
ISO-IEC-27001-Lead-Implementer Questions Prepare with Learning Information! 2026 Regularly updated
Get ISO-IEC-27001-Lead-Implementer Products Practice Material for ISO-IEC-27001-Lead-Implementer Exam Question Preparation
PECB ISO-IEC-27001-Lead-Implementer exam provides a comprehensive understanding of the ISO/IEC 27001 standard and its requirements. It covers the principles, concepts, and best practices for implementing and managing an ISMS, including risk assessment, risk management, security policies, procedures, and controls. ISO-IEC-27001-Lead-Implementer exam also includes topics related to the roles and responsibilities of top management, the importance of continual improvement, and the compliance and certification process.
PECB ISO-IEC-27001-Lead-Implementer is a certification exam that assesses an individual's knowledge and skills related to the implementation of an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard. ISO-IEC-27001-Lead-Implementer exam is designed for professionals who are responsible for managing, implementing, maintaining, and improving an organization's ISMS. PECB Certified ISO/IEC 27001 Lead Implementer Exam certification is issued by the Professional Evaluation and Certification Board (PECB), a leading provider of training, examination, and certification services in the fields of information security, risk management, and business continuity.
NEW QUESTION # 77
Scenario 8: BioVitalis
BioVitalis is a biopharmaceutical firm headquartered in California, the US Renowned for its pioneering work in the field of human therapeutics, BioVitalis places a strong emphasis on addressing critical healthcare concerns, particularly in the domains of cardiovascular diseases, oncology, bone health, and inflammation BioVitalis has demonstrated its commitment to data security and integrity by maintaining an effective information security management system (ISMS) based on ISO/IEC 27001 for the past two years.
In preparation for the recertification audit. BioVitalis conducted an internal audit. The company's top management appointed Alex, who has actively managed the Compliance Department's day-to-day operations for the last six months, as the internal auditor. With this dual role assignment. Alex is tasked with conducting an audit that ensures compliance and provides valuable recommendations to improve operational efficiency.
During the internal audit, a few nonconformities were identified. To address them comprehensively, the company created action plans for each nonconformity, working closely with the audit team leader BioVitalis's senior management conducted a comprehensive review of the ISMS to evaluate its appropriateness, sufficiency, and efficiency. This was integrated into their regular management meetings.
Essential documents, including audit reports, action plans, and review outcomes, were distributed to all members before the meeting. The agenda covered the status of previous review actions, changes affecting the ISMS, feedback, stakeholder inputs, and opportunities for improvement Decisions and actions targeting ISMS improvements were made, with a significant role played by the ISMS coordinator and the internal audit team in preparing follow up action plans, which were then approved by top management.
In response to the review outcomes. BioVitalis promptly implemented corrective actions, strengthening its Information security measures Additionally, dashboard tools were Introduced to provide a high-level overview of key performance indicators essential for monitoring the organization's information security management. These indicators included metrics on security incidents, their costs, system vulnerability tests, nonconformity detection, and resolution times, facilitating effective recording, reporting, and tracking of monitoring activities.
Furthermore. BioVitalis embarked on a comprehensive measurement process to assess the progress and outcomes of ongoing projects, implementing extensive measures across all processes The top management determined that the individual responsible for the information, aside from owning the data that contributes to the measures, would also be designated accountable for executing these measurement activities Top management decided that the information owner would also be responsible for executing measurement activities across ISMS processes.
Question:
Did BioVitalis define the roles for measurement activities correctly?
- A. No - as the responsibility for conducting measurement activities should have been assigned to the information communicator
- B. No - as the information owner cannot perform different measurement-related roles and responsibilities
- C. Yes - the information owner can also be responsible for conducting measurement activities
Answer: C
Explanation:
ISO/IEC 27004:2016 Clause 6.2 states:
"Measurement roles can be assigned to information owners, system administrators, or process managers, as long as accountability and expertise are ensured." There is no restriction preventing information owners from also conducting measurements, provided competency and authority are documented. This is supported by ISO/IEC 27001:2022 Clause 5.3 - Organizational roles and responsibilities.
References:
ISO/IEC 27004:2016 Clause 6.2 - Roles and Responsibilities
ISO/IEC 27001:2022 Clause 5.3 - Role assignment
NEW QUESTION # 78
An employee of the organization accidentally deleted customers' data stored in the database. What is the impact of this action?
- A. Information is not available to only authorized users
- B. Information is modified in transit
- C. Information is not accessible when required
Answer: C
Explanation:
According to ISO/IEC 27001:2022, availability is one of the three principles of information security, along with confidentiality and integrity1. Availability means that information is accessible and usable by authorized persons whenever it is needed2. If an employee of the organization accidentally deleted customers' data stored in the database, this would affect the availability of the information, as it would not be accessible when required by the authorized persons, such as the customers themselves, the organization's staff, or other stakeholders. This could result in loss of trust, reputation, or business opportunities for the organization, as well as dissatisfaction or inconvenience for the customers.
References:
* ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements
* What is ISO 27001? A detailed and straightforward guide - Advisera
NEW QUESTION # 79
NeuroTrustMed is a leading medical technology company based in Seoul, South Korea. The company specializes in developing AI-assisted neuroimaging solutions used in early diagnosis and treatment planning for neurological disorders. As a data-intensive company handling sensitive patient health records and medical research data, NeuroTrustMed places a strong emphasis on cybersecurity and regulatory compliance. The company has maintained an ISO/IEC 27001-certified ISMS for the past three years. It continuously reviews and improves its ISMS to address emerging threats, support innovation in medical diagnostics, and maintain stakeholder trust. As part of its commitment to continual improvement, NeuroTrustMed actively tracks potential nonconformities, performs root-cause analyses, implements corrective and preventive actions, and ensures all changes are documented and aligned with the company's strategic objectives. When a new data protection regulation came into effect affecting cross-regional data handling, the information security team conducted a gap assessment between current policies and the new regulation. Then, it updated relevant documentation and processes to meet compliance. Following these revisions, NeuroTrustMed updated the ISMS documentation and added a new entry in the improvement register. The register, maintained in the form of a structured spreadsheet, included a unique change number, a description of the update, and a high-priority classification due to legal compliance, the dates of initiation and completion, and the sign-off by the information security manager. Around the same period, during a scheduled management review, the information security team also identified a pattern of onboarding errors. While these had not resulted in any data breaches, they posed a risk of unauthorized access. In response, the onboarding procedure was revised and an automated verification step was added to ensure accuracy before access is granted. To understand the underlying cause, the team collected data on the provisioning process. They analyzed process logs, interviewed onboarding staff, and traced access errors back to a misconfigured step in the HR-to-IT handover workflow. The team validated this finding through test cases before implementing any changes. Once confirmed, the information security team documented the nonconformity in the ISMS log. The documentation included a description of the issue, impacted systems, affected users, and a brief risk assessment of potential consequences related to access management. Based on the scenario above, answer the following question.
According to scenario 9. did NeuroTrustMed document the change in accordance with continual improvement practices?
- A. No, the register should have been implemented in the form of a database rather than a spreadsheet.
- B. Yes, the change was documented in a structured spreadsheet with appropriate metadata and formal approval.
- C. No, changes should only be recorded if they result from nonconformities.
Answer: B
Explanation:
NeuroTrustMed documented the ISMS change in full accordance with continual improvement practices, making Option C the correct answer.
ISO/IEC 27001:2022 Clause 10.1 - Continual improvement and Clause 10.2 - Nonconformity and corrective action require organizations to:
* Record changes,
* Track actions taken,
* Retain documented information as evidence.
The scenario states that NeuroTrustMed maintained an improvement register containing:
* A unique change number,
* Description of the update,
* Priority classification,
* Initiation and completion dates,
* Formal sign-off by the information security manager.
This fully satisfies Clause 7.5 - Documented information and demonstrates controlled, auditable improvement.
* Option A is incorrect because ISO/IEC 27001 does not mandate a database over a spreadsheet.
* Option B is incorrect because improvements may result from regulatory changes, risks, or opportunities-not only nonconformities.
NEW QUESTION # 80
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted What should TradeB do in order to deal with residual risks? Refer to scenario 4.
- A. TradeB should immediately implement new controls to treat all residual risks
- B. TradeB should accept the residual risks only above the acceptance level
- C. TradeB should evaluate, calculate, and document the value of risk reduction following risk treatment
Answer: C
Explanation:
According to ISO/IEC 27001 : 2022 Lead Implementer, residual risk is the risk remaining after risk treatment.
Residual risk should be compared with the acceptable level of risk, which is the level of risk that the organization is willing to tolerate. If the residual risk is below the acceptable level of risk, then the risk can be accepted. If the residual risk is above the acceptable level of risk, then additional risk treatment options should be considered. Therefore, TradeB should evaluate, calculate, and document the value of risk reduction following risk treatment, which is the difference between the initial risk and the residual risk. This will help TradeB to determine whether the risk treatment was effective and whether the residual risk is acceptable or not.
References:
* ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, section 8.3.2 Risk treatment
* ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 14, Risk management process
NEW QUESTION # 81
FinanceX, a well-known financial institution, uses an online banking platform that enables clients to easily and securely access their bank accounts. To log in, clients are required to enter the one-lime authorization code sent to their smartphone. What can be concluded from this scenario?
- A. FinanceX has implemented a securityControl that ensures the confidentiality of information
- B. FinanceX has incorrectly implemented a security control that could become a vulnerability
- C. FinanceX has implemented an integrity control that avoids the involuntary corruption of data
Answer: A
NEW QUESTION # 82
Scenario 6: CB Consulting iS a reputable firm based in Dublin, Ireland. providing Strategic business Solutions to diverse clients, With a dedicated team Of professionals, CB Consulting prides itself on its commitment to excellence, integrity, and client satisfaction. CB Consulting started implementing an ISMS aligned with ISOflEC 27001 as part of its ongoing commitment to enhancing its information security practices. Throughout this process, ensuring effective communication and adherence to establi Shed security protocols is essential.
Sarah, an employee at CB has been appointed as the head Of a new project focused on managing sensitive client data, Additionally, she is responsible for Overseeing activities during the response phase of incident management, including regular reporting to the incident manager of the incident management team and keeping key stakeholders informed. Meanwhile, CB Consulting has reassigned Tom to serve as the company's legal consultant.
CB Consulting has also reassigned Clare. formerly an IT security analyst, as their information security officer to oversee the implementation Of the ISMS and ensure compliance with ISO/IEC 27001. Clare's primary responsibility iS to conduct regular risk assessments. identlfy potential vulnerabilities, and implement appropriate Security measures to mitigate risks effectively. Clare has established a procedure Stating that information security risk assessments are conducted only when significant changes occur. playing a crucial role in strengthening the companys security posture and safeguarding against potential threats.
TO ensure it has a Competent workforce to meet information security Objectives, CB Consulting has implemented a process to and verify that all employees, including Sarah, Tom, and Clare, possess the necessary competence based on their education. training, or experience. Where gaps were identified, the company has taken specific actions such as providing additional training and mentoring. Additionally, CB Consulting retains documented information as evidence of the competencies requ.red and acquired.
CB Consulting has established a robust communication strategy aligned with industry standards to ensure secure and effective information exchange. It identified the requirements for communication on relevant issues. First, the company designated specific toles. Such as a public relations officer for external communication and a Security officer for internal matters, to manage sensitive issues like data breaches. Then.
communication triggers, content. and recipients were carefully defined. with messages pre-approved by management where necessary. Lastly, dedicated channels were implemented to ensure the confidentiality and integrity of transmitted information.
Based on the scenario above, answer the following question.
CB Consulting prioritizes transparent and Substantive communication practices to foster trust, enhance Stakeholder engagement, and reinforce its commitment to information security excellence. Which principle of effective communication is emphasized by this approach?
Transparency
Based on scenario 6, Clare has established a procedure stating that information security risk assessments are conducted only when significant changes occur. Is the frequency of risk assessments determined correctly?
- A. No, she should perform risk assessments annually, as mandated by regulatory authorities
- B. No, the company must conduct risk assessments at planned intervals
- C. No, she should perform risk assessments quarterly per ISO/IEC 27001 requirements
Answer: B
NEW QUESTION # 83
What potential vulnerability in AI systems could be exploited for malicious purposes?
- A. High computational power
- B. Lack of real-time processing capabilities
- C. Adversarial manipulation of data inputs
Answer: C
NEW QUESTION # 84
We can acquire and supply information in various ways. The value of the information depends on whether it is reliable. What are the reliability aspects of information?
- A. Availability, Information Value and Confidentiality
- B. Timeliness, Accuracy and Completeness
- C. Availability, Integrity and Completeness
- D. Availability, Integrity and Confidentiality
Answer: D
NEW QUESTION # 85
Based on scenario 9. is the action plan for treating the nonconformity related to control 8.13 Information backup valid?
- A. Yes. It allows the elimination of the detected nonconformity
- B. No. It does not allow the elimination of the reported nonconformity
- C. No. It does not describe the explicit changes of the existing backup procedure
Answer: A
NEW QUESTION # 86
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on scenario 8. does SunDee comply with ISO/IEC 27001 requirements regarding the monitoring and measurement process?
- A. Yes. because the standard does not Indicate when the monitoring and measurement phase should be performed
- B. Yes, because the standard requires that the monitoring and measurement phase be conducted every two years
- C. No, because even though the standard does not imply when such a process should be performed, the company must have a monitoring and measurement process in place
Answer: C
NEW QUESTION # 87
What is the main difference between an audit program and an audit plan?
- A. An audit program outlines the overarching framework for a series of audits with specific timelines and purposes, while an audit plan outlines the activities and arrangements for a particular audit
- B. An audit program outlines the activities and arrangements for a particular audit, while an audit plan provides an overarching framework for a series of audits with specific timelines and purposes
- C. An audit program outlines policies, procedures, or requirements for reference in audit evidence comparison, while an audit plan provides an overarching framework for a series of audits with specific timelines and purposes
Answer: A
Explanation:
An audit program provides the overall schedule, scope, and objectives for a series of audits. An audit plan is a document for a specific audit that describes activities, arrangements, and responsibilities.
"An audit program consists of one or more audits planned for a specific timeframe and direction. An audit plan describes how a particular audit will be conducted."
- ISO/IEC 19011:2018, Clause 5.1 & 5.4
NEW QUESTION # 88
Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department The approved action plan was implemented and all actions described in the plan were documented.
Based on scenario 9. is the action plan for the identified nonconformities sufficient to eliminate the detected nonconformities?
- A. Yes, because a separate action plan has been created for the identified nonconformity
- B. No, because the action plan does not address the root cause of the identified nonconformity
- C. No, because the action plan does not include a timeframe for implementation
Answer: C
Explanation:
Explanation
According to ISO/IEC 27001:2022, clause 10.1, an action plan for nonconformities and corrective actions should include the following elements1:
What needs to be done
Who is responsible for doing it
When it will be completed
How the effectiveness of the actions will be evaluated
How the results of the actions will be documented
In scenario 9, the action plan only describes what needs to be done and who is responsible for doing it, but it does not specify when it will be completed, how the effectiveness of the actions will be evaluated, and how the results of the actions will be documented. Therefore, the action plan is not sufficient to eliminate the detected nonconformities.
References:
1: ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, clause 10.1, Nonconformity and corrective action.
NEW QUESTION # 89
Which of the following would be an acceptable justification for excluding the Annex A 6.1 Screening control?
- A. The organization voluntarily performs comprehensive criminal background checks on all employees
- B. The organization considers background verification checks unnecessary for its operations
- C. A collective agreement with employees prohibits security checks
Answer: C
NEW QUESTION # 90
Scenario 9:
OpenTech, headquartered in San Francisco, specializes in information and communication technology (ICT) solutions. Its clientele primarily includes data communication enterprises and network operators. The company's core objective is to enable its clients to transition smoothly into multi-service providers, aligning their operations with the complex demands of the digital landscape.
Recently, Tim, the internal auditor of OpenTech, conducted an internal audit that uncovered nonconformities related to their monitoring procedures and system vulnerabilities. In response to these nonconformities, OpenTech decided to employ a comprehensive problem-solving approach to address the issues systematically.
This method encompasses a team-oriented approach, aiming to identify, correct, and eliminate the root causes of the issues. The approach involves several steps: First, establish a group of experts with deep knowledge of processes and controls. Next, break down the nonconformity into measurable components and implement interim containment measures. Then, identify potential root causes and select and verify permanent corrective actions. Finally, put those actions into practice, validate them, take steps to prevent recurrence, and recognize and acknowledge the team's efforts.
Following the analysis of the root causes of the nonconformities, OpenTech's ISMS project manager, Julia, developed a list of potential actions to address the identified nonconformities. Julia carefully evaluated the list to ensure that each action would effectively eliminate the root cause of the respective nonconformity. While assessing potential corrective actions, Julia identified one issue as significant and assessed a high likelihood of its recurrence. Consequently, she chose to implement temporary corrective actions. Julia then combined all the nonconformities into a single action plan and sought approval from top management. The submitted action plan was written as follows:
"A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department." However, Julia's submitted action plan was not approved by top management. The reason cited was that a general action plan meant to address all nonconformities was deemed unacceptable. Consequently, Julia revised the action plan and submitted separate ones for approval. Unfortunately, Julia did not adhere to the organization's specified deadline for submission, resulting in a delay in the corrective action process.
Additionally, the revised action plans lacked a defined schedule for execution.
Did Julia make an appropriate decision regarding the nonconformities with a high likelihood of reoccurrence?
- A. Yes, Julia's decision to implement temporary corrective actions was consistent with best practices
- B. No, implementing temporary actions during the corrective action process is not recommended
- C. No, as temporary corrective actions are not allowed in the evaluation phase
Answer: A
NEW QUESTION # 91
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on the scenario above, answer the following question:
What caused SunDee's workforce disruption?
- A. The inconsistency of reports written by different employees
- B. The voluminous written reports
- C. The negligence of performance evaluation and monitoring and measurement procedures
Answer: B
NEW QUESTION # 92
Why is an in-depth review crucial for organizations to evaluate their security architecture?
- A. To determine the organization's compliance with financial regulations
- B. To meet shareholder expectations
- C. To conduct background checks on potential employees to ensure security compliance
- D. To assess whether security requirements based on industry best practices can be met
Answer: D
NEW QUESTION # 93
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off- site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body According to scenario 10, NetworkFuse requested from the certification body to review all the documentation only on-site. Is this acceptable?
- A. No, the certification body decides whether the documentation review takes place on-site or off-site
- B. Yes, the auditee may request that the review of the documentation takes place on-site
- C. Yes, only if a confidentiality agreement is formerly signed by the audit team
Answer: B
Explanation:
According to the ISO/IEC 27001:2022 standard, the certification body is responsible for planning and conducting the audit, including the review of the documented information. The certification body may decide to review the documentation on-site or off-site, depending on the audit objectives, scope, criteria, and risks.
The auditee may not impose any restrictions on the access to the documentation, unless there are valid reasons for confidentiality or security. However, such restrictions should be agreed upon before the audit and should not compromise the effectiveness and impartiality of the audit.
ISO/IEC 27001:2022, clause 9.2.2
ISO/IEC 27006:2021, clause 7.1.4
NEW QUESTION # 94
An organization has compared its actual performance against predetermined performance targets. What is the primary purpose of this action?
- A. To eliminate the need for manual tracking and reporting
- B. To verify that all security incidents are resolved
- C. To assess whether the organization's security objectives are being met
Answer: C
NEW QUESTION # 95
TradeB communicated the information security processes and procedures to employees. Which principle of efficient communication strategy did they use?
- A. Appropriateness
- B. Transparency
- C. Responsiveness
Answer: B
NEW QUESTION # 96
Del&Co has decided to improve their staff-related controls to prevent incidents. Which of the following is NOT a preventive control related to the Del&Co's staff?
- A. Video cameras
- B. Authentication and authorization
- C. Control of physical access to the equipment
Answer: A
NEW QUESTION # 97
Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products and services. It uses MongoDB. a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately. Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Based on scenario 3, what would help Socket Inc. address similar information security incidents in the future?
- A. Using the MongoDB database with the default settings
- B. Using the access control system to ensure that only authorized personnel is granted access
- C. Using cryptographic keys to protect the database from unauthorized access
Answer: C
Explanation:
In Scenario 3, the measure that would help Socket Inc. address similar information security incidents in the future is "B. Using cryptographic keys to protect the database from unauthorized access." Implementing cryptographic controls, including cryptographic key management, is a proactive measure to secure the data in the MongoDB database against unauthorized access. It ensures that even if attackers gain access to the database, they cannot read or misuse the data without the appropriate cryptographic keys. This approach aligns with best practices for securing sensitive data and is part of a comprehensive security strategy.
ISO 27001 - Annex A.10 - Cryptography
ISO 27001 Annex A.10 - Cryptography | ISMS.online
ISO 27001 cryptographic controls policy | What needs to be included?
NEW QUESTION # 98
Which of the following is NOT part of the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected?
- A. React to the nonconformity, take action to control and correct it. and deal with its consequences
- B. Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
- C. Communicate the details of the nonconformity to every employee of the organization and suspend the employee that caused the nonconformity
Answer: C
Explanation:
According to the ISO/IEC 27001 : 2022 Lead Implementer course, the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected are as follows1:
* React to the nonconformity, take action to control and correct it, and deal with its consequences
* Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
* Implement any action needed
* Review the effectiveness of the corrective action
* Make changes to the information security management system (ISMS) if necessary Therefore, communicating the details of the nonconformity to every employee of the organization and suspending the employee that caused the nonconformity is not part of the steps required by ISO/IEC
27001. This option is not only unnecessary, but also potentially harmful, as it could violate the principles of confidentiality, integrity, and availability of information, as well as the human rights and dignity of the employee involved2. Instead, the organization should follow the established procedures for reporting, recording, and analyzing nonconformities, and ensure that the corrective actions are appropriate, proportional, and fair3.
NEW QUESTION # 99
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information.
Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out- of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
According to scenario 2. Beauty has reviewed all user access rights. What type of control is this?
- A. Corrective and managerial
- B. Legal and technical
- C. Detective and administrative
Answer: C
Explanation:
* Preventive controls: These are controls that aim to prevent or deter the occurrence of a security incident or reduce its likelihood. Examples of preventive controls are encryption, firewalls, locks, policies, etc.
* Detective controls: These are controls that aim to detect or discover the occurrence of a security incident or its symptoms. Examples of detective controls are logs, alarms, audits, etc.
* Corrective controls: These are controls that aim to correct or restore the normal state of an asset or a process after a security incident or mitigate its impact. Examples of corrective controls are backups, recovery plans, incident response teams, etc.
* Administrative controls: These are controls that involve the management and governance of information security, such as policies, procedures, roles, responsibilities, awareness, training, etc.
* Technical controls: These are controls that involve the use of technology or software to implement information security, such as encryption, firewalls, anti-malware, authentication, etc.
* Physical controls: These are controls that involve the protection of physical assets or locations from unauthorized access, damage, or theft, such as locks, fences, cameras, guards, etc.
* Legal controls: These are controls that involve the compliance with laws, regulations, contracts, or agreements related to information security, such as privacy laws, data protection laws, confidentiality agreements, etc.
In scenario 2, the action of Beauty reviewing all user access rights is best described as a "Preventive and Administrative" control.
* Preventive Control: The review of user access rights is a preventive measure. It is designed to prevent unauthorized access to sensitive information by ensuring that only authorized personnel have access to specific files. By controlling access rights, the organization aims to prevent potential security breaches and protect sensitive data.
* Administrative Control: This action also falls under administrative controls, sometimes referred to as managerial controls. These controls involve policies, procedures, and practices related to the management of the organization and its employees. In this case, the review of access rights is a part of the company's administrative procedures to manage the security of information systems.
NEW QUESTION # 100
......
Most Reliable PECB ISO-IEC-27001-Lead-Implementer Training Materials: https://www.dumpsvalid.com/ISO-IEC-27001-Lead-Implementer-still-valid-exam.html
The Realest Study Materials ISO-IEC-27001-Lead-Implementer Dumps: https://drive.google.com/open?id=1NjW_f-Y2hSSO23xFRcUtmOmvqkOIwxq1