
Actual ISO-IEC-27001-Lead-Implementer Exam Recently Updated Questions with Free Demo
Free PECB ISO-IEC-27001-Lead-Implementer Exam Questions Self-Assess Preparation
NEW QUESTION # 46
Scenario 4: TradeB, a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001. Having no experience of a management system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives. Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category. They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity. Lastly, they drafted a risk assessment report, in which they wrote that if, after the implementation of these security controls, the level of risk is below the acceptable level, the risks will be accepted.
Based on the scenario above, answer the following question:
The decision to treat only risks that were classified as high indicates that TradeB has:
- A. Modified other risk categories based on risk evaluation criteria
- B. Evaluated other risk categories based on risk treatment criteria
- C. Accepted other risk categories based on risk acceptance criteria
Answer: C
Explanation:
According to ISO/IEC 27001:2022, risk acceptance criteria are the criteria used to decide whether a risk can be accepted or not. Risk acceptance criteria are often based on a maximum level of acceptable risks, on cost-benefit considerations, or on consequences for the organization. In the scenario, TradeB decided to treat only the high risk category, which implies that
NEW QUESTION # 47
Which of the following is NOT part of the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected?
- A. Communicate the details of the nonconformity to every employee of the organization and suspend the employee that caused the nonconformity
- B. Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
- C. React to the nonconformity, take action to control and correct it, and deal with its consequences
Answer: A
Explanation:
According to the ISO/IEC 27001:2022 Lead Implementer course, the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected are as follows:
* React to the nonconformity, take action to control and correct it, and deal with its consequences
* Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
* Implement any action needed
* Review the effectiveness of the corrective action
* Make changes to the information security management system (ISMS) if necessary
Therefore, communicating the details of the nonconformity to every employee of the organization and suspending the employee that caused the nonconformity is not part of the steps required by ISO/IEC 27001. This option is not only unnecessary, but also potentially harmful, as it could violate the principles of confidentiality, integrity, and availability of information, as well as the human rights and dignity of the employee involved. Instead, the organization should follow the established procedures for reporting, recording, and analyzing nonconformities, and ensure that the corrective actions are appropriate, proportional, and fair.
References:
* PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 9
* PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 10
* PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 11
NEW QUESTION # 48
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a combined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit. The company decided not to conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off-site. Moreover, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement. The company asserted that the same audit team leader had issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body.
Based on scenario 10, NetworkFuse did not conduct a self-evaluation of the ISMS before the audit. Is this compliant with ISO/IEC 27001?
- A. Yes, the standard does not require to conduct a self-evaluation before the audit but it is a good practice to follow
- B. Yes, the standard indicates that the auditee shall rely only on internal audit and management review reports to prepare for the certification audit
- C. No, the auditee must review the requirements of clauses 4 to 10 before the conduct of a certification audit
Answer: A
Explanation:
According to the ISO/IEC 27001:2022 standard, the organization is responsible for establishing, implementing, maintaining and continually improving the information security management system (ISMS) in accordance with the requirements of the standard (section 4.1). The standard does not explicitly require the organization to conduct a self-evaluation of the ISMS before the certification audit, which is an external audit performed by an independent certification body to verify the conformity of the ISMS with the standard and to grant the certification (section 9.3.2). However, the standard does require the organization to conduct internal audits (section 9.2) and management reviews (section 9.3) of the ISMS at planned intervals to ensure its effectiveness, suitability and adequacy, and to identify opportunities for improvement and corrective actions.
Therefore, conducting a self-evaluation of the ISMS before the certification audit is a good practice to follow, as it can help the organization to prepare for the audit, to identify any gaps or nonconformities, and to demonstrate its commitment and readiness for the certification.
References:
* ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements
* ISO/IEC 27001 Lead Implementer Info Kit
* Self-evaluation checklist ISO/IEC 27001:2022
NEW QUESTION # 49
Scenario 3: Socket Inc. is a telecommunications company offering mainly wireless products and services. It uses MongoDB, a document-model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately, Socket Inc. performed regular information backups of its MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. By reviewing the event logs that record user faults and exceptions, the company found out that no persistent backdoor was placed and that the attack was not initiated by an employee inside the company.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access. The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative effort, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrated information security into project management.
Socket Inc. has implemented a control for the effective use of cryptography and cryptographic key management. Is this compliant with ISO/IEC 27001? Refer to scenario 3.
- A. Yes, the control for the effective use of the cryptography can include cryptographic key management
- B. No, the control should be implemented only for defining rules for cryptographic key management
- C. No, because the standard provides a separate control for cryptographic key management
Answer: A
Explanation:
According to ISO/IEC 27001:2022, Annex A.8.24, the control for the effective use of cryptography is intended to ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information. This control can include cryptographic key management, which is the process of generating, distributing, storing, using, and destroying cryptographic keys in a secure manner. Cryptographic key management is essential for ensuring the security and functionality of cryptographic solutions, such as encryption, digital signatures, or authentication.
The standard provides the following guidance for implementing this control:
* A policy on the use of cryptographic controls should be developed and implemented.
* The policy should define the circumstances and conditions in which the different types of cryptographic controls should be used, based on the information classification scheme, the relevant agreements, legislation, and regulations, and the assessed risks.
* The policy should also define the standards and techniques to be used for each type of cryptographic control, such as the algorithms, key lengths, key formats, and key lifecycles.
* The policy should be reviewed and updated regularly to reflect changes in the technology, the business environment, and the legal requirements.
* The cryptographic keys should be managed through their whole lifecycle, from generation to destruction, in a secure and controlled manner, following the principles of need-to-know and segregation of duties.
* The cryptographic keys should be protected from unauthorized access, disclosure, modification, loss, or theft, using appropriate physical and logical security measures, such as encryption, access control, backup, and audit.
* The cryptographic keys should be changed or replaced periodically, or when there is a suspicion of compromise, following a defined process that ensures the continuity of the cryptographic services and the availability of the information.
* The cryptographic keys should be securely destroyed when they are no longer required, or when they reach their end of life, using methods that prevent their recovery or reconstruction.
References:
* ISO/IEC 27001:2022 Lead Implementer Course Guide
* ISO/IEC 27001:2022 Lead Implementer Info Kit
* ISO/IEC 27001:2022 Information Security Management Systems - Requirements
* ISO/IEC 27002:2022 Code of Practice for Information Security Controls
* Understanding Cryptographic Controls in Information Security
NEW QUESTION # 50
A small organization that is implementing an ISMS based on ISO/IEC 27001 has decided to outsource the internal audit function to a third party. Is this acceptable?
- A. No, the outsourcing of the internal audit function may compromise the independence and impartiality of the internal audit team
- B. Yes, outsourcing the internal audit function to a third party is often a better option for small organizations to demonstrate independence and impartiality
- C. No, the organizations cannot outsource the internal audit function to a third party because during internal audit, the organization audits its own system
Answer: B
Explanation:
According to the ISO/IEC 27001:2022 standard, an internal audit is an audit conducted by the organization itself to evaluate the conformity and effectiveness of its information security management system (ISMS). The standard requires that the internal audit should be performed by auditors who are objective and impartial, meaning that they should not have any personal or professional interest or bias that could influence their judgment or compromise their integrity. The standard also allows the organization to outsource the internal audit function to a third party, as long as the criteria of objectivity and impartiality are met.
Outsourcing the internal audit function to a third party can be a better option for small organizations that may not have enough resources, skills, or experience to perform an internal audit by themselves. By hiring an external auditor, the organization can benefit from the following advantages:
* The external auditor can provide a fresh and independent perspective on the organization's ISMS, identifying strengths, weaknesses, opportunities, and threats that may not be apparent to the internal staff.
* The external auditor can bring in specialized knowledge, expertise, and best practices from other organizations and industries, helping the organization to improve its ISMS and achieve its objectives.
* The external auditor can reduce the risk of conflict of interest, bias, or influence that may arise when the internal staff audit their own work or the work of their colleagues.
* The external auditor can save the organization time and money by conducting the internal audit more efficiently and effectively, avoiding duplication of work or unnecessary delays.
Therefore, outsourcing the internal audit function to a third party is acceptable and often preferable for small organizations that are implementing an ISMS based on ISO/IEC 27001.
References:
* ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, Clause 9.2, Internal audit
* ISO/IEC 27007:2023, Information technology - Security techniques - Guidelines for information security management systems auditing
* PECB, ISO/IEC 27001 Lead Implementer Course, Module 12, Internal audit
* A Complete Guide to an ISO 27001 Internal Audit - Sprinto
NEW QUESTION # 52
We can acquire and supply information in various ways. The value of the information depends on whether it is reliable. What are the reliability aspects of information?
- A. Timeliness, Accuracy and Completeness
- B. Availability, Integrity and Confidentiality
- C. Availability, Integrity and Completeness
- D. Availability, Information Value and Confidentiality
Answer: B
NEW QUESTION # 53
Scenario 3: Socket Inc. is a telecommunications company offering mainly wireless products and services. It uses MongoDB, a document-model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately, Socket Inc. performed regular information backups of its MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. By reviewing the event logs that record user faults and exceptions, the company found out that no persistent backdoor was placed and that the attack was not initiated by an employee inside the company.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access. The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative effort, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrated information security into project management.
Based on the scenario above, answer the following question:
Which security control does NOT prevent information security incidents from recurring?
- A. Segregation of networks
- B. Information backup
- C. Privileged access rights
Answer: B
Explanation:
Information backup is a corrective control that aims to restore the information in case of data loss, corruption, or deletion. It does not prevent information security incidents from recurring, but rather mitigates their impact.
The other options are preventive controls that reduce the likelihood of information security incidents by limiting the access to authorized personnel, segregating the networks, and using cryptography. These controls can help Socket Inc. avoid future attacks on its MongoDB database by addressing the vulnerabilities that were exploited by the hackers.
References:
* ISO 27001:2022 Annex A 8.13 - Information Backup
* ISO 27001:2022 Annex A 8.1 - Access Control Policy
* ISO 27001:2022 Annex A 8.2 - User Access Management
* ISO 27001:2022 Annex A 8.3 - User Responsibilities
* ISO 27001:2022 Annex A 8.4 - System and Application Access Control
* ISO 27001:2022 Annex A 8.5 - Cryptography
* ISO 27001:2022 Annex A 8.6 - Network Security Management
NEW QUESTION # 54
What risk treatment option has Company A implemented if it has required from its employees the change of email passwords at least once every 60 days?
- A. Risk modification
- B. Risk retention
- C. Risk avoidance
Answer: A
Explanation:
Risk modification is one of the four risk treatment options defined by ISO/IEC 27001, which involves applying controls to reduce the likelihood and/or impact of the risk. By requiring its employees to change their email passwords at least once every 60 days, Company A has implemented a risk modification option to reduce the risk of unauthorized access to its email accounts. Changing passwords frequently can make it harder for attackers to guess or crack the passwords, and can limit the damage if a password is compromised.
The other three risk treatment options are:
* Risk avoidance: This option involves eliminating the risk source or discontinuing the activity that causes the risk. For example, Company A could avoid the risk of email compromise by not using email at all, but this would also mean losing the benefits of email communication.
* Risk retention: This option involves accepting the risk and its consequences, either because the risk is too low to justify any treatment, or because the cost of treatment is too high compared to the potential loss. For example, Company A could retain the risk of email compromise by not implementing any security measures, but this would expose the company to potential breaches and reputational damage.
* Risk transfer: This option involves sharing or transferring the risk to a third party, such as an insurer, a supplier, or a partner. For example, Company A could transfer the risk of email compromise by outsourcing its email service to a cloud provider, who would be responsible for the security and availability of the email accounts.
References:
* ISO/IEC 27001:2013, clause 6.1.3: Information security risk treatment
* ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001
* ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001
* ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001
* ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001
* ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit
* ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide - Advisera
* Infosec Risk Treatment for ISO 27001 Requirement 8.3 - ISMS.online
* ISO 27001 Clause 6.1.3 Information security risk treatment
* ISO 27001 Risk Treatment Plan - Scrut Automation
NEW QUESTION # 55
Which security controls must be implemented to comply with ISO/IEC 27001?
- A. Those listed in Annex A of ISO/IEC 27001, without any exception
- B. Those included in the risk treatment plan
- C. Those designed by the organization only
Answer: B
NEW QUESTION # 56
Scenario 4: TradeB, a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001. Having no experience of a management system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives. Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category. They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity. Lastly, they drafted a risk assessment report, in which they wrote that if, after the implementation of these security controls, the level of risk is below the acceptable level, the risks will be accepted.
Based on scenario 4, the fact that TradeB defined the level of risk based on three nonnumerical categories indicates that:
- A. The level of risk will be evaluated using quantitative analysis
- B. The level of risk will be evaluated against qualitative criteria
- C. The level of risk will be defined using a formula
Answer: B
Explanation:
Qualitative risk assessment is a method of evaluating risks based on nonnumerical categories, such as low, medium, and high. It is often used when there is not enough data or resources to perform a quantitative risk assessment, which involves numerical values and calculations. Qualitative risk assessment relies on the subjective judgment and experience of the risk assessors, and it can be influenced by various factors, such as the context, the stakeholders, and the criteria. According to ISO/IEC 27001:2022, Annex A, control A.8.2.1 states: "The organization shall define and apply an information security risk assessment process that: ... d) identifies the risk owners; e) analyses the risks: i) assesses the consequences that would result if the risks identified were to materialize; ii) assesses the realistic likelihood of the occurrence of the risks; f) identifies and evaluates options for the treatment of risks; g) determines the levels of residual risk and whether these are acceptable; and h) identifies the risk owners for the residual risks." Therefore, TradeB's decision to define the level of risk based on three nonnumerical categories indicates that they used a qualitative risk assessment process.
References:
* ISO/IEC 27001:2022, Annex A, control A.8.2.1
* PECB ISO/IEC 27001 Lead Implementer Course, Module 7, slides 12-13
NEW QUESTION # 57
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration testing and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties. In addition, the top management of Operaze decided to include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties. In addition, other specific policies were developed to elaborate on security issues, and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by the ISMS does not justify its value and that the implementation of the ISMS should be canceled. However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate its physical servers to virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company. Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on scenario 5, which committee should Operaze create to ensure the smooth running of the ISMS?
- A. Information security committee
- B. Management committee
- C. Operational committee
Answer: A
Explanation:
According to ISO/IEC 27001:2022, clause 5.1, the top management of an organization is responsible for ensuring the leadership and commitment for the ISMS. However, the top management may delegate some of its responsibilities to an information security committee, which is a group of people who oversee the ISMS and provide guidance and support for its implementation and operation. The information security committee may include representatives from different departments, functions, or levels of the organization, as well as external experts or consultants. The information security committee may have various roles and responsibilities, such as:
* Establishing the information security policy and objectives
* Approving the risk assessment and risk treatment methodology and criteria
* Reviewing and approving the risk assessment and risk treatment results and plans
* Monitoring and evaluating the performance and effectiveness of the ISMS
* Reviewing and approving the internal and external audit plans and reports
* Initiating and approving corrective and preventive actions
* Communicating and promoting the ISMS to all interested parties
* Ensuring the alignment of the ISMS with the strategic direction and objectives of the organization
* Ensuring the availability of resources and competencies for the ISMS
* Ensuring the continual improvement of the ISMS
Therefore, in scenario 5, Operaze should create an information security committee to ensure the smooth running of the ISMS, as this committee would provide the necessary leadership, guidance, and support for the ISMS implementation and operation.
References: ISO/IEC 27001:2022, clause 5.1; PECB ISO/IEC 27001 Lead Implementer Course, Module 4, slide 9.
NEW QUESTION # 58
Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming consoles, flat-screen TVs. computers, and printers. In order to ensure information security, the company has decided to implement an information security management system (ISMS) based on the requirements of ISO/IEC 27001.
Colin, the company's best information security expert, decided to hold a training and awareness session for the personnel of the company regarding the information security challenges and other information security-related controls. The session included topics such as Skyver's information security approaches and techniques for mitigating phishing and malware.
One of the participants in the session is Lisa, who works in the HR Department. Although Colin explains Skyver's existing information security policies and procedures in an honest and fair manner, she finds some of the issues being discussed too technical and does not fully understand the session. Therefore, in a lot of cases, she requests additional help from the trainer and her colleagues. Based on the scenario above, answer the following question:
How should Colin have handled the situation with Lisa?
- A. Promise Lisa that future training and awareness sessions will be easily understandable
- B. Deliver training and awareness sessions for employees with the same level of competence needs based on the activities they perform within the company
- C. Extend the duration of the training and awareness session in order to be able to achieve better results
Answer: B
NEW QUESTION # 59
Scenario 3: Socket Inc. is a telecommunications company offering mainly wireless products and services. It uses MongoDB, a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately, Socket Inc. performed regular information backups of their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. By reviewing the event logs that record user faults and exceptions, the company found out that no persistent backdoor was placed and that the attack was not initiated by an employee inside the company.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access. The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative effort, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Based on scenario 3, which information security control of Annex A of ISO/IEC 27001 did Socket Inc. implement by establishing a new system to maintain, collect, and analyze information related to information security threats?
- A. Annex A 5.7 Threat Intelligence
- B. Annex A 5.5 Contact with authorities
- C. Annex A 5.13 Labeling of information
Answer: A
Explanation:
Annex A 5.7 Threat Intelligence is a new control in ISO 27001:2022 that aims to provide the organisation with relevant information regarding the threats and vulnerabilities of its information systems and the potential impacts of information security incidents. By establishing a new system to maintain, collect, and analyze information related to information security threats, Socket Inc. implemented this control and improved its ability to prevent, detect, and respond to information security incidents.
References:
* ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, Annex A 5.7 Threat Intelligence
* ISO/IEC 27002:2022 Information technology - Security techniques - Information security, cybersecurity and privacy protection controls, Clause 5.7 Threat Intelligence
* PECB ISO/IEC 27001:2022 Lead Implementer Course, Module 6: Implementation of Information Security Controls Based on ISO/IEC 27002:2022, Slide 18: A.5.7 Threat Intelligence
NEW QUESTION # 60
Scenario 3: Socket Inc. is a telecommunications company offering mainly wireless products and services. It uses MongoDB, a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately, Socket Inc. performed regular information backups of their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. By reviewing the event logs that record user faults and exceptions, the company found out that no persistent backdoor was placed and that the attack was not initiated by an employee inside the company.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access. The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative effort, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Based on the scenario above, answer the following question:
Which security control does NOT prevent information security incidents from recurring?
- A. Segregation of networks
- B. Information backup
- C. Privileged access rights
Answer: B
NEW QUESTION # 61
According to scenario 8, Tessa created a plan for ISMS monitoring and measurement and presented it to the top management. Is this acceptable?
- A. Yes, Tessa can advise the top management on improving the company's functions
- B. No, Tessa must implement all the improvements needed for issues found during the audit
- C. No, Tessa should only communicate the issues found to the top management
Answer: A
NEW QUESTION # 62
Based on scenario 8, did the nonconformity report include all the necessary aspects?
- A. No, the report must also specify the root cause of the nonconformity
- B. No, the report must also specify the audit criteria
- C. Yes, the report included all the necessary aspects
Answer: C
NEW QUESTION # 63
......
PECB ISO-IEC-27001-Lead-Implementer certification exam is designed to test a candidate's knowledge and expertise in implementing and managing an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard. PECB Certified ISO/IEC 27001 Lead Implementer Exam certification is offered by the Professional Evaluation and Certification Board (PECB), an international organization that provides training, certification, and audit services in various fields, including information security.
ISO-IEC-27001-Lead-Implementer Free Sample Questions to Practice One Year Update: https://www.dumpstorrent.com/ISO-IEC-27001-Lead-Implementer-exam-dumps-torrent.html
Download ISO-IEC-27001-Lead-Implementer exam with PECB ISO-IEC-27001-Lead-Implementer Real Exam Questions: https://drive.google.com/open?id=1N6h-JjMvVTfHPb-aTqrr6qzKxfXdWEPf