Try Before You Buy

Download a free sample of any of our exam questions and answers

  • 24/7 customer support, Secure shopping site
  • Free One year updates to match real exam scenarios
  • If you failed your exam after buying our products we will refund the full amount back to you.

Latest PECB ISO-IEC-27001-Lead-Implementer PDF and Dumps (2023) Free Exam Questions Answers [Q38-Q62]

Share

Latest PECB ISO-IEC-27001-Lead-Implementer PDF and Dumps (2023) Free Exam Questions Answers

Pass Your ISO 27001 ISO-IEC-27001-Lead-Implementer Exam on Dec 27, 2023 with 82 Questions


PECB ISO-IEC-27001-Lead-Implementer exam is designed for individuals who want to become certified lead implementers in ISO/IEC 27001. PECB Certified ISO/IEC 27001 Lead Implementer Exam certification is a globally recognized standard for information security management systems (ISMS) implementation. ISO-IEC-27001-Lead-Implementer exam focuses on assessing the candidate's knowledge and skills in implementing and maintaining the ISMS framework as per the ISO/IEC 27001 standard.

 

NEW QUESTION # 38
Who is accountable to classify information assets?

  • A. theasset owner
  • B. the CEO
  • C. the Information Security Team
  • D. the CISO

Answer: A


NEW QUESTION # 39
What is the best description of a risk analysis?

  • A. A risk analysis calculates the exact financial consequences of damages.
  • B. A risk analysis helps to estimate the risks and develop the appropriate security measures.
  • C. A risk analysis is a method of mapping risks without looking at company processes.

Answer: B


NEW QUESTION # 40
Based on scenario 3, what would help Socket Inc. address similar information security incidents in the future?

  • A. Using cryptographic keys to protect the database from unauthorized access
  • B. Using the MongoDB database with the default settings
  • C. Using the access control system to ensure that only authorized personnel is granted access

Answer: C


NEW QUESTION # 41
What is the objective of classifying information?

  • A. Authorizing the use of an information system
  • B. Defining different levels of sensitivity into which information may be arranged
  • C. Displaying on the document who is permitted access
  • D. Creating alabel that indicates how confidential the information is

Answer: B


NEW QUESTION # 42
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information.
Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Which statement below suggests that Beauty has implemented a managerial control that helps avoid the occurrence of incidents? Refer to scenario 2.

  • A. Beauty's employees signed a confidentiality agreement
  • B. Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information
  • C. Beauty updated the segregation of duties chart

Answer: B

Explanation:
Explanation
Managerial controls are administrative actions that are designed to prevent or reduce the likelihood of security incidents by influencing human behavior. They include policies, procedures, guidelines, standards, training, and awareness programs. In scenario 2, Beauty has implemented a managerial control by conducting information security awareness sessions for the IT team and other employees that have access to confidential information. These sessions aim to educate the staff on the importance of system and network security, the potential threats and vulnerabilities, and the best practices to follow to avoid the occurrence of incidents. By raising the level of awareness and knowledge of the employees, Beauty can reduce the human errors and negligence that might compromise the security of the information assets.
References: ISO/IEC 27001:2022 Lead Implementer Course Content, Module 7: Implementation of an ISMS based on ISO/IEC 27001:20221; ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, Clause 7.2: Competence2; ISO/IEC 27002:2022 Code of practice for information security controls, Clause 7.2.2: Information security awareness, education and training3


NEW QUESTION # 43
According to scenario 2. Beauty has reviewed all user access rights. What type of control is this?

  • A. Legal and technical
  • B. Detective and administrative
  • C. Corrective and managerial

Answer: B


NEW QUESTION # 44
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off-site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body The certification body rejected NetworkFuse's request to change the audit team leader. Is this acceptable?
Refer to scenario 10.

  • A. No, because an auditee cannot request the rejection of an audit team member
  • B. No, auditee's requests for the replacement of auditors must be accepted
  • C. Yes, because NetworkFuse did not give a valid reason to support their claims

Answer: C

Explanation:
Explanation
According to the ISO/IEC 27001 : 2022 Lead Implementer course, the certification body is responsible for selecting and appointing the audit team members, taking into account the competence, impartiality, and objectivity of the auditors1. The auditee can request the replacement of an audit team member only if there is a valid reason to doubt their competence or impartiality, such as a personal or professional conflict of interest, a lack of relevant experience or qualifications, or a previous involvement in the auditee's activities2. However, NetworkFuse did not give a valid reason to support their claims, as the fact that the audit team leader issued a recommendation for certification to their main competitor does not imply a conflict of interest or a bias.
Therefore, the certification body rejected NetworkFuse's request to change the audit team leader, which is acceptable.
References: 1: PECB, ISO/IEC 27001 Lead Implementer Course, Module 11: Certification Audit of the ISMS, slide 13 2: PECB, ISO/IEC 27001 Lead Implementer Course, Module 11: Certification Audit of the ISMS, slide 14


NEW QUESTION # 45
Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming consoles, flat-screen TVs. computers, and printers. In order to ensure information security, the company has decided to implement an information security management system (ISMS) based on the requirements of ISO/IEC 27001.
Colin, the company's best information security expert, decided to hold a training and awareness session for the personnel of the company regarding the information security challenges and other information security-related controls. The session included topics such as Skyver's information security approaches and techniques for mitigating phishing and malware.
One of the participants in the session is Lisa, who works in the HR Department. Although Colin explains the existing Skyver's information security policies and procedures in an honest and fair manner, she finds some of the issues being discussed too technical and does not fully understand the session. Therefore, in a lot of cases, she requests additional help from the trainer and her colleagues What is the difference between training and awareness? Refer to scenario 6.

  • A. Training helps transfer a message with the intent of informing, whereas awareness helps change the behavior toward the message
  • B. Training helps acquire certain skills, whereas awareness develops certain habits and behaviors.
  • C. Training helps acquire a skill, whereas awareness helps apply it in practice

Answer: B

Explanation:
Explanation
According to ISO/IEC 27001, training and awareness are two different but complementary activities that aim to enhance the information security competence and performance of the organization's personnel. Training is the process of providing instruction and guidance to help individuals acquire certain skills, knowledge, or abilities related to information security. Awareness is the process of raising the level of consciousness and understanding of the importance and benefits of information security, and developing certain habits and behaviors that support the information security objectives and requirements.
In scenario 6, Colin is holding a training and awareness session for the personnel of Skyver, which means he is combining both activities to achieve a more effective and comprehensive information security education. The training part of the session covers topics such as Skyver's information security policies and procedures, and techniques for mitigating phishing and malware. The awareness part of the session covers topics such as Skyver's information security approaches and challenges, and the benefits of information security for the organization and its customers. The purpose of the session is to help the personnel acquire the necessary skills to perform their information security roles and responsibilities, and to develop the appropriate habits and behaviors to protect the information assets of the organization.
References:
ISO/IEC 27001:2013, clause 7.2.2: Information security awareness, education and training ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit ISO 27001 Security Awareness Training and Compliance - InfosecTrain1 ISO/IEC 27001 compliance and cybersecurity awareness training2 ISO 27001 Free Training | Online Course | British Assessment Bureau


NEW QUESTION # 46
Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products and services. It uses MongoDB. a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately. Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Based on the scenario above, answer the following question:
Which security control does NOT prevent information security incidents from recurring?

  • A. Information backup
  • B. Privileged access rights
  • C. Segregation of networks

Answer: A

Explanation:
Explanation
Information backup is a corrective control that aims to restore the information in case of data loss, corruption, or deletion. It does not prevent information security incidents from recurring, but rather mitigates their impact.
The other options are preventive controls that reduce the likelihood of information security incidents by limiting the access to authorized personnel, segregating the networks, and using cryptography. These controls can help Socket Inc. avoid future attacks on its MongoDB database by addressing the vulnerabilities that were exploited by the hackers.
References:
ISO 27001:2022 Annex A 8.13 - Information Backup1
ISO 27001:2022 Annex A 8.1 - Access Control Policy2
ISO 27001:2022 Annex A 8.2 - User Access Management3
ISO 27001:2022 Annex A 8.3 - User Responsibilities4
ISO 27001:2022 Annex A 8.4 - System and Application Access Control
ISO 27001:2022 Annex A 8.5 - Cryptography
ISO 27001:2022 Annex A 8.6 - Network Security Management


NEW QUESTION # 47
What should an organization allocate to ensure the maintenance and improvement of the information security management system?

  • A. Sufficient resources, such as the budget, qualified personnel, and required tools
  • B. The documented information required by ISO/IEC 27001
  • C. The appropriate transfer to operations

Answer: A


NEW QUESTION # 48
Prior to employment, _________ as well as terms & conditions of employment are included as controls in ISO
27002 to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

  • A. controlling
  • B. flexing
  • C. authorizing
  • D. screening

Answer: D


NEW QUESTION # 49
What is the main purpose of Annex A 7.1 Physical security perimeters of ISO/IEC 27001?

  • A. To maintain the confidentiality of information that is accessible by personnel or external parties
  • B. To prevent unauthorized physical access, damage, and interference to the organization's information and other associated assets
  • C. To ensure access to information and other associated assets is defined and authorized

Answer: B


NEW QUESTION # 50
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on scenario 8. did the nonconformity report include all the necessary aspects?

  • A. Yes, the report included all the necessary aspects
  • B. No, the report must also specify the audit criteria
  • C. No, the report must also specify the root cause of the nonconformity

Answer: C

Explanation:
Explanation
According to ISO/IEC 27001:2022, a nonconformity report is a document that records the details of any deviation from the audit criteria that is identified during an audit2. The audit criteria are the set of policies, procedures, requirements, or specifications that are used as a reference against which audit evidence is compared3. Therefore, a nonconformity report must include the following aspects:
The description of the nonconformity, which should clearly state what the deviation is, where it occurred, and when it was detected The audit findings, which should provide the objective evidence that supports the identification of the nonconformity The audit criteria, which should specify the reference document or standard that the nonconformity deviates from The recommendations, which should suggest the possible corrective actions or improvements that can be taken to address the nonconformity In scenario 8, Tessa's nonconformity report included the description of the nonconformity, the audit findings, and the recommendations, but it did not specify the audit criteria. Therefore, the report did not include all the necessary aspects and was incomplete.
References:
1: ISO/IEC 27001:2022, Clause 9.2.3
2: ISO/IEC 27001:2022, Clause 3.23
3: ISO/IEC 27001:2022, Clause 3.5
4: ISO/IEC 27001:2022, Annex A.9.2.3


NEW QUESTION # 51
It is allowed that employees and contractors are provided with an anonymous reporting channel to report violations of information security policies or procedures ("whistle blowing")

  • A. True
  • B. False

Answer: A


NEW QUESTION # 52
Which of the following measures is a preventive measure?

  • A. Installing a logging system that enables changes in a system to be recognized
  • B. Putting sensitive information in a safe
  • C. Classifying a risk as acceptable because the cost of addressing the threat is higher than the value of the information at risk
  • D. Shutting down all internet traffic after a hacker has gained access to thecompany systems

Answer: B


NEW QUESTION # 53
According to scenario 8, Tessa created a plan for ISMS monitoring and measurement and presented it to the top management Is this acceptable?

  • A. Yes, Tessa can advise the top management on improving the company's functions
  • B. No, Tessa must implement all the improvements needed for issues found during the audit
  • C. No, Tessa should only communicate the issues found to the top management

Answer: A


NEW QUESTION # 54
Who should be involved, among others, in the draft, review, and validation of information security procedures?

  • A. An external expert
  • B. The information security committee
  • C. The employees in charge of ISMS operation

Answer: B


NEW QUESTION # 55
In scenario 1, HealthGenic experienced a number of service interruptions due to the loss of functionality of the software. Which principle of information security has been affected in this case?

  • A. Integrity
  • B. Confidentiality
  • C. Availability

Answer: C


NEW QUESTION # 56
What is the main purpose of Annex A 7.1 Physical security perimeters of ISO/IEC 27001?

  • A. To maintain the confidentiality of information that is accessible by personnel or external parties
  • B. To prevent unauthorized physical access, damage, and interference to the organization's information and other associated assets
  • C. To ensure access to information and other associated assets is defined and authorized

Answer: B

Explanation:
Explanation
Annex A 7.1 of ISO/IEC 27001 : 2022 is a control that requires an organization to define and implement security perimeters and use them to protect areas that contain information and other associated assets.
Information and information security assets can include data, infrastructure, software, hardware, and personnel. The main purpose of this control is to prevent unauthorized physical access, damage, and interference to these assets, which could compromise the confidentiality, integrity, and availability of the information. Physical security perimeters can include fences, walls, gates, locks, alarms, cameras, and other barriers or devices that restrict or monitor access to the facility or area. The organization should also consider the environmental and fire protection of the assets, as well as the disposal of any waste or media that could contain sensitive information.
References:
ISO/IEC 27001 : 2022 Lead Implementer Study Guide, Section 5.3.1.7, page 101 ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 17 ISO/IEC 27002 : 2022, Control 7.1 - Physical Security Perimeters123


NEW QUESTION # 57
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on the scenario above, answer the following question:
What led Operaze to implement the ISMS?

  • A. Identification of assets
  • B. Identification of vulnerabilities
  • C. Identification of threats

Answer: B


NEW QUESTION # 58
Which of these control objectives are NOT in the domain "12.OPERATIONAL SAFETY"?

  • A. Test data
  • B. Technical vulnerability management
  • C. Redundancies
  • D. Protection against malicious code

Answer: C


NEW QUESTION # 59
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information.
Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
According to scenario 2. Beauty has reviewed all user access rights. What type of control is this?

  • A. Legal and technical
  • B. Detective and administrative
  • C. Corrective and managerial

Answer: B

Explanation:
Explanation
According to ISO/IEC 27001:2022, controls can be classified into different types based on their nature and purpose1. Some of the common types of controls are:
Preventive controls: These are controls that aim to prevent or deter the occurrence of a security incident or reduce its likelihood. Examples of preventive controls are encryption, firewalls, locks, policies, etc.
Detective controls: These are controls that aim to detect or discover the occurrence of a security incident or its symptoms. Examples of detective controls are logs, alarms, audits, etc.
Corrective controls: These are controls that aim to correct or restore the normal state of an asset or a process after a security incident or mitigate its impact. Examples of corrective controls are backups, recovery plans, incident response teams, etc.
Administrative controls: These are controls that involve the management and governance of information security, such as policies, procedures, roles, responsibilities, awareness, training, etc.
Technical controls: These are controls that involve the use of technology or software to implement information security, such as encryption, firewalls, anti-malware, authentication, etc.
Physical controls: These are controls that involve the protection of physical assets or locations from unauthorized access, damage, or theft, such as locks, fences, cameras, guards, etc.
Legal controls: These are controls that involve the compliance with laws, regulations, contracts, or agreements related to information security, such as privacy laws, data protection laws, confidentiality agreements, etc.
In this scenario, reviewing all user access rights is a type of detective and administrative control. It is a detective control because it helps to identify any unauthorized or inappropriate access to sensitive information or systems. It is also an administrative control because it involves the definition and enforcement of policies and procedures for granting, revoking, and monitoring user access rights.
References:
ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements


NEW QUESTION # 60
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Based on the scenario above, answer the following question:
The decision to treat only risks that were classified as high indicates that Trade B has:

  • A. Modified other risk categories based on risk evaluation criteria
  • B. Evaluated other risk categories based on risk treatment criteria
  • C. Accepted other risk categories based on risk acceptance criteria

Answer: C

Explanation:
Explanation
According to ISO/IEC 27001 : 2022, risk acceptance criteria are the criteria used to decide whether a risk can be accepted or not1. Risk acceptance criteria are often based on a maximum level of acceptable risks, on cost-benefits considerations, or on consequences for the organization2. In the scenario, TradeB decided to treat only the high risk category, which implies that


NEW QUESTION # 61
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on scenario 5. in which category of the interested parties does the MR manager of Operaze belong?

  • A. Both A and B
  • B. Negatively influenced interested parties, because the HR Department will deal with more documentation
  • C. Positively influenced interested parties, because the ISMS will increase the effectiveness and efficiency of the HR Department

Answer: B

Explanation:
Explanation
According to ISO/IEC 27001, interested parties are those who can affect, be affected by, or perceive themselves to be affected by the organization's information security activities, products, or services. Interested parties can be classified into four categories based on their influence and interest in the ISMS:
Positively influenced interested parties: those who benefit from the ISMS and support its implementation and operation Negatively influenced interested parties: those who are adversely affected by the ISMS and oppose its implementation and operation High-interest interested parties: those who have a strong interest in the ISMS and its outcomes, regardless of their influence Low-interest interested parties: those who have a weak interest in the ISMS and its outcomes, regardless of their influence In scenario 5, the HR manager of Operaze belongs to the category of negatively influenced interested parties, because he/she perceives that the ISMS will create more paperwork and documentation for the HR Department, and therefore opposes its implementation and operation. The HR manager does not benefit from the ISMS and does not support its objectives and requirements.
References:
ISO/IEC 27001:2013, clause 4.2: Understanding the needs and expectations of interested parties ISO/IEC 27001:2013, Annex A.18.1.4: Assessment of and decision on information security events ISO/IEC 27001 Lead Implementer Course, Module 2: Introduction to Information Security Management System (ISMS) concepts as required by ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit


NEW QUESTION # 62
......

ISO-IEC-27001-Lead-Implementer Dumps for ISO 27001 Certified Exam Questions and Answer: https://www.braindumpsit.com/ISO-IEC-27001-Lead-Implementer_real-exam.html

ISO-IEC-27001-Lead-Implementer Free Exam Study Guide! (Updated 82 Questions): https://drive.google.com/open?id=1Zgjcealxd3GpDpz6xdkcgMlr074mhTE_