PECB ISO-IEC-27002-Foundation - ISO/IEC 27002 Foundation Exam

Confidentiality is breached when information is made available or disclosed to unauthorized individuals, entities, or processes. Option A is the correct answer because employees from all departments have access to colleagues’ personal data, even though such access should normally be restricted to authorized roles such as HR, payroll, compliance, or designated management. Internal users can still be unauthorized users when their role does not justify access. ISO/IEC 27002 addresses this through access control, access rights management, classification, privacy protection, and information access restriction. Option B is an availability issue because a department cannot access needed customer phone numbers due to equipment failure. Option C is an integrity issue because banking information was accidentally modified. The confidentiality principle is specifically about limiting disclosure and availability of information to authorized parties only. Personal data requires additional care because privacy obligations may apply, and excessive internal access can create legal, ethical, and reputational harm. The verified answer is therefore option A. References/Chapters: ISO/IEC 27002:2022, Control 5.15 Access control; Control 5.18 Access rights; Control 5.34 Privacy and protection of PII; Control 8.3 Information access restriction.

==========

A digital customer identity is the best example of an organizational asset in cyberspace because it exists, functions, and is protected within digital systems, networks, applications, and online services. ISO/IEC 27002 treats identities, authentication information, access rights, and digital accounts as critical security subjects because compromise of identity can enable unauthorized access, fraud, impersonation, privacy breaches, and loss of accountability. A digital customer identity can include usernames, identifiers, credentials, account attributes, authentication factors, access permissions, profile data, and linked personal information. Medical data and intellectual property are also important information assets, but the phrase “asset in cyberspace” points most directly to a digitally represented identity used for electronic interaction. ISO/IEC 27002 contains several controls that protect this asset type, including identity management, authentication information, access rights, secure authentication, and access restriction. These controls ensure that identities are created, maintained, verified, modified, disabled, and removed in a controlled manner. The exam logic therefore favors option B because cyberspace emphasizes digital identity and online representation. References/Chapters: ISO/IEC 27002:2022, Control 5.16 Identity management; Control 5.17 Authentication information; Control 5.18 Access rights; Control 8.5 Secure authentication.

==========

Under Control 5.1, information security policies should include statements that define direction, responsibilities, and policy expectations, including how exemptions and exceptions are handled. Exception handling is important because policies cannot be treated casually or bypassed informally. When an exception is necessary, it should be justified, approved, documented, time-bound where appropriate, risk-assessed, and reviewed. This preserves governance and ensures deviations do not become uncontrolled weaknesses. Option A, recovery from a data breach, is important but belongs more naturally to incident management, business continuity, and response planning rather than the general information security policy statement. Option C, procedures for using automated information systems, may be addressed in acceptable use or operational procedures, but it is not the best match for Control 5.1’s policy content. The information security policy establishes the authority and framework for topic-specific policies and procedures. It should include high-level statements on objectives, principles, responsibilities, compliance expectations, and exception management. Therefore, option B is verified. References/Chapters: ISO/IEC 27002:2022, Control 5.1 Policies for information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.37 Documented operating procedures.

==========

Access control software that allows only authorized employees to access sensitive files is a preventive control. Its purpose is to stop unauthorized access before it occurs by enforcing approved access rules. In ISO/IEC 27002, access control is implemented through policies, identity management, authentication, authorization, access rights review, privileged access control, and restrictions on information access. This type of software can prevent unauthorized disclosure, unauthorized modification, misuse of sensitive data, and violation of privacy or contractual obligations. It is not primarily detective because it does not merely discover an event after it has happened. It is not corrective because it does not restore damaged information or reverse the impact of an incident. Its security value is in blocking access attempts that do not meet authorization criteria. The principle behind the control is least privilege: users should receive only the access necessary for their role and responsibilities. For sensitive files, this is especially important because confidentiality, integrity, and accountability depend on correct authorization. References/Chapters: ISO/IEC 27002:2022, Control 5.15 Access control; Control 5.16 Identity management; Control 5.18 Access rights; Control 8.3 Information access restriction.

==========

ISO/IEC 27002 recommends that audit testing should be planned and agreed upon between the tester and appropriate management. The purpose is to obtain assurance without creating unnecessary disruption, exposure, or operational risk. Audit tests can involve access attempts, vulnerability checks, sampling, transaction tracing, configuration review, log review, or control validation. If such activities are unmanaged, they may overload systems, expose sensitive information, interrupt services, conflict with change windows, or create false incident signals. Option B is incorrect because ad hoc assurance testing can be risky and inconsistent unless properly authorized and controlled. Option C is incorrect because audits should not normally require stopping operational systems and business processes; rather, they should be designed to minimize disruption while preserving evidence quality. ISO/IEC 27002 treats audit and assurance activities as important but controlled. Planning should define scope, timing, method, responsibilities, data handling, access requirements, and communication. The verified answer is option A because it balances assurance with operational security and business continuity. References/Chapters: ISO/IEC 27002:2022, Control 8.34 Protection of information systems during audit testing; Control 5.35 Independent review of information security.

==========

When establishing a remote working policy, organizations should consider the threat of unauthorized access to information or resources from other persons in public places. Remote working changes the security environment because employees may work from homes, hotels, airports, cafés, shared offices, client sites, or while travelling. These environments can expose information to shoulder surfing, overheard conversations, device theft, insecure Wi-Fi, unattended screens, family or visitor access, and uncontrolled printing or storage. ISO/IEC 27002 Control 6.7, Remote working, expects organizations to define security measures for remote work based on risk. This can include secure authentication, encryption, screen privacy, endpoint protection, physical protection of devices, secure network access, acceptable use, incident reporting, backup, and restrictions on handling sensitive information. Option B relates more to equipment siting and physical protection of facilities. Option C relates to access rights and privileged access management. Both can be relevant elsewhere, but the remote working policy question directly points to risks from other persons in public or uncontrolled locations. Therefore, option A is verified. References/Chapters: ISO/IEC 27002:2022, Control 6.7 Remote working; Control 7.9 Security of assets off-premises; Control 5.15 Access control.

Control 7.9, Security of assets off-premises, belongs to the physical control group. ISO/IEC 27002:2022 organizes controls into four themes: organizational controls, people controls, physical controls, and technological controls. Controls in Clause 7 are physical controls, and Control 7.9 specifically addresses protection of organizational assets when they are outside the organization’s premises. This includes laptops, mobile devices, storage media, documents, portable equipment, and other assets used during travel, remote work, home working, customer visits, supplier sites, or field operations. Off-premises use increases physical risk because assets may be exposed to theft, loss, damage, unauthorized viewing, insecure storage, or uncontrolled environments. Although technological measures such as encryption and remote wipe may support this control, the control itself is placed in the physical theme because its focus is the secure handling and protection of assets outside controlled facilities. Option A is incorrect because organizational controls are in Clause 5. Option C is incorrect because technological controls are in Clause 8. References/Chapters: ISO/IEC 27002:2022, Clause 7 Physical controls; Control 7.9 Security of assets off-premises; Clause 4 Structure of the standard.

==========

A fire alarm is a detective and technical control. It is detective because it identifies or signals that a fire-related event may be occurring. The alarm does not normally stop the fire from starting, and it does not restore damaged assets after the event. Its purpose is to detect indicators such as smoke, heat, or fire and trigger response actions such as evacuation, suppression, emergency communication, or incident handling. It is technical because it operates through engineered or electronic mechanisms rather than through management approval, legal clauses, or purely administrative processes. ISO/IEC 27002:2022 classifies controls using attributes, including control type. Control types include preventive, detective, and corrective. Fire alarms align with the physical security control area because fire is a physical and environmental threat to information processing facilities, equipment, storage media, and supporting infrastructure. The value of the control is timely detection, reducing the chance that a physical event escalates unnoticed into major damage or service disruption. References/Chapters: ISO/IEC 27002:2022, Clause 4 control attributes; Control 7.4 Physical security monitoring; Control 7.5 Protecting against physical and environmental threats.

==========

Control 8.31, Separation of development, testing and operational environments, aims to protect the production environment and production data from unauthorized or inappropriate change, exposure, or disruption. Development and testing activities often involve code changes, debugging, experimental configurations, test accounts, incomplete controls, and simulated transactions. If these activities occur directly in production, they can compromise confidentiality, integrity, and availability. Separation reduces the risk that untested software, test data, developer privileges, or debugging tools affect live systems and real business information. Control 5.13, Labelling of information, supports correct handling by communicating classification and protection needs, but it does not specifically protect production environments. Control 6.6, Confidentiality or non-disclosure agreements, supports legal and people-related confidentiality commitments, but it does not directly separate technical environments. The exam logic focuses on the control whose stated purpose is to protect production systems and data from risks introduced by development and testing. Therefore, option B is correct. References/Chapters: ISO/IEC 27002:2022, Control 8.31 Separation of development, testing and operational environments; Control 8.32 Change management; Control 8.29 Security testing in development and acceptance.

==========