- Email support@dumps4free.com
Which tool is used to identify, analyze, and manage interested parties?
A. The probability/impact matrix
B. The power/interest matrix
C. The likelihood/severity matrix
Explanation: The power/interest matrix is a tool that can be used to identify, analyze, and manage interested parties according to ISO/IEC 27001:2022. The power/interest matrix is a two-dimensional diagram that plots the level of power and interest of each interested party in relation to the organization’s information security objectives. The power/interest matrix can help the organization to prioritize the interested parties, understand their expectations and needs, and develop appropriate communication and engagement strategies. The power/interest matrix can also help the organization to identify potential risks and opportunities related to the interested parties.
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in
California, the US. It specializes in developing novel human therapeutics, with a focus on
cardiovascular diseases, oncology, bone health, and inflammation. The company has had
an information security management system (ISMS) based on SO/IEC 27001 in place for
the past two years. However, it has not monitored or measured the performance and
effectiveness of its ISMS and conducted management reviews regularly.
Just before the recertification audit, the company decided to conduct an internal audit. It
also asked most of their staff to compile the written individual reports of the past two years
for their departments. This left the Production Department with less than the optimum
workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different
employees, the internal audit process took much longer than planned, was very
inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee
must evaluate the performance of the ISMS adequately. She defined SunDee's negligence
of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity
report including the description of the nonconformity, the audit findings, and
recommendations. Additionally, Tessa created a new plan which would enable SunDee to
resolve these issues and presented it to the top management.
Based on scenario 8. did the nonconformity report include all the necessary aspects?
A. Yes, the report included all the necessary aspects
B. No, the report must also specify the root cause of the nonconformity
C. No, the report must also specify the audit criteria
Explanation: According to ISO/IEC 27001:2022, a nonconformity report is a document that
records the details of any deviation from the audit criteria that is identified during an
audit2. The audit criteria are the set of policies, procedures, requirements, or specifications
that are used as a reference against which audit evidence is compared3. Therefore, a
nonconformity report must include the following aspects:
In scenario 8, Tessa’s nonconformity report included the description of the nonconformity,
the audit findings, and the recommendations, but it did not specify the audit criteria.
Therefore, the report did not include all the necessary aspects and was incomplete.
An organization has justified the exclusion of control 5.18 Access rights of ISO/IEC 27001 in the Statement of Applicability (SoA) as follows: "An access control reader is already installed at the main entrance of the building." Which statement is correct'
A. The justification for the exclusion of a control is not required to be included in the SoA
B. The justification is not acceptable, because it does not reflect the purpose of control 5.18
C. The justification is not acceptable because it does not indicate that it has been selected based on the risk assessment results
Explanation: According to ISO/IEC 27001:2022, clause 6.1.3, the Statement of
Applicability (SoA) is a document that identifies the controls that are applicable to the
organization’s ISMS and explains why they are selected or not. The SoA is based on the
results of the risk assessment and risk treatment, which are the previous steps in the risk
management process. Therefore, the justification for the exclusion of a control should be based on the risk assessment results and the risk treatment plan, and should reflect the
purpose and objective of the control.
Control 5.18 of ISO/IEC 27001:2022 is about access rights to information and other
associated assets, which should be provisioned, reviewed, modified and removed in
accordance with the organization’s topic-specific policy on and rules for access control. The
purpose of this control is to prevent unauthorized access to, modification of, and
destruction of information assets. Therefore, the justification for the exclusion of this control
should explain why the organization does not need to implement this control to protect its
information assets from unauthorized access.
The justification given by the organization in the question is not acceptable, because it
does not reflect the purpose of control 5.18. An access control reader at the main entrance
of the building is a physical security measure, which is related to control 5.15 of ISO/IEC
27001:2022, not control 5.18. Control 5.18 is about logical access rights to information
systems and services, which are not addressed by the access control reader. Therefore,
the organization should either provide a valid justification for the exclusion of control 5.18,
or include it in the SoA and implement it according to the risk assessment and risk
treatment results.
An organization uses Platform as a Services (PaaS) to host its cloud-based services As such, the cloud provider manages most off the services to the organization. However, the organization still manages____________________
A. Operating system and visualization
B. Servers and storage
C. Application and data
Del&Co has decided to improve their staff-related controls to prevent incidents. Which of the following is NOT a preventive control related to the Del&Co's staff?
A. Authentication and authorization
B. Control of physical access to the equipment
C. Video cameras
Explanation: According to ISO/IEC 27001:2022, Annex A.7, the objective of human
resource security is to ensure that employees and contractors understand their
responsibilities and are suitable for the roles for which they are considered, and to reduce
the risk of human error, theft, fraud, or misuse of facilities. The standard specifies eight
controls in this domain, which are:
A.7.1 Prior to employment: This control covers the screening, terms and
conditions, and roles and responsibilities of employees and contractors before they
are hired.
A.7.2 During employment: This control covers the awareness, education, and
training, disciplinary process, and management responsibilities of employees and
contractors during their employment.
A.7.3 Termination and change of employment: This control covers the return of
assets, removal of access rights, and exit interviews of employees and contractors
when they leave or change their roles.
The other controls in Annex A are related to other aspects of information security, such as
organizational, physical, and technological controls. For example:
A.9.2 User access management: This control covers the authentication and
authorization of users to access information systems and services, based on their
roles and responsibilities.
A.11.1 Secure areas: This control covers the control of physical access to the
equipment and information assets, such as locks, alarms, guards, etc.
A.13.2 Information transfer: This control covers the protection of information during
its transfer, such as encryption, digital signatures, secure protocols, etc.
Therefore, video cameras are not a preventive control related to the staff, but rather a
physical control related to the equipment and assets. Video cameras can be used to
monitor and record the activities of the staff, but they cannot prevent them from causing
incidents. They can only help to detect and investigate incidents after they occur.
| Page 5 out of 16 Pages |
| Previous |