Free Access to PECB.ISO-IEC-27001-Lead-Implementer.v2025-02-17.q125 with Valid Practice Test (Page 11)

Question 46

'The ISMS covers all departments within Company XYZ that have access to customers' data. The purpose of the ISMS is to ensure the confidentiality, integrity, and availability of customers' data, and ensure compliance with the applicable regulatory requirements regarding information security." What does this statement
^"describe?

A.The information systems boundary of the ISMS scope
B.The organizational boundaries of the ISMS scope
C.The physical boundary of the ISMS scope

Correct Answer: B

Explanation
The statement describes the organizational boundaries of the ISMS scope, which define which parts of the organization are included or excluded from the ISMS. The organizational boundaries can be based on criteria such as departments, functions, processes, activities, or locations. In this case, the statement specifies that the ISMS covers all departments within Company XYZ that have access to customers' data, and excludes the ones that do not. The statement also explains the purpose of the ISMS, which is to ensure the confidentiality, integrity, and availability of customers' data, and ensure compliance with the applicable regulatory requirements regarding information security.
The statement does not describe the information systems boundary of the ISMS scope, which defines which information systems are included or excluded from the ISMS. The information systems boundary can be based on criteria such as hardware, software, networks, databases, or applications. The statement does not mention any specific information systems that are covered by the ISMS.
The statement also does not describe the physical boundary of the ISMS scope, which defines which physical locations are included or excluded from the ISMS. The physical boundary can be based on criteria such as buildings, rooms, cabinets, or devices. The statement does not mention any specific physical locations that are covered by the ISMS.
References:
ISO/IEC 27001:2013, clause 4.3: Determining the scope of the information security management system ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit ISO/IEC 27001 scope statement | How to set the scope of your ISMS - Advisera1 How to Write an ISO 27001 Scope Statement (+3 Examples) - Compleye2 How To Use an Information Flow Map to Determine Scope of Your ISMS3 ISMS SCOPE DOCUMENT - Resolver4 Define the Scope and Objectives - ISMS Info5

Question 47

Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management [^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Based on the scenario above, answer the following question:
The decision to treat only risks that were classified as high indicates that Trade B has:

A.Evaluated other risk categories based on risk treatment criteria
B.Accepted other risk categories based on risk acceptance criteria
C.Modified other risk categories based on risk evaluation criteria

Question 48

Why is the power/interest matrix used for?

A.Determine and manage interested parties
B.Define the information security and physical boundaries
C.identify business requirements

Question 49

Which statement is an example of risk retention?

A.An organization has decided to release the software even though some minor bugs have not been fixed yet
B.An organization has implemented a data loss protection software
C.An organization terminates work in the construction site during a severe storm

Question 50

Which approach should organizations use to implement an ISMS based on ISO/IEC 27001?

A.An approach that is suitable for organization's scope
B.Any approach that enables the ISMS implementation within the 12month period
C.Only the approach provided by the standard

Question 46

Question 47

Question 48

Question 49

Question 50

Download PDF File