An organization that has an ISMS in place conducts management reviews at planned intervals, but does not retain documented information on the results. Is this in accordance with the requirements of ISO/IEC 27001?
A. Yes. ISO/IEC 27001 does not require organizations to document the results of management reviews
B. No, ISO/IEC 27001 requires organizations to document the results of management reviews
C. Yes. ISO/IEC 27001 requires organizations to document the results of management reviews only if they are conducted ad hoc
Explanation: According to ISO/IEC 27001:2022, clause 9.3.3, the organization must retain documented information as evidence of the results of management reviews. The results of management reviews must include decisions and actions related to the ISMS policy, objectives, risks, opportunities, resources, and communication. Documenting the results of management reviews is important to ensure the accountability, traceability, and effectiveness of the ISMS. It also helps the organization to monitor and measure the performance and improvement of the ISMS, and to demonstrate compliance with the requirements of ISO/IEC 27001:2022. Therefore, an organization that has an ISMS in place and conducts management reviews at planned intervals, but does not retain documented information on the results, is not in accordance with the requirements of ISO/IEC 27001. (From the PECB ISO/IEC 27001 Lead Implementer Course Manual, page 107)
Which security controls must be implemented to comply with ISO/IEC 27001?
A. Those designed by the organization only
B. Those included in the risk treatment plan
C. Those listed in Annex A of ISO/IEC 27001, without any exception
Explanation: ISO/IEC 27001:2022 does not prescribe a specific set of security controls that must be implemented by all organizations. Instead, it allows organizations to select and implement the controls that are appropriate for their context, based on the results of a risk assessment and a risk treatment plan. The risk treatment plan is a document that specifies the actions to be taken to address the identified risks, including the selection of controls from Annex A or other sources, the allocation of responsibilities, the expected outcomes, the priorities and the resources. Therefore, the security controls that must be implemented to comply with ISO/IEC 27001 are those that are included in the risk treatment plan, which may vary from one organization to another.
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payment systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated with critical assets. To protect customers' information, Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files, and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e-commerce model. After investigating the incident, the team concluded that, due to the out-of-date anti-malware software, an attacker gained access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed on every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information, in order to raise awareness of the importance of system and network security.
According to scenario 2, Beauty has reviewed all user access rights. What type of control is this?
A. Detective and administrative
B. Corrective and managerial
C. Legal and technical
Explanation: According to ISO/IEC 27001:2022, controls can be classified into different types based on their nature and purpose. Some of the common types of controls are:
Preventive controls: These are controls that aim to prevent or deter the occurrence of a security incident or reduce its likelihood. Examples of preventive controls are encryption, firewalls, locks, policies, etc.
Detective controls: These are controls that aim to detect or discover the occurrence of a security incident or its symptoms. Examples of detective controls are logs, alarms, audits, etc.
Corrective controls: These are controls that aim to correct or restore the normal state of an asset or a process after a security incident, or mitigate its impact. Examples of corrective controls are backups, recovery plans, incident response teams, etc.
Administrative controls: These are controls that involve the management and governance of information security, such as policies, procedures, roles, responsibilities, awareness, training, etc.
Technical controls: These are controls that involve the use of technology or software to implement information security, such as encryption, firewalls, anti-malware, authentication, etc.
Physical controls: These are controls that involve the protection of physical assets or locations from unauthorized access, damage, or theft, such as locks, fences, cameras, guards, etc.
Legal controls: These are controls that involve compliance with laws, regulations, contracts, or agreements related to information security, such as privacy laws, data protection laws, confidentiality agreements, etc.
In this scenario, reviewing all user access rights is a detective and administrative control. It is a detective control because it helps to identify any unauthorized or inappropriate access to sensitive information or systems. It is also an administrative control because it involves the definition and enforcement of policies and procedures for granting, revoking, and monitoring user access rights.
What should an organization allocate to ensure the maintenance and improvement of the information security management system?
A. The appropriate transfer to operations
B. Sufficient resources, such as the budget, qualified personnel, and required tools
C. The documented information required by ISO/IEC 27001
Explanation: According to ISO/IEC 27001:2022, clause 10.2.2, the organization shall define and apply an information security incident management process that includes the following activities:
reporting information security events and weaknesses;
assessing information security events and classifying them as information security incidents;
responding to information security incidents according to their classification;
learning from information security incidents, including identifying causes, taking corrective actions and preventive actions, and communicating the results and actions taken;
collecting evidence, where applicable.
The standard does not specify who should perform these activities, as long as they are done in a consistent and effective manner. Therefore, the organization may choose to conduct forensic investigation internally or by using external consultants, depending on its needs, resources, and capabilities. However, the organization should ensure that the external consultants are competent, trustworthy, and comply with the organization's policies and procedures.
An organization has decided to conduct information security awareness and training sessions on a monthly basis for all employees. Only 45% of employees who attended these sessions were able to pass the exam. What does the percentage represent?
A. Measurement objective
B. Attribute
C. Performance indicator
Explanation: According to the ISO/IEC 27001:2022 standard, a performance indicator is “a metric that provides information about the effectiveness or efficiency of an activity, process, system or organization” (section 3.35). A performance indicator should be measurable, relevant, achievable, realistic and time-bound (SMART). In this case, the percentage of employees who passed the exam is a performance indicator that measures the effectiveness of the information security awareness and training sessions. It shows how well the sessions achieved their intended learning outcomes and how well the employees understood the information security concepts and practices.