Which situation presented below represents a threat?
Correct Answer: C
Explanation: C is correct because it describes a threat. A cyberattack exploiting a zero-day vulnerability is an active security threat, as it causes harm to the organization. A: an employee accessing unauthorized files is a vulnerability (insider risk) rather than an external threat. B: a lack of MFA is a security weakness (vulnerability), not a threat.
Question 272
The following are definitions of Information, except:
Correct Answer: C
The definition of information that is not correct is C: mature and measurable data. This is not a valid definition of information, as information does not have to be mature or measurable to be considered as such. Information can be any data that has meaning or value for someone or something in a certain context. Information can be subjective, qualitative, incomplete or uncertain, depending on how it is interpreted or used. Mature and measurable data are characteristics that may apply to some types of information, but not all. The other definitions of information are correct, as they describe different aspects of information, such as accuracy and timeliness (A), specificity and organization (B), and understanding and uncertainty reduction (D). ISO/IEC 27001:2022 defines information as "any data that has meaning" (see clause 3.25). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Information?
Question 273
What is meant by the term 'Corrective Action'? Select one
Correct Answer: B
Corrective action is the process of identifying and eliminating the root causes of nonconformities or incidents that have occurred, or could potentially occur, so that they do not recur. Corrective action is part of the improvement requirement of ISO 27001 and follows a standard workflow: identification, evaluation, implementation, review and documentation of corrections and corrective actions. References: Procedure for Corrective Action; Nonconformity & Corrective Action For ISO 27001 Requirement 10.1; PECB Candidate Handbook ISO 27001 Lead Auditor (page 12)
Question 274
You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee's knowledge of ISO/IEC 27001's risk management requirements. You ask her a series of questions to which the answer is either 'that is true' or 'that is false'. Which four of the following should she answer 'that is true'?
Correct Answer: A,C,D,H
Explanation: The following four statements are true according to ISO/IEC 27001's risk management requirements [1][2]:
* The results of risk assessments must be maintained. This is true because clause 8.2.3 of ISO/IEC 27001:2022 requires the organisation to retain documented information of the information security risk assessment process and the results [1][2].
* ISO/IEC 27001 provides an outline approach for the management of risk. This is true because clause 6.1.2 of ISO/IEC 27001:2022 specifies the general steps for the information security risk management process, which include establishing the risk criteria, assessing the risks, treating the risks, and monitoring and reviewing the risks [1][2].
* The organisation must produce a risk treatment plan for every business risk identified. This is true because clause 6.1.3 of ISO/IEC 27001:2022 requires the organisation to produce a risk treatment plan that defines the actions to be taken to address the unacceptable risks, the responsibilities, the expected dates, and the resources required [1][2].
* Risk assessments should be undertaken following significant changes. This is true because clause 8.2.4 of ISO/IEC 27001:2022 requires the organisation to review and update the risk assessment at planned intervals or when significant changes occur [1][2].
The following four statements are false according to ISO/IEC 27001's risk management requirements:
* Risk identification is used to determine the severity of an information security risk. This is false because risk identification is used to identify the assets, threats, vulnerabilities, and existing controls that are relevant to the information security risk management process. The severity of an information security risk is determined by the risk analysis, which evaluates the likelihood and impact of the risk scenarios [1][2].
* The organisation must operate a risk treatment process to eliminate its information security risks. This is false because the organisation can choose from four options to treat its information security risks: avoid, transfer, mitigate, or accept. The organisation does not have to eliminate all its information security risks, but only those that are unacceptable according to its risk criteria [1][2].
* The initial phase in an organisation's risk management process should be information security risk assessment. This is false because the initial phase in an organisation's risk management process should be establishing the risk management framework, which includes defining the risk management policy, objectives, scope, roles, responsibilities, and criteria. The information security risk assessment is the second phase in the risk management process [1][2].
* Risk assessments should be undertaken at monthly intervals. This is false because there is no fixed frequency for conducting risk assessments in ISO/IEC 27001. The organisation should determine the appropriate intervals for reviewing and updating the risk assessment based on its risk appetite, risk profile, and operational context [1][2].
References: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training; 2: ISO/IEC 27001 Lead Auditor Training Course by PECB
Question 275
Often, people do not pick up their prints from a shared printer. How can this affect the confidentiality of information?
Correct Answer: A
Explanation: Confidentiality is the security principle that states that only authorized parties should have access to information assets. Confidentiality protects the secrecy and privacy of information from unauthorized disclosure or exposure. Often, people do not pick up their prints from a shared printer. This can affect the confidentiality of information, as anyone who passes by the printer can see or take the printed documents, which may contain confidential or personal information. This can lead to information leakage, identity theft, fraud, or other malicious activities. Therefore, the correct answer is A. References: ISO/IEC 27000:2022, clause 3.8; How & Where to Print Sensitive Documents on a Shared Printer.