PECB ISO-IEC-27001-Lead-Implementer - PECB Certified ISO/IEC 27001 : 2022 Lead Implementer exam

Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.

After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS. However, the company requested from the certification body that the documentation could not be carried off-site

However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body

According to scenario 10, NetworkFuse requested from the certification body to review all the documentation only on-site. Is this acceptable?

Scenario 5: Bytes iS a dynamic and innovative Company specializing in the design, manufacturing. and distribution Of hardware and software, with a focus On providing comprehensive network and supporting

services. It is headquartered in the vibrant tech hub of Lagos, Nigeria. It has a diverse and dedicated team, boasting a workforce of over 800 employees who are passionate about delivering cutting-edge solutions

to their Clients. Given the nati-jte Of its business. Bytes frequently handles sensitive data both internally and When collaborating With Clients and partners.

Recognizing the Challenges inherent in securely sharing data with clients. partners, and within its own internal operations. Bytes has implemented robust information security measures, They utilize a defined risk

assessment process, which enables them to assess and address potential threats and information security risks. This process ensures compliance with ISOflEC 27001 requirements, a critical aspect of Bytes'

operations.

Initially. Bytes identified both external and internal issues that are relevant to its purpose and that impact its ability to achieve the intended information security management System Outcomes, External issues

beyond the company'S control include factors Such as social and Cultural dynamics, political. legal. normative, and regulatory environments, financial and macroeconomic conditions. technological developments,

natural factors, and competitive pressures. Internal issues, which are within the organization's control, encompass aspects like the company's culture. its policies, objectives, and strategies; govetnance structures.

roles, and responsibilities: adopted standards and guidelines; contractual relationships that influence processes within the ISMS scope: processes and procedures resources and knowledge capabilities; physical

infrastructure information systems. information flows. and decisiorwnaking processes; as well as the results of previous audits and risk assessments. Bytes also focused on identifying the interested parties

relevant to the ISMS understanding their requirements, and determining which Of those requirements will be addressed by the ISMS

In pursuing a secure digital environment, Bytes leverages the latest technology, utilizing automated vulnerability scanning tools to identify known vulnerable services in their ICT systems. This proactive approach

ensures that potential weaknesses are swiftly addressed. bolstering their overall information security posture. In their comprehensive approach to information security, Bytes has identified and assessed various

risks. During this process, despite implementing the security controls, Bytes' expert team identified unacceptable residual risks, and the team Currently faces uncertainty regarding which specific options to for

addressing these identified and unacceptable residual risks.

Based on scenario 5, certain residual risks were defined as unacceptable. Which risk treatment options should Bytes consider?

Scenario 1: HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients' data and medical history, and communicate with all the [^involved parties, including parents, other physicians, and the medical laboratory staff.

Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.

The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic's patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients' privacy.

In scenario 1, HealthGenic experienced a number of service interruptions due to the loss of functionality of the software. Which principle of information security has been affected in this case?

Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management [^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.

First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity

Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted

Based on the scenario above, answer the following question:

The decision to treat only risks that were classified as high indicates that Trade B has:

Scenario 3: Auto Tsaab, a Swedish Car manufacturer founded in and headquartered in Sweden, iS well-known for its innovation in the automotive industry, Despite this Strong reputation, the

company has faced considerable challenges managing its documented information.

Although manual methods of handling this information may have been sufficient in the past, they now pose substantial challenges. particularly in efficiency, accuracy, and scalability. Moreover, entrusting the

responsibility Of managing documented information to a single individual creates a critical vulnerability, introducing a potential single point Of failure within the organization's information management system,

To address these challenges and reinforce its commitment to protecting information assets, Auto Tsaab implemented an information security management system ISMS aligned with ISO/IEC 27001. This move

was critical 10 ensuring the security, confidentiality, and integrity of the companys information, particularly as it transitioned from manual to automated information management methods.

initially, Auto Tsaab established automated checking Systems that detect and Correct corruption. By implementing these automated checks, Auto Tsaab not only improved its ability to maintain data accuracy and

consistency but also significantly reduced the risk of undetected errors.

Central to Auto ISMS ate documented processes. By documenting essential aspects and processes Such as the ISMS scope, information security policy, operational planning and control, information

security risk assessment, internal audit. and management review. Auto Tsaab ensured that these documents were readily available and adequately protected. Moreover. Auto Tsaab utilizes a comprehensive

framework incorporating 36 distinct categories spanning products, services. hardware, and software. This framework. organized in a two-dimensional matrix with six rows and six columns, facilitates the

specification of technical details for components and assemblies in its small automobiles. underscoring the company's commitment to innovation and quality,

TO maintain the industry standards. Auto Tsaab follows rigorous protocols in personnel selection. guaranteeing that every team member is not only eligible but also well-suited for their respective roles within the

organization. Additionally, the company established formal procedures for handling policy violations and appointed an internal consultant to continuously enhance its documentation and security practices.

After committing to ISO/IEC 27001 adherence, was the documented information in Auto Tsaab’s information security management system managed in compliance with the standard?

The purpose of control 5.9 inventory of Information and other associated assets of ISO/IEC 27001 is to identify organization's information and other associated assets in order to preserve their information security and assign ownership. Which of the following actions docs NOT fulfill this purpose?

Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming consoles, flat-screen TVs. computers, and printers. In order to ensure information security, the company has decided to implement an information security management system (ISMS) based on the requirements of ISO/IEC 27001.

Colin, the company's best information security expert, decided to hold a training and awareness session for the personnel of the company regarding the information security challenges and other information security-related controls. The session included topics such as Skyver's information security approaches and techniques for mitigating phishing and malware.

One of the participants in the session is Lisa, who works in the HR Department. Although Colin explains the existing Skyver's information security policies and procedures in an honest and fair manner, she finds some of the issues being discussed too technical and does not fully understand the session. Therefore, in a lot of cases, she requests additional help from the trainer and her colleagues

Based on scenario 6. Lisa found some of the issues being discussed in the training and awareness session too technical, thus not fully understanding the session. What does this indicate?