PECB ISO-27001-LI Online Practice Questions and Exam Preparation

PECB ISO-27001-LI Online Questions & Answers

• Question 221:

  What does the organization still need to manage when using Platform as a Service (PaaS)?

  A. Operating system and virtualization
  B. Servers and storage
  C. Application and data
  C. Application and data

  ---

  Explanation

• Question 222:

  What service did Auto Tsaab implement to manage and protect information effectively?

  A. Cryptographic services
  B. Access control services
  C. Integrity services
  D. Backup services
  C. Integrity services

  ---

  Explanation

• Question 223:

  Scenario 8: SecureLynx is one Of the largest cybersecurity advisory and consulting companies that helps private sector organizations prevent security threats. improve security systems. and achieve business SecureLynr is committed to complying with national and international standards to enhance the company'S resilience and credibility_ SecureLynx has Started implementing an ISMS based on ISO/IEC 27001 as part of its relentless pursuit of security.

  As part of the internal audit activities. the top management reviewed and approved the audit objectives to assess the effectiveness of SecureLynx ISMS During the audit, the internal auditor evaluated whether top management Supports activities associated with the ISMS and if the toles and responsibilities Of relevant parties are Clearly defined. This rigorous examination is a testament to SecureLynx'S commitment to continuous improvernent and alignment of security measures with organizational goals.

  SecureLynx employs an innovative dashboard that visually represents implemented processes and controls to ensure transparency and accountability within the Organization. This tool Offers stakeholders a real-time overview of security measures. empowering them to make informed decisions and swiftly respond to emerging threats. As part of this initiative, Paula was appointed to a new position entrusted with the responsibility Of collecting, recordlng, and Stoting data to measure the effectiveness Of the ISMS- Furthermore, SecureLynx conducts management reviews every six months to ensure its Systems are robust and continually improving. These reviews serve as a crucial mechanism for assessing the efficacy Of security measures and identifying areas for enhancement. SecureLynx's dedication to implementing and maintaining a robust ISMS exemplifies its commitment to innovation and Client satisfaction.

  Based on the scenario above, answer the following question.

  Based on scenario 8, has SecureLynx appropriately conducted management reviews?

  A. No, management reviews should only occur when there are significant changes to the company's ISMS
  B. No, ISO/IEC 27001 requires management reviews to be conducted annually
  C. Yes, management reviews are intended to be conducted periodically
  C. Yes, management reviews are intended to be conducted periodically

  ---

  Explanation

• Question 224:

  What risk treatment option has Company A implemented if it has required from its employees the change of email passwords at least once every 60 days?

  A. Risk modification
  B. Risk avoidance
  C. Risk retention
  A. Risk modification

  ---

  Explanation

  Risk modification is one of the four risk treatment options defined by ISO/IEC 27001, which involves applying controls to reduce the likelihood and/or impact of the risk. By requiring its employees to change their email passwords at least once

  every 60 days, Company A has implemented a risk modification option to reduce the risk of unauthorized access to its email accounts. Changing passwords frequently can make it harder for attackers to guess or crack the passwords, and

  can limit the damage if a password is compromised.

  The other three risk treatment options are:

  Risk avoidance: This option involves eliminating the risk source or discontinuing the activity that causes the risk. For example, Company A could avoid the risk of email compromise by not using email at all, but this would also mean losing the

  benefits of email communication.

  Risk retention: This option involves accepting the risk and its consequences, either because the risk is too low to justify any treatment, or because the cost of treatment is too high compared to the potential loss. For example, Company A

  could retain the risk of email compromise by not implementing any security measures, but this would expose the company to potential breaches and reputational damage.

  Risk transfer: This option involves sharing or transferring the risk to a third party, such as an insurer, a supplier, or a partner. For example, Company A could transfer the risk of emailcompromise by outsourcing its email service to a cloud

  provider, who would be responsible for the security and availability of the email accounts.

• Question 225:

  What risk treatment option has Company A Implemented If it has decided not to collect information from users so that It is not necessary to implement information security controls?

  A. Risk avoidance
  B. Risk retention
  C. Risk modification
  A. Risk avoidance

  ---

  Explanation

• Question 226:

  'The ISMS covers all departments within Company XYZ that have access to customers' data. The purpose of the ISMS is to ensure the confidentiality, integrity, and availability of customers' data, and ensure compliance with the applicable regulatory requirements regarding information security."

  What does this statement describe?

  A. The information systems boundary of the ISMS scope
  B. The organizational boundaries of the ISMS scope
  C. The physical boundary of the ISMS scope
  B. The organizational boundaries of the ISMS scope

  ---

  Explanation

  The statement describes the organizational boundaries of the ISMS scope, which define which parts of the organization are included or excluded from the ISMS. The organizational boundaries can be based on criteria such as departments, functions, processes, activities, or locations. In this case, the statement specifies that the ISMS covers all departments within Company XYZ that have access to customers' data, and excludes the ones that do not. The statement also explains the purpose of the ISMS, which is to ensure the confidentiality, integrity, and availability of customers' data, and ensure compliance with the applicable regulatory requirements regarding information security. The statement does not describe the information systems boundary of the ISMS scope, which defines which information systems are included or excluded from the ISMS. The information systems boundary can be based on criteria such as hardware, software, networks, databases, or applications. The statement does not mention any specific information systems that are covered by the ISMS. The statement also does not describe the physical boundary of the ISMS scope, which defines which physical locations are included or excluded from the ISMS. The physical boundary can be based on criteria such as buildings, rooms, cabinets, or devices. The statement does not mention any specific physical locations that are covered by the ISMS.

• Question 227:

  If an organization wants to monitor operations in real time and notify users about deviations, which type of dashboard should be used?

  A. Strategic dashboard
  B. Tactical dashboard
  C. Operational dashboard
  C. Operational dashboard

  ---

  Explanation

• Question 228:

  According to ISO/IEC 270G1. why shall organizations document nonconformities?

  A. To provide evidence of the requirements set by internal audit after reviewing their audit reports
  B. To provide evidence of the results of the corrective actions and the nature of the nonconformities
  C. To provide evidence of regulations set by external sources that need to be followed by the organization
  B. To provide evidence of the results of the corrective actions and the nature of the nonconformities

  ---

  Explanation

• Question 229:

  Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess theinformation security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001. Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope.

  The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties. Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties. Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.

  What is the next step that Operaze's ISMS implementation team should take after drafting the information security policy? Refer to scenario 5. A. Implement the information security policy

  B. Obtain top management's approval for the information security policy

  C. Communicate the information security policy to all employees

  Correct Answer. B
  B

  ---

  Explanation

  According to ISO/IEC 27001 : 2022 Lead Implementer, the information security policy is a high-level document that defines the organization's objectives, principles, and commitments regarding information security. The policy should be aligned with the organization's strategic direction and context, and should provide a framework for setting information security objectives and establishing the ISMS. The policy should also be approved by top management, who are ultimately responsible for the ISMS and its performance. Therefore, after drafting the information security policy, the next step that Operaze's ISMS implementation team should take is to obtain top management's approval for the policy. This will ensure that the policy is consistent with the organization'svision and values, and that it has the necessary support and resources for its implementation and maintenance.

• Question 230:

  Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products and services. It uses MongoDB. a document model database that offers high availability, scalability, and flexibility.

  Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.

  Fortunately. Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server.

  The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions. To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.

  Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.

  Based on the scenario above, answer the following question:

  Which security control does NOT prevent information security incidents from recurring?

  A. Segregation of networks
  B. Privileged access rights
  C. Information backup
  C. Information backup

  ---

  Explanation

  Information backup is a corrective control that aims to restore the information in case of data loss, corruption, or deletion. It does not prevent information security incidents from recurring, but rather mitigates their impact. The other options are preventive controls that reduce the likelihood of information security incidents by limiting the access to authorized personnel, segregating the networks, and using cryptography. These controls can help Socket Inc. avoid future attacks on its MongoDB database by addressing the vulnerabilities that were exploited by the hackers.