ISO-IEC-27001 Lead Implementer Exam Free Dumps

Uploaded by donghuachan1281

Itfreedumps provides the latest online questions for all IT certifications, such as IBM, Microsoft, CompTIA, Huawei, and so on.

Share some ISO-IEC-27001 Lead Implementer exam online questions below.
1.Which feedback relates specifically to information security performance during management
review?
A. Opportunities for continual improvement
B. Risk assessment results
C. Nonconformities and corrective actions
Answer: C
(ISO/IEC 27001:2022 clause 9.3.2 lists trends in nonconformities and corrective actions as part of the feedback on information security performance; risk assessment results and opportunities for continual improvement are separate management review inputs.)

2.Scenario 3: Socket Inc. is a dynamic telecommunications company specializing in wireless products
and services, committed to delivering high-quality and secure communication solutions. Socket Inc.
leverages innovative technology, including the MongoDB database, renowned for its high availability,
scalability, and flexibility, to provide reliable, accessible, efficient, and well-organized services to its
customers. Recently, the company faced a security breach where external hackers exploited the
default settings of its MongoDB database due to an oversight in the configuration settings, which had
not been properly addressed. Fortunately, diligent data backups and centralized logging through a
server ensured no loss of information. In response to this incident, Socket Inc. undertook a thorough
evaluation of its security measures. The company recognized the urgent need to improve its
information security and decided to implement an information security management system (ISMS)
based on ISO/IEC 27001.
To improve its data security and protect its resources, Socket Inc. implemented entry controls and
secure access points. These measures were designed to prevent unauthorized access to critical
areas housing sensitive data and essential assets. In compliance with relevant laws, regulations, and
ethical standards, Socket Inc. implemented pre-employment background checks tailored to business
needs, information classification, and associated risks. A formalized disciplinary procedure was also
established to address policy violations. Additionally, security measures were implemented for
personnel working remotely to safeguard information accessed, processed, or stored outside the
organization's premises.
Socket Inc. safeguarded its information processing facilities against power failures and other
disruptions. Unauthorized access to critical records from external sources led to the implementation of
data flow control services to prevent unauthorized access between departments and external
networks. In addition, Socket Inc. used data masking based on the organization’s topic-level general
policy on access control and other related topic-level general policies and business requirements,
considering applicable legislation. It also updated and documented all operating procedures for
information processing facilities and ensured that they were accessible to top management
exclusively.
The company also implemented a control to define and implement rules for the effective use of
cryptography, including cryptographic key management, to protect the database from unauthorized
access. The implementation was based on all relevant agreements, legislation, regulations, and the
information classification scheme. Network segregation using VPNs was proposed to improve
security and reduce administrative efforts.
Regarding the design and description of its security controls, Socket Inc. has categorized them into
groups, consolidating all controls within a single document. Lastly, Socket Inc. implemented a new
system to maintain, collect, and analyze information about information security threats and integrate
information security into project management.
Based on the scenario above, answer the following question:
Which of the following physical controls was NOT included in Socket Inc.'s strategy?
A. Annex A 7.2 Physical entry
B. Annex A 7.9 Security of assets off-premises
C. Annex A 7.11 Supporting utilities
Answer: B
(The scenario states that entry controls and secure access points were implemented, which is 7.2, and that information processing facilities were protected against power failures and other disruptions, which is 7.11. The measures for personnel working remotely correspond to the people control 6.7 Remote working, so the physical control 7.9 is the one not described.)
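The breach in this scenario (and again in the version of scenario 3 under question 11) came from a mongod running on its defaults: no access control and a listener exposed beyond the host. The following added example, which is not code from the exam dump or from MongoDB, audits a mongod.conf for those two settings and shows the weak configuration beside a hardened one. Both configuration samples are constructed here; the parser handles only the small YAML subset mongod.conf normally uses, which is an assumption noted in the code.

```python
"""Config audit for the failure mode in scenario 3: a mongod left on its
default settings, with no access control and listening on every interface.
Added example, not code from the exam dump or from MongoDB."""
import ipaddress

# Constructed sample: the state the scenario describes (no security section,
# listener bound to every interface).
WEAK_CONF = """\
# mongod.conf as found on the breached host
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: authentication on, listening only where it is needed.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5   # loopback plus the internal app-subnet address
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> dict:
    """Parse the YAML subset mongod.conf normally uses: nested 'key: value'
    mappings indented with spaces and '#' comments. Returns a flat dict keyed
    'section.key', e.g. {'net.bindIp': '0.0.0.0'}. Assumption: no lists,
    anchors or quoted strings, which is all this check needs."""
    flat, stack = {}, []  # stack holds (indent, key) of the open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = [k for _, k in stack] + [key.strip()]
        if value.strip():
            flat[".".join(path)] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return flat


def audit_mongod(conf: dict) -> list:
    """Return one finding per weak setting; an empty list means access control
    and network exposure are both configured as expected."""
    findings = []
    # Default for security.authorization is 'disabled': every client that can
    # reach the port can read and write every database without credentials.
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': no credentials are required")
    # Current releases default bindIp to localhost, but 0.0.0.0/:: or bindIpAll
    # exposes the listener on every interface, Internet-facing ones included,
    # unless a firewall intervenes.
    bind = conf.get("net.bindIp", "localhost")
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    if conf.get("net.bindIpAll", "false").lower() == "true" or \
            any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("mongod listens on all interfaces (net.bindIp/bindIpAll)")
    for a in addrs:
        try:
            if ipaddress.ip_address(a).is_global:
                findings.append(f"net.bindIp binds a public address: {a}")
        except ValueError:
            pass  # hostnames such as 'localhost' are not resolved here
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod(parse_mongod_conf(text)) or ["no findings"])
```

Binding to an internal address and enabling authorization closes the two gaps the scenario names; it does not replace the firewall rule and the per-application role assignments that the hardened config still assumes exist around it.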

3.SkyFleet did not submit action plans within the specified deadline and was not recommended for
certification.
Is this acceptable?
A. No, SkyFleet should receive an extension
B. No, SkyFleet should be recommended for certification
C. Yes, SkyFleet should not be recommended for certification
Answer: C

4.Scenario 5: Bytes is a dynamic and innovative company specializing in the design, manufacturing,
and distribution of hardware and software, with a focus on providing comprehensive network and
supporting services. It is headquartered in the vibrant tech hub of Lagos, Nigeria. It has a diverse and
dedicated team, boasting a workforce of over 800 employees who are passionate about delivering
cutting-edge solutions to their clients. Given the nature of its business, Bytes frequently handles
sensitive data both internally and when collaborating with clients and partners.
Recognizing the challenges inherent in securely sharing data with clients, partners, and within its own
internal operations, Bytes has implemented robust information security measures. They utilize a
defined risk assessment process, which enables them to assess and address potential threats and
information security risks. This process ensures compliance with ISO/IEC 27001 requirements, a
critical aspect of Bytes' operations.
Initially, Bytes identified both external and internal issues that are relevant to its purpose and that
impact its ability to achieve the intended information security management system outcomes.
External issues beyond the company's control include factors such as social and cultural dynamics;
political, legal, normative, and regulatory environments; financial and macroeconomic conditions;
technological developments; natural factors; and competitive pressures. Internal issues, which are
within the organization's control, encompass aspects like the company's culture; its policies,
objectives, and strategies; governance structures, roles, and responsibilities; adopted standards and
guidelines; contractual relationships that influence processes within the ISMS scope; processes and
procedures; resources and knowledge capabilities; physical infrastructure, information systems,
information flows, and decision-making processes; as well as the results of previous audits and risk
assessments. Bytes also focused on identifying the interested parties relevant to the ISMS,
understanding their requirements, and determining which of those requirements will be addressed by
the ISMS.
In pursuing a secure digital environment, Bytes leverages the latest technology, utilizing automated
vulnerability scanning tools to identify known vulnerable services in their ICT systems. This proactive
approach ensures that potential weaknesses are swiftly addressed, bolstering their overall information
security posture. In their comprehensive approach to information security, Bytes has identified and
assessed various risks. During this process, despite implementing the security controls, Bytes' expert
team identified unacceptable residual risks, and the team currently faces uncertainty regarding which
specific options to select for addressing these identified and unacceptable residual risks.
According to scenario 5, what should Bytes consider when assessing the security of its ICT systems?
A. The skills and expertise of the IT team responsible for assessing the ICT systems
B. The cost of the tools they used when assessing the security of their ICT systems
C. The tools they used may produce false positives due to a lack of environmental context
Answer: C

5.Scenario 8: SunDee is a biopharmaceutical firm headquartered in California, US. Renowned for its
pioneering work in the field of human therapeutics, SunDee places a strong emphasis on addressing
critical healthcare concerns, particularly in the domains of cardiovascular diseases, oncology, bone
health, and inflammation. SunDee has demonstrated its commitment to data security and integrity by
maintaining an effective information security management system (ISMS) based on ISO/IEC 27001
for the past two years.
In preparation for the recertification audit, SunDee conducted an internal audit. The company's top
management appointed Alex, who has actively managed the Compliance Department's day-to-day
operations for the last six months, as the internal auditor. With this dual role assignment, Alex is
tasked with conducting an audit that ensures compliance and provides valuable recommendations to
improve operational efficiency.
During the internal audit, a few nonconformities were identified. To address them comprehensively,
the company created action plans for each nonconformity, working closely with the audit team leader.
SunDee's senior management conducted a comprehensive review of the ISMS to evaluate its
appropriateness, sufficiency, and efficiency. This was integrated into their regular management
meetings. Essential documents, including audit reports, action plans, and review outcomes, were
distributed to all members before the meeting. The agenda covered the status of previous review
actions, changes affecting the ISMS, feedback, stakeholder inputs, and opportunities for
improvement. Decisions and actions targeting ISMS improvements were made, with a significant role
played by the ISMS coordinator and the internal audit team in preparing follow-up action plans, which
were then approved by top management.
In response to the review outcomes, SunDee promptly implemented corrective actions, strengthening
its information security measures. Additionally, dashboard tools were introduced to provide a high-
level overview of key performance indicators essential for monitoring the organization's information
security management. These indicators included metrics on security incidents, their costs, system
vulnerability tests, nonconformity detection, and resolution times, facilitating effective recording,
reporting, and tracking of monitoring activities. Furthermore, SunDee embarked on a comprehensive
measurement process to assess the progress and outcomes of ongoing projects, implementing
extensive measures across all processes. The top management determined that the individual
responsible for the information, aside from owning the data that contributes to the measures, would
also be designated accountable for executing these measurement activities.
Based on the scenario above, answer the following question:
Based on scenario 8, which of the following dashboards did SunDee utilize?
A. Operational dashboards
B. Tactical dashboards
C. Strategic dashboards
Answer: C

6.FinanceX, a well-known financial institution, uses an online banking platform that enables clients to
easily and securely access their bank accounts. To log in, clients are required to enter the one-time
authorization code sent to their smartphone.
What can be concluded from this scenario?
A. FinanceX has implemented a security control that ensures the confidentiality of information
B. FinanceX has implemented an integrity control that avoids the involuntary corruption of data
C. FinanceX has incorrectly implemented a security control that could become a vulnerability
Answer: A

7.Based on scenario 5, did Bytes meet the criteria when selecting the risk assessment methodology?
(Scenario 5 is the Bytes scenario given in full under question 4 above.)
A. No, because Bytes selected a method developed in-house
B. Yes, since the risk assessment methodology complied with the ISO/IEC 27001 requirements
C. No, Bytes did not consult with external stakeholders or subject matter experts when selecting the
risk assessment methodology
Answer: B

8.Scenario 10:
NetworkFuse is a leading company that specializes in the design, production, and distribution of
network hardware products. Over the past two years, NetworkFuse has maintained an operational
Information Security Management System (ISMS) based on ISO/IEC 27001 requirements and a
Quality Management System (QMS) based on ISO 9001. These systems are designed to ensure the
company's commitment to both information security and the highest quality standards.
To further demonstrate its dedication to best practices and industry standards, NetworkFuse recently
scheduled a combined certification audit. This audit seeks to validate NetworkFuse’s compliance with
both ISO/IEC 27001 and ISO 9001, showcasing the company’s strong commitment to maintaining
high standards in information security management and quality management. The process began
with the careful selection of a certification body. NetworkFuse then took steps to prepare its
employees for the audit, which was crucial for ensuring a smooth and successful audit process.
Additionally, NetworkFuse appointed individuals to manage the ISMS and the QMS. NetworkFuse
decided not to conduct a self-evaluation before the audit, a step often taken by organizations to
proactively identify potential areas for improvement. The company's top management believed such
an evaluation was unnecessary, confident in their existing systems and practices. This decision
reflected their trust in the robustness of their ISMS and QMS. As part of the preparations,
NetworkFuse took careful measures to ensure that all necessary documented information, including
internal audit reports, management reviews, technological infrastructure, and the overall functioning of
the ISMS and QMS, was readily available for the audit. This information would be vital in
demonstrating their compliance with the ISO standards.
During the audit, NetworkFuse requested that the certification body not carry documentation off-site.
This request stemmed from their commitment to safeguarding sensitive and proprietary information,
reflecting their desire for maximum security and control during the audit process. Despite meticulous
preparations, the actual audit did not proceed as scheduled. NetworkFuse raised concerns about the
assigned audit team leader and requested a replacement. The company asserted that the same audit
team leader had previously issued a recommendation for certification to one of NetworkFuse's main
competitors. This potential conflict of interest raised concerns among the company’s top
management. However, the certification body rejected NetworkFuse's request for a replacement, and
the audit process was canceled.
Which of the following actions is NOT a requirement for NetworkFuse in preparing for the certification
audit?
A. Identifying subject matter experts
B. Preparing the personnel
C. Gathering documented information
Answer: A

9.Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming consoles, flat-
screen TVs, computers, and printers. In order to ensure information security, the company has
decided to implement an information security management system (ISMS) based on the requirements
of ISO/IEC 27001.
Colin, the company's best information security expert, decided to hold a training and awareness
session for the personnel of the company regarding the information security challenges and other
information security-related controls. The session included topics such as Skyver's information
security approaches and techniques for mitigating phishing and malware.
One of the participants in the session is Lisa, who works in the HR Department. Although Colin
explains Skyver's existing information security policies and procedures in an honest and fair
manner, she finds some of the issues being discussed too technical and does not fully understand the
session. Therefore, in a lot of cases, she requests additional help from the trainer and her colleagues.
Based on scenario 6, when should Colin deliver the next training and awareness session?
A. After he ensures that the group of employees targeted have satisfied the organization's needs
B. After he conducts a competence needs analysis and records the competence related issues
C. After he determines the employees' availability and motivation
Answer: B

10.Is NyvMarketing required to follow the guidelines of ISO/IEC 27002 to attain ISO/IEC 27001
certification?
A. No, adherence to ISO/IEC 27002 guidelines is not mandatory for ISO/IEC 27001 certification
B. Yes, since it is a requirement according to ISO/IEC 27001
C. Yes, since the controls provided in Annex A of ISO/IEC 27001 are aligned with ISO/IEC 27002
controls
D. Yes, since ISO/IEC 27002 is an auditable standard
Answer: A

11.Scenario 3: Socket Inc. is a telecommunications company offering mainly wireless products and
services. It uses MongoDB, a document model database that offers high availability, scalability, and
flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its
MongoDB database, because the database administrators did not change its default settings, leaving
it without a password and publicly accessible.
Fortunately, Socket Inc. performed regular information backups in their MongoDB database, so no
information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize
all logs in one server. The company found out that no persistent backdoor was placed and that the
attack was not initiated from an employee inside the company by reviewing the event logs that record
user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that
grants access to authorized personnel only. The company also implemented a control in order to
define and implement rules for the effective use of cryptography, including cryptographic key
management, to protect the database from unauthorized access. The implementation was based on
all relevant agreements, legislation, and regulations, and the information classification scheme. To
improve security and reduce the administrative efforts, network segregation using VPNs was
proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to
information security threats, and integrate information security into project management.
Based on scenario 3, which information security control of Annex A of ISO/IEC 27001 did Socket Inc.
implement by establishing a new system to maintain, collect, and analyze information related to
information security threats?
A. Annex A 5.5 Contact with authorities
B. Annex A 5.7 Threat intelligence
C. Annex A 5.13 Labeling of information
Answer: B
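Socket Inc. answered "was it an insider, and is there a backdoor?" by reviewing the logs centralized on its syslog server. The following added example, not code from the exam dump or from MongoDB, shows the first pass an investigator would make over such logs: per source address, count accepted connections and authentication outcomes, then flag external sessions that never authenticated, which is exactly what an unauthenticated, publicly reachable mongod produces. The log lines are constructed samples; the assumption is that the collector prepended a syslog header to mongod's JSON-structured log lines (the 4.4+ format), and the external addresses used are documentation ranges, not real attackers.

```python
"""Triage of centralized mongod logs, as scenario 3 describes Socket Inc.
doing with its syslog server: per source address, count accepted connections
and authentication outcomes, then rank what to look at first.
Added example, not code from the exam dump or from MongoDB."""
import ipaddress
import json

# Constructed sample. Assumption: the collector prepended a syslog header to
# mongod's structured (JSON) log lines; field names follow mongod 4.4+.
SAMPLE_LOG = """\
Mar 14 02:11:05 db01 mongod[1234]: {"t":{"$date":"2024-03-14T02:11:05.120+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.10:51234","connectionId":12}}
Mar 14 02:11:06 db01 mongod[1234]: {"t":{"$date":"2024-03-14T02:11:06.004+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn12","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","remote":"203.0.113.10:51234"}}
Mar 14 02:12:40 db01 mongod[1234]: {"t":{"$date":"2024-03-14T02:12:40.330+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.20.0.7:40012","connectionId":13}}
Mar 14 02:12:41 db01 mongod[1234]: {"t":{"$date":"2024-03-14T02:12:41.100+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn13","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"app","authenticationDatabase":"app","remote":"10.20.0.7:40012","error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
Mar 14 02:13:02 db01 mongod[1234]: {"t":{"$date":"2024-03-14T02:13:02.900+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.44:60001","connectionId":14}}
"""

# RFC 1918 ranges plus loopback count as "inside"; anything else, including
# hostnames or bracketed IPv6 that fail to parse, is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def parse_record(line: str):
    """Strip the syslog prefix and decode the JSON payload; None if not JSON."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def summarize_sources(log_text: str) -> dict:
    """Per source IP: accepted connections and authentication successes/failures."""
    sources = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        remote = rec.get("attr", {}).get("remote")
        if not remote:
            continue
        host = remote.rsplit(":", 1)[0]  # drop the ephemeral port
        s = sources.setdefault(host, {"connections": 0, "auth_ok": 0,
                                      "auth_failed": 0, "external": is_external(host)})
        msg = rec.get("msg", "")
        if msg == "Connection accepted":
            s["connections"] += 1
        elif msg == "Authentication succeeded":
            s["auth_ok"] += 1
        elif msg == "Authentication failed":
            s["auth_failed"] += 1
    return sources


def findings(sources: dict) -> list:
    """External sessions with no authentication event at all are what an
    open, auth-less mongod produces; external sessions that did authenticate
    need the account checked; internal failed logins are the insider lead."""
    out = []
    for host, s in sorted(sources.items()):
        if s["external"] and s["connections"] and not (s["auth_ok"] or s["auth_failed"]):
            out.append(f"{host}: {s['connections']} external session(s) with no "
                       "authentication event at all (consistent with authorization disabled)")
        elif s["external"]:
            out.append(f"{host}: external source authenticated "
                       f"({s['auth_ok']} ok, {s['auth_failed']} failed); confirm the account use was expected")
        elif s["auth_failed"]:
            out.append(f"{host}: internal source with {s['auth_failed']} failed login(s)")
    return out


if __name__ == "__main__":
    for f in findings(summarize_sources(SAMPLE_LOG)):
        print(f)
```

The absence of any ACCESS record for a source is the signal here: with authorization disabled mongod never logs an authentication attempt, so a connection-only history from an external address is the trace the scenario's attackers would have left.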

12.An employee from Reyae Ltd. unintentionally sent an email containing critical business strategies
to a competitor.
Which information security principle was compromised in this case?
A. Integrity
B. Availability
C. Confidentiality
Answer: C

13.Following a reported event, an information security event ticket has been completed and its priority
has been assigned. Then, the event has been evaluated to determine if it is an information security
incident. Which phase of the incident management process has been completed?
A. initial assessment and decision
B. Detection and reporting
C. Evaluation and confirmation
Answer: C

14.Scenario 5: OperazeIT is a software development company that develops applications for various
companies worldwide. Recently, the company conducted a risk assessment in response to the
evolving digital landscape and emerging information security challenges. Through rigorous testing
techniques like penetration testing and code review, the company identified issues in its IT systems,
including improper user permissions, misconfigured security settings, and insecure network
configurations. To resolve these issues and enhance information security, OperazeIT implemented an
information security management system (ISMS) based on ISO/IEC 27001.
In a collaborative effort involving the implementation team, OperazeIT thoroughly assessed its
business requirements and internal and external environment, identified its key processes and
activities, and identified and analyzed the interested parties to establish the preliminary scope of the
ISMS. Following this, the implementation team conducted a comprehensive review of the company's
functional units, opting to include most of the company departments within the ISMS scope.
Additionally, the team decided to include internal and external physical locations, both external and
internal issues referred to in clause 4.1, the requirements in clause 4.2, and the interfaces and
dependencies between activities performed by the company. The IT manager had a pivotal role in
approving the final scope, reflecting OperazeIT's commitment to information security.
OperazeIT's information security team created a comprehensive information security policy that
aligned with the company's strategic direction and legal requirements, informed by risk assessment
findings and business strategies. This policy, alongside specific policies detailing security issues and
assigning roles and responsibilities, was communicated internally and shared with external parties.
The drafting, review, and approval of these policies involved active participation from top
management, ensuring a robust framework for safeguarding information across all interested parties.
As OperazeIT moved forward, the company entered the policy implementation phase, with a detailed
plan encompassing security definition, role assignments, and training sessions. Lastly, the policy
monitoring and maintenance phase was conducted, where monitoring mechanisms were established
to ensure the company's information security policy is enforced and all employees comply with its
requirements.
To further strengthen its information security framework, OperazeIT initiated a comprehensive gap
analysis as part of the ISMS implementation process. Rather than relying solely on internal
assessments, OperazeIT decided to involve the services of external consultants to assess the state of
its ISMS. The company collaborated with external consultants, which brought a fresh perspective and
valuable insights to the gap analysis process, enabling OperazeIT to identify vulnerabilities and areas
for improvement with a higher degree of objectivity. Lastly, OperazeIT created a committee whose
mission includes ensuring the proper operation of the ISMS, overseeing the company's risk
assessment process, managing information security-related issues, recommending solutions to
nonconformities, and monitoring the implementation of corrections and corrective actions. Based on
the scenario above, answer the following question:
Was there any issue with how OperazeIT determined its current ISMS state?
A. Yes, as the ISMS state must be determined by the implementation team
B. Yes, as it is the top management’s responsibility to determine the ISMS state
C. No, as the ISMS state can be determined by outsourced external consultants
Answer: C

15.Scenario 5: Operaze is a small software development company that develops applications for
various companies around the world. Recently, the company conducted a risk assessment to assess
the information security risks that could arise from operating in a digital landscape. Using different
testing methods, including penetration testing and code review, the company identified some issues
in its ICT systems, including improper user permissions, misconfigured security settings, and insecure
network configurations. To resolve these issues and enhance information security, Operaze decided
to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS
implementation project. Initially, the company analyzed the business requirements and the internal
and external environment, identified its key processes and activities, and identified and analyzed the
interested parties. In addition, the top management of Operaze decided to include most of the
company's departments within the ISMS scope. The defined scope included the organizational and
physical boundaries. The IT team drafted an information security policy and communicated it to all
relevant interested parties. In addition, other specific policies were developed to elaborate on security
issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by the ISMS does not justify its value
and the implementation of the ISMS should be canceled. However, the top management determined
that this claim was invalid and organized an awareness session to explain the benefits of
the ISMS to all interested parties.
Operaze decided to migrate its physical servers to virtual servers on third-party infrastructure.
The new cloud computing solution brought additional changes to the company. Operaze's top
management, on the other hand, aimed to not only implement an effective ISMS but also ensure the
smooth running of the ISMS operations. In this situation, Operaze's top management concluded that
the services of external experts were required to implement their information security strategies. The
IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the
required modifications to the processes of the company.
Based on scenario 5, after migrating to the cloud, Operaze's IT team changed the ISMS scope and
implemented all the required modifications. Is this acceptable?
A. Yes, because the ISMS scope should be changed when there are changes to the external
environment
B. No, because the company has already defined the ISMS scope
C. No, because any change in ISMS scope should be accepted by the management
Answer: C

16.Scenario 7: Incident Response at Texas H&H Inc.
Once they made sure that the attackers do not have access in their system, the security
administrators decided to proceed with the forensic analysis. They concluded that their access
security system was not designed for threat detection, including the detection of malicious files which
could be the cause of possible future attacks.
Based on these findings, Texas H&H Inc. decided to modify its access security system to avoid future
incidents and integrate an incident management policy in their Information security policy that could
serve as guidance for employees on how to respond to similar incidents. Based on the scenario
above, answer the following question:
Texas H&H Inc. decided to assign an internal expert for their forensic analysis. Is this acceptable?
Refer to scenario 7.
A. Yes, forensic analysis can be done by either an internal or external expert
B. Yes, hiring an external expert for forensic analysis is a requirement of the standard
C. No, the company's forensic analysis should be based on the conclusion of its cloud storage
provider's investigation
Answer: A

17.Scenario 7: CyTekShield
CyTekShield, based in Dublin, Ireland, is a cybersecurity consulting provider specializing in digital risk
management and enterprise security solutions. After facing multiple security incidents,
CyTekShield expanded its information security team by bringing in Sadie and Niamh as
part of the team. This team is structured into three key divisions: incident response, security
architecture, and forensics.
Sadie will separate the demilitarized zone from CyTekShield's private network and publicly accessible
resources, as part of implementing a screened subnet network architecture. In addition, Sadie will
carry out comprehensive evaluations of any unexpected incidents, analyzing their causes and
assessing their potential impact. She also developed security strategies and policies. Whereas
Niamh, a specialized expert in forensic investigations, will be responsible for creating records of
different data for evidence purposes. To do this effectively, she first reviewed the company's
information security incident management policy, which outlines the types of records to be created,
their storage location, and the required format and content for specific record types.
To support the process of handling evidence related to information security events, CyTekShield
has established internal procedures. These procedures ensure that evidence is properly identified,
collected, and preserved within the company. CyTekShield's procedures specify how to handle
records in various storage mediums, ensuring that all evidence is safeguarded in its original state,
whether the devices are powered on or off.
As part of CyTekShield's initiative to strengthen information security measures, Niamh will conduct
information security risk assessments only when significant changes are proposed and will document
the results of these risk assessments Upon completion of the risk assessment process, Niamh is
responsible to develop and implement a plan for treating information security risks and document the
risk treatment results.
Furthermore, while implementing the communication plan for information security, CyTekShield's
top management was responsible for creating a roadmap for new product development. This
approach helps the company align its security measures with the product development efforts,
demonstrating a commitment to integrating security into every aspect of its business
operations. CyTekShield uses a cloud service model that includes cloud-based apps accessed
through the web or an application programming interface (API). All cloud services are provided by the
cloud service provider, while data is managed by CyTekShield. This introduces unique security
considerations and becomes a primary focus for the information security team to ensure data and
systems are protected in this environment.
Has CyTekShield appropriately addressed the handling of evidence related to information security
events?
A. No, as it does not include proper training for staff involved in evidence handling
B. Yes, it has appropriately addressed the handling of evidence
C. No, because the process of evidence acquisition was not fully detailed
Answer: B

18.Scenario 9: SkyFleet specializes in air freight services, providing fast and reliable transportation
solutions for businesses that need quick delivery of goods across long distances. Given the
confidential nature of the information it handles, SkyFleet is committed to maintaining the highest
information security standards. To achieve this, the company has had an information security
management system (ISMS) based on ISO/IEC 27001 in operation for a year. To enhance its
reputation, SkyFleet is pursuing certification against ISO/IEC 27001.
SkyFleet strongly emphasizes the ongoing maintenance of information security. In pursuit of this goal,
it has established a rigorous review process, conducting in-depth assessments of the ISMS strategy
every two years to ensure security measures remain robust and up to date. In addition, the company
takes a balanced approach to nonconformities. For example, when employees fail to follow proper
data encryption protocols for internal communications, SkyFleet assesses the nature and scale of this
nonconformity. If this deviation is deemed minor and limited in scope, the company does not prioritize
immediate resolution. However, a significant action plan was developed to address a major
nonconformity involving the revamp of the company's entire data management system to ensure the
protection of client data. SkyFleet entrusted the approval of this action plan to the employees directly
responsible for implementing the changes. This streamlined approach ensures that those closest to
the issues actively engage in the resolution process. SkyFleet's blend of innovation, dedication to
information security, and adaptability has built its reputation as a key player in the IT and
communications services sector.
Despite initially not being recommended for certification due to missed deadlines for submitting
required action plans, SkyFleet undertook corrective measures to address these deficiencies in
preparation for the next certification process. These measures involved analyzing the root causes of
the delay, developing a corrective action plan, reassessing ISMS implementation to ensure
compliance with ISO/IEC 27001 requirements, intensifying internal audit activities, and engaging with
a certification body for a follow-up audit.
According to scenario 9, has SkyFleet accurately outlined the responsible party for approving its
action plan for the revamp of the company's entire data management system?
A. Yes, the employees directly involved in implementing the actions should approve the action plans
B. No, the responsibility for approving action plans lies on top management
C. No, an independent third party should be responsible for approving action plans
D. Yes, any employee can approve as long as they are part of the team
Answer: B

19.What is the main purpose of Annex A 7.1 Physical security perimeters of ISO/IEC 27001?
A. To prevent unauthorized physical access, damage, and interference to the organization's
information and other associated assets
B. To maintain the confidentiality of information that is accessible by personnel or external parties
C. To ensure access to information and other associated assets is defined and authorized
Answer: A

20.A tech company rapidly expanded its operations over the past few years. Its information system,
consisting of servers, databases, and communication tools, is a critical part of its daily operations.
However, due to rapid growth and increased data flow, the company is now facing a saturation of its
information system. This saturation has led to slower response times, increased downtime, and
difficulty in managing the overwhelming volume of data.
In which category does this threat fall?
A. Infrastructure failures
B. Technical failures
C. Compromise of functions
Answer: B

21.An employee of the organization accidentally deleted customers' data stored in the database.
What is the impact of this action?
A. Information is not accessible when required
B. Information is modified in transit
C. Information is not available to only authorized users
Answer: A

22.Scenario 9: OpenTech provides IT and communications services. It helps data communication
enterprises and network operators become multi-service providers. During an internal audit, its internal
auditor, Tim, has identified nonconformities related to the monitoring procedures. He identified and
evaluated several system vulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been
reused and the access control policy has not been followed. After analyzing the root causes of this
nonconformity, the ISMS project manager developed a list of possible actions to resolve the
nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that
would allow the elimination of the root cause and the prevention of a similar situation in the future.
These activities were included in an action plan.
The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to
ensure that network access is effectively managed and monitored by the Information and
Communication Technology (ICT) Department
The approved action plan was implemented and all actions described in the plan were documented.
Based on scenario 9. is the action plan for the identified nonconformities sufficient to eliminate the
detected nonconformities?
A. Yes, because a separate action plan has been created for the identified nonconformity
B. No, because the action plan does not include a timeframe for implementation
C. No, because the action plan does not address the root cause of the identified nonconformity
Answer: B

23.Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model,
leaving traditional retail. The top management has decided to build their own custom platform in-
house and outsource the payment process to an external provider operating online payment
systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented
based on the identified threats and vulnerabilities associated with critical assets. To protect customers'
information, Beauty's employees had to sign a confidentiality agreement. In addition, the company
reviewed all user access rights so that only authorized personnel can have access to sensitive files
and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long
after transitioning to the e-commerce model. After investigating the incident, the team concluded that
due to the out-of-date anti-malware software, an attacker gained access to their files and exposed
customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would
automatically remove malicious code in case of similar incidents. The new software was installed in
every workstation within the company. After installing the new software, the team updated it with the
latest malware definitions and enabled the automatic update feature to keep it up to date at all times.
Additionally, they established an authentication process that requires a user identification and
password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team
and other employees that have access to confidential information in order to raise awareness on the
importance of system and network security.
Based on the scenario above, answer the following question:
Based on scenario 2, which principle of information security was NOT compromised by the attack?
A. Confidentiality
B. Integrity
C. Availability
Answer: B

24.Which statement regarding organizational roles, responsibilities, and authorities is NOT correct?
A. Top management is responsible for reporting on the performance of the ISMS and cannot assign
this responsibility to someone else
B. A project manager can have information security responsibilities as well
C. Top management must assign the responsibility for ensuring that the ISMS conforms to ISO/IEC
27001
Answer: A

25.What is the purpose of an internal audit charter?
A. To outline how the organization benefits from internal audits, especially in achieving its objectives
B. To outline the assessment of collected audit evidence against predefined audit criteria
C. To outline the audit results, considering the audit objectives and all findings
Answer: A

26.Scenario 9:
OpenTech, headquartered in San Francisco, specializes in information and communication
technology (ICT) solutions. Its clientele primarily includes data communication enterprises and
network operators. The company's core objective is to enable its clients to transition smoothly into
multi-service providers, aligning their operations with the complex demands of the digital landscape.
Recently, Tim, the internal auditor of OpenTech, conducted an internal audit that uncovered
nonconformities related to their monitoring procedures and system vulnerabilities. In response to
these nonconformities, OpenTech decided to employ a comprehensive problem-solving approach to
address the issues systematically. This method encompasses a team-oriented approach, aiming to
identify, correct, and eliminate the root causes of the issues. The approach involves several steps:
First, establish a group of experts with deep knowledge of processes and controls. Next, break down
the nonconformity into measurable components and implement interim containment measures. Then,
identify potential root causes and select and verify permanent corrective actions. Finally, put those
actions into practice, validate them, take steps to prevent recurrence, and recognize and
acknowledge the team's efforts.
Following the analysis of the root causes of the nonconformities, OpenTech's ISMS project manager,
Julia, developed a list of potential actions to address the identified nonconformities. Julia carefully
evaluated the list to ensure that each action would effectively eliminate the root cause of the
respective nonconformity. While assessing potential corrective actions, Julia identified one issue as
significant and assessed a high likelihood of its recurrence. Consequently, she chose to implement
temporary corrective actions. Julia then combined all the nonconformities into a single action plan and
sought approval from top management.
The submitted action plan was written as follows:
"A new version of the access control policy will be established and new restrictions will be created to
ensure that network access is effectively managed and monitored by the Information and
Communication Technology (ICT) Department."
However, Julia's submitted action plan was not approved by top management. The reason cited was
that a general action plan meant to address all nonconformities was deemed unacceptable.
Consequently, Julia revised the action plan and submitted separate ones for approval. Unfortunately,
Julia did not adhere to the organization's specified deadline for submission, resulting in a delay in the
corrective action process. Additionally, the revised action plans lacked a defined schedule for
execution.
Did Julia's approach to submitting action plans for addressing nonconformities align with best
practices?
A. Yes, as action plan submission can be flexible
B. No, as action plans are typically expected to meet specified deadlines
C. Yes, Julia revised the action plan to ensure alignment with best practices
Answer: B

27.An organization documented each security control that it implemented by describing their functions
in detail. Is this compliant with ISO/IEC 27001?
A. No, the standard requires documenting only the operation of processes and controls, so no
description of each security control is needed
B. No, because the documented information should have a strict format, including the date, version
number, and author identification
C. Yes, but documenting each security control and not the process in general will make it difficult to
review the documented information
Answer: C

28.Scenario 4: TradeB is a newly established commercial bank located in Europe, with a diverse
clientele. It provides services that encompass retail banking, corporate banking, wealth management,
and digital banking, all tailored to meet the evolving financial needs of individuals and businesses in
the region. Recognizing the critical importance of information security in the modern banking
landscape, TradeB has initiated the implementation of an information security management system
(ISMS) based on ISO/IEC 27001. To ensure the successful implementation of the ISMS, the top
management decided to contract two experts to lead and oversee the ISMS implementation project.
As a primary strategy for implementing the ISMS, the experts chose an approach that emphasizes a
swift implementation of the ISMS by initially meeting the minimum requirements of ISO/IEC 27001,
followed by continual improvement over time. Additionally, under the guidance of the experts, TradeB
opted for a methodological framework, which serves as a structured framework and a guideline that
outlines the high-level stages of the ISMS implementation, the associated activities, and the
deliverables without incorporating any specific tools.
The experts analyzed the ISO/IEC 27001 controls and listed only the security controls deemed
applicable to the company and its objectives. Based on this analysis, they drafted the Statement of
Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such
as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential
consequences and likelihood, and determined the level of risks based on a methodical approach that
involved defining and characterizing the terms and criteria used in the assessment process,
categorizing them into non-numerical levels (e.g., very low, low, moderate, high, very high).
Explanatory notes were thoughtfully crafted to justify assessed values, with the primary goal of
enhancing repeatability and reproducibility.
Then, they evaluated the risks based on the risk evaluation criteria, where they decided to treat only
the risks of the high-risk category. Additionally, they focused primarily on the unauthorized use of
administrator rights and system interruptions due to several hardware failures. To address these
issues, they established a new version of the access control policy, implemented controls to manage
and control user access, and introduced a control for ICT readiness to ensure business continuity.
Their risk assessment report indicated that if the implemented security controls reduce the risk levels
to an acceptable threshold, those risks will be accepted. Based on the scenario above, answer the
following question:
Based on scenario 4, from which source did TradeB's ISMS implementation draw its methodological
framework?
A. ISO/IEC 27003
B. ISO 10006
C. COBIT 5
Answer: A

29.Scenario 8: BioVitalis
BioVitalis is a biopharmaceutical firm headquartered in California, the US. Renowned for its pioneering
work in the field of human therapeutics, BioVitalis places a strong emphasis on addressing critical
healthcare concerns, particularly in the domains of cardiovascular diseases, oncology, bone health,
and inflammation. BioVitalis has demonstrated its commitment to data security and integrity by
maintaining an effective information security management system (ISMS) based on ISO/IEC 27001
for the past two years.
In preparation for the recertification audit, BioVitalis conducted an internal audit. The company's top
management appointed Alex, who has actively managed the Compliance Department's day-to-day
operations for the last six months, as the internal auditor. With this dual role assignment, Alex is
tasked with conducting an audit that ensures compliance and provides valuable recommendations to
improve operational efficiency.
During the internal audit, a few nonconformities were identified. To address them comprehensively,
the company created action plans for each nonconformity, working closely with the audit team leader.
BioVitalis's senior management conducted a comprehensive review of the ISMS to evaluate its
appropriateness, sufficiency, and efficiency. This was integrated into their regular management
meetings. Essential documents, including audit reports, action plans, and review outcomes, were
distributed to all members before the meeting. The agenda covered the status of previous review
actions, changes affecting the ISMS, feedback, stakeholder inputs, and opportunities for improvement.
Decisions and actions targeting ISMS improvements were made, with a significant role played by the
ISMS coordinator and the internal audit team in preparing follow-up action plans, which were then
approved by top management.
In response to the review outcomes, BioVitalis promptly implemented corrective actions,
strengthening its information security measures. Additionally, dashboard tools were introduced to
provide a high-level overview of key performance indicators essential for monitoring the organization's
information security management. These indicators included metrics on security incidents, their costs,
system vulnerability tests, nonconformity detection, and resolution times, facilitating effective
recording, reporting, and tracking of monitoring activities.
Furthermore, BioVitalis embarked on a comprehensive measurement process to assess the progress
and outcomes of ongoing projects, implementing extensive measures across all processes. The top
management determined that the individual responsible for the information, aside from owning the
data that contributes to the measures, would also be designated accountable for executing these
measurement activities.
BioVitalis is a biopharma company with an ISMS certified under ISO/IEC 27001. For recertification, it
reviewed ISMS performance, created dashboards to monitor KPIs such as incident cost, vulnerability
tests, and resolution times.
What type of dashboards did BioVitalis utilize?
A. Operational
B. Tactical
C. Strategic
Answer: C

30.Why is an in-depth review crucial for organizations to evaluate their security architecture?
A. To conduct background checks on potential employees to ensure security compliance
B. To determine the organization’s compliance with financial regulations
C. To assess whether security requirements based on industry best practices can be met
D. To meet shareholder expectations
Answer: C

31.Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model,
leaving traditional retail. The top management has decided to build their own custom platform in-
house and outsource the payment process to an external provider operating online payment
systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented
based on the identified threats and vulnerabilities associated with critical assets. To protect customers'
information, Beauty's employees had to sign a confidentiality agreement. In addition, the company
reviewed all user access rights so that only authorized personnel can have access to sensitive files
and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long
after transitioning to the e-commerce model. After investigating the incident, the team concluded that
due to the out-of-date anti-malware software, an attacker gained access to their files and exposed
customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would
automatically remove malicious code in case of similar incidents. The new software was installed in
every workstation within the company. After installing the new software, the team updated it with the
latest malware definitions and enabled the automatic update feature to keep it up to date at all times.
Additionally, they established an authentication process that requires a user identification and
password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team
and other employees that have access to confidential information in order to raise awareness on the
importance of system and network security.
Which statement below suggests that Beauty has implemented a managerial control that helps avoid
the occurrence of incidents? Refer to scenario 2.
A. Beauty's employees signed a confidentiality agreement
B. Beauty conducted a number of information security awareness sessions for the IT team and other
employees that have access to confidential information
C. Beauty updated the segregation of duties chart
Answer: B

32.In addition to leading the new project involving sensitive client data, what is Sarah’s role within the
company? Refer to scenario 6.
Scenario 6: CB Consulting is a reputable firm based in Dublin, Ireland, providing strategic business
solutions to diverse clients. With a dedicated team of professionals, CB Consulting prides itself on its
commitment to excellence, integrity, and client satisfaction. CB Consulting started implementing an
ISMS aligned with ISO/IEC 27001 as part of its ongoing commitment to enhancing its information
security practices. Throughout this process, ensuring effective communication and adherence to established
security protocols is essential.
Sarah, an employee at CB, has been appointed as the head of a new project focused on managing
sensitive client data. Additionally, she is responsible for overseeing activities during the response
phase of incident management, including regular reporting to the incident manager of the incident
management team and keeping key stakeholders informed. Meanwhile, CB Consulting has
reassigned Tom to serve as the company's legal consultant.
CB Consulting has also reassigned Clare, formerly an IT security analyst, as their information security
officer to oversee the implementation of the ISMS and ensure compliance with ISO/IEC 27001.
Clare's primary responsibility is to conduct regular risk assessments, identify potential vulnerabilities,
and implement appropriate security measures to mitigate risks effectively. Clare has established a
procedure stating that information security risk assessments are conducted only when significant
changes occur, playing a crucial role in strengthening the company's security posture and
safeguarding against potential threats.
To ensure it has a competent workforce to meet information security objectives, CB Consulting has
implemented a process to verify that all employees, including Sarah, Tom, and Clare, possess
the necessary competence based on their education, training, or experience. Where gaps were
identified, the company has taken specific actions such as providing additional training and
mentoring. Additionally, CB Consulting retains documented information as evidence of the competencies required and acquired.
CB Consulting has established a robust communication strategy aligned with industry standards to
ensure secure and effective information exchange. It identified the requirements for communication
on relevant issues. First, the company designated specific roles, such as a public relations officer for
external communication and a security officer for internal matters, to manage sensitive issues like
data breaches. Then, communication triggers, content, and recipients were carefully defined, with
messages pre-approved by management where necessary. Lastly, dedicated channels were
implemented to ensure the confidentiality and integrity of transmitted information.
Based on the scenario above, answer the following question.
CB Consulting prioritizes transparent and substantive communication practices to foster trust,
enhance stakeholder engagement, and reinforce its commitment to information security excellence.
Which principle of effective communication is emphasized by this approach?
Transparency
A. CSIRT
B. Incident coordinator
C. Incident manager
Answer: B

33.Scenario 3: Socket Inc. is a dynamic telecommunications company specializing in wireless
products and services, committed to delivering high-quality and secure communication solutions.
Socket Inc. leverages innovative technology, including the MongoDB database, renowned for its high
availability, scalability, and flexibility, to provide reliable, accessible, efficient, and well-organized
services to its customers. Recently, the company faced a security breach where external hackers
exploited the default settings of its MongoDB database due to an oversight in the configuration
settings, which had not been properly addressed. Fortunately, diligent data backups and centralized
logging through a server ensured no loss of information. In response to this incident, Socket Inc.
undertook a thorough evaluation of its security measures. The company recognized the urgent need
to improve its information security and decided to implement an information security management
system (ISMS) based on ISO/IEC 27001.
To improve its data security and protect its resources, Socket Inc. implemented entry controls and
secure access points. These measures were designed to prevent unauthorized access to critical
areas housing sensitive data and essential assets. In compliance with relevant laws, regulations, and
ethical standards, Socket Inc. implemented pre-employment background checks tailored to business
needs, information classification, and associated risks. A formalized disciplinary procedure was also
established to address policy violations. Additionally, security measures were implemented for
personnel working remotely to safeguard information accessed, processed, or stored outside the
organization's premises.
Socket Inc. safeguarded its information processing facilities against power failures and other
disruptions. Unauthorized access to critical records from external sources led to the implementation of
data flow control services to prevent unauthorized access between departments and external
networks. In addition, Socket Inc. used data masking based on the organization’s topic-level general
policy on access control and other related topic-level general policies and business requirements,
considering applicable legislation. It also updated and documented all operating procedures for
information processing facilities and ensured that they were accessible to top management
exclusively.
The company also implemented a control to define and implement rules for the effective use of
cryptography, including cryptographic key management, to protect the database from unauthorized
access. The implementation was based on all relevant agreements, legislation, regulations, and the
information classification scheme. Network segregation using VPNs was proposed to improve
security and reduce administrative efforts.
Regarding the design and description of its security controls, Socket Inc. has categorized them into
groups, consolidating all controls within a single document. Lastly, Socket Inc. implemented a new
system to maintain, collect, and analyze information about information security threats and integrate
information security into project management.
Based on the scenario above, answer the following question:
Which of the following controls did Socket Inc. implement by conducting pre-employment background
checks? Refer to scenario 3.
A. Annex A 6.1 Screening
B. Annex A 6.7 Remote working
C. Annex A 6.4 Disciplinary process
Answer: A

34.Scenario 4: TradeB is a newly established commercial bank located in Europe, with a diverse
clientele. It provides services that encompass retail banking, corporate banking, wealth management,
and digital banking, all tailored to meet the evolving financial needs of individuals and businesses in
the region. Recognizing the critical importance of information security in the modern banking
landscape, TradeB has initiated the implementation of an information security management system
(ISMS) based on ISO/IEC 27001. To ensure the successful implementation of the ISMS, the top
management decided to contract two experts to lead and oversee the ISMS implementation project.
As a primary strategy for implementing the ISMS, the experts chose an approach that emphasizes a
swift implementation of the ISMS by initially meeting the minimum requirements of ISO/IEC 27001,
followed by continual improvement over time. Additionally, under the guidance of the experts, TradeB
opted for a methodological framework, which serves as a structured framework and a guideline that
outlines the high-level stages of the ISMS implementation, the associated activities, and the
deliverables without incorporating any specific tools.
The experts analyzed the ISO/IEC 27001 controls and listed only the security controls deemed
applicable to the company and its objectives. Based on this analysis, they drafted the Statement of
Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such
as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential
consequences and likelihood, and determined the level of risks based on a methodical approach that
involved defining and characterizing the terms and criteria used in the assessment process,
categorizing them into non-numerical levels (e.g., very low, low, moderate, high, very high).
Explanatory notes were thoughtfully crafted to justify assessed values, with the primary goal of
enhancing repeatability and reproducibility.
Then, they evaluated the risks based on the risk evaluation criteria, where they decided to treat only
the risks of the high-risk category. Additionally, they focused primarily on the unauthorized use of
administrator rights and system interruptions due to several hardware failures. To address these
issues, they established a new version of the access control policy, implemented controls to manage
and control user access, and introduced a control for ICT readiness to ensure business continuity.
Their risk assessment report indicated that if the implemented security controls reduce the risk levels
to an acceptable threshold, those risks will be accepted. Based on the scenario above, answer the
following question:
Which risk analysis technique did the experts use to determine the level of risk? Refer to scenario 4.
A. Qualitative risk analysis
B. Semi-quantitative analysis
C. Quantitative risk analysis
Answer: A

35.Scenario 10: ProEBank
ProEBank is an Austrian financial institution known for its comprehensive range of banking services.
Headquartered in Vienna, it leverages the city's advanced technological and financial ecosystem. To
enhance its security posture, ProEBank has implemented an information security management
system (ISMS) based on ISO/IEC 27001. After a year of having the ISMS in place, the company
decided to apply for a certification audit to obtain certification against ISO/IEC 27001.
To prepare for the audit, the company first informed its employees about the audit and organized training
sessions to prepare them. It also prepared documented information in advance, so that the
documents would be ready when external auditors asked to review them. Additionally, it determined
which of its employees have the knowledge to help the external auditors understand and evaluate the
processes.
During the planning phase for the audit, ProEBank reviewed the list of assigned auditors provided by
the certification body. Upon reviewing the list, ProEBank identified a potential conflict of interest with
one of the auditors, who had previously worked for ProEBank's main competitor in the banking
industry. To ensure the integrity of the audit process, ProEBank refused to undergo the audit until a
completely new audit team was assigned. In response, the certification body acknowledged the
conflict of interest and made the necessary adjustments to ensure the impartiality of the audit team.
After the resolution of this issue, the audit team assessed whether the ISMS met both the standard's
requirements and the company's objectives. During this process, the audit team focused on reviewing
documented information.
Three weeks later, the team conducted an on-site visit to the auditee's location, where they aimed to
evaluate whether the ISMS conformed to the requirements of ISO/IEC 27001, was effectively
implemented, and enabled the auditee to reach its information security objectives. After the on-site
visit, the team prepared the audit conclusions and notified the auditee that some minor
nonconformities had been detected. The audit team leader then issued a recommendation for
certification.
After receiving the recommendation from the audit team leader, the certification body established a
committee to make the decision for certification. The committee included one member from the audit
team and two other experts working for the certification body.
After the Stage 2 audit, minor nonconformities were found. Despite this, the audit team leader issued
a positive recommendation for certification.
Is this acceptable?
A. No, the auditor should have issued an unfavorable recommendation for certification because
minor nonconformities were identified
B. Yes, a recommendation for certification should be issued when only minor nonconformities are
identified
C. No, the auditor should have issued a recommendation for certification conditional upon the filing
of corrective action plans for the minor nonconformities
Answer: B

36.Which of the following statements is accurate regarding the methodology for managing the
implementation of an ISMS?
A. Organizations must strictly follow a specific methodology to meet the minimum requirements
B. The sequence of steps must remain fixed throughout the ISMS implementation
C. Organizations can adapt the methodology to their specific context, and steps can be modified as
needed
Answer: C

37.Scenario 3: Socket Inc. is a telecommunications company offering mainly wireless products and
services. It uses MongoDB, a document model database that offers high availability, scalability, and
flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its
MongoDB database because the database administrators did not change its default settings, leaving
it without a password and publicly accessible.
Fortunately, Socket Inc. performed regular information backups of their MongoDB database, so no
information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize
all logs in one server. By reviewing the event logs that record user faults and exceptions, the company
found out that no persistent backdoor was placed and that the attack was not initiated by an employee
inside the company.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that
grants access to authorized personnel only. The company also implemented a control in order to
define and implement rules for the effective use of cryptography, including cryptographic key
management, to protect the database from unauthorized access. The implementation was based on
all relevant agreements, legislation, and regulations, and the information classification scheme. To
improve security and reduce the administrative effort, network segregation using VPNs was
proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to
information security threats, and integrate information security into project management.
Based on the scenario above, answer the following question:
Which security control does NOT prevent information security incidents from recurring?
A. Segregation of networks
B. Privileged access rights
C. Information backup
Answer: C

38.Scenario 8: SunDee is a biopharmaceutical firm headquartered in California, US. Renowned for its
pioneering work in the field of human therapeutics, SunDee places a strong emphasis on addressing
critical healthcare concerns, particularly in the domains of cardiovascular diseases, oncology, bone
health, and inflammation. SunDee has demonstrated its commitment to data security and integrity by
maintaining an effective information security management system (ISMS) based on ISO/IEC 27001
for the past two years.
In preparation for the recertification audit, SunDee conducted an internal audit. The company's top
management appointed Alex, who has actively managed the Compliance Department's day-to-day
operations for the last six months, as the internal auditor. With this dual role assignment, Alex is
tasked with conducting an audit that ensures compliance and provides valuable recommendations to
improve operational efficiency.
During the internal audit, a few nonconformities were identified. To address them comprehensively,
the company created action plans for each nonconformity, working closely with the audit team leader.
SunDee's senior management conducted a comprehensive review of the ISMS to evaluate its
appropriateness, sufficiency, and efficiency. This was integrated into their regular management
meetings. Essential documents, including audit reports, action plans, and review outcomes, were
distributed to all members before the meeting. The agenda covered the status of previous review
actions, changes affecting the ISMS, feedback, stakeholder inputs, and opportunities for
improvement. Decisions and actions targeting ISMS improvements were made, with a significant role
played by the ISMS coordinator and the internal audit team in preparing follow-up action plans, which
were then approved by top management.
In response to the review outcomes, SunDee promptly implemented corrective actions, strengthening
its information security measures. Additionally, dashboard tools were introduced to provide a high-
level overview of key performance indicators essential for monitoring the organization's information
security management. These indicators included metrics on security incidents, their costs, system
vulnerability tests, nonconformity detection, and resolution times, facilitating effective recording,
reporting, and tracking of monitoring activities. Furthermore, SunDee embarked on a comprehensive
measurement process to assess the progress and outcomes of ongoing projects, implementing
extensive measures across all processes. The top management determined that the individual
responsible for the information, aside from owning the data that contributes to the measures, would
also be designated accountable for executing these measurement activities.
Based on the scenario above, answer the following question:
Does SunDee's approach align with the best practices for evaluating and maintaining the
effectiveness of an ISMS?
A. Yes, because comprehensive coverage is essential to achieve ISMS objectives
B. Yes, because a diverse set of measures minimizes the likelihood of overlooking any potential
security risks
C. No, as an excessive number of measures may distort SunDee’s focus and obscure what is
genuinely important
Answer: B

39.Scenario 4: TradeB, a commercial bank that has just entered the market, accepts deposits from its
clients and offers basic financial services and loans for investments. TradeB has decided to
implement an information security management system (ISMS) based on ISO/IEC 27001. Having no
experience of a management system implementation, TradeB's top management contracted two
experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security
controls deemed applicable to the company and their objectives. Based on this analysis, they drafted
the Statement of Applicability. Afterward, they conducted a risk assessment, during which they
identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities,
assessed potential consequences and likelihood, and determined the level of risks based on three
nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk
evaluation criteria and decided to treat only the high-risk category. They also decided to focus
primarily on the unauthorized use of administrator rights and system interruptions due to several
hardware failures by establishing a new version of the access control policy, implementing controls to
manage and control user access, and implementing a control for ICT readiness for business
continuity.
Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of
these security controls the level of risk is below the acceptable level, the risks will be accepted. Based
on the scenario above, answer the following question:
The decision to treat only risks that were classified as high indicates that TradeB has:
A. Evaluated other risk categories based on risk treatment criteria
B. Accepted other risk categories based on risk acceptance criteria
C. Modified other risk categories based on risk evaluation criteria
Answer: B

40.Scenario 6: CB Consulting is a reputable firm based in Dublin, Ireland, providing strategic
business solutions to diverse clients. With a dedicated team of professionals, CB Consulting prides
itself on its commitment to excellence, integrity, and client satisfaction. CB Consulting started
implementing an ISMS aligned with ISO/IEC 27001 as part of its ongoing commitment to enhancing
its information security practices. Throughout this process, ensuring effective communication and
adherence to established security protocols is essential.
Sarah, an employee at CB Consulting, has been appointed as the head of a new project focused on managing
sensitive client data. Additionally, she is responsible for overseeing activities during the response
phase of incident management, including regular reporting to the incident manager of the incident
management team and keeping key stakeholders informed. Meanwhile, CB Consulting has
reassigned Tom to serve as the company's legal consultant.
CB Consulting has also reassigned Clare, formerly an IT security analyst, as their information security
officer to oversee the implementation of the ISMS and ensure compliance with ISO/IEC 27001.
Clare's primary responsibility is to conduct regular risk assessments, identify potential vulnerabilities,
and implement appropriate security measures to mitigate risks effectively. Clare has established a
procedure stating that information security risk assessments are conducted only when significant
changes occur, playing a crucial role in strengthening the company's security posture and
safeguarding against potential threats.
To ensure it has a competent workforce to meet information security objectives, CB Consulting has
implemented a process to determine and verify that all employees, including Sarah, Tom, and Clare, possess
the necessary competence based on their education, training, or experience. Where gaps were
identified, the company has taken specific actions such as providing additional training and
mentoring. Additionally, CB Consulting retains documented information as evidence of the
competencies required and acquired. CB Consulting has established a robust communication
strategy aligned with industry standards to ensure secure and effective information exchange. It
identified the requirements for communication on relevant issues. First, the company designated
specific roles, such as a public relations officer for external communication and a security officer for
internal matters, to manage sensitive issues like data breaches. Then, communication triggers,
content, and recipients were carefully defined, with messages pre-approved by management where
necessary. Lastly, dedicated channels were implemented to ensure the confidentiality and integrity of
transmitted information.
Based on the scenario above, answer the following question.
CB Consulting prioritizes transparent and substantive communication practices to foster trust,
enhance stakeholder engagement, and reinforce its commitment to information security excellence.
Which principle of effective communication is emphasized by this approach?
Answer: Transparency
Based on scenario 6, Clare has established a procedure stating that information security risk
assessments are conducted only when significant changes occur. Is the frequency of risk
assessments determined correctly?
A. No, she should perform risk assessments quarterly per ISO/IEC 27001 requirements
B. No, she should perform risk assessments annually, as mandated by regulatory authorities
C. No, the company must conduct risk assessments at planned intervals
Answer: C

41.Scenario 10: CircuitLinking is a company specializing in water purification solutions, designing and
manufacturing efficient filtration and treatment systems for both residential and commercial
applications. Over the past two years, the company has actively implemented an integrated
management system (IMS) that aligns with both ISO/IEC 27001 for information security and ISO 9001
for quality management. Recently, the company has applied for a combined audit to achieve
certification against both ISO/IEC 27001 and ISO 9001.
In preparation, CircuitLinking ensured a clear understanding of ISO/IEC 27001, identified subject-
matter experts, allocated resources, and gathered documentation to provide evidence of effective
procedures. After passing Stage 1 (focused on verifying the design), Stage 2 was conducted to
examine implementation and effectiveness. An auditor with a potential conflict of interest was
replaced at the company’s request. The audit process continued, and the company was awarded
certification.
During a later recertification audit, significant changes to the management system triggered a Stage 1
assessment to evaluate the impact.
Based on the scenario above, answer the following question:
During the Stage 1 audit, the auditor assessed the design of CircuitLinking's management system.
Is this approach recommended?
A. Yes, during the Stage 1 audit, the auditor should assess the design of the management system
B. No, during the Stage 1 audit, the auditor should assess the auditee's physical infrastructure
C. No, during the Stage 1 audit, the auditor should assess the effectiveness of the management
system
Answer: A

42.Scenario 4: TradeB, a commercial bank that has just entered the market, accepts deposits from its
clients and offers basic financial services and loans for investments. TradeB has decided to
implement an information security management system (ISMS) based on ISO/IEC 27001. Having no
experience of a management system implementation, TradeB's top management contracted two
experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security
controls deemed applicable to the company and their objectives. Based on this analysis, they drafted
the Statement of Applicability. Afterward, they conducted a risk assessment, during which they
identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities,
assessed potential consequences and likelihood, and determined the level of risks based on three
nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk
evaluation criteria and decided to treat only the high-risk category. They also decided to focus
primarily on the unauthorized use of administrator rights and system interruptions due to several
hardware failures by establishing a new version of the access control policy, implementing controls to
manage and control user access, and implementing a control for ICT readiness for business
continuity.
Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of
these security controls the level of risk is below the acceptable level, the risks will be accepted.
Based on scenario 4, what type of assets were identified during risk assessment?
A. Supporting assets
B. Primary assets
C. Business assets
Answer: A

43.Del&Co has decided to improve their staff-related controls to prevent incidents.
Which of the following is NOT a preventive control related to Del&Co's staff?
A. Authentication and authorization
B. Control of physical access to the equipment
C. Video cameras
Answer: C

44.Scenario 10: CircuitLinking is a company specializing in water purification solutions, designing and
manufacturing efficient filtration and treatment systems for both residential and commercial
applications. Over the past two years, the company has actively implemented an integrated
management system (IMS) that aligns with both ISO/IEC 27001 for information security and ISO 9001
for quality management. Recently, the company has taken a significant step forward by applying for a
combined audit, aiming to achieve certification against both ISO/IEC 27001 and ISO 9001.
In preparation for the certification audit, CircuitLinking ensured a clear understanding of ISO/IEC
27001 within the company and identified key subject-matter experts to assist the auditors. It also
allocated sufficient resources and performed a self-assessment to verify that processes were clearly
defined, roles and responsibilities were segregated, and documented information was maintained.
To avoid delays, the company gathered all necessary documentation in advance to provide evidence
that procedures were in place and effective.
Following the successful completion of the Stage 1 audit, which focused on verifying the design of the
management system, the Stage 2 audit was conducted to examine the implementation and
effectiveness of the information security and quality management systems.
One of the auditors, Megan, was a previous employee of the company. To uphold the integrity of the
certification process, the company notified the certification body about the potential conflict of interest
and requested an auditor change. Subsequently, the certification body selected a replacement,
ensuring impartiality. Additionally, the company requested a background check of the audit team
members; however, the certification body denied this request. The necessary adjustments to the audit
plan were made, and transparent communication with stakeholders was maintained.
The audit process continued seamlessly under the new auditor’s guidance. Upon audit completion,
the certification body evaluated the results and conclusions of the audit and CircuitLinking's public
information and awarded CircuitLinking the combined certification.
A recertification audit for CircuitLinking was conducted to verify that the company's management
system continued to meet the required standards and remained effective within the defined scope of
certification. CircuitLinking had implemented significant changes to its management system, including
a major overhaul of its information security processes, the adoption of new technology platforms, and
adjustments to comply with recent changes in industry legislation. Due to these substantial updates,
the recertification audit required a Stage 1 assessment to evaluate the impact of these changes.
According to Scenario 10, the certification body evaluated the results and conclusions of the audit and
CircuitLinking’s public information when making the certification decision.
Is this acceptable?
A. No, the certification body should also consider the auditor's opinions when making the certification
decision
B. No, the certification decision must be based solely on the audit findings, and no external
information can be considered
C. Yes, the certification body must make the certification decision based on other relevant
information, such as public information
D. No, only top management’s input should be considered
Answer: C
