The Best ISO-IEC-27035-Lead-Incident-Manager Exam Study Material and Preparation Test Question Dumps
Get Ready to Pass the ISO-IEC-27035-Lead-Incident-Manager exam Right Now Using Our ISO 27001 Exam Package
NEW QUESTION # 38
Why is it important for performance measures to be specific according to the SMART methodology?
- A. To ensure they are aligned with organizational culture
- B. To compare them to other data easily
- C. To avoid misconception and ensure clarity
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The SMART model (Specific, Measurable, Achievable, Relevant, Time-bound) is outlined in ISO/IEC 27035-
2:2016 for defining and tracking performance metrics in incident response. The "Specific" component ensures that measures are clearly defined and understood by stakeholders to avoid ambiguity.
This clarity is essential for accountability, tracking, and reporting performance accurately, which directly aligns with Option B.
Reference:
ISO/IEC 27035-2:2016 Clause 7.3.2: "Performance indicators should be SMART to ensure they are effective and meaningful." Correct answer: B
-
NEW QUESTION # 39
How should vulnerabilities lacking corresponding threats be handled?
- A. They should be disregarded as they pose no risk
- B. They still require controls and should be promptly addressed
- C. They may not require controls but should be analyzed and monitored for changes
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27005:2018 (which supports ISO/IEC 27035 in risk management and threat assessment processes), vulnerabilities that are not currently associated with known threats do not necessarily need immediate remediation or technical control measures. However, they cannot be ignored entirely either.
Such vulnerabilities may not pose an active risk at the present time, but that can change quickly if a new threat emerges that can exploit them. Therefore, these vulnerabilities should be documented, assessed in context, and monitored over time. This process ensures that if the threat landscape evolves, the organization can respond proactively.
The standard emphasizes a risk-based approach, which includes:
* Analyzing vulnerabilities in relation to assets and threat likelihood
* Monitoring the environment for changes that may introduce new threats
* Avoiding unnecessary or unjustified resource expenditure on low-risk issues Option A is incorrect because it suggests addressing all vulnerabilities without considering risk context.
Option B is risky and contradicts ISO best practices, which emphasize continuous risk monitoring.
Reference Extracts:
* ISO/IEC 27005:2018, Clause 8.2.2: "Vulnerabilities without known threats may not require treatment immediately but should be monitored regularly."
* ISO/IEC 27001:2022, Annex A, Control A.8.8 - "Management of technical vulnerabilities should be risk- based and responsive to changes." Therefore, the correct answer is C: They may not require controls but should be analyzed and monitored for changes.
-
NEW QUESTION # 40
Scenario 5: Located in Istanbul. Turkey. Alura Hospital is a leading medical institution specializing in advanced eye surgery and vision care. Renowned for its modern facilities, cutting edge technology, and highly skilled staff, Alura Hospital is committed to delivering exceptional patient care. Additionally, Alura Hospital has implemented the ISO/IEC 27035 standards to enhance its information security incident management practices.
At Alura Hospital, the information security incident management plan is a critical component of safeguarding patient data and maintaining the integrity of its medical services This comprehensive plan includes instructions for handling vulnerabilities discovered during incident management According to this plan, when new vulnerabilities are discovered, Mehmet is appointed as the incident handler and is authorized to patch the vulnerabilities without assessing their potential impact on the current incident, prioritizing patient data security above all else Recognizing the importance of a structured approach to incident management. Alura Hospital has established four teams dedicated to various aspects of incident response The planning team focuses on implementing security processes and communicating with external organizations The monitoring team is responsible for security patches, upgrades, and security policy implementation The analysis team adjusts risk priorities and manages vulnerability reports, while the test and evaluation team organizes and performs incident response tests to ensure preparedness During an incident management training session, staff members at Alura Hospital were provided with clear roles and responsibilities. However, a technician expressed uncertainty about their role during a data integrity incident as the manager assigned them a role unrelated to their expertise. This decision was made to ensure that all staff members possess versatile skills and are prepared to handle various scenarios effectively.
Additionally. Alura Hospital realized it needed to communicate better with stakeholders during security incidents. The hospital discovered it was not adequately informing stakeholders and that relevant information must be provided using formats, language, and media that meet their needs. This would enable them to participate fully in the incident response process and stay informed about potential risks and mitigation strategies.
Also, the hospital has experienced frequent network performance issues affecting critical hospital systems and increased sophisticated cyber attacks designed to bypass traditional security measures. So, it has deployed an external firewall. This action is intended to strengthen the hospital s network security by helping detect threats that have already breached the perimeter defenses. The firewall's implementation is a part of the hospital's broader strategy to maintain a robust and secure IT infrastructure, which is crucial for protecting sensitive patient data and ensuring the reliability of critical hospital systems. Alura Hospital remains committed to integrating state-of-the-art technology solutions to uphold the highest patient care and data security standards.
During a training session on incident management at Alura Hospital, staff members are presented with various roles and responsibilities. One staff member, a technician, was unsure about their role during a data integrity incident. According to the training objectives, did the manager take the correct action to ensure the technician was prepared?
- A. Yes, roles and responsibilities should include rotational training to ensure all staff are versatile
- B. No, they should have provided the technician with specific role-playing exercises related to data integrity incidents
- C. No, roles and responsibilities should be assigned based on seniority to ensure that more experienced staff handle complex scenarios
Answer: A
Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-2 and ISO/IEC 27002:2022 (A.6.3 - Information Security Awareness and Training), incident response training should aim to build both competence and adaptability. Cross-training and rotational exposure to different incident types prepare staff for a wide range of potential scenarios, enhancing organizational resilience.
Assigning roles not strictly based on current expertise fosters flexibility and supports development, particularly in incident response, where versatile response capabilities are critical.
Reference:
ISO/IEC 27035-2:2016, Clause 5.2.3: "Training should cover various incident scenarios and enable staff to take on different responsibilities as required." ISO/IEC 27002:2022, Control A.6.3: "Training should be ongoing and adaptive to emerging threats and varied incident types." Correct answer: A
NEW QUESTION # 41
Scenario 6: EastCyber has established itself as a premier cyber security company that offers threat detection, vulnerability assessment, and penetration testing tailored to protect organizations from emerging cyber threats. The company effectively utilizes ISO/IEC 27035*1 and 27035-2 standards, enhancing its capability to manage information security incidents.
EastCyber appointed an information security management team led by Mike Despite limited resources, Mike and the team implemented advanced monitoring protocols to ensure that every device within the company's purview is under constant surveillance This monitoring approach is crucial for covering everything thoroughly, enabling the information security and cyber management team to proactively detect and respond to any sign of unauthorized access, modifications, or malicious activity within its systems and networks.
In addition, they focused on establishing an advanced network traffic monitoring system This system carefully monitors network activity, quickly spotting and alerting the security team to unauthorized actions This vigilance is pivotal in maintaining the integrity of EastCyber's digital infrastructure and ensuring the confidentiality, availability, and integrity of the data it protects.
Furthermore, the team focused on documentation management. They meticulously crafted a procedure to ensure thorough documentation of information security events. Based on this procedure, the company would document only the events that escalate into high-severity incidents and the subsequent actions. This documentation strategy streamlines the incident management process, enabling the team to allocate resources more effectively and focus on incidents that pose the greatest threat.
A recent incident involving unauthorized access to company phones highlighted the critical nature of incident management. Nate, the incident coordinator, quickly prepared an exhaustive incident report. His report detailed an analysis of the situation, identifying the problem and its cause. However, it became evident that assessing the seriousness and the urgency of a response was inadvertently overlooked.
In response to the incident, EastCyber addressed the exploited vulnerabilities. This action started the eradication phase, aimed at systematically eliminating the elements of the incident. This approach addresses the immediate concerns and strengthens EastCyber's defenses against similar threats in the future.
Based on scenario 6, EastCyber's team established a procedure for documenting only the information security events that escalate into high-severity incidents. According to ISO/IEC 27035-1, is this approach acceptable?
- A. No, they should use established guidelines to document events and subsequent actions when the event is classified as an information security incident
- B. No, because documentation should only occur post-incident to avoid any interference with the response process
- C. The standard suggests that organizations document only events that classify as high-severity incidents
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1:2016 clearly states that documentation is essential for all information security incidents, regardless of severity. While prioritization is necessary, the standard recommends that events meeting the threshold of an information security incident (based on classification and assessment) must be recorded, along with the corresponding actions taken.
The practice described-documenting only high-severity incidents-may result in overlooking patterns in lower-priority events that could lead to significant issues if repeated or correlated.
Clause 6.4.5 of ISO/IEC 27035-1:2016 emphasizes that documentation should be thorough and begin from the detection phase through to response and lessons learned.
Option A is incorrect, as the standard does not permit selective documentation only for severe incidents.
Option C misrepresents the intent of documentation, which must be concurrent with or shortly after incident handling-not only post-event.
Reference:
ISO/IEC 27035-1:2016, Clause 6.4.5: "All incident information, decisions, and activities should be documented in a structured way to enable future review, learning, and audit." Clause 6.2.3: "When an event is assessed as an incident, it must be recorded along with all subsequent actions." Correct answer: B
-
NEW QUESTION # 42
What is the purpose of incident categorization within the incident management lifecycle?
- A. To automatically assign incidents to technicians
- B. To determine the priority of incidents
- C. To sort incidents based on the disrupted IT or business domain
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, incident categorization is a vital step in the incident management lifecycle. Its primary purpose is to sort and group incidents based on specific criteria so that appropriate actions and escalation paths can be taken.
One of the core objectives of categorization is to sort incidents by the domain or system affected - whether it' s a database, email system, network, or physical server. This enables organizations to assign incidents to relevant subject matter experts and apply the right procedures, based on the affected business function or IT component.
While categorization can influence prioritization (option A), the main intent is classification based on nature and domain. Automatic technician assignment (option B) may be supported by some service management platforms but is not the foundational purpose of incident categorization under ISO 27035.
Reference Extracts:
ISO/IEC 27035-1:2016, Clause 6.1.2 - "Categorization should identify the domain or component affected to enable appropriate response and escalation." ISO/IEC 27035-2:2016, Clause 7.3 - "Incidents should be categorized based on the type of disruption they cause and the business or technical domain they impact." Therefore, the correct answer is C: To sort incidents based on the disrupted IT or business domain.
-
NEW QUESTION # 43
Which document provides guidelines for planning and preparing for incident response and for learning lessons from the incident response process?
- A. ISO/IEC 27037
- B. ISO/IEC 27035-2
- C. ISO/IEC 27035-1
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-2:2016 is titled "Information security incident management - Part 2: Guidelines to plan and prepare for incident response." This document provides detailed guidance on establishing an incident response capability, planning for incident response, and implementing effective response actions. It also emphasizes the importance of post-incident analysis and lessons learned to improve future incident handling.
Key activities covered in ISO/IEC 27035-2 include:
* Planning and preparing for incident handling (e.g., policy development, roles and responsibilities)
* Establishing and training the incident response team (IRT)
* Developing communication strategies and escalation procedures
* Conducting root cause analysis and collecting lessons learned
* Applying improvements to prevent recurrence
By contrast:
* ISO/IEC 27035-1 provides high-level principles of incident management (Part 1: Principles).
* ISO/IEC 27037 relates to the handling of digital evidence and is focused more on forensic practices than incident response preparation.
Reference Extracts:
* ISO/IEC 27035-2:2016, Introduction: "This part provides guidance on the planning and preparation necessary for effective incident response and for learning lessons from incidents."
* ISO/IEC 27035-2:2016, Clause 6.5: "Lessons learned and reporting can help improve future incident response and provide input to risk assessments and control improvements."
NEW QUESTION # 44
Scenario 6: EastCyber has established itself as a premier cyber security company that offers threat detection, vulnerability assessment, and penetration testing tailored to protect organizations from emerging cyber threats. The company effectively utilizes ISO/IEC 27035*1 and 27035-2 standards, enhancing its capability to manage information security incidents.
EastCyber appointed an information security management team led by Mike Despite limited resources, Mike and the team implemented advanced monitoring protocols to ensure that every device within the company's purview is under constant surveillance This monitoring approach is crucial for covering everything thoroughly, enabling the information security and cyber management team to proactively detect and respond to any sign of unauthorized access, modifications, or malicious activity within its systems and networks.
In addition, they focused on establishing an advanced network traffic monitoring system This system carefully monitors network activity, quickly spotting and alerting the security team to unauthorized actions This vigilance is pivotal in maintaining the integrity of EastCyber's digital infrastructure and ensuring the confidentiality, availability, and integrity of the data it protects.
Furthermore, the team focused on documentation management. They meticulously crafted a procedure to ensure thorough documentation of information security events. Based on this procedure, the company would document only the events that escalate into high-severity incidents and the subsequent actions. This documentation strategy streamlines the incident management process, enabling the team to allocate resources more effectively and focus on incidents that pose the greatest threat.
A recent incident involving unauthorized access to company phones highlighted the critical nature of incident management. Nate, the incident coordinator, quickly prepared an exhaustive incident report. His report detailed an analysis of the situation, identifying the problem and its cause. However, it became evident that assessing the seriousness and the urgency of a response was inadvertently overlooked.
In response to the incident, EastCyber addressed the exploited vulnerabilities. This action started the eradication phase, aimed at systematically eliminating the elements of the incident. This approach addresses the immediate concerns and strengthens EastCyber's defenses against similar threats in the future.
According to scenario 6, Nate compiled a detailed incident report that analyzed the problem and its cause but did not evaluate the incident's severity and response urgency. Does this align with the ISO/IEC 27035-1 guidelines?
- A. No, Nate overlooked the necessity of assessing the seriousness and the urgency of the response
- B. Yes. Nate included all the elements required by ISO/IEC 27035-1
- C. No, as the report did not include a comprehensive list of all employees who accessed the system within
24 hours before the incident
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1:2016 emphasizes that part of the incident handling process-particularly during assessment and documentation-must include evaluation of both the seriousness (severity) and urgency (criticality) of the incident.
Clause 6.4.2 requires that an incident's potential impact and required response timelines be assessed promptly to determine appropriate action. Nate's omission of this evaluation, despite creating a technically sound report, means that the organization could misjudge the incident's risk, delay appropriate response, or fail to meet notification obligations.
Option A is incorrect because ISO/IEC 27035 explicitly lists impact and urgency as required analysis elements. Option C, while possibly helpful in forensic analysis, is not a required component per the standard.
Reference:
ISO/IEC 27035-1:2016, Clause 6.4.2: "Assess the impact, severity, and urgency of the incident to determine the necessary response and escalation procedures." Clause 6.5.4: "An incident report should include an evaluation of incident criticality to inform decision- making." Correct answer: B Each includes the correct answer, detailed justification, and citation from ISO/IEC 27035 standards.
-
NEW QUESTION # 45
Scenario 2: NoSpace, a forward-thinking e-commerce store based in London, is renowned for its diverse products and advanced technology. To enhance its information security, NoSpace implemented an ISMS according to ISO/IEC 27001 to better protect customer data and ensure business continuity. Additionally, the company adopted ISO/IEC 27035-1 and ISO/IEC 27035-2 guidelines. Mark, the incident manager at NoSpace, strategically led the entire implementation. He played a crucial role in aligning the company's ISMS with the requirements specified in ISO/IEC 27001, using ISO/IEC 27035-1 guidelines as the foundation.
During a routine internal audit a minor anomaly was detected in the data traffic that could potentially indicate a security threat. Mark was immediately notified to assess the situation. Then, Mark and his team immediately escalated the incident to crisis management to handle the potential threat without further assessment. The decision was made to ensure a swift response.
After resolving the situation, Mark decided to update the incident management process. During the initial phase of incident management, Mark recognized the necessity of updating NoSpace's information security policies. This included revising policies related to risk management at the organizational level as well as for specific systems, services, or networks. The second phase of the updated incident management process included the assessment of the information associated with occurrences of information security events and the importance of classifying events and vulnerabilities as information security incidents. During this phase, he also introduced a 'count down' process to expedite the evaluation and classification of occurrences, determining whether they should be recognized as information security incidents.
Mark developed a new incident management policy to enhance the organization's resilience and adaptability in handling information security incidents. Starting with a strategic review session with key stakeholders, the team prioritized critical focus areas over less impactful threats, choosing not to include all potential threats in the policy document. This decision was made to keep the policy streamlined and actionable, focusing on the most significant risks identified through a risk assessment. The policy was shaped by integrating feedback from various department heads to ensure it was realistic and enforceable. Training and awareness initiatives were tailored to focus only on critical response roles, optimizing resource allocation and focusing on essential capabilities.
Based on scenario 2, NoSpace used the ISO/IEC 27035-1 guidelines to meet the ISMS requirements specified in ISO/IEC 27001. Is this acceptable?
- A. No, ISO/IEC 27035-1 is designed for incident management and response and does not address the broader scope of ISMS requirements specified in ISO/IEC 27001
- B. No, guidelines provided in ISO/IEC 27035-1 do not apply to ISMS requirements specified in ISO/IEC
27001 - C. Yes, another objective associated with ISO/IEC 27035-1 is to provide guidance on meeting the ISMS requirements specified in ISO/IEC 27001
Answer: C
Explanation:
-
Comprehensive and Detailed Explanation From Exact Extract:
Yes, the use of ISO/IEC 27035-1 to support compliance with ISO/IEC 27001 ISMS requirements is fully acceptable and encouraged. ISO/IEC 27035-1:2016 is explicitly designed to support organizations in establishing and maintaining effective information security incident management processes. These processes are a crucial component of a well-functioning Information Security Management System (ISMS), which is governed by ISO/IEC 27001.
Clause 6.1.3 and Clause A.16.1 of ISO/IEC 27001:2022 (formerly 2013) require that organizations establish and respond to information security incidents, including detection, response, and learning from such events.
ISO/IEC 27035-1 directly supports these controls by providing specific guidance on how to identify, manage, and learn from information security incidents in a structured and repeatable way.
Moreover, ISO/IEC 27035-1 is referenced by ISO/IEC 27001 Annex A (specifically A.5.24 to A.5.27 and A.
5.31 in the 2022 version), supporting requirements related to incident management, monitoring, and improvement. The ISO 27035 series acts as a detailed implementation guide for these controls, helping organizations meet both the management and operational requirements of the ISMS.
Therefore, Mark's decision to use ISO/IEC 27035-1 guidelines to align and enhance the incident management aspects of the ISMS is both appropriate and aligned with international best practices.
Reference Extracts:
* ISO/IEC 27035-1:2016, Clause 0.2: "This document also supports the information security requirements defined in ISO/IEC 27001 and provides detailed guidance on incident management activities relevant to an ISMS."
* ISO/IEC 27001:2022, Annex A (A.5.24-A.5.27): "Information security incident management should be based on established processes for detection, response, and learning."
* ISO/IEC 27001:2022, Clause 6.1.3: "Information security risks must be identified and treated as part of the ISMS." Therefore, the correct answer is A: Yes, another objective associated with ISO/IEC 27035-1 is to provide guidance on meeting the ISMS requirements specified in ISO/IEC 27001.
NEW QUESTION # 46
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
In scenario 3, which of the following risk identification approaches was used by L&K Associates?
- A. Asset-based approach
- B. Both A and B
- C. Event-based approach
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
L&K Associates employed two distinct approaches as described in ISO/IEC 27005:2018 and referenced in ISO/IEC 27035-2:
Strategic scenario identification, which involves analyzing sources of risk and their impact on stakeholders and objectives. This is aligned with the event-based approach, which focuses on risk sources and events that may lead to incidents.
Operational scenario identification, which involves a thorough assessment of assets, threats, and vulnerabilities - aligning with the asset-based approach, where the focus is on critical assets and the threats that may exploit their weaknesses.
ISO/IEC 27005:2018, Clause 8.2.2, identifies multiple methods for risk identification, including:
Asset-based approach
Event-based (or threat-based) approach
Vulnerability-centered approach
In this scenario, both the asset- and event-based methods were clearly applied by Leona, which is encouraged in ISO risk management practices to provide a holistic view of risk.
Therefore, the correct answer is C: Both A and B.
NEW QUESTION # 47
Scenario 4: ORingo is a company based in Krakow, Poland, specializing in developing and distributing electronic products for health monitoring and heart rate measurement applications. With a strong emphasis on innovation and technological advancement, ORingo has established itself as a trusted provider of high-quality, reliable devices that enhance the well being and healthcare capabilities of individuals and healthcare professionals alike.
As part of its commitment to maintaining the highest standards of information security, ORingo has established an information security incident management process This process aims to ensure that any potential threats are swiftly identified, assessed, and addressed to protect systems and information. However, despite these measures, an incident response team member at ORingo recently detected a suspicious state in their systems operational data, leading to the decision to shut down the company-wide system until the anomaly could be thoroughly investigated Upon detecting the threat, the company promptly established an incident response team to respond to the incident effectively. The team's responsibilities encompassed identifying root causes, uncovering hidden vulnerabilities, and implementing timely resolutions to mitigate the impact of the incident on ORingo's operations and customer trust.
In response to the threat detected across its cloud environments. ORingo employed a sophisticated security tool that broadened the scope of incident detection and mitigation This tool covers network traffic, doud environments, and potential attack vectors beyond traditional endpoints, enabling ORingo to proactively defend against evolving cybersecurity threats During a routine check, the IT manager at ORingo discovered that multiple employees lacked awareness of proper procedures following the detection of a phishing email. In response, immediate training sessions on information security policies and incident response were scheduled for all employees, emphasizing the importance of vigilance and adherence to established protocols in safeguarding ORingo's sensitive data and assets.
As part of the training initiative. ORingo conducted a simulated phishing attack exercise to assess employee response and knowledge. However, an employee inadvertently informed an external partner about the 'attack'' during the exercise, highlighting the importance of ongoing education and reinforcement of security awareness principles within the organization.
Through its proactive approach to incident management and commitment to fostering a culture of security awareness and readiness. ORingo reaffirms its dedication to safeguarding the integrity and confidentiality of its electronic products and ensuring the trust and confidence of its customers and stakeholders worldwide.
In scenario 4, during a routine check, the IT manager discovered that multiple employees were unaware of the proper procedures following the detection of a phishing email and scheduled immediate training for all employees on information security policies and incident response. Is this recommended?
- A. Yes, it is recommended that immediate training on these topics be provided to ensure employees know how to respond correctly to phishing emails
- B. No, providing training is unnecessary; the employees' ignorance of proper procedures regarding phishing emails is a minor issue
- C. No, the IT manager should handle the incident without involving other employees
Answer: A
Explanation:
Comprehensive and Detailed Explanation:
Phishing is one of the most common entry points for cybersecurity incidents. ISO/IEC 27035 and ISO/IEC
27002 both recommend security awareness training as a key preventive control. When users do not understand proper response procedures, the risk of successful attacks increases significantly.
Providing immediate training, especially following the identification of a knowledge gap, is considered best practice. This aligns with ISO/IEC 27001:2022 Annex A.6.3 and A.5.36, which emphasize the need for education and continuous awareness on security topics, including how to handle phishing attempts.
Reference:
ISO/IEC 27035-1:2016, Clause 6.1 - "Preparation includes awareness training to reduce the likelihood and impact of incidents." ISO/IEC 27002:2022, Control A.6.3 - "Personnel should receive appropriate awareness education and training to carry out their information security responsibilities." Therefore, the correct answer is A.
NEW QUESTION # 48
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
According to scenario 3, Leona decided to initially include only the elements provided in Clause 4.3 of ISO
/IEC 27035-2, Information security incident management policy content, in the incident management policy.
Is this acceptable?
- A. No, clause 4.3 of ISO/IEC 27035-2 does not cover elements for an effective incident management policy
- B. Yes, because as a minimum, the policy must cover the elements provided in clause 4.3 of ISO/IEC
27035-2 - C. Yes, because Leona has conducted a thorough risk assessment to identify potential gaps in the incident management policy beyond the scope of clause 4.3 of ISO/IEC 27035-2
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Clause 4.3 of ISO/IEC 27035-2:2016 outlines the minimum content requirements for an effective incident management policy. These include:
Purpose and objectives of the policy
Scope and applicability
Roles and responsibilities
Key terminology and definitions
High-level processes for incident detection, reporting, response, and learning Obligations of internal stakeholders Leona's decision to base the initial policy draft on Clause 4.3 is fully compliant and appropriate, as it ensures foundational consistency. ISO/IEC 27035-2 explicitly states that these elements form the minimum baseline for effective policy creation, and the document can be expanded later as needed.
Reference:
ISO/IEC 27035-2:2016, Clause 4.3: "The information security incident management policy should, at a minimum, contain the following elements..." Therefore, the correct answer is B: Yes, because as a minimum, the policy must cover the elements provided in clause 4.3 of ISO/IEC 27035-2.
-
NEW QUESTION # 49
What is the primary focus of internal exercises in information security incident management?
- A. Involving external organizations to assess collaboration
- B. Evaluating the readiness of the incident response team
- C. Testing inter-organizational communication
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Internal exercises, such as simulations, tabletop exercises, and mock drills, are designed primarily to assess the readiness, coordination, and performance of the internal incident response team (IRT). According to ISO
/IEC 27035-2:2016, these exercises aim to validate that the IRT understands their roles, follows documented procedures, and can act effectively under pressure.
While external collaboration (Options A and B) may be tested during joint exercises or industry-wide scenarios, the focus of internal exercises is on internal capabilities. These exercises help identify gaps in training, procedures, communication, and escalation pathways.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 7.3.3: "Exercises and simulations should be conducted to test the readiness of the incident response capability." NIST SP 800-84: "Regular exercises increase response efficiency and allow staff to develop incident handling confidence." Correct answer: C
-
NEW QUESTION # 50
According to ISO/IEC 27035-2, how should an organization plan the development of the incident response team capabilities?
- A. By discontinuing any capabilities that have not been used recently
- B. By considering how often certain capabilities were needed in the past
- C. By focusing only on internal capabilities
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-2:2016 recommends that organizations should assess the necessary capabilities of the Incident Response Team (IRT) based on risk exposure and the frequency of past incidents requiring specific skills or tools. This ensures a balanced and realistic approach to resource allocation while preparing for probable future events.
Section 7.2.1 of ISO/IEC 27035-2 outlines that capability planning should consider:
Lessons learned from prior incidents
Incident history and trends
Anticipated threat landscape
Option A is incorrect because relying solely on internal capabilities may leave organizations vulnerable when specialized expertise is required. Option C contradicts ISO guidance because a lack of recent use does not mean a capability is no longer critical; it may still be required during high-impact, low-frequency incidents.
Reference:
ISO/IEC 27035-2:2016, Clause 7.2.1: "Incident response capabilities should be planned and developed based on the history of incidents, business requirements, and likely future needs." Correct answer: B
-
NEW QUESTION # 51
Scenario 5: Located in Istanbul, Turkey, Alura Hospital is a leading medical institution specializing in advanced eye surgery and vision care. Renowned for its modern facilities, cutting-edge technology, and highly skilled staff, Alura Hospital is committed to delivering exceptional patient care. Additionally, Alura Hospital has implemented the ISO/IEC 27035 standards to enhance its information security incident management practices.
At Alura Hospital, the information security incident management plan is a critical component of safeguarding patient data and maintaining the integrity of its medical services. This comprehensive plan includes instructions for handling vulnerabilities discovered during incident management. According to this plan, when new vulnerabilities are discovered, Mehmet is appointed as the incident handler and is authorized to patch the vulnerabilities without assessing their potential impact on the current incident, prioritizing patient data security above all else.
Recognizing the importance of a structured approach to incident management, Alura Hospital has established four teams dedicated to various aspects of incident response. The planning team focuses on implementing security processes and communicating with external organizations. The monitoring team is responsible for security patches, upgrades, and security policy implementation. The analysis team adjusts risk priorities and manages vulnerability reports, while the test and evaluation team organizes and performs incident response tests to ensure preparedness.
During an incident management training session, staff members at Alura Hospital were provided with clear roles and responsibilities. However, a technician expressed uncertainty about their role during a data integrity incident, as the manager assigned them a role unrelated to their expertise. This decision was made to ensure that all staff members possess versatile skills and are prepared to handle various scenarios effectively.
Additionally, Alura Hospital realized it needed to communicate better with stakeholders during security incidents. The hospital discovered it was not adequately informing stakeholders and that relevant information must be provided using formats, language, and media that meet their needs. This would enable them to participate fully in the incident response process and stay informed about potential risks and mitigation strategies.
Also, the hospital has experienced frequent network performance issues affecting critical hospital systems and increased sophisticated cyberattacks designed to bypass traditional security measures. So, it has deployed an external firewall. This action is intended to strengthen the hospital's network security by helping detect threats that have already breached the perimeter defenses. The firewall's implementation is a part of the hospital's broader strategy to maintain a robust and secure IT infrastructure, which is crucial for protecting sensitive patient data and ensuring the reliability of critical hospital systems. Alura Hospital remains committed to integrating state-of-the-art technology solutions to uphold the highest patient care and data security standards.
According to scenario 5, which of the following principles of efficient communication did Alura Hospital NOT adhere to?
- A. Appropriateness
- B. Credibility
- C. Responsiveness
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016 (Information Security Incident Management - Part 1: Principles of Incident Management), one of the core principles of effective communication in incident management is
"appropriateness." This refers to ensuring that the right information is shared with the right stakeholders using the appropriate channels, language, format, and timing. The objective is to guarantee that communication is both understandable and actionable by its recipients.
In the scenario, Alura Hospital recognized that they were not adequately informing stakeholders during security incidents. They identified a gap in providing relevant information using suitable formats, media, or language. This failure points directly to a lack of "appropriateness" in their communication strategy.
According to ISO/IEC 27035-1, Section 6.4 (Communication), it is essential to tailor incident communication to stakeholder needs to ensure informed decision-making and engagement.
The other options-credibility and responsiveness-are not indicated as the failing areas. There is no mention that the information provided lacked credibility or that the hospital failed to respond to incidents or communicate in a timely manner. Rather, the issue lies with the medium, clarity, and stakeholder alignment- hallmarks of appropriateness.
Reference Extracts from ISO/IEC 27035-1:2016:
Clause 6.4: "Communication must be timely, relevant, accurate, and appropriate for the target audience." Clause 7.2.4: "Stakeholders should be informed using formats and channels that they can easily access and understand." Therefore, the principle not adhered to by Alura Hospital is clearly: Appropriateness (C).
-
NEW QUESTION # 52
Scenario 1: RoLawyers is a prominent legal firm based in Guadalajara, Mexico. It specializes in a wide range of legal services tailored to meet the diverse needs of its clients. Committed to excellence and integrity, RoLawyers has a reputation for providing legal representation and consultancy to individuals, businesses, and organizations across various sectors.
Recognizing the critical importance of information security in today's digital landscape, RoLawyers has embarked on a journey to enhance its information security measures. This company is implementing an information security incident management system aligned with ISO/IEC 27035-1 and ISO/IEC 27035-2 guidelines. This initiative aims to strengthen RoLawyers' protections against possible cyber threats by implementing a structured incident response process to provide guidance on establishing and maintaining a competent incident response team.
After transitioning its database from physical to online infrastructure to facilitate seamless information sharing among its branches, RoLawyers encountered a significant security incident. A malicious attack targeted the online database, overloading it with traffic and causing a system crash, making it impossible for employees to access it for several hours.
In response to this critical incident, RoLawyers quickly implemented new measures to mitigate the risk of future occurrences. These measures included the deployment of a robust intrusion detection system (IDS) designed to proactively identify and alert the IT security team of potential intrusions or suspicious activities across the network infrastructure. This approach empowers RoLawyers to respond quickly to security threats, minimizing the impact on their operations and ensuring the continuity of its legal services.
By being proactive about information security and incident management, RoLawyers shows its dedication to protecting sensitive data, keeping client information confidential, and earning the trust of its stakeholders.
Using the latest practices and technologies, RoLawyers stays ahead in legal innovation and is ready to handle cybersecurity threats with resilience and careful attention.
Based on scenario 1, which security control has RoLawyers implemented?
- A. Detective controls
- B. Preventive controls
- C. Corrective controls
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The deployment of an Intrusion Detection System (IDS) by RoLawyers following the incident is a classic example of implementing a detective control. According to ISO/IEC 27002:2022 (formerly 27002:2013), detective controls are designed to identify and report the occurrence of information security events in a timely manner. They help organizations discover that an event has occurred so that an appropriate response can be initiated.
The IDS mentioned in the scenario monitors the network for suspicious activity and alerts the IT security team when anomalies or intrusion attempts are detected. This aligns directly with the definition of detective controls.
By contrast:
Preventive controls are designed to prevent incidents from occurring in the first place (e.g., firewalls, access controls).
Corrective controls are actions taken after an incident to restore systems or data and prevent recurrence (e.g., patch management, backups).
Reference Extracts:
ISO/IEC 27002:2022, Clause 5.27 - "Detection controls should be implemented to identify incidents and anomalies in a timely manner." ISO/IEC 27035-1:2016, Clause 4.3.2 - "Detecting and reporting information security events and weaknesses are the first steps in the incident response process." RoLawyers' use of an IDS matches the description of a detective control designed to provide early warning signs of potential threats, making it easier for the organization to take timely action.
Therefore, the correct answer is B: Detective controls.
NEW QUESTION # 53
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
Based on the scenario above, answer the following question:
Is the incident management scope correctly determined at L&K Associates?
- A. No, the incident management scope is overly restrictive, excluding potential incident sources beyond those directly related to IT systems and services
- B. No, the incident management scope is too broad, encompassing all IT systems regardless of relevance
- C. Yes, the incident management scope is customized to align with the organization's unique needs
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1:2016 encourages organizations to define the scope of incident management based on their own risk environment, business model, and available resources. This scope should be tailored to focus on the systems, services, and personnel that are most critical and relevant to the organization's operations.
In this scenario, Leona appropriately aligned the scope with L&K Associates' specific IT infrastructure and business processes, deliberately including relevant IT systems and associated personnel while excluding unrelated sources. This customization is consistent with best practices and ensures that the incident management process remains focused, efficient, and manageable.
ISO/IEC 27035-2, Clause 4.2, emphasizes that "the scope of incident management should be defined in a way that it supports the organization's objectives and risk environment." Therefore, the correct answer is A: Yes, the incident management scope is customized to align with the organization's unique needs.
-
NEW QUESTION # 54
What can documenting recovery options and associated data loss/recovery timeframes assist with during incident response?
- A. Minimizing the impact on system performance
- B. Making informed decisions about containment and recovery
- C. Accelerating the incident response process
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Documenting recovery options and estimating recovery time objectives (RTOs) and data loss tolerances (Recovery Point Objectives - RPOs) is a crucial planning activity that supports decision-making during the containment and recovery phases. ISO/IEC 27035-2:2016, Clause 6.4.6 emphasizes that such documentation allows teams to:
Evaluate trade-offs between containment scope and data loss
Determine acceptable downtime for critical services
Select the most appropriate recovery strategy based on business impact
This documentation supports strategic thinking rather than rushed action, reducing the likelihood of costly decisions. It does not necessarily accelerate the process (Option C), nor is it designed to optimize performance (Option A).
Reference:
ISO/IEC 27035-2:2016, Clause 6.4.6: "Recovery planning should consider documented recovery procedures, acceptable data loss, and system downtime to support business continuity." Correct answer: B
NEW QUESTION # 55
......
PECB ISO-IEC-27035-Lead-Incident-Manager Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
Get Special Discount Offer of ISO-IEC-27035-Lead-Incident-Manager Certification Exam Sample Questions and Answers: https://passleader.bootcamppdf.com/ISO-IEC-27035-Lead-Incident-Manager-exam-actual-tests.html