PECB ISO/IEC 27002 Foundation (ISO-IEC-27002-Foundation) Exam Questions

Page: 1 / 14
Total 40 questions
Question 1

What is risk assessment?



Answer : C

Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. Option A describes only one component: risk identification. This is where risks are found, recognized, and described. Option B describes risk analysis, where the organization understands the nature of risk and determines the level of risk, often by considering likelihood and consequence. A full assessment also requires risk evaluation, where the analyzed risk is compared against criteria to determine whether it is acceptable or requires treatment. ISO/IEC 27002 relies on this risk-based logic because controls should be selected according to actual security needs. The standard provides guidance on controls, but it does not require every organization to implement every control in the same way. Risk assessment helps determine which controls are necessary, how strongly they should be implemented, and what residual risk remains. This is why option C is the complete and correct answer. ISO/IEC 27002 control implementation is meaningful only when linked to risk, context, business value, and obligations. Reference/Chapters: ISO/IEC 27002:2022, Clause 4 control selection and attributes; ISO/IEC 27001 risk assessment and treatment; ISO/IEC 27005 risk management terminology.


Question 2

Which of the following controls aims to protect the production environment and data?



Answer : B

Control 8.31, Separation of development, testing and operational environments, aims to protect the production environment and production data from unauthorized or inappropriate change, exposure, or disruption. Development and testing activities often involve code changes, debugging, experimental configurations, test accounts, incomplete controls, and simulated transactions. If these activities occur directly in production, they can compromise confidentiality, integrity, and availability. Separation reduces the risk that untested software, test data, developer privileges, or debugging tools affect live systems and real business information. Control 5.13, Labelling of information, supports correct handling by communicating classification and protection needs, but it does not specifically protect production environments. Control 6.6, Confidentiality or non-disclosure agreements, supports legal and people-related confidentiality commitments, but it does not directly separate technical environments. The exam logic focuses on the control whose stated purpose is to protect production systems and data from risks introduced by development and testing. Therefore, option B is correct. Reference/Chapters: ISO/IEC 27002:2022, Control 8.31 Separation of development, testing and operational environments; Control 8.32 Change management; Control 8.29 Security testing in development and acceptance.


Question 3

Some employees of an organization find the data processing procedures complicated and have been struggling to follow them effectively. Which of the following threats is the organization facing in this case?



Answer : A

The situation describes a people-related operational threat: data input error by employees. The root cause is not a malicious external attack or theft; it is that employees cannot reliably follow complicated processing procedures. ISO/IEC 27002 recognizes that people, competence, awareness, and documented procedures are essential to information security. When procedures are unclear, excessive, or difficult to follow, employees may enter incorrect data, omit fields, select wrong categories, mishandle classifications, misroute information, or unintentionally corrupt records. This primarily threatens integrity because the information may no longer be accurate or complete. Hacking would involve unauthorized technical intrusion, and information theft would involve intentional unauthorized taking or disclosure of information. Neither is stated in the scenario. ISO/IEC 27002 addresses this type of risk through information security awareness, education and training, documented operating procedures, clear responsibilities, and appropriate segregation of duties. Effective controls should make correct behavior practical and repeatable, not merely documented. Therefore, the verified answer is option A. Reference/Chapters: ISO/IEC 27002:2022, Control 6.3 Information security awareness, education and training; Control 5.37 Documented operating procedures; Control 5.3 Segregation of duties.


Question 4

Which of the following controls should the organization implement to ensure that its approach to managing information security continues to be suitable, adequate and effective?



Answer : B

Control 5.35, Independent review of information security, is the control intended to ensure that the organization's approach to managing information security remains suitable, adequate, and effective. Independent reviews provide objective evaluation of whether policies, processes, controls, responsibilities, and implementation remain aligned with business needs, risks, legal requirements, and the organization's security objectives. The review may consider governance, control design, control operation, risk treatment, compliance, incident trends, technology changes, supplier dependencies, and audit results. Control 5.4, Management responsibilities, is important because management must ensure personnel apply security according to policies and procedures, but it is not the control specifically focused on independent review. Control 5.24 concerns planning and preparation for incident management, which supports response capability but does not broadly assess the continuing suitability of the whole security approach. The phrase "suitable, adequate and effective" is a strong indicator of review and assurance. ISO/IEC 27002 uses independent review to challenge assumptions, detect weaknesses, and support continual improvement. Therefore, option B is the verified answer. Reference/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.4 Management responsibilities.


Question 5

In which group of controls does Control 7.9 Security of assets off-premises belong?



Answer : B

Control 7.9, Security of assets off-premises, belongs to the physical control group. ISO/IEC 27002:2022 organizes controls into four themes: organizational controls, people controls, physical controls, and technological controls. Controls in Clause 7 are physical controls, and Control 7.9 specifically addresses protection of organizational assets when they are outside the organization's premises. This includes laptops, mobile devices, storage media, documents, portable equipment, and other assets used during travel, remote work, home working, customer visits, supplier sites, or field operations. Off-premises use increases physical risk because assets may be exposed to theft, loss, damage, unauthorized viewing, insecure storage, or uncontrolled environments. Although technological measures such as encryption and remote wipe may support this control, the control itself is placed in the physical theme because its focus is the secure handling and protection of assets outside controlled facilities. Option A is incorrect because organizational controls are in Clause 5. Option C is incorrect because technological controls are in Clause 8. Reference/Chapters: ISO/IEC 27002:2022, Clause 7 Physical controls; Control 7.9 Security of assets off-premises; Clause 4 Structure of the standard.


Question 6

What, among others, should be considered when using cryptography?



Answer : A

When using cryptography, organizations should consider roles and responsibilities for key management. Cryptographic controls are only effective when keys are properly generated, stored, distributed, rotated, backed up, revoked, destroyed, and protected from unauthorized access. Weak key management can defeat strong algorithms because compromise of the key can expose encrypted information or allow unauthorized signing, decryption, or impersonation. ISO/IEC 27002 Control 8.24, Use of cryptography, guides organizations to define rules for effective cryptographic use, including protection of confidentiality, authenticity, integrity, and non-repudiation where relevant. Key management responsibilities must be assigned clearly so that ownership, custody, approval, recovery, and emergency access are controlled. Option B relates to project security management, not cryptographic implementation specifically. Option C relates to network security and filtering, not cryptographic key governance. Cryptography requires policy decisions about algorithms, key lengths, certificate management, lifecycle handling, legal restrictions, and separation of duties. The exam's correct answer is therefore option A because key management is a central technical and governance constraint of cryptographic protection. Reference/Chapters: ISO/IEC 27002:2022, Control 8.24 Use of cryptography; Control 5.15 Access control; Control 5.17 Authentication information.


Question 7

According to ISO/IEC 27002, which of the following statements is correct?



Answer : A

ISO/IEC 27002 requires equipment to be sited and protected in a way that reduces risks from physical and environmental threats. These threats include fire, flood, dust, vibration, electrical interference, unauthorized access, power instability, temperature extremes, and other environmental hazards. Option A is correct because secure siting and protection of equipment are essential to preserving confidentiality, integrity, and availability of information processing facilities. Option B is incorrect because equipment can absolutely be affected by power failures, utility disruptions, voltage fluctuations, overheating, and related events. Option C is incorrect because supporting utilities should be maintained, monitored, and tested as appropriate over time, not only at the beginning. ISO/IEC 27002 physical controls emphasize that technical systems depend on the physical environment. Servers, network devices, storage, and endpoint systems need appropriate location, power, cooling, cabling protection, and resilience measures. Equipment placement should also reduce unauthorized viewing, tampering, theft, and environmental exposure. The verified answer is option A because it reflects the physical protection objective in ISO/IEC 27002. Reference/Chapters: ISO/IEC 27002:2022, Control 7.8 Equipment siting and protection; Control 7.5 Protecting against physical and environmental threats; Control 7.11 Supporting utilities.

