PECB ISO-IEC-27002-Foundation - ISO/IEC 27002 Foundation Exam

A vulnerability with no currently identified corresponding threat should still be recognized and monitored. A vulnerability is a weakness that could be exploited, but risk usually depends on the relationship between assets, threats, vulnerabilities, likelihood, and consequences. When no active or relevant threat is identified, immediate treatment may not be proportionate. However, ignoring the vulnerability would be inconsistent with ISO/IEC 27002’s risk-aware approach. Threat conditions change. A weakness that appears low priority today may become exploitable after a new attack technique, system exposure, business change, supplier change, or threat actor capability emerges. Recognizing the vulnerability ensures it is recorded and available for future assessment. Monitoring it ensures the organization detects changes in exploitability, exposure, or threat relevance. ISO/IEC 27002 supports this through threat intelligence and management of technical vulnerabilities, both of which require organizations to remain alert to changes in the threat and vulnerability landscape. Therefore, the correct answer is both recognizing and monitoring the vulnerability. References/Chapters: ISO/IEC 27002:2022, Control 5.7 Threat intelligence; Control 8.8 Management of technical vulnerabilities; Control 5.36 Compliance with policies, rules and standards for information security.

==========

Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. Option A describes only one component: risk identification. This is where risks are found, recognized, and described. Option B describes risk analysis, where the organization understands the nature of risk and determines the level of risk, often by considering likelihood and consequence. A full assessment also requires risk evaluation, where the analyzed risk is compared against criteria to determine whether it is acceptable or requires treatment. ISO/IEC 27002 relies on this risk-based logic because controls should be selected according to actual security needs. The standard provides guidance on controls, but it does not require every organization to implement every control in the same way. Risk assessment helps determine which controls are necessary, how strongly they should be implemented, and what residual risk remains. This is why option C is the complete and correct answer. ISO/IEC 27002 control implementation is meaningful only when linked to risk, context, business value, and obligations. References/Chapters: ISO/IEC 27002:2022, Clause 4 control selection and attributes; ISO/IEC 27001 risk assessment and treatment; ISO/IEC 27005 risk management terminology.

==========