PECB ISO-IEC-27005-Risk-Manager Exam Practice Test Instant Access

Question 1

Scenario 2: Travivve is a travel agency that operates in more than 100 countries. Headquartered in San Francisco, the US, the agency is known for its personalized vacation packages and travel services. Travivve aims to deliver reliable services that meet its clients' needs. Considering the impact of information security in its reputation, Travivve decided to implement an information security management system (ISMS) based on ISO/IEC 27001. In addition, they decided to establish and implement an information security risk management program. Based on the priority of specific departments in Travivve, the top management decided to initially apply the risk management process only in the Sales Management Department. The process would be applicable for other departments only when introducing new technology.

Travivve's top management wanted to make sure that the risk management program is established based on the industry best practices. Therefore, they created a team of three members that would be responsible for establishing and implementing it. One of the team members was Travivve's risk manager who was responsible for supervising the team and planning all risk management activities. In addition, the risk manager was responsible for monitoring the program and reporting the monitoring results to the top management.

Initially, the team decided to analyze the internal and external context of Travivve. As part of the process of understanding the organization and its context, the team identified key processes and activities. Then, the team identified the interested parties and their basic requirements and determined the status of compliance with these requirements. In addition, the team identified all the reference documents that applied to the defined scope of the risk management process, which mainly included the Annex A of ISO/IEC 27001 and the internal security rules established by Travivve. Lastly, the team analyzed both reference documents and justified a few noncompliances with those requirements.

The risk manager selected the information security risk management method which was aligned with other approaches used by the company to manage other risks. The team also communicated the risk management process to all interested parties through previously established communication mechanisms. In addition, they made sure to inform all interested parties about their roles and responsibilities regarding risk management. Travivve also decided to involve interested parties in its risk management activities since, according to the top management, this process required their active participation.

Lastly, Travivve's risk management team decided to conduct the initial information security risk assessment process. As such, the team established the criteria for performing the information security risk assessment which included the consequence criteria and likelihood criteria.

Did the risk management team establish all the criteria required to perform the information security risk assessment? Refer to scenario 2.

ANo, the risk management team should also establish the criteria for determining the level of risk

BNo, the risk management team should also establish the criteria for treating the identified risks

CYes. the risk management team established all the criteria that are necessary to perform an information security risk assessment

Answer : A

While Travivve's risk management team established criteria for consequence and likelihood, ISO/IEC 27005 requires that additional criteria should be defined to complete a risk assessment. Specifically, the team should also establish criteria for determining the level of risk, which involves combining the likelihood and consequence to evaluate risk magnitude. This step is crucial for prioritizing risks and determining which risks require treatment. The absence of criteria for determining the level of risk means that the team did not fully meet the requirements of ISO/IEC 27005 for performing an information security risk assessment. Therefore, the correct answer is A.

ISO/IEC 27005:2018, Clause 8.4, 'Risk Assessment,' which outlines the need to establish criteria for risk acceptance, which includes determining the level of risk.

Question 2

Did Travivve's risk management team identify the basic requirements of interested parties in accordance with the guidelines of ISO/IEC 27005? Refer to scenario 2.

ANo, the team should define the basic requirements of interested parties, but it should determine status of compliance with the requirements after implementing the risk treatment options

BNo, the team should use only the organization's internal security rules to determine the status of compliance with the basic requirements of interested parties

CYes, the team identified the basic requirements of interested parties and determined the status of compliance with those requirements as recommended by ISO/IEC 27005

Answer : C

According to ISO/IEC 27005, understanding the organization and its context, including the identification of interested parties and their requirements, is a critical part of the risk management process. The team at Travivve identified the interested parties and their basic requirements and determined the status of compliance with these requirements, which aligns with the guidelines provided by ISO/IEC 27005. This standard recommends that organizations should understand their context and stakeholders' requirements to effectively manage risks. Additionally, it is appropriate to evaluate compliance with requirements as part of the context analysis, rather than after implementing risk treatment options. Therefore, the team's approach was in accordance with ISO/IEC 27005, making option C the correct answer.

ISO/IEC 27005:2018, Clause 7, 'Context Establishment,' which outlines the importance of identifying the context, including the interested parties and their requirements, as a basis for risk management.

Question 3

An organization has installed security cameras and alarm systems. What type of information security control has been implemented in this case?

ATechnical

BManagerial

CLegal

Answer : A

Security cameras and alarm systems are considered technical controls in the context of information security. Technical controls, also known as logical controls, involve the use of technology to protect information and information systems. These controls are designed to prevent or detect security breaches and mitigate risks related to physical access and surveillance. While security cameras and alarms are physical in nature, they fall under the broader category of technical controls because they involve electronic monitoring and alert systems. Option B (Managerial) refers to administrative policies and procedures, and option C (Legal) refers to controls related to compliance with laws and regulations, neither of which applies in this case.

Question 4

Does information security reduce the impact of risks?

AYes, information security reduces risks and their impact by protecting the organization against threats and vulnerabilities

BNo, information security does not have an impact on risks as information security and risk management are separate processes

CYes, information security reduces the impact of risks by eliminating the likelihood of exploitation of vulnerabilities by threats

Answer : A

Information security aims to protect information assets against threats and vulnerabilities that could lead to unauthorized access, disclosure, alteration, or destruction. By implementing effective security measures (such as access controls, encryption, and monitoring), an organization reduces the likelihood of vulnerabilities being exploited and mitigates the potential impact of risks. According to ISO/IEC 27005, risk management in information security includes identifying, assessing, and applying controls to reduce both the likelihood and impact of potential risks. Thus, option A is correct because it acknowledges the role of information security in reducing the impact of risks. Option B is incorrect because information security is a key component of risk management, and option C is incorrect because information security does not eliminate risks entirely; it mitigates their impact.

Question 5

Which of the following risk assessment methods provides an information security risk assessment methodology and involves three phases build asset-based threat profiles, identify infrastructure vulnerabilities, and develop security strategy and plans?

AOCTAVE-S

BMEHARI

CTRA

Answer : A

OCTAVE-S (Operationally Critical Threat, Asset, and Vulnerability Evaluation for Small Organizations) is a risk assessment methodology tailored for small organizations. It provides a structured approach for identifying and managing information security risks. The OCTAVE-S method involves three main phases:

Building asset-based threat profiles, where critical assets and their associated threats are identified.

Identifying infrastructure vulnerabilities by assessing the organization's technological infrastructure for weaknesses that could be exploited by threats.

Developing security strategy and plans to address the identified risks and improve the overall security posture.

The OCTAVE-S method aligns with the description provided in the question, making it the correct answer. MEHARI and TRA are other risk assessment methods, but they do not specifically follow the three phases outlined above.

Question 6

Which of the following statements best defines information security risk?

AThe potential that threats will exploit vulnerabilities of an information asset and cause harm to an organization

BWeakness of an asset or control that can be exploited by one or a group of threats

CPotential cause of an unwanted incident related to information security that can cause harm to an organization

Answer : A

Information security risk, as defined by ISO/IEC 27005, is 'the potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization.' This definition emphasizes the interplay between threats (e.g., cyber attackers, natural disasters), vulnerabilities (e.g., weaknesses in software, inadequate security controls), and the potential impact or harm that could result from this exploitation. Therefore, option A is the most comprehensive and accurate description of information security risk. In contrast, option B describes a vulnerability, and option C focuses on the cause of an incident rather than defining risk itself. Option A aligns directly with the risk definition in ISO/IEC 27005.

Question 7

Can organizations obtain certification against ISO 31000?

AYes, organizations of any type or size can obtain certification against ISO 31000

BYes, but only organizations that manufacture products can obtain an ISO 31000 certification

C[No, organizations cannot obtain certification against ISO 31000, as the standard provides only guidelines

Answer : C

ISO 31000 is an international standard that provides guidelines for risk management. It is a framework that helps organizations develop a risk management strategy to effectively manage risk, taking into consideration their specific contexts. However, ISO 31000 is not designed to be used as a certifiable standard; instead, it offers principles, a framework, and a process for managing risk. Unlike other ISO standards, such as ISO/IEC 27001 for information security management systems, which are certifiable, ISO 31000 does not have a certification process because it does not specify any requirements that an organization must comply with. Therefore, option C is the correct answer because ISO 31000 is intended to provide guidelines and is not certifiable.

PECB ISO-IEC-27005-Risk-Manager PECB Certified ISO/IEC 27005 Risk Manager Exam Practice Test