ISO-IEC-27001-Lead-Implementer Self-Study Guide for Becoming a PECB Certified ISO/IEC 27001 Lead Implementer Exam Expert [Q37-Q55]





PECB ISO-IEC-27001-Lead-Implementer certification exam is intended for professionals who are responsible for the implementation and management of an ISMS, including IT managers, security managers, compliance managers, and quality managers. Individuals who are seeking to become certified lead auditors or lead implementers of an ISMS should also consider obtaining this certification. ISO-IEC-27001-Lead-Implementer exam is suitable for individuals who have prior knowledge and experience with information security management systems and the ISO/IEC 27001 standard.


The best resources for preparing for the PECB ISO/IEC 27001 Lead Implementer exam:

All of the resources mentioned above are useful for the PECB ISO/IEC 27001 Lead Implementer certification exam. The practice exams in the VCEDumps software, however, will guide you through the whole preparation process and show you your weak areas in the ISO/IEC 27001 Lead Implementer syllabus. The exam questions help you understand the concepts better and prepare effectively. It is also advisable to refer to study guides for the PECB ISO/IEC 27001 Lead Implementer examination. With the free trial of the training simulator you can complete this self-assessment in a day; with a premium account you can study in depth.

 

NEW QUESTION # 37
Based on scenario 5 (reproduced in full under question 41 below), in which category of the interested parties does the HR manager of Operaze belong?

  • A. Positively influenced interested parties, because the ISMS will increase the effectiveness and efficiency of the HR Department
  • B. Both A and C
  • C. Negatively influenced interested parties, because the HR Department will deal with more documentation

Answer: C


NEW QUESTION # 38
Scenario 7: InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future. Emma, Bob, and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT), and a forensics team. Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively. Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.
Bob, a network expert, will deploy a screened subnet network architecture. This architecture will isolate the demilitarized zone (DMZ), to which hosted public services are attached, and InfoSec's publicly accessible resources from their private network. Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect.
Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand. Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.
Based on this scenario, answer the following question:
Based on his tasks, which team is Bob part of?

  • A. Security architecture team
  • B. Forensics team
  • C. Incident response team

Answer: C

Explanation:
Based on his tasks, Bob is part of the incident response team (IRT) of InfoSec. According to ISO/IEC 27035-2:2023, the IRT is a team of appropriately skilled and trusted members of an organization that responds to and resolves incidents in a coordinated way. One of the tasks of the IRT is to evaluate the nature of an unexpected event, including how the event happened and what or whom it might affect. This matches Bob's responsibility for ensuring that a thorough evaluation of the nature of an unexpected event is conducted. Deploying the screened subnet is a network design task, but the question asks which team his responsibilities place him in, and evaluating events is the IRT's work. Therefore, Bob belongs to the incident response team.
References:
ISO/IEC 27035-2:2023, Information technology - Information security incident management - Part 2: Guidelines to plan and prepare for incident response
Response to Information Security Incidents | ISMS.online


NEW QUESTION # 39
Which of the following is NOT part of the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected?

  • A. Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
  • B. React to the nonconformity, take action to control and correct it, and deal with its consequences
  • C. Communicate the details of the nonconformity to every employee of the organization and suspend the employee that caused the nonconformity

Answer: C


NEW QUESTION # 41
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration testing and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties. In addition, the top management of Operaze decided to include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties. In addition, other specific policies were developed to elaborate on security issues, and roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by the ISMS does not justify its value and that the implementation of the ISMS should be canceled. However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate its physical servers to virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company. Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on scenario 5, in which category of the interested parties does the HR manager of Operaze belong?

  • A. Negatively influenced interested parties, because the HR Department will deal with more documentation
  • B. Positively influenced interested parties, because the ISMS will increase the effectiveness and efficiency of the HR Department
  • C. Both A and B

Answer: A

Explanation:
According to ISO/IEC 27001, interested parties are those who can affect, be affected by, or perceive themselves to be affected by the organization's information security activities, products, or services. Interested parties can be classified into four categories based on their influence and interest in the ISMS:
  • Positively influenced interested parties: those who benefit from the ISMS and support its implementation and operation
  • Negatively influenced interested parties: those who are adversely affected by the ISMS and oppose its implementation and operation
  • High-interest interested parties: those who have a strong interest in the ISMS and its outcomes, regardless of their influence
  • Low-interest interested parties: those who have a weak interest in the ISMS and its outcomes, regardless of their influence
In scenario 5, the HR manager of Operaze belongs to the category of negatively influenced interested parties, because he/she perceives that the ISMS will create more paperwork and documentation for the HR Department, and therefore opposes its implementation and operation. The HR manager sees no benefit from the ISMS and does not support its objectives and requirements.
References:
  • ISO/IEC 27001:2013, clause 4.2: Understanding the needs and expectations of interested parties
  • ISO/IEC 27001:2013, Annex A.16.1.4: Assessment of and decision on information security events
  • ISO/IEC 27001 Lead Implementer Course, Module 2: Introduction to Information Security Management System (ISMS) concepts as required by ISO/IEC 27001
  • ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001
  • ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001
  • ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001
  • ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001
  • ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit


NEW QUESTION # 42
An organization documented each security control that it Implemented by describing their functions in detail.
Is this compliant with ISO/IEC 27001?

  • A. No, because the documented information should have a strict format, including the date, version number and author identification
  • B. Yes, but documenting each security control and not the process in general will make it difficult to review the documented information
  • C. No, the standard requires to document only the operation of processes and controls, so no description of each security control is needed

Answer: B

Explanation:
According to ISO/IEC 27001:2022, clause 7.5, an organization is required to maintain documented information to support the operation of its processes and to have confidence that the processes are being carried out as planned. This includes documenting the information security policy, the scope of the ISMS, the risk assessment and risk treatment processes, the Statement of Applicability, the risk treatment plan, the information security objectives, and the results of monitoring, measurement, analysis, evaluation, internal audit, and management review. However, the standard does not specify the level of detail or the format of the documented information, as long as it is suitable for the organization's needs and context. Therefore, documenting each implemented security control by describing its function in detail is not a violation of the standard, but it may not be the most efficient or effective way to document the ISMS. Documenting each security control separately may make it harder to review, update, and communicate the documented information, and may also create unnecessary duplication or inconsistency. A better approach is to document the processes and activities that involve the use of security controls, and to reference the relevant controls from Annex A or other sources. This way, the documented information is more aligned with the process approach and the Plan-Do-Check-Act cycle that the standard promotes.
References:
  • ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clauses 4.3, 5.2, 6.1, 6.2, 7.5, 8.2, 8.3, 9.1, 9.2, 9.3, and Annex A
  • ISO/IEC 27001:2022 Lead Implementer objectives and content, 4 and 5


NEW QUESTION # 43
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payment systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated with critical assets. To protect customers' information, Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e-commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gained access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Which statement below suggests that Beauty has implemented a managerial control that helps avoid the occurrence of incidents? Refer to scenario 2.

  • A. Beauty's employees signed a confidentiality agreement
  • B. Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information
  • C. Beauty updated the segregation of duties chart

Answer: B

Explanation:
Managerial controls are administrative actions that are designed to prevent or reduce the likelihood of security incidents by influencing human behavior. They include policies, procedures, guidelines, standards, training, and awareness programs. In scenario 2, Beauty has implemented a managerial control by conducting information security awareness sessions for the IT team and other employees that have access to confidential information. These sessions aim to educate the staff on the importance of system and network security, the potential threats and vulnerabilities, and the best practices to follow to avoid the occurrence of incidents. By raising the level of awareness and knowledge of the employees, Beauty can reduce the human errors and negligence that might compromise the security of the information assets.
References: ISO/IEC 27001:2022 Lead Implementer Course Content, Module 7: Implementation of an ISMS based on ISO/IEC 27001:2022; ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, Clause 7.3: Awareness; ISO/IEC 27002:2022 Information security controls, control 6.3: Information security awareness, education and training


NEW QUESTION # 44
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payment systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated with critical assets. To protect customers' information, Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e-commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gained access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Based on scenario 2, which information security principle is the IT team aiming to ensure by establishing a user authentication process that requires user identification and password when accessing sensitive information?

  • A. Confidentiality
  • B. Integrity
  • C. Availability

Answer: A

Explanation:
Confidentiality is one of the three information security principles, along with integrity and availability, that form the CIA triad. Confidentiality means protecting information from unauthorized access or disclosure, and ensuring that only those who are authorized to view or use it can do so. Confidentiality is essential for preserving the privacy and trust of the information owners, such as customers, employees, or business partners.
The IT team of Beauty is aiming to ensure confidentiality by establishing a user authentication process that requires user identification and password when accessing sensitive information. User authentication is a security control that verifies the identity and credentials of the users who attempt to access a system or network, and grants or denies them access based on their authorization level. User authentication helps to prevent unauthorized users, such as hackers, competitors, or malicious insiders, from accessing confidential information that they are not supposed to see or use. User authentication also helps to create an audit trail that records who accessed what information and when, which can be useful for accountability and compliance purposes.
References:
  • ISO/IEC 27001:2022 Lead Implementer Course Guide
  • ISO/IEC 27001:2022 Lead Implementer Info Kit
  • ISO/IEC 27001:2022 Information Security Management Systems - Requirements
  • ISO/IEC 27002:2022 Information security controls
  • What is Information Security | Policy, Principles & Threats | Imperva
  • What is information security? Definition, principles, and jobs
  • What is Information Security? Principles, Types - KnowledgeHut
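The following is an added example, not part of the original question or of the PECB course material, showing in Python the control the explanation describes: a user is authenticated by user identification and password, access to a sensitive resource is granted only if the verified identity also holds the required authorization level, and every attempt is written to an audit trail recording who tried to access what, when, and with which outcome. The user store, account names, passwords, clearance levels and the resource name are constructed for illustration; storing passwords as salted PBKDF2 hashes rather than in clear text is an assumption of this example, not something the scenario specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (chosen for illustration).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The clear-text password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class User:
    user_id: str
    salt: bytes
    pw_hash: bytes
    clearance: str  # constructed authorization levels: "public" or "sensitive"


@dataclass
class AuditTrail:
    """Records who attempted to access what, when, and with which outcome."""
    entries: List[dict] = field(default_factory=list)

    def record(self, user_id: str, resource: str, outcome: str) -> None:
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "resource": resource,
            "outcome": outcome,
        })


def build_user_store() -> Dict[str, User]:
    """Constructed sample accounts (hypothetical; not from the scenario)."""
    store: Dict[str, User] = {}
    for user_id, password, clearance in (
        ("alice", "correct horse battery staple", "sensitive"),
        ("bob", "summer2024!", "public"),
    ):
        salt, digest = hash_password(password)
        store[user_id] = User(user_id, salt, digest, clearance)
    return store


# Dummy salt so an unknown user ID still costs one KDF run (no timing oracle
# that reveals which user IDs exist).
_DUMMY_SALT = b"\x00" * 16


def authenticate(store: Dict[str, User], user_id: str, password: str) -> Optional[User]:
    """Verify identity and credential; return the User on success, else None."""
    user = store.get(user_id)
    salt = user.salt if user is not None else _DUMMY_SALT
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the derived hash against the stored one.
    if user is None or not hmac.compare_digest(candidate, user.pw_hash):
        return None
    return user


def access_sensitive(store: Dict[str, User], audit: AuditTrail,
                     user_id: str, password: str,
                     resource: str = "customer_records.csv") -> bool:
    """Grant access to a sensitive resource only to an authenticated user
    whose clearance allows it, and log every attempt to the audit trail."""
    user = authenticate(store, user_id, password)
    if user is None:
        audit.record(user_id, resource, "denied: authentication failed")
        return False
    if user.clearance != "sensitive":
        audit.record(user_id, resource, "denied: not authorized")
        return False
    audit.record(user_id, resource, "granted")
    return True


if __name__ == "__main__":
    store = build_user_store()
    audit = AuditTrail()
    access_sensitive(store, audit, "alice", "correct horse battery staple")
    access_sensitive(store, audit, "bob", "summer2024!")
    access_sensitive(store, audit, "mallory", "guess")
    for entry in audit.entries:
        print(entry)
```

Authentication (is this really alice?) and authorization (may alice read this file?) are kept as separate checks, and both failures are logged with distinct outcomes so the audit trail can later answer the accountability question the explanation mentions.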


NEW QUESTION # 45
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a combined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit. The company decided not to conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off-site. Furthermore, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement. The company asserted that the same audit team leader had issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body. Based on the scenario above, answer the following question:
Does NetworkFuse fulfill the prerequisites for a certification audit?

  • A. Yes, because the certification body has been selected
  • B. Yes, because internal audits and management reviews have been performed
  • C. Yes, because the ISMS must be operational for at least one year prior to the certification audit

Answer: B

Explanation:
According to ISO/IEC 27006:2015, the prerequisites for a certification audit are:
  • The ISMS must have been operational for a period of time that is sufficient to demonstrate its effectiveness and performance.
  • The organization must have conducted at least one internal audit and one management review of the ISMS prior to the certification audit.
  • The organization must provide the certification body with access to all the relevant documented information, records, personnel, and facilities related to the ISMS.
In the scenario, NetworkFuse has fulfilled these prerequisites, as it has had an operational ISMS for approximately two years and has performed internal audits and management reviews. Therefore, the correct answer is B. Option A is insufficient on its own (selecting a certification body is not evidence that the ISMS is ready), and option C states a requirement that the standard does not impose: no fixed minimum operating period such as one year is prescribed, only enough operation to demonstrate effectiveness.
References: ISO/IEC 27006:2015, clauses 9.1.1, 9.1.2, and 9.2.1.


NEW QUESTION # 46
Kyte, a company that has an online shopping website, has added a Q&A section to its website; however, its Customer Service Department almost never provides answers to users' questions. Which principle of an effective communication strategy has Kyte not followed?

  • A. Appropriateness
  • B. Clarity
  • C. Responsiveness

Answer: C

Explanation:
Responsiveness means that the organization actually replies to the questions, requests, and feedback it receives through its communication channels, and does so within a reasonable time. Kyte opened a channel, the Q&A section, but its Customer Service Department almost never answers the questions submitted through it, so the channel does not respond to the interested parties who use it. Appropriateness (choosing a channel and content suited to the audience) and clarity (making the message easy to understand) are not the principles at issue here: the problem is not the form of the answers but their absence.


NEW QUESTION # 47
Who should be involved, among others, in the draft, review, and validation of information security procedures?

  • A. The employees in charge of ISMS operation
  • B. The information security committee
  • C. An external expert

Answer: B

Explanation:
According to ISO/IEC 27001:2022, clause 7.5.3, the organization shall ensure that the documented information required by the ISMS and by the standard is controlled to ensure that it is available and suitable for use, where and when it is needed, and that it is adequately protected. This includes ensuring that the documented information is reviewed and approved for suitability and adequacy (clause 7.5.2). The information security procedures are part of the documented information that supports the operation of the ISMS processes and the implementation of the information security controls. Therefore, they should be drafted, reviewed, and validated by the information security committee, which is the group of people responsible for overseeing the ISMS and ensuring its alignment with the organization's objectives and strategy. The information security committee should include representatives from different functions and levels of the organization, as well as external experts if needed. The information security committee should also ensure that the information security procedures are communicated to the relevant employees and other interested parties, and that they are periodically reviewed and updated as necessary.
References:
  • ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clauses 5.3, 7.5.2, 7.5.3, and 9.3
  • ISO/IEC 27001:2022 Lead Implementer objectives and content, 4 and 5


NEW QUESTION # 48
Based on scenario 6, when should Colin deliver the next training and awareness session?

  • A. After he determines the employees' availability and motivation
  • B. After he ensures that the group of employees targeted have satisfied the organization's needs
  • C. After he conducts a competence needs analysis and records the competence related issues

Answer: C


NEW QUESTION # 49
What supports the continual improvement of an ISMS?

  • A. The update of action plans
  • B. The update of external audit reports
  • C. The update of documented information

Answer: C

Explanation:
According to ISO/IEC 27001:2022, the organization shall control planned changes and review the consequences of unintended changes to the ISMS (clause 8.1), and shall continually improve the suitability, adequacy and effectiveness of the ISMS (clause 10.1). The standard also requires documented information to be controlled so that it remains available and suitable for use (clause 7.5.3), which means updating it to reflect such changes and the results of the improvement process. Therefore, the update of documented information supports the continual improvement of the ISMS by ensuring that the ISMS is aligned with the current and future needs and expectations of the organization and its interested parties.
References:
  • ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements
  • ISO/IEC 27001 Lead Implementer Info Kit
  • Continual Improvement For ISO 27001 Requirement 10.2


NEW QUESTION # 50
Which option below should be addressed in an information security policy?

  • A. Actions to be performed after an information security incident
  • B. Legal and regulatory obligations imposed upon the organization
  • C. The complexity of information security processes and their interactions

Answer: B

Explanation:
According to the ISO/IEC 27001:2022 standard, an information security policy is a high-level document that defines the management approach and objectives for information security within the organization. It should include, among other things, the legal and regulatory obligations imposed upon the organization, such as compliance with laws, contracts, agreements, and standards that are relevant to information security. The information security policy should also provide the basis for establishing, implementing, maintaining, and continually improving the information security management system (ISMS).
References:
ISO/IEC 27001:2022, Clause 5.2 Policy
ISO/IEC 27002:2022, Clause 5.1 Policies for information security
PECB ISO/IEC 27001 Lead Implementer Course, Module 3: Information Security Management System (ISMS)


NEW QUESTION # 51
Which of the following statements regarding information security risk is NOT correct?

  • A. Information security risk can be expressed as the effect of uncertainty on information security objectives
  • B. Information security risk is associated with the potential that the vulnerabilities of an information asset may be exploited by threats
  • C. Information security risk cannot be accepted without being treated or during the process of risk treatment

Answer: C

Explanation:
ISO/IEC 27001:2022 requires the organization to select appropriate risk treatment options (clause 6.1.3), and accepting (retaining) a risk is one of the four options described in ISO/IEC 27005, alongside avoiding, modifying, or sharing the risk. Risk acceptance means that the organization decides to tolerate the level of risk without taking any further action to reduce it. Risk acceptance can be done before, during, or after the risk treatment process, depending on the organization's risk acceptance criteria and the residual risk level. Statement C is therefore incorrect.
References:
  • ISO 27001 Risk Assessments | IT Governance UK
  • ISO 27001 Risk Assessment: 7 Step Guide - IT Governance UK Blog
  • ISO 27001 Clause 6.1.2 Information security risk assessment process
  • ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide - Advisera


NEW QUESTION # 52
What should an organization allocate to ensure the maintenance and improvement of the information security management system?

  • A. The documented information required by ISO/IEC 27001
  • B. Sufficient resources, such as the budget, qualified personnel, and required tools
  • C. The appropriate transfer to operations

Answer: B

Explanation:
According to ISO/IEC 27001:2022, clause 7.1, the organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS. Such resources include the budget, personnel with the necessary competence (clause 7.2), and the tools and infrastructure required to operate and monitor the controls. Documented information (option A) is something the organization must maintain and control, not something it allocates, and the transfer to operations (option C) is a step in the implementation project rather than a resource. Therefore, the correct answer is B.
References: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clauses 7.1 and 7.2.


NEW QUESTION # 53
Scenario 4: TradeB, a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001. Having no experience of a management system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives. Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category. They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity. Lastly, they drafted a risk assessment report, in which they wrote that if, after the implementation of these security controls, the level of risk is below the acceptable level, the risks will be accepted. Based on the scenario above, answer the following question:
The decision to treat only risks that were classified as high indicates that TradeB has:

  • A. Accepted other risk categories based on risk acceptance criteria
  • B. Modified other risk categories based on risk evaluation criteria
  • C. Evaluated other risk categories based on risk treatment criteria

Answer: A

Explanation:
According to ISO/IEC 27001:2022, risk acceptance criteria are the criteria used to decide whether a risk can be accepted or not. Risk acceptance criteria are often based on a maximum level of acceptable risk, on cost-benefit considerations, or on the consequences for the organization. In the scenario, TradeB decided to treat only the high risk category, which implies that


NEW QUESTION # 54
What is an example of a good physical security measure?

  • A. Printers that are defective or have been replaced are immediately removed and given away as garbage for recycling.
  • B. All employees and visitors carry an access pass.
  • C. Maintenance staff can be given quick and unimpeded access to the server area in the event of disaster.

Answer: B


NEW QUESTION # 55
......

Valid ISO-IEC-27001-Lead-Implementer Exam Dumps Ensure you a HIGH SCORE: https://www.vcedumps.com/ISO-IEC-27001-Lead-Implementer-examcollection.html

ISO-IEC-27001-Lead-Implementer Questions & Practice Test are Available On-Demand: https://drive.google.com/open?id=1TM4RQyvaBIyODc0M8u4iHEzZ5Sz2jz_0