FreeQAs
 Request Exam  Contact
  • Home
  • View All Exams
  • New QA's
  • Upload
PRACTICE EXAMS:
  • Oracle
  • Fortinet
  • Juniper
  • Microsoft
  • Cisco
  • Citrix
  • CompTIA
  • VMware
  • ISC
  • SAP
  • EMC
  • PMI
  • HP
  • Salesforce
  • Other
  • Oracle
    Oracle
  • Fortinet
    Fortinet
  • Juniper
    Juniper
  • Microsoft
    Microsoft
  • Cisco
    Cisco
  • Citrix
    Citrix
  • CompTIA
    CompTIA
  • VMware
    VMware
  • ISC
    ISC
  • SAP
    SAP
  • EMC
    EMC
  • PMI
    PMI
  • HP
    HP
  • Salesforce
    Salesforce
  1. Home
  2. PECB Certification
  3. ISO-IEC-27001-Lead-Implementer Exam
  4. PECB.ISO-IEC-27001-Lead-Implementer.v2025-06-12.q165 Dumps
  • ««
  • «
  • …
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • …
  • »
  • »»
Download Now

Question 131

Scenario 1: HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients' data and medical history, and communicate with all the
[^involved parties, including parents, other physicians, and the medical laboratory staff.
Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.
The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic's patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients' privacy.
Based on the scenario above, answer the following question:
According to scenario 1, which of the following controls implemented by Antiques is a detective and administrative control?

Correct Answer: B
insert code

Question 132

Scenario 9: CoreBit Systems
CoreBit Systems, with its headquarters m San Francisco, specializes in information and communication technology (ICT) solutions, its clientele primarily includes data communication enterprises and network operators. The company's core objective is to enable its clients a smooth transition into multi-service providers, aligning their operations with the complex demands of the digital landscape.
Recently. John, the internal auditor of CoreBit Systems, conducted an internal audit which uncovered nonconformities related to their monitoring procedures and system vulnerabilities, in response to the identified nonconformities. CoreBit Systems decided to employ a comprehensive problem-solving approach to solve these issues systematically. The method encompasses a team-oriented approach, aiming to identify, correct, and eliminate the root causes of issues. This approach involves several steps. First, establish a group of experts with deep knowledge of processes and controls. Next, break down the nonconformity into measurable components and implement interim containment measures. Then, identify potential root causes and select and verify permanent corrective actions. Finally, put those actions into practice, validate them, take steps to prevent recurrence, and recognize and acknowledge the team's efforts.
Following the analysis of the root cause of the nonconformities, CoreBit Systems's ISMS project manager.
Julia, developed a list of potential actions to address the identified nonconformities. Julia carefully evaluated the list to ensure that each action would effectively eliminate the root cause of the respective nonconformity.
While assessing potential corrective action for addressing a nonconformity, Julia identified the issue as significant and assessed a high likelihood of its reoccurrence Consequently, she chose to implement temporary corrective actions. Afterward. Julia combined all the nonconformities Into a single action plan and sought approval from the top management.
The submitted action plan was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department.
However. Julia's submitted action plan was not approved by top management The reason cited was that a general action plan meant to address all nonconformities was deemed unacceptable. Consequently, Julia revised the action plan and submitted separate ones for approval Unfortunately, Julia did not adhere to the organization's specified deadline for submission, resulting in a delay in the corrective action process, and notably, the revised action plans lacked a defined schedule for execution.
Julia, the ISMS project manager, developed a combined action plan for all nonconformities. However, it was rejected, revised, and resubmitted late-without defined execution schedules.
Question:
Did CoreBit Systems have a plan in place to implement permanent corrective action to address the identified nonconformities?

Correct Answer: B
ISO/IEC 27001:2022 Clause 10.2 -Nonconformity and corrective actionrequires:
"Corrective actions shall be implemented without undue delay and include:
- evaluating the need for action to eliminate the cause;
- implementing the necessary actions;
- reviewing the effectiveness;
- updating risks and SoA if needed."
Although Julia drafted an action plan, it was not approved initially, wasresubmitted late, andlacked scheduling-failing to meet key requirements of a "clear and actionable plan."
insert code

Question 133

Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope.
The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on scenario 5. which committee should Operaze create to ensure the smooth running of the ISMS?

Correct Answer: A
According to ISO/IEC 27001:2022, clause 5.1, the top management of an organization is responsible for ensuring the leadership and commitment for the ISMS. However, the top management may delegate some of its responsibilities to an information security committee, which is a group of people who oversee the ISMS and provide guidance and support for its implementation and operation. The information security committee may include representatives from different departments, functions, or levels of the organization, as well as external experts or consultants. The information security committee may have various roles and responsibilities, such as:
* Establishing the information security policy and objectives
* Approving the risk assessment and risk treatment methodology and criteria
* Reviewing and approving the risk assessment and risk treatment results and plans
* Monitoring and evaluating the performance and effectiveness of the ISMS
* Reviewing and approving the internal and external audit plans and reports
* Initiating and approving corrective and preventive actions
* Communicating and promoting the ISMS to all interested parties
* Ensuring the alignment of the ISMS with the strategic direction and objectives of the organization
* Ensuring the availability of resources and competencies for the ISMS
* Ensuring the continual improvement of the ISMS
Therefore, in scenario 5, Operaze should create an information security committee to ensure the smooth running of the ISMS, as this committee would provide the necessary leadership, guidance, and support for the ISMS implementation and operation.
insert code

Question 134

Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management [^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Which of the actions presented in scenario 4 is NOT compliant with the requirements of ISO/IEC 27001?

Correct Answer: B
According to ISO/IEC 27001:2022, clause 6.1.3, the Statement of Applicability (SoA) is a document that identifies the controls that are applicable to the organization's ISMS and explains why they are selected or not. The SoA is based on the results of the risk assessment and risk treatment, which are the previous steps in the risk management process. Therefore, the SoA should be drafted after conducting the risk assessment, not before. Drafting the SoA before the risk assessment may lead to inappropriate or incomplete selection of controls, as the organization may not have a clear understanding of its information security risks and their impact.
insert code

Question 135

Scenario 1: HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients' data and medical history, and communicate with all the
[^involved parties, including parents, other physicians, and the medical laboratory staff.
Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.
The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic's patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients' privacy.
Which situation described in scenario 1 represents a threat to HealthGenic?

Correct Answer: B
Explanation
According to ISO/IEC 27001:2022, a threat is any incident that could negatively affect the confidentiality, integrity or availability of an asset1. In this scenario, the asset is the information related to HealthGenic's patients, which is stored and processed by the web-based medical software. The software company's modification of some files that comprised sensitive information related to HealthGenic's patients is an incident that could negatively affect the confidentiality and integrity of the asset, as it resulted in incomplete and incorrect medical reports and invaded the patients' privacy. Therefore, this situation represents a threat to HealthGenic.
References:
ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements ISO 27001 Key Terms - PJR
insert code
  • ««
  • «
  • …
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • …
  • »
  • »»
[×]

Download PDF File

Enter your email address to download PECB.ISO-IEC-27001-Lead-Implementer.v2025-06-12.q165 Dumps

Email:

FreeQAs

Our website provides the Largest and the most Latest vendors Certification Exam materials around the world.

Using dumps we provide to Pass the Exam, we has the Valid Dumps with passing guranteed just which you need.

  • DMCA
  • About
  • Contact Us
  • Privacy Policy
  • Terms & Conditions
©2026 FreeQAs

www.freeqas.com materials do not contain actual questions and answers from Cisco's certification exams.