Free Access to PECB.ISO-IEC-27001-Lead-Implementer.v2024-10-09.q104 with Valid Practice Test (Page 16)

Question 71

Based on scenario 4, the fact that TradeB defined the level of risk based on three nonnumerical categories indicates that;

A.The level of risk will be defined using a formula
B.The level of risk will be evaluated against qualitative criteria
C.The level of risk will be evaluated using quantitative analysis

Question 72

Del&Co has decided to improve their staff-related controls to prevent incidents. Which of the following is NOT a preventive control related to the Del&Co's staff?

A.Authentication and authorization
B.Control of physical access to the equipment
C.Video cameras

Correct Answer: C

According to ISO/IEC 27001:2022, Annex A.7, the objective of human resource security is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered, and to reduce the risk of human error, theft, fraud, or misuse of facilities. The standard specifies eight controls in this domain, which are:
* A.7.1 Prior to employment: This control covers the screening, terms and conditions, and roles and responsibilities of employees and contractors before they are hired.
* A.7.2 During employment: This control covers the awareness, education, and training, disciplinary
* process, and management responsibilities of employees and contractors during their employment.
* A.7.3 Termination and change of employment: This control covers the return of assets, removal of access rights, and exit interviews of employees and contractors when they leave or change their roles.
The other controls in Annex A are related to other aspects of information security, such as organizational, physical, and technological controls. For example:
* A.9.2 User access management: This control covers the authentication and authorization of users to access information systems and services, based on their roles and responsibilities.
* A.11.1 Secure areas: This control covers the control of physical access to the equipment and information assets, such as locks, alarms, guards, etc.
* A.13.2 Information transfer: This control covers the protection of information during its transfer, such as encryption, digital signatures, secure protocols, etc.
Therefore, video cameras are not a preventive control related to the staff, but rather a physical control related to the equipment and assets. Video cameras can be used to monitor and record the activities of the staff, but they cannot prevent them from causing incidents. They can only help to detect and investigate incidents after they occur.
References: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements, Annex A; PECB ISO/IEC 27001 Lead Implementer Course, Module 8: Implementation of Information Security Controls.

Question 73

Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information.
Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Based on scenario 2, Beauty should have implemented (1)_____________________________ to detect (2)_________________________.

A.(1) An access control software, (2) patches
B.(1) Network intrusions, (2) technical vulnerabilities
C.(1) An intrusion detection system, (2) intrusions on networks

Question 74

Which tool is used to identify, analyze, and manage interested parties?

A.The likelihood/severity matrix
B.The probability/impact matrix
C.The power/interest matrix

Question 75

An organization has implemented a control that enables the company to manage storage media through their life cycle of use. acquisition, transportation and disposal. Which control category does this control belong to?

A.Technological
B.Organizational
C.Physical

Question 71

Question 72

Question 73

Question 74

Question 75

Download PDF File