ISO-27001-LI Exam Details

  • Exam Code: ISO-27001-LI
  • Exam Name: ISO/IEC 27001:2022 Lead Implementer
  • Certification: PECB Certifications
  • Vendor: PECB
  • Total Questions: 281 Q&As
  • Last Updated: May 29, 2026

PECB ISO-27001-LI Online Questions & Answers

  • Question 21:

    What is the first phase in the information security policy development life cycle?

    A. Policy construction
    B. Policy implementation
    C. Risk assessment
    D. Policy planning / Needs assessment

  • Question 22:

    Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming consoles, flat-screen TVs, computers, and printers. In order to ensure information security, the company has decided to implement an information security management system (ISMS) based on the requirements of ISO/IEC 27001. Colin, the company's best information security expert, decided to hold a training and awareness session for the personnel of the company regarding the information security challenges and other information security-related controls. The session included topics such as Skyver's information security approaches and techniques for mitigating phishing and malware.

    One of the participants in the session is Lisa, who works in the HR Department. Although Colin explains Skyver's existing information security policies and procedures in an honest and fair manner, she finds some of the issues being discussed too technical and does not fully understand the session. Therefore, in a lot of cases, she requests additional help from the trainer and her colleagues.

    Based on the scenario above, answer the following question: How should Colin have handled the situation with Lisa?

    A. Extend the duration of the training and awareness session in order to be able to achieve better results
    B. Promise Lisa that future training and awareness sessions will be easily understandable
    C. Deliver training and awareness sessions for employees with the same level of competence needs based on the activities they perform within the company

  • Question 23:

    Which of the following would be an acceptable justification for excluding the Annex A 6.1 Screening control?

    A. The organization considers background verification checks unnecessary for its operations
    B. A collective agreement with employees prohibits security checks
    C. The organization voluntarily performs comprehensive criminal background checks on all employees

  • Question 24:

    Scenario 2:

    Beauty is a well-established cosmetics company in the beauty industry. The company was founded several decades ago with a passion for creating high-quality skincare, makeup, and personal care products that enhance natural beauty.

    Over the years, Beauty has built a strong reputation for its innovative product offerings, commitment to customer satisfaction, and dedication to ethical and sustainable business practices.

    In response to the rapidly evolving landscape of consumer shopping habits, Beauty transitioned from traditional retail to an e-commerce model. To initiate this strategy, Beauty conducted a comprehensive information security risk assessment, analyzing potential threats and vulnerabilities associated with its new e-commerce venture, aligned with its business strategy and objectives. Concerning the identified risks, the company implemented several information security controls. All employees were required to sign confidentiality agreements to emphasize the importance of protecting sensitive customer data. The company thoroughly reviewed user access rights, ensuring only authorized personnel could access sensitive information. In addition, since the company stores valuable products and unique formulas in the warehouse, it installed alarm systems and surveillance cameras with real-time alerts to prevent any potential act of vandalism.

    After a while, the information security team analyzed the audit logs to monitor and track activities across the newly implemented security controls. Upon investigating and analyzing the audit logs, it was discovered that an attacker had accessed the system due to out-of-date anti-malware software, exposing customers' sensitive information, including names and home addresses. Following this, the IT team replaced the anti-malware software with a new one capable of automatically removing malicious code in case of similar incidents. The new software was installed on all workstations and regularly updated with the latest malware definitions, with an automatic update feature enabled. An authentication process requiring user identification and a password was also implemented to access sensitive information.

    During the investigation, Maya, the information security manager of Beauty, found that information security responsibilities in job descriptions were not clearly defined, for which the company took immediate action. Recognizing that their e-commerce operations would have a global reach, Beauty diligently researched and complied with the industry's legal, statutory, regulatory, and contractual requirements. It considered international and local regulations, including data privacy laws, consumer protection acts, and global trade agreements.

    To meet these requirements, Beauty invested in legal counsel and compliance experts who continuously monitored and ensured the company's compliance with legal standards in every market they operated in. Additionally, Beauty conducted multiple information security awareness sessions for the IT team and other employees with access to confidential information, emphasizing the importance of system and network security.

    What type of controls did Beauty implement to ensure the safety of products and unique formulas stored in the warehouse?

    A. Administrative
    B. Legal
    C. Technical

  • Question 25:

    Scenario 9: SkyFleet specializes in air freight services, providing fast and reliable transportation solutions for businesses that need quick delivery of goods across long distances. Given the confidential nature of the information it handles, SkyFleet is committed to maintaining the highest information security standards. To achieve this, the company has had an information security management system (ISMS) based on ISO/IEC 27001 in operation for a year. To enhance its reputation, SkyFleet is pursuing certification against ISO/IEC 27001. SkyFleet strongly emphasizes the ongoing maintenance of information security. In pursuit of this goal, it has established a rigorous review process, conducting in-depth assessments of the ISMS strategy every two years to ensure security measures remain robust and up to date. In addition, the company takes a balanced approach to nonconformities. For example, when employees fail to follow proper data encryption protocols for internal communications, SkyFleet assesses the nature and scale of this nonconformity. If this deviation is deemed minor and limited in scope, the company does not prioritize immediate resolution. However, a significant action plan was developed to address a major nonconformity involving the revamp of the company's entire data management system to ensure the protection of client data. SkyFleet entrusted the approval of this action plan to the employees directly responsible for implementing the changes. This streamlined approach ensures that those closest to the issues actively engage in the resolution process. SkyFleet's blend of innovation, dedication to information security, and adaptability has built its reputation as a key player in the IT and communications services sector.

    Despite initially not being recommended for certification due to missed deadlines for submitting required action plans, SkyFleet undertook corrective measures to address these deficiencies in preparation for the next certification process. These measures involved analyzing the root causes of the delay, developing a corrective action plan, reassessing ISMS implementation to ensure compliance with ISO/IEC 27001 requirements, intensifying internal audit activities, and engaging with a certification body for a follow-up audit.

    Based on Scenario 9, SkyFleet did not take any measures in certain situations when employees did not behave as expected by procedures and policies. Is this acceptable?

    A. Yes, as it pertains to a limited number of employees and is not deemed a significant concern
    B. Yes, it is acceptable when the issues are limited in scope
    C. No, they should have taken action to control and correct it
    D. Yes, if the ISMS review is pending

  • Question 26:

    Which of the following represents an example of The Open Security Architecture (TOGAF) framework?

    A. Classifying techniques that ensure the integrity of software
    B. Choosing specific security architecture requirements
    C. Defining components for security architecture

  • Question 27:

    An organization documented each security control that it implemented by describing their functions in detail. Is this compliant with ISO/IEC 27001?

    A. No, the standard requires documenting only the operation of processes and controls, so no description of each security control is needed
    B. No, because the documented information should have a strict format, including the date, version number and author identification
    C. Yes, but documenting each security control and not the process in general will make it difficult to review the documented information

  • Question 28:

    A company decided to use an algorithm that analyzes various attributes of customer behavior, such as browsing patterns and demographics, and groups customers based on their similar characteristics. This way, the company will be able to identify frequent buyers and trend-followers, among others. What type of machine learning is the company using?

    A. Decision tree machine learning
    B. Supervised machine learning
    C. Unsupervised machine learning

  • Question 29:

    Scenario 7: InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services.

    After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future. Emma, Bob, and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT), and a forensics team. Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively. Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.

    Bob, a network expert, will deploy a screened subnet network architecture. This architecture will isolate the demilitarized zone (DMZ), to which hosted public services are attached, and InfoSec's publicly accessible resources from their private network. Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect.

    Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand.

    Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.

    Based on this scenario, answer the following question:

    Based on his tasks, which team is Bob part of?

    A. Security architecture team
    B. Forensics team
    C. Incident response team

  • Question 30:

    What action should an organization take to ensure the security of information when it is transferred or treated by an external party?

    A. Rely on external parties to implement their own security measures
    B. Include security clauses in a contractual agreement with the external party
    C. Exclude external parties from the ISMS scope to limit risk exposure

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only PECB exam questions, answers, and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your ISO-27001-LI exam preparation and PECB certification application, do not hesitate to visit Vcedump.com to find your solutions.