Month End Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

ISO-IEC-27001-Lead-Implementer Exam Dumps - PECB Certified ISO/IEC 27001 : 2022 Lead Implementer exam

Go to page:
Question # 41

Scenario 8: SunDee is a biopharmaceutical firm headquartered in California, US. Renowned for its pioneering work in the field of human therapeutics, SunDee places a strong emphasis on addressing critical healthcare concerns, particularly in the domains of cardiovascular diseases, oncology, bone health, and inflammation. SunDee has demonstrated its commitment to data security and integrity by maintaining an effective information security management system (ISMS) based on ISO/IEC 27001 for the past two years.

In preparation for the recertification audit, SunDee conducted an internal audit. The company's top management appointed Alex, who has actively managed the Compliance Department's day-to-day operations for the last six months, as the internal auditor. With this dual role assignment, Alex is tasked with conducting an audit that ensures compliance and provides valuable recommendations to improve operational efficiency.

During the internal audit, a few nonconformities were identified. To address them comprehensively, the company created action plans for each nonconformity, working closely with the audit team leader.

SunDee's senior management conducted a comprehensive review of the ISMS to evaluate its appropriateness, sufficiency, and efficiency. This was integrated into their regular management meetings. Essential documents, including audit reports, action plans, and review outcomes, were distributed to all members before the meeting. The agenda covered the status of previous review actions, changes affectingthe ISMS, feedback, stakeholder inputs, and opportunities for improvement. Decisions and actions targeting ISMS improvements were made, with a significant role played by the ISMS coordinator and the internal audit team in preparing follow-up action plans, which were then approved by top management.

In response to the review outcomes, SunDee promptly implemented corrective actions, strengthening its information security measures. Additionally, dashboard tools were introduced to provide a high-level overview of key performance indicators essential for monitoring the organization's information security management. These indicators included metrics on security incidents, their costs, system vulnerability tests, nonconformity detection, and resolution times, facilitating effective recording, reporting, and tracking of monitoring activities. Furthermore, SunDee embarked on a comprehensive measurement process to assess the progress and outcomes of ongoing projects, implementing extensive measures across all processes. The top management determined that the individual responsible for the information, aside from owning the data that contributes to the measures, would also be designated accountable for executing these measurement activities.

Based on the scenario above, answer the following question:

Did SunDee define the roles for measurement activities correctly?

A.

Yes, the information owner can also be responsible for conducting measurement activities

B.

No, as the information owner cannot perform different measurement-related roles and responsibilities

C.

No, as the responsibility for conducting measurement activities should have been assigned to the information communicator

Full Access
Question # 42

What is the primary requirement for the documented information of an ISMS?

A.

It must exist solely in a digital format to ensure modern compatibility

B.

It must be sufficiently flexible to adapt to any identified change triggers

C.

It must be accessible to the public at all times to maintain transparency

Full Access
Question # 43

Question:

How should the level of detail in risk identification evolve over time?

A.

It should be refined gradually through iterative assessments, increasing the level of detail over time

B.

It should be performed in full detail only when significant changes occur in the organization

C.

It should focus on highly detailed assessments conducted on an ad-hoc basis rather than broad risk assessments

Full Access
Question # 44

Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management [^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.

First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria anddecided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity

Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted

Based on scenario 4, the fact that TradeB defined the level of risk based on three nonnumerical categories indicates that;

A.

The level of risk will be evaluated against qualitative criteria

B.

The level of risk will be defined using a formula

C.

The level of risk will be evaluated using quantitative analysis

Full Access
Question # 45

Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.

Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan The action plan, approved by the top management, was written as follows:

A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department

The approved action plan was implemented and all actions described in the plan were documented.

Based on scenario 9. is the action plan for the identified nonconformities sufficient to eliminate the detected nonconformities?

A.

Yes, because a separate action plan has been created for the identified nonconformity

B.

No, because the action plan does not include a timeframe for implementation

C.

No, because the action plan does not address the root cause of the identified nonconformity

Full Access
Question # 46

Which of the situations below can negatively affect the internal audit process?

A.

Restricting the internal auditor's access to offices and documentation

B.

Conducting internal audit interviews with all employees of the organization

C.

Reporting the internal audit results to the top management

Full Access
Question # 47

Upon the risk assessment outcomes. Socket Inc. decided to:

• Require the use of passwords with at least 12 characters containing uppercase and lowercase letters, symbols, and numbers

• Require the change of passwords at least once every 60 days

• Keep backup copies of files on IT-provided network drives

• Assign users to a separate network when they have access to cloud storage files storing customers' personal data.

Based on scenario 5. Socket Inc. decided to use cloud storage to store customers' personal data considering that the identified risks have low likelihood and high impact, is this acceptable?

A.

Yes. because the calculated level of risk is below the acceptable threshold

B.

No, because the impact of the identified risks is considered in he high

C.

No. because the identified risks fall above the risk acceptable criteria threshold

Full Access
Question # 48

Which of the following is the most suitable option for presenting raw data in a user-friendly, easy-to-read format?

A.

Scorecards

B.

Reports

C.

Gages

Full Access
Go to page: