taken
- D. what the implementation-planning of the information security management system is
Answer: B
NEW QUESTION # 45
Which situation described in scenario 7 Indicates that Texas H&H Inc. implemented a detective control?
- A. Texas H&H Inc. tested its system for malicious activity and checked cloud based email settings
- B. Texas H&H Inc. integrated the incident management policy in Its information security policy
- C. Texas H&H Inc. hired an expert to conduct a forensic analysis
Answer: C
NEW QUESTION # 46
Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department The approved action plan was implemented and all actions described in the plan were documented.
Based on scenario 9. is the action plan for the identified nonconformities sufficient to eliminate the detected nonconformities?
- A. Yes, because a separate action plan has been created for the identified nonconformity
- B. No, because the action plan does not address the root cause of the identified nonconformity
- C. No, because the action plan does not include a timeframe for implementation
Answer: C
Explanation:
According to ISO/IEC 27001:2022, clause 10.1, an action plan for nonconformities and corrective actions should include the following elements1:
What needs to be done
Who is responsible for doing it
When it will be completed
How the effectiveness of the actions will be evaluated
How the results of the actions will be documented
In scenario 9, the action plan only describes what needs to be done and who is responsible for doing it, but it does not specify when it will be completed, how the effectiveness of the actions will be evaluated, and how the results of the actions will be documented. Therefore, the action plan is not sufficient to eliminate the detected nonconformities.
Reference:
1: ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, clause 10.1, Nonconformity and corrective action.
NEW QUESTION # 47
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off-site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body Based on scenario 10. NetworkFuse did not conduct a self-evaluation of the ISMS before the audit. Is this compliant to ISO/IEC 27001?
- A. Yes, the standard indicates that the auditee shall rely only on internal audit and management review reports to prepare for the certification audit
- B. No, the auditee must review the requirements of clauses 4 to 10 before the conduct of a certification audit
- C. Yes, the standard does not require to conduct a self-evaluation before the audit but it is a good practice to follow
Answer: C
Explanation:
According to the ISO/IEC 27001:2022 standard, the organization is responsible for establishing, implementing, maintaining and continually improving the information security management system (ISMS) in accordance with the requirements of the standard (section 4.1). The standard does not explicitly require the organization to conduct a self-evaluation of the ISMS before the certification audit, which is an external audit performed by an independent certification body to verify the conformity of the ISMS with the standard and to grant the certification (section 9.3.2). However, the standard does require the organization to conduct internal audits (section 9.2) and management reviews (section 9.3) of the ISMS at planned intervals to ensure its effectiveness, suitability and adequacy, and to identify opportunities for improvement and corrective actions.
Therefore, conducting a self-evaluation of the ISMS before the certification audit is a good practice to follow, as it can help the organization to prepare for the audit, to identify any gaps or nonconformities, and to demonstrate its commitment and readiness for the certification.
References:
* ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements1
* ISO/IEC 27001 Lead Implementer Info Kit
* SELF EVALUATION CHECKLIST ISO/IEC 27001:20222
NEW QUESTION # 48
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on scenario 8. did the nonconformity report include all the necessary aspects?
- A. No, the report must also specify the root cause of the nonconformity
- B. Yes, the report included all the necessary aspects
- C. No, the report must also specify the audit criteria
Answer: A
Explanation:
According to ISO/IEC 27001:2022, a nonconformity report is a document that records the details of any deviation from the audit criteria that is identified during an audit2. The audit criteria are the set of policies, procedures, requirements, or specifications that are used as a reference against which audit evidence is compared3. Therefore, a nonconformity report must include the following aspects:
The description of the nonconformity, which should clearly state what the deviation is, where it occurred, and when it was detected The audit findings, which should provide the objective evidence that supports the identification of the nonconformity The audit criteria, which should specify the reference document or standard that the nonconformity deviates from The recommendations, which should suggest the possible corrective actions or improvements that can be taken to address the nonconformity In scenario 8, Tessa's nonconformity report included the description of the nonconformity, the audit findings, and the recommendations, but it did not specify the audit criteria. Therefore, the report did not include all the necessary aspects and was incomplete.
Reference:
1: ISO/IEC 27001:2022, Clause 9.2.3
2: ISO/IEC 27001:2022, Clause 3.23
3: ISO/IEC 27001:2022, Clause 3.5
4: ISO/IEC 27001:2022, Annex A.9.2.3
NEW QUESTION # 49
Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department The approved action plan was implemented and all actions described in the plan were documented.
Based on this scenario, answer the following question:
OpenTech has decided to establish a new version of its access control policy. What should the company do when such changes occur?
- A. Update the information security objectives
- B. Include the changes in the scope
- C. Identify the change factors to be monitored
Answer: A
Explanation:
Explanation
According to ISO/IEC 27001:2022, clause 6.2, the organization shall establish information security objectives at relevant functions and levels. The information security objectives shall be consistent with the information security policy and relevant to the information security risks. The organization shall update the information security objectives as changes occur. Therefore, when OpenTech decides to establish a new version of its access control policy, it should update its information security objectives accordingly to reflect the changes and ensure alignment with the policy.
References: ISO/IEC 27001:2022, clause 6.2; PECB ISO/IEC 27001 Lead Implementer Course, Module 10, slide 8.
NEW QUESTION # 50
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information.
Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Which statement below suggests that Beauty has implemented a managerial control that helps avoid the occurrence of incidents? Refer to scenario 2.
- A. Beauty's employees signed a confidentiality agreement
- B. Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information
- C. Beauty updated the segregation of duties chart
Answer: B
Explanation:
Explanation
Managerial controls are administrative actions that are designed to prevent or reduce the likelihood of security incidents by influencing human behavior. They include policies, procedures, guidelines, standards, training, and awareness programs. In scenario 2, Beauty has implemented a managerial control by conducting information security awareness sessions for the IT team and other employees that have access to confidential information. These sessions aim to educate the staff on the importance of system and network security, the potential threats and vulnerabilities, and the best practices to follow to avoid the occurrence of incidents. By raising the level of awareness and knowledge of the employees, Beauty can reduce the human errors and negligence that might compromise the security of the information assets.
References: ISO/IEC 27001:2022 Lead Implementer Course Content, Module 7: Implementation of an ISMS based on ISO/IEC 27001:20221; ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, Clause 7.2: Competence2; ISO/IEC 27002:2022 Code of practice for information security controls, Clause 7.2.2: Information security awareness, education and training3
NEW QUESTION # 51
......
Test Engine to Practice ISO-IEC-27001-Lead-Implementer Test Questions: https://www.examcost.com/ISO-IEC-27001-Lead-Implementer-practice-exam.html
Use Valid ISO-IEC-27001-Lead-Implementer Exam - Actual Exam Question & Answer: https://drive.google.com/open?id=1to03EFmNkSbq8razQ6ChF7Kg1PEOZPy9

