
Get instant access to ISO-IEC-27035-Lead-Incident-Manager Practice Tests 2026 Free Updated Today!
Welcome to download the newest PassLeader ISO-IEC-27035-Lead-Incident-Manager PDF dumps ( 80 Q&As)
NEW QUESTION # 46
Scenario 6: EastCyber has established itself as a premier cyber security company that offers threat detection, vulnerability assessment, and penetration testing tailored to protect organizations from emerging cyber threats. The company effectively utilizes ISO/IEC 27035*1 and 27035-2 standards, enhancing its capability to manage information security incidents.
EastCyber appointed an information security management team led by Mike Despite limited resources, Mike and the team implemented advanced monitoring protocols to ensure that every device within the company's purview is under constant surveillance This monitoring approach is crucial for covering everything thoroughly, enabling the information security and cyber management team to proactively detect and respond to any sign of unauthorized access, modifications, or malicious activity within its systems and networks.
In addition, they focused on establishing an advanced network traffic monitoring system This system carefully monitors network activity, quickly spotting and alerting the security team to unauthorized actions This vigilance is pivotal in maintaining the integrity of EastCyber's digital infrastructure and ensuring the confidentiality, availability, and integrity of the data it protects.
Furthermore, the team focused on documentation management. They meticulously crafted a procedure to ensure thorough documentation of information security events. Based on this procedure, the company would document only the events that escalate into high-severity incidents and the subsequent actions. This documentation strategy streamlines the incident management process, enabling the team to allocate resources more effectively and focus on incidents that pose the greatest threat.
A recent incident involving unauthorized access to company phones highlighted the critical nature of incident management. Nate, the incident coordinator, quickly prepared an exhaustive incident report. His report detailed an analysis of the situation, identifying the problem and its cause. However, it became evident that assessing the seriousness and the urgency of a response was inadvertently overlooked.
In response to the incident, EastCyber addressed the exploited vulnerabilities. This action started the eradication phase, aimed at systematically eliminating the elements of the incident. This approach addresses the immediate concerns and strengthens EastCyber's defenses against similar threats in the future.
According to scenario 6, Nate compiled a detailed incident report that analyzed the problem and its cause but did not evaluate the incident's severity and response urgency. Does this align with the ISO/IEC 27035-1 guidelines?
- A. No, as the report did not include a comprehensive list of all employees who accessed the system within
24 hours before the incident - B. No, Nate overlooked the necessity of assessing the seriousness and the urgency of the response
- C. Yes. Nate included all the elements required by ISO/IEC 27035-1
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1:2016 emphasizes that part of the incident handling process-particularly during assessment and documentation-must include evaluation of both the seriousness (severity) and urgency (criticality) of the incident.
Clause 6.4.2 requires that an incident's potential impact and required response timelines be assessed promptly to determine appropriate action. Nate's omission of this evaluation, despite creating a technically sound report, means that the organization could misjudge the incident's risk, delay appropriate response, or fail to meet notification obligations.
Option A is incorrect because ISO/IEC 27035 explicitly lists impact and urgency as required analysis elements. Option C, while possibly helpful in forensic analysis, is not a required component per the standard.
Reference:
ISO/IEC 27035-1:2016, Clause 6.4.2: "Assess the impact, severity, and urgency of the incident to determine the necessary response and escalation procedures." Clause 6.5.4: "An incident report should include an evaluation of incident criticality to inform decision- making." Correct answer: B Each includes the correct answer, detailed justification, and citation from ISO/IEC 27035 standards.
-
NEW QUESTION # 47
Scenario 2: NoSpace, a forward-thinking e-commerce store based in London, is renowned for its diverse products and advanced technology. To enhance its information security, NoSpace implemented an ISMS according to ISO/IEC 27001 to better protect customer data and ensure business continuity. Additionally, the company adopted ISO/IEC 27035-1 and ISO/IEC 27035-2 guidelines. Mark, the incident manager at NoSpace, strategically led the entire implementation. He played a crucial role in aligning the company's ISMS with the requirements specified in ISO/IEC 27001, using ISO/IEC 27035-1 guidelines as the foundation.
During a routine internal audit, a minor anomaly was detected in the data traffic that could potentially indicate a security threat. Mark was immediately notified to assess the situation. Then, Mark and his team immediately escalated the incident to crisis management to handle the potential threat without further assessment. The decision was made to ensure a swift response.
After resolving the situation, Mark decided to update the incident management process. During the initial phase of incident management, Mark recognized the necessity of updating NoSpace's information security policies. This included revising policies related to risk management at the organizational level as well as for specific systems, services, or networks. The second phase of the updated incident management process included the assessment of the information associated with occurrences of information security events and the importance of classifying events and vulnerabilities as information security incidents. During this phase, he also introduced a "count down" process to expedite the evaluation and classification of occurrences, determining whether they should be recognized as information security incidents.
Mark developed a new incident management policy to enhance the organization's resilience and adaptability in handling information security incidents. Starting with a strategic review session with key stakeholders, the team prioritized critical focus areas over less impactful threats, choosing not to include all potential threats in the policy document. This decision was made to keep the policy streamlined and actionable, focusing on the most significant risks identified through a risk assessment. The policy was shaped by integrating feedback from various department heads to ensure it was realistic and enforceable. Training and awareness initiatives were tailored to focus only on critical response roles, optimizing resource allocation and focusing on essential capabilities.
Based on scenario 2, did Mark follow the guidelines of ISO/IEC 27035 series regarding the incident management phases in the updated incident management process?
- A. Yes, all phases of the incident management process were established according to the ISO/IEC 27035-1 guidelines
- B. No, the decision on whether to classify events as information security incidents should be assessed before initiating the incident management process
- C. No, the second phase of the incident management process should include the collection of information associated with the occurrences of information security events
Answer: C
Explanation:
-
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1:2016 outlines a structured five-phase approach to information security incident management, which includes:
1. Prepare
2. Identify (or detect and report)
3. Assess and Decide
4. Respond
5. Lessons Learned
According to the standard, the "Assess and Decide" phase must include the collection, review, and analysis of information associated with the occurrence of a potential incident. This phase ensures that the organization bases its classification decisions on factual data and contextual analysis, allowing the organization to determine whether the event should be categorized as a formal security incident.
In the scenario, Mark does introduce an accelerated "count down" process to evaluate and classify incidents, which is a commendable improvement in efficiency. However, there is no mention of gathering or documenting the actual event data prior to classification. This oversight fails to fully align with the standard.
Option A is incorrect because not all phases were implemented as defined-specifically, phase 3 ("Assess and Decide") lacks an essential component: the collection of evidence/information from the anomaly or event.
Option C is also incorrect. According to ISO/IEC 27035, assessment and classification take place within the formal incident management process-not before it. The initiation of the process includes the evaluation of whether a security event becomes an incident.
Reference Extracts:
* ISO/IEC 27035-1:2016, Clause 6.2.2: "The assessment and decision process involves analyzing the information associated with reported events to decide whether they should be treated as incidents."
* ISO/IEC 27035-2:2016, Clause 7.3: "This phase includes collecting information from available sources...
such as logs, reports, and alerts, to support classification and response decisions." Therefore, the correct answer is B: No, the second phase of the incident management process should include the collection of information associated with the occurrences of information security events.
NEW QUESTION # 48
Scenario 5: Located in Istanbul. Turkey. Alura Hospital is a leading medical institution specializing in advanced eye surgery and vision care. Renowned for its modern facilities, cutting edge technology, and highly skilled staff, Alura Hospital is committed to delivering exceptional patient care. Additionally, Alura Hospital has implemented the ISO/IEC 27035 standards to enhance its information security incident management practices.
At Alura Hospital, the information security incident management plan is a critical component of safeguarding patient data and maintaining the integrity of its medical services This comprehensive plan includes instructions for handling vulnerabilities discovered during incident management According to this plan, when new vulnerabilities are discovered, Mehmet is appointed as the incident handler and is authorized to patch the vulnerabilities without assessing their potential impact on the current incident, prioritizing patient data security above all else Recognizing the importance of a structured approach to incident management. Alura Hospital has established four teams dedicated to various aspects of incident response The planning team focuses on implementing security processes and communicating with external organizations The monitoring team is responsible for security patches, upgrades, and security policy implementation The analysis team adjusts risk priorities and manages vulnerability reports, while the test and evaluation team organizes and performs incident response tests to ensure preparedness During an incident management training session, staff members at Alura Hospital were provided with clear roles and responsibilities. However, a technician expressed uncertainty about their role during a data integrity incident as the manager assigned them a role unrelated to their expertise. This decision was made to ensure that all staff members possess versatile skills and are prepared to handle various scenarios effectively.
Additionally. Alura Hospital realized it needed to communicate better with stakeholders during security incidents. The hospital discovered it was not adequately informing stakeholders and that relevant information must be provided using formats, language, and media that meet their needs. This would enable them to participate fully in the incident response process and stay informed about potential risks and mitigation strategies.
Also, the hospital has experienced frequent network performance issues affecting critical hospital systems and increased sophisticated cyber attacks designed to bypass traditional security measures. So, it has deployed an external firewall. This action is intended to strengthen the hospital s network security by helping detect threats that have already breached the perimeter defenses. The firewall's implementation is a part of the hospital's broader strategy to maintain a robust and secure IT infrastructure, which is crucial for protecting sensitive patient data and ensuring the reliability of critical hospital systems. Alura Hospital remains committed to integrating state-of-the-art technology solutions to uphold the highest patient care and data security standards.
Based on scenario 5, the responsibilities of which team in Alura Hospital were NOT defined correctly?
- A. The analysis team
- B. The planning team
- C. The monitoring team
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
ISO/IEC 27035-2:2016 clearly outlines functional responsibilities for various roles in the incident management structure. The issue in the scenario lies in the description of the planning team.
The planning team, per ISO guidance, should focus on policy development, incident readiness planning, role assignments, and maintaining readiness through simulations and updates-not on communicating with external parties (which typically falls under the remit of the communications or coordination function within the incident response team).
Monitoring and analysis team responsibilities-such as applying patches, managing risk priorities, and analyzing vulnerabilities-are accurately described.
Reference:
ISO/IEC 27035-2:2016, Clause 5.2.3 - "The planning function should be responsible for developing and maintaining the plan, identifying resource needs, and ensuring team training." Correct answer: A
-
NEW QUESTION # 49
Who is responsible for approving an organization's information security incident management policy?
- A. Incident manager
- B. Incident coordinator
- C. Top management
Answer: C
Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27001:2022 and ISO/IEC 27035-2:2016, top management holds accountability for ensuring the alignment of security policies with organizational objectives. Policy approval, particularly for something as critical as incident management, must be authorized by top-level decision-makers to ensure authority, enforcement, and resource support.
Reference:
ISO/IEC 27001:2022, Clause 5.1: "Top management shall demonstrate leadership and commitment...
including approval of the information security policy."
ISO/IEC 27035-2:2016, Clause 4.3: "The policy should be approved and issued by top management." Correct answer: A
-
NEW QUESTION # 50
What is the purpose of incident categorization within the incident management lifecycle?
- A. To sort incidents based on the disrupted IT or business domain
- B. To determine the priority of incidents
- C. To automatically assign incidents to technicians
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, incident categorization is a vital step in the incident management lifecycle. Its primary purpose is to sort and group incidents based on specific criteria so that appropriate actions and escalation paths can be taken.
One of the core objectives of categorization is to sort incidents by the domain or system affected - whether it' s a database, email system, network, or physical server. This enables organizations to assign incidents to relevant subject matter experts and apply the right procedures, based on the affected business function or IT component.
While categorization can influence prioritization (option A), the main intent is classification based on nature and domain. Automatic technician assignment (option B) may be supported by some service management platforms but is not the foundational purpose of incident categorization under ISO 27035.
Reference Extracts:
ISO/IEC 27035-1:2016, Clause 6.1.2 - "Categorization should identify the domain or component affected to enable appropriate response and escalation." ISO/IEC 27035-2:2016, Clause 7.3 - "Incidents should be categorized based on the type of disruption they cause and the business or technical domain they impact." Therefore, the correct answer is C: To sort incidents based on the disrupted IT or business domain.
-
NEW QUESTION # 51
Scenario 5: Located in Istanbul. Turkey. Alura Hospital is a leading medical institution specializing in advanced eye surgery and vision care. Renowned for its modern facilities, cutting edge technology, and highly skilled staff, Alura Hospital is committed to delivering exceptional patient care. Additionally, Alura Hospital has implemented the ISO/IEC 27035 standards to enhance its information security incident management practices.
At Alura Hospital, the information security incident management plan is a critical component of safeguarding patient data and maintaining the integrity of its medical services This comprehensive plan includes instructions for handling vulnerabilities discovered during incident management According to this plan, when new vulnerabilities are discovered, Mehmet is appointed as the incident handler and is authorized to patch the vulnerabilities without assessing their potential impact on the current incident, prioritizing patient data security above all else Recognizing the importance of a structured approach to incident management. Alura Hospital has established four teams dedicated to various aspects of incident response The planning team focuses on implementing security processes and communicating with external organizations The monitoring team is responsible for security patches, upgrades, and security policy implementation The analysis team adjusts risk priorities and manages vulnerability reports, while the test and evaluation team organizes and performs incident response tests to ensure preparedness During an incident management training session, staff members at Alura Hospital were provided with clear roles and responsibilities. However, a technician expressed uncertainty about their role during a data integrity incident as the manager assigned them a role unrelated to their expertise. This decision was made to ensure that all staff members possess versatile skills and are prepared to handle various scenarios effectively.
Additionally. Alura Hospital realized it needed to communicate better with stakeholders during security incidents. The hospital discovered it was not adequately informing stakeholders and that relevant information must be provided using formats, language, and media that meet their needs. This would enable them to participate fully in the incident response process and stay informed about potential risks and mitigation strategies.
Also, the hospital has experienced frequent network performance issues affecting critical hospital systems and increased sophisticated cyber attacks designed to bypass traditional security measures. So, it has deployed an external firewall. This action is intended to strengthen the hospital s network security by helping detect threats that have already breached the perimeter defenses. The firewall's implementation is a part of the hospital's broader strategy to maintain a robust and secure IT infrastructure, which is crucial for protecting sensitive patient data and ensuring the reliability of critical hospital systems. Alura Hospital remains committed to integrating state-of-the-art technology solutions to uphold the highest patient care and data security standards.
When vulnerabilities are discovered during incident management, Mehmet takes action to patch the vulnerabilities without assessing their potential impact on the current incident. Is this action in accordance with ISO/IEC 27035-2 recommendations?
- A. Yes, vulnerabilities should be patched without assessing their potential impact on the current incident
- B. No, he should wait for a scheduled vulnerability assessment instead
- C. No, he should report the vulnerability to the incident coordinator, who will redirect the issue to the team responsible for the vulnerability
Answer: C
Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-2:2016, vulnerabilities identified during incident handling must be assessed and documented before remediation. Immediate patching without evaluating its impact could compromise incident evidence, interfere with ongoing investigations, or unintentionally trigger additional issues.
ISO/IEC 27035-2 recommends that the incident coordinator (or an equivalent role) be responsible for directing how such vulnerabilities are managed and coordinated across relevant teams. This maintains process integrity and avoids uncoordinated actions.
Reference:
ISO/IEC 27035-2:2016, Clause 6.4.2: "Detected vulnerabilities should be communicated to appropriate stakeholders for evaluation. Unauthorized immediate actions could affect incident containment or recovery efforts." Correct answer: C
-
NEW QUESTION # 52
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
Based on scenario 3, did Leona follow all the ISO/IEC 27035-1 guidelines when communicating the information security incident management policy to interested parties?
- A. No, she should also communicate how often the information security incident policies are updated and revised
- B. No, she should also communicate the incident reporting procedures and specify the appropriate contact for further information
- C. Yes, she effectively communicated the outcomes of incidents and strategies to minimize recurrence, meeting the necessary communication requirements
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-1:2016, effective communication of the incident management policy must include not only policy content, roles, and responsibilities but also specific procedural aspects-such as how to report an incident and who to contact. This ensures that all stakeholders clearly understand their responsibilities in the event of an incident and know how to respond.
In the scenario, Leona communicated the outcomes of incidents, mitigation strategies, personnel obligations, and policy content. However, she did not include the incident reporting procedures or contact points, which are essential components of incident communication as per ISO guidelines.
Reference:
ISO/IEC 27035-1:2016, Clause 6.1: "Communication of the incident management policy should include reporting channels, escalation contacts, and policy revision frequency." Therefore, the correct answer is B.
-
NEW QUESTION # 53
Scenario 2: NoSpace, a forward-thinking e-commerce store based in London, is renowned for its diverse products and advanced technology. To enhance its information security, NoSpace implemented an ISMS according to ISO/IEC 27001 to better protect customer data and ensure business continuity. Additionally, the company adopted ISO/IEC 27035-1 and ISO/IEC 27035-2 guidelines. Mark, the incident manager at NoSpace, strategically led the entire implementation. He played a crucial role in aligning the company's ISMS with the requirements specified in ISO/IEC 27001, using ISO/IEC 27035-1 guidelines as the foundation.
During a routine internal audit, a minor anomaly was detected in the data traffic that could potentially indicate a security threat. Mark was immediately notified to assess the situation. Then, Mark and his team immediately escalated the incident to crisis management to handle the potential threat without further assessment. The decision was made to ensure a swift response.
After resolving the situation, Mark decided to update the incident management process. During the initial phase of incident management, Mark recognized the necessity of updating NoSpace's information security policies. This included revising policies related to risk management at the organizational level as well as for specific systems, services, or networks. The second phase of the updated incident management process included the assessment of the information associated with occurrences of information security events and the importance of classifying events and vulnerabilities as information security incidents. During this phase, he also introduced a "count down" process to expedite the evaluation and classification of occurrences, determining whether they should be recognized as information security incidents.
Mark developed a new incident management policy to enhance the organization's resilience and adaptability in handling information security incidents. Starting with a strategic review session with key stakeholders, the team prioritized critical focus areas over less impactful threats, choosing not to include all potential threats in the policy document. This decision was made to keep the policy streamlined and actionable, focusing on the most significant risks identified through a risk assessment. The policy was shaped by integrating feedback from various department heads to ensure it was realistic and enforceable. Training and awareness initiatives were tailored to focus only on critical response roles, optimizing resource allocation and focusing on essential capabilities Scenario 2 (continued from above) According to scenario 2, in which phase did Mark introduce a "count down" process?
- A. Assess and Decide
- B. Learn Lessons
- C. Respond
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The "count down" process introduced by Mark in the scenario is intended to expedite the evaluation and classification of information security events - determining whether they are actual incidents or not. This aligns precisely with the "Assess and Decide" phase in ISO/IEC 27035-1 and ISO/IEC 27035-2.
The "Assess and Decide" phase, as defined in ISO/IEC 27035-1:2016, involves the timely assessment of events, classification of vulnerabilities, and making decisions about appropriate handling paths. Speed is essential here, as delays in classifying and responding to potential incidents can increase risk exposure.
Mark's innovation-a "count down" timer-demonstrates a procedural enhancement to ensure incidents are not left unreviewed. This mechanism improves the timeliness and structure of incident classification and decision-making, which is a key objective of the "Assess and Decide" phase.
Reference Extracts:
ISO/IEC 27035-1:2016, Clause 6.2.2: "Assess and decide phase aims to determine the significance of reported events and decide how to treat them." ISO/IEC 27035-2:2016, Clause 7.3: "Assessment of events involves determining whether they constitute an incident and the urgency of response." Therefore, the correct answer is C: Assess and Decide.
Certainly! Below is your requested content in the exact structured format for:
NEW QUESTION # 54
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
In scenario 3, which of the following risk identification approaches was used by L&K Associates?
- A. Event-based approach
- B. Both A and B
- C. Asset-based approach
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
L&K Associates employed two distinct approaches as described in ISO/IEC 27005:2018 and referenced in ISO/IEC 27035-2:
Strategic scenario identification, which involves analyzing sources of risk and their impact on stakeholders and objectives. This is aligned with the event-based approach, which focuses on risk sources and events that may lead to incidents.
Operational scenario identification, which involves a thorough assessment of assets, threats, and vulnerabilities - aligning with the asset-based approach, where the focus is on critical assets and the threats that may exploit their weaknesses.
ISO/IEC 27005:2018, Clause 8.2.2, identifies multiple methods for risk identification, including:
Asset-based approach
Event-based (or threat-based) approach
Vulnerability-centered approach
In this scenario, both the asset- and event-based methods were clearly applied by Leona, which is encouraged in ISO risk management practices to provide a holistic view of risk.
Therefore, the correct answer is C: Both A and B.
NEW QUESTION # 55
What roles do business managers play in relation to the Incident Management Team (IMT) and Incident Response Teams (IRTs)?
- A. Guiding on liability and compliance issues to the IMT and IRT and advise on which incidents constitute mandatory data breach notifications
- B. Developing policies and procedures for managing internal employees found engaging in unauthorized or illegal computer activities
- C. Understanding how the IMT and IRTs support business processes and define authority over business systems
Answer: C
Explanation:
-
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, business managers have a vital governance and operational oversight role in relation to information security incident response. Their main function is to ensure that incident management activities align with the organization's business processes and risk management strategies.
Clause 7.2.1 of ISO/IEC 27035-2 highlights that business managers are responsible for ensuring that the incident response teams (IRTs) understand business priorities, and that response activities reflect the criticality of affected systems and services. Business managers also help define the operational boundaries and authority of IMTs and IRTs when incidents impact key business systems. Their involvement ensures that decisions made during response efforts support overall organizational resilience and legal compliance.
Option A is more aligned with human resources or legal/compliance functions, not core business manager responsibilities. Option B relates more closely to legal counsel or data privacy officers who are tasked with interpreting laws and regulations concerning breach notifications and liability.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 7.2.1: "Business managers are responsible for ensuring the coordination between business requirements and incident response activities, and for defining authority over the systems under their management." Clause 6.1.1: "Incident response activities must be aligned with business continuity plans and critical asset protection priorities." Therefore, the correct and most comprehensive answer is: C - Understanding how the IMT and IRTs support business processes and define authority over business systems.
-
NEW QUESTION # 56
Which of the following is NOT an example of technical control?
- A. Implementing surveillance cameras
- B. Implementing a policy for regular password changes
- C. Installing a firewall to protect the network
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27002:2022 (and earlier versions), information security controls can be broadly categorized into three types: technical (also called logical), physical, and administrative (or organizational) controls.
Technical controls (also known as logical controls) involve the use of software and hardware to protect assets.
Examples include:
Firewalls
Intrusion detection systems
Encryption
Access control mechanisms
Physical controls are designed to prevent physical access to IT systems and include things such as:
Surveillance cameras
Security guards
Biometric access systems
Administrative controls, also called management or procedural controls, include the policies, procedures, and guidelines that govern the organization's security practices. These include:
Security awareness training
Acceptable use policies
Password policies
Option A, "Implementing a policy for regular password changes," is an administrative control, not a technical one. It dictates user behavior through rules and policy enforcement, but does not technically enforce the change itself unless paired with technical enforcement (like system settings).
Option B, surveillance cameras, are physical controls, and option C, installing a firewall, is a classic example of a technical control.
Reference Extracts:
ISO/IEC 27002:2022, Clause 5.1 - "Information security controls can be administrative (policy-based), technical, or physical depending on their form and implementation." NIST SP 800-53, Control Families - Differentiates between management, operational, and technical controls.
Therefore, the correct answer is A: Implementing a policy for regular password changes.
-
NEW QUESTION # 57
Scenario 5: Located in Istanbul. Turkey. Alura Hospital is a leading medical institution specializing in advanced eye surgery and vision care. Renowned for its modern facilities, cutting edge technology, and highly skilled staff, Alura Hospital is committed to delivering exceptional patient care. Additionally, Alura Hospital has implemented the ISO/IEC 27035 standards to enhance its information security incident management practices.
At Alura Hospital, the information security incident management plan is a critical component of safeguarding patient data and maintaining the integrity of its medical services This comprehensive plan includes instructions for handling vulnerabilities discovered during incident management According to this plan, when new vulnerabilities are discovered, Mehmet is appointed as the incident handler and is authorized to patch the vulnerabilities without assessing their potential impact on the current incident, prioritizing patient data security above all else Recognizing the importance of a structured approach to incident management. Alura Hospital has established four teams dedicated to various aspects of incident response The planning team focuses on implementing security processes and communicating with external organizations The monitoring team is responsible for security patches, upgrades, and security policy implementation The analysis team adjusts risk priorities and manages vulnerability reports, while the test and evaluation team organizes and performs incident response tests to ensure preparedness During an incident management training session, staff members at Alura Hospital were provided with clear roles and responsibilities. However, a technician expressed uncertainty about their role during a data integrity incident as the manager assigned them a role unrelated to their expertise. This decision was made to ensure that all staff members possess versatile skills and are prepared to handle various scenarios effectively.
Additionally. Alura Hospital realized it needed to communicate better with stakeholders during security incidents. The hospital discovered it was not adequately informing stakeholders and that relevant information must be provided using formats, language, and media that meet their needs. This would enable them to participate fully in the incident response process and stay informed about potential risks and mitigation strategies.
Also, the hospital has experienced frequent network performance issues affecting critical hospital systems and increased sophisticated cyber attacks designed to bypass traditional security measures. So, it has deployed an external firewall. This action is intended to strengthen the hospital s network security by helping detect threats that have already breached the perimeter defenses. The firewall's implementation is a part of the hospital's broader strategy to maintain a robust and secure IT infrastructure, which is crucial for protecting sensitive patient data and ensuring the reliability of critical hospital systems. Alura Hospital remains committed to integrating state-of-the-art technology solutions to uphold the highest patient care and data security standards.
During a training session on incident management at Alura Hospital, staff members are presented with various roles and responsibilities. One staff member, a technician, was unsure about their role during a data integrity incident. According to the training objectives, did the manager take the correct action to ensure the technician was prepared?
- A. No, they should have provided the technician with specific role-playing exercises related to data integrity incidents
- B. Yes, roles and responsibilities should include rotational training to ensure all staff are versatile
- C. No, roles and responsibilities should be assigned based on seniority to ensure that more experienced staff handle complex scenarios
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-2 and ISO/IEC 27002:2022 (A.6.3 - Information Security Awareness and Training), incident response training should aim to build both competence and adaptability. Cross-training and rotational exposure to different incident types prepare staff for a wide range of potential scenarios, enhancing organizational resilience.
Assigning roles not strictly based on current expertise fosters flexibility and supports development, particularly in incident response, where versatile response capabilities are critical.
Reference:
ISO/IEC 27035-2:2016, Clause 5.2.3: "Training should cover various incident scenarios and enable staff to take on different responsibilities as required." ISO/IEC 27002:2022, Control A.6.3: "Training should be ongoing and adaptive to emerging threats and varied incident types." Correct answer: A
NEW QUESTION # 58
Which element should an organization consider when identifying the scope of their information security incident management?
- A. Hardcopy information
- B. Both A and B
- C. Electronic information
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-1:2016 and ISO/IEC 27001:2022, when defining the scope of an information security incident management system, organizations must consider all forms of information-whether digital or physical-that are relevant to the business. Incidents can affect hardcopy (e.g., paper-based records) and electronic data (e.g., emails, files), so both must be included in the scope assessment.
Reference:
ISO/IEC 27001:2022, Clause 4.3: "The scope shall consider interfaces and dependencies between activities performed by the organization and those that are outsourced." ISO/IEC 27035-1:2016, Clause 4.2.1: "Information in all formats-including printed or written-should be protected." Correct answer: C
-
NEW QUESTION # 59
Scenario 7: Located in central London, Konzolo has become a standout innovator in the cryptocurrency field.
The company faced challenges monitoring the security of its own and third-party systems. An incident involving server downtime exposed vulnerabilities in a third-party service provider's security posture, leading to unauthorized access.
In response, Konzolo launched a thorough vulnerability scan of its cryptographic wallet software and uncovered critical weaknesses due to outdated encryption algorithms. Noah, the IT manager, documented and communicated the findings. Paulina was brought in to lead a forensic investigation, provide actionable insights, and help enhance the company's overall incident response strategy based on ISO/IEC 27035 standards.
Based on the scenario above, answer the following question:
Which of the following steps for effective security monitoring did Konzolo NOT adhere to?
- A. Monitor security vulnerabilities
- B. Monitor behavioral analytics
- C. Monitor the outsourced services
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016 emphasize the importance of monitoring not only internal systems but also third-party or outsourced services. Clause 7.3.2 of ISO/IEC 27035-2 specifically recommends that organizations establish mechanisms for the continuous monitoring of service providers and outsourced systems, particularly when such services process or store sensitive information.
In the scenario, Konzolo suffered an incident due to a failure by a third-party service provider to uphold security controls. This indicates that Konzolo had insufficient or no effective monitoring of outsourced services in place, which directly contributed to the breach and system downtime.
On the other hand:
Option A is incorrect because Konzolo did conduct a vulnerability scan, identifying and addressing cryptographic weaknesses.
Option B is also incorrect, as Paulina conducted forensic and behavioral analysis (both manual and automated) as part of the investigation process.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 7.3.2: "Monitoring should not be limited to internal infrastructure but should include third-party and outsourced services to ensure that they are operating within defined security parameters." ISO/IEC 27002:2022, Control 5.23: "Information security should be addressed in agreements with third parties." Correct answer: C
-
NEW QUESTION # 60
Based on ISO/IEC 27035-2, which of the following is an example of evaluation activities used to evaluate the effectiveness of the incident management team?
- A. Conducting information security testing, particularly vulnerability assessment
- B. Analyzing the lessons learned once an information security incident has been handled and closed
- C. Evaluating the capabilities and services once they become operational
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-2:2016 Clause 7.4.3 emphasizes the role of lessons learned reviews as key evaluation activities for assessing the performance of incident response teams. This activity involves post-incident debriefs to evaluate what went right or wrong and how response processes or team functions could improve.
While options A and C are related to broader security or deployment procedures, Option B directly reflects a formal evaluation mechanism used to gauge incident team effectiveness.
Reference:
ISO/IEC 27035-2:2016 Clause 7.4.3: "Lessons learned should be documented and used to evaluate the effectiveness of the incident management process." Correct answer: B
-
NEW QUESTION # 61
Scenario 6: EastCyber has established itself as a premier cyber security company that offers threat detection, vulnerability assessment, and penetration testing tailored to protect organizations from emerging cyber threats. The company effectively utilizes ISO/IEC 27035*1 and 27035-2 standards, enhancing its capability to manage information security incidents.
EastCyber appointed an information security management team led by Mike Despite limited resources, Mike and the team implemented advanced monitoring protocols to ensure that every device within the company's purview is under constant surveillance This monitoring approach is crucial for covering everything thoroughly, enabling the information security and cyber management team to proactively detect and respond to any sign of unauthorized access, modifications, or malicious activity within its systems and networks.
In addition, they focused on establishing an advanced network traffic monitoring system This system carefully monitors network activity, quickly spotting and alerting the security team to unauthorized actions This vigilance is pivotal in maintaining the integrity of EastCyber's digital infrastructure and ensuring the confidentiality, availability, and integrity of the data it protects.
Furthermore, the team focused on documentation management. They meticulously crafted a procedure to ensure thorough documentation of information security events. Based on this procedure, the company would document only the events that escalate into high-severity incidents and the subsequent actions. This documentation strategy streamlines the incident management process, enabling the team to allocate resources more effectively and focus on incidents that pose the greatest threat.
A recent incident involving unauthorized access to company phones highlighted the critical nature of incident management. Nate, the incident coordinator, quickly prepared an exhaustive incident report. His report detailed an analysis of the situation, identifying the problem and its cause. However, it became evident that assessing the seriousness and the urgency of a response was inadvertently overlooked.
In response to the incident, EastCyber addressed the exploited vulnerabilities. This action started the eradication phase, aimed at systematically eliminating the elements of the incident. This approach addresses the immediate concerns and strengthens EastCyber's defenses against similar threats in the future.
According to scenario 6, what mechanisms for detecting security incidents did EastCyber implement?
- A. Intrusion prevention systems
- B. Intrusion detection systems
- C. Security information and event management systems
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
In the scenario, EastCyber implemented an "advanced network traffic monitoring system" that "spots and alerts the security team to unauthorized actions." This aligns closely with the functional characteristics of an Intrusion Detection System (IDS), which monitors traffic or systems for malicious activities and policy violations and sends alerts for review.
While Security Information and Event Management (SIEM) tools and Intrusion Prevention Systems (IPS) offer valuable detection and response capabilities, the scenario specifically describes a system focused on monitoring and alerting-not automatically blocking traffic, which would indicate an IPS.
SIEM platforms correlate and analyze logs from various sources, which wasn't described. Therefore, IDS is the most accurate interpretation.
Reference:
ISO/IEC 27035-2:2016, Clause 7.4.2: "Detection mechanisms can include intrusion detection systems, log analysis tools, and traffic monitoring systems to detect potential security events." Correct answer: B
-
NEW QUESTION # 62
What is the primary focus of internal exercises in information security incident management?
- A. Testing inter-organizational communication
- B. Evaluating the readiness of the incident response team
- C. Involving external organizations to assess collaboration
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Internal exercises, such as simulations, tabletop exercises, and mock drills, are designed primarily to assess the readiness, coordination, and performance of the internal incident response team (IRT). According to ISO
/IEC 27035-2:2016, these exercises aim to validate that the IRT understands their roles, follows documented procedures, and can act effectively under pressure.
While external collaboration (Options A and B) may be tested during joint exercises or industry-wide scenarios, the focus of internal exercises is on internal capabilities. These exercises help identify gaps in training, procedures, communication, and escalation pathways.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 7.3.3: "Exercises and simulations should be conducted to test the readiness of the incident response capability." NIST SP 800-84: "Regular exercises increase response efficiency and allow staff to develop incident handling confidence." Correct answer: C
-
NEW QUESTION # 63
Which factor of change should be monitored when maintaining incident management documentation?
- A. Employee attendance records
- B. Test results
- C. Market trends
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
When maintaining documentation for information security incident management, test results are critical indicators of how well current plans and controls are functioning. According to ISO/IEC 27035-2:2016 Clause 7.3.3, organizations must update documents based on test outcomes, incident experiences, or environmental changes.
Market trends (Option A) and attendance records (Option B) are not directly relevant to the content or accuracy of incident documentation.
Reference:
ISO/IEC 27035-2:2016 Clause 7.3.3: "Changes in the environment or test results should be used as input for reviewing documentation." Correct answer: C
-
NEW QUESTION # 64
Scenario 8: Moneda Vivo, headquartered in Kuala Lumpur. Malaysia, is a distinguished name in the banking sector. It is renowned for its innovative approach to digital banking and unwavering commitment to information security. Moneda Vivo stands out by offering various banking services designed to meet the needs of its clients. Central to its operations is an information security incident management process that adheres to the recommendations of ISO/IEC 27035-1 and 27035-2.
Recently. Moneda Vivo experienced a phishing attack aimed at its employees Despite the bank's swift identification and containment of the attack, the incident led to temporary service outages and data access issues, underscoring the need for improved resilience The response team compiled a detailed review of the attack, offering valuable insights into the techniques and entry points used and identifying areas for enhancing their preparedness.
Shortly after the attack, the bank strengthened its defense by implementing a continuous review process to ensure its incident management procedures and systems remain effective and appropriate While monitoring the incident management process, a trend became apparent. The mean time between similar incidents decreased after a few occurrences; however, Moneda Vivo strategically ignored the trend and continued with regular operations This decision was rooted in a deep confidence in its existing security measures and incident management protocols, which had proven effective in quick detection and resolution of issues Moneda Vivo's commitment to transparency and continual improvement is exemplified by its utilization of a comprehensive dashboard. This tool provides real time insights into the progress of its information security incident management, helping control operational activities and ensure that processes stay within the targets of productivity, quality, and efficiency. However, securing its digital banking platform proved challenging.
Following a recent upgrade, which included a user interface change to its digital banking platform and a software update, Moneda Vivo recognized the need to immediately review its incident management process for accuracy and completeness. The top management postponed the review due to financial and time constraints.
Based on scenario 8, Moneda Vivo ignored the trend and continued regular operations when the mean time between the same types of incidents decreased after a few occurrences. Is this acceptable?
- A. When the mean time between the same types of incidents decreases after a few occurrences, it shows that the incidents are becoming less significant
- B. No, when the mean time between the same types of incidents decreases, a study should be conducted to discover why
- C. No, when the mean time between the same types of incidents decreases, a study should be necessary to confirm that the incidents are unrelated
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1 encourages organizations to monitor metrics, such as the frequency of incident types, as part of continual improvement (Clause 7.3). A decreasing mean time between incidents (MTBI) may indicate increased threat frequency, weakened controls, or emerging vulnerabilities. Ignoring such trends can prevent timely corrective actions and weaken overall resilience.
Instead of assuming the incidents are less significant, ISO guidance suggests conducting root cause analysis and trend evaluations when patterns like this emerge.
Reference:
ISO/IEC 27035-1:2016, Clause 7.3: "Monitoring and measurement of the incident management process should include trend analysis to identify recurring issues or new patterns." Correct answer: C
-
NEW QUESTION # 65
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
According to scenario 3, Leona decided to initially include only the elements provided in Clause 4.3 of ISO
/IEC 27035-2, Information security incident management policy content, in the incident management policy.
Is this acceptable?
- A. Yes, because Leona has conducted a thorough risk assessment to identify potential gaps in the incident management policy beyond the scope of clause 4.3 of ISO/IEC 27035-2
- B. No, clause 4.3 of ISO/IEC 27035-2 does not cover elements for an effective incident management policy
- C. Yes, because as a minimum, the policy must cover the elements provided in clause 4.3 of ISO/IEC
27035-2
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Clause 4.3 of ISO/IEC 27035-2:2016 outlines the minimum content requirements for an effective incident management policy. These include:
Purpose and objectives of the policy
Scope and applicability
Roles and responsibilities
Key terminology and definitions
High-level processes for incident detection, reporting, response, and learning Obligations of internal stakeholders Leona's decision to base the initial policy draft on Clause 4.3 is fully compliant and appropriate, as it ensures foundational consistency. ISO/IEC 27035-2 explicitly states that these elements form the minimum baseline for effective policy creation, and the document can be expanded later as needed.
Reference:
ISO/IEC 27035-2:2016, Clause 4.3: "The information security incident management policy should, at a minimum, contain the following elements..." Therefore, the correct answer is B: Yes, because as a minimum, the policy must cover the elements provided in clause 4.3 of ISO/IEC 27035-2.
-
NEW QUESTION # 66
Scenario 4: ORingo is a company based in Krakow, Poland, specializing in developing and distributing electronic products for health monitoring and heart rate measurement applications. With a strong emphasis on innovation and technological advancement, ORingo has established itself as a trusted provider of high-quality, reliable devices that enhance the well being and healthcare capabilities of individuals and healthcare professionals alike.
As part of its commitment to maintaining the highest standards of information security, ORingo has established an information security incident management process This process aims to ensure that any potential threats are swiftly identified, assessed, and addressed to protect systems and information. However, despite these measures, an incident response team member at ORingo recently detected a suspicious state in their systems operational data, leading to the decision to shut down the company-wide system until the anomaly could be thoroughly investigated Upon detecting the threat, the company promptly established an incident response team to respond to the incident effectively. The team's responsibilities encompassed identifying root causes, uncovering hidden vulnerabilities, and implementing timely resolutions to mitigate the impact of the incident on ORingo's operations and customer trust.
In response to the threat detected across its cloud environments. ORingo employed a sophisticated security tool that broadened the scope of incident detection and mitigation This tool covers network traffic, doud environments, and potential attack vectors beyond traditional endpoints, enabling ORingo to proactively defend against evolving cybersecurity threats During a routine check, the IT manager at ORingo discovered that multiple employees lacked awareness of proper procedures following the detection of a phishing email. In response, immediate training sessions on information security policies and incident response were scheduled for all employees, emphasizing the importance of vigilance and adherence to established protocols in safeguarding ORingo's sensitive data and assets.
As part of the training initiative. ORingo conducted a simulated phishing attack exercise to assess employee response and knowledge. However, an employee inadvertently informed an external partner about the 'attack'' during the exercise, highlighting the importance of ongoing education and reinforcement of security awareness principles within the organization.
Through its proactive approach to incident management and commitment to fostering a culture of security awareness and readiness. ORingo reaffirms its dedication to safeguarding the integrity and confidentiality of its electronic products and ensuring the trust and confidence of its customers and stakeholders worldwide.
Based on the scenario above, answer the following question:
After identifying a suspicious state in ORingo's system, a member of the IRT initiated a company-wide system shutdown until the anomaly was investigated. Is this acceptable?
- A. Yes, the correct action is to initiate a company-wide system shutdown until the anomaly is investigated
- B. No, the IRT should have determined the facts that enable detection of the event occurrence
- C. No, the IRT should have immediately informed all employees about the potential data breach
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-1:2016, particularly in Clause 6.2.2 (Assess and Decide), the organization must first assess the reported event to determine whether it qualifies as a security incident before implementing disruptive responses such as a full system shutdown.
Initiating a shutdown without first determining the cause, impact, or whether it's a confirmed incident can lead to unnecessary operational disruption and loss of services. The proper approach is to collect evidence, analyze system behavior, and make informed decisions based on risk level and confirmed facts.
Option B best reflects the required approach: The IRT should first determine the facts that enable detection and validation of the event's occurrence and impact before initiating drastic action like shutting down critical systems.
Reference:
ISO/IEC 27035-1:2016, Clause 6.2.2 - "An analysis should be conducted to determine whether the event should be treated as an information security incident." Clause 6.2.3 - "Response should be proportionate to the impact and type of the incident." Therefore, the correct answer is B.
-
NEW QUESTION # 67
During the 'detect and report' phase of incident management at TechFlow, the incident response team began collecting detailed threat intelligence and conducting vulnerability assessments related to these login attempts.
Additionally, the incident response team classified a series of unusual login attempts as a potential security incident and distributed initial reports to the incident coordinator. Is this approach correct?
- A. No, because collecting detailed information about threats and vulnerabilities should occur in later phases
- B. Yes, because classifying events as information security incidents is essential during this phase
- C. No, because information security incidents cannot yet be classified as information security incidents in this phase
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The 'detect and report' phase, as defined in ISO/IEC 27035-1:2016 (Clause 6.2), includes the identification, classification, and initial reporting of information security events. If events meet certain thresholds-such as multiple failed login attempts from unknown IP addresses or matching threat indicators-they can and should be classified as potential incidents.
It is also appropriate to begin collecting supporting information during this phase. Gathering threat intelligence and performing basic vulnerability assessments help in confirming the scope and nature of the threat, allowing faster escalation and response.
Option B is incorrect because while deep forensic collection occurs later, preliminary data collection should begin during detection. Option C is incorrect as incident classification is explicitly allowed and encouraged in this phase.
Reference:
ISO/IEC 27035-1:2016, Clause 6.2.2: "Events should be assessed and classified to determine whether they qualify as information security incidents." Clause 6.2.3: "All relevant details should be collected to support early classification and reporting." Correct answer: A
NEW QUESTION # 68
......
PECB ISO-IEC-27035-Lead-Incident-Manager Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
Apr-2026 Latest ITCertMagic ISO-IEC-27035-Lead-Incident-Manager Exam Dumps with PDF and Exam Engine: https://passitsure.itcertmagic.com/PECB/real-ISO-IEC-27035-Lead-Incident-Manager-exam-prep-dumps.html