[Q27-Q52] Accurate & Verified 2026 New ISO-IEC-27035-Lead-Incident-Manager Answers As Experienced in the Actual Test!

Accurate & Verified 2026 New ISO-IEC-27035-Lead-Incident-Manager Answers As Experienced in the Actual Test!

ISO-IEC-27035-Lead-Incident-Manager Certification Sample Questions certification Exam

PECB ISO-IEC-27035-Lead-Incident-Manager Exam Syllabus Topics:

Topic	Details
Topic 1	Designing and developing an organizational incident management process based on ISO IEC 27035: This section of the exam measures skills of Information Security Analysts and covers how to tailor the ISO IEC 27035 framework to the unique needs of an organization, including policy development, role definition, and establishing workflows for handling incidents.
Topic 2	Information security incident management process based on ISO IEC 27035: This section of the exam measures skills of Incident Response Managers and covers the standardized steps and processes outlined in ISO IEC 27035. It emphasizes how organizations should structure their incident response lifecycle from detection to closure in a consistent and effective manner.
Topic 3	Fundamental principles and concepts of information security incident management: This section of the exam measures skills of Information Security Analysts and covers the core ideas behind incident management, including understanding what constitutes a security incident, why timely responses matter, and how to identify the early signs of potential threats.
Topic 4	Preparing and executing the incident response plan for information security incidents: This section of the exam measures skills of Incident Response Managers and covers the preparation and activation of incident response plans. It focuses on readiness activities such as team training, resource allocation, and simulation exercises, along with actual response execution when incidents occur.

NEW QUESTION # 27
Scenario 4: ORingo is a company based in Krakow, Poland, specializing in developing and distributing electronic products for health monitoring and heart rate measurement applications. With a strong emphasis on innovation and technological advancement, ORingo has established itself as a trusted provider of high-quality, reliable devices that enhance the well being and healthcare capabilities of individuals and healthcare professionals alike.
As part of its commitment to maintaining the highest standards of information security, ORingo has established an information security incident management process This process aims to ensure that any potential threats are swiftly identified, assessed, and addressed to protect systems and information. However, despite these measures, an incident response team member at ORingo recently detected a suspicious state in their systems operational data, leading to the decision to shut down the company-wide system until the anomaly could be thoroughly investigated Upon detecting the threat, the company promptly established an incident response team to respond to the incident effectively. The team's responsibilities encompassed identifying root causes, uncovering hidden vulnerabilities, and implementing timely resolutions to mitigate the impact of the incident on ORingo's operations and customer trust.
In response to the threat detected across its cloud environments. ORingo employed a sophisticated security tool that broadened the scope of incident detection and mitigation This tool covers network traffic, doud environments, and potential attack vectors beyond traditional endpoints, enabling ORingo to proactively defend against evolving cybersecurity threats During a routine check, the IT manager at ORingo discovered that multiple employees lacked awareness of proper procedures following the detection of a phishing email. In response, immediate training sessions on information security policies and incident response were scheduled for all employees, emphasizing the importance of vigilance and adherence to established protocols in safeguarding ORingo's sensitive data and assets.
As part of the training initiative. ORingo conducted a simulated phishing attack exercise to assess employee response and knowledge. However, an employee inadvertently informed an external partner about the 'attack'' during the exercise, highlighting the importance of ongoing education and reinforcement of security awareness principles within the organization.
Through its proactive approach to incident management and commitment to fostering a culture of security awareness and readiness. ORingo reaffirms its dedication to safeguarding the integrity and confidentiality of its electronic products and ensuring the trust and confidence of its customers and stakeholders worldwide.
Based on the scenario above, answer the following question:
After identifying a suspicious state in ORingo's system, a member of the IRT initiated a company-wide system shutdown until the anomaly was investigated. Is this acceptable?

A. Yes, the correct action is to initiate a company-wide system shutdown until the anomaly is investigated
B. No, the IRT should have determined the facts that enable detection of the event occurrence
C. No, the IRT should have immediately informed all employees about the potential data breach

Answer: B

Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-1:2016, particularly in Clause 6.2.2 (Assess and Decide), the organization must first assess the reported event to determine whether it qualifies as a security incident before implementing disruptive responses such as a full system shutdown.
Initiating a shutdown without first determining the cause, impact, or whether it's a confirmed incident can lead to unnecessary operational disruption and loss of services. The proper approach is to collect evidence, analyze system behavior, and make informed decisions based on risk level and confirmed facts.
Option B best reflects the required approach: The IRT should first determine the facts that enable detection and validation of the event's occurrence and impact before initiating drastic action like shutting down critical systems.
Reference:
ISO/IEC 27035-1:2016, Clause 6.2.2 - "An analysis should be conducted to determine whether the event should be treated as an information security incident." Clause 6.2.3 - "Response should be proportionate to the impact and type of the incident." Therefore, the correct answer is B.
-

NEW QUESTION # 28
Which of the following is NOT an example of technical control?

A. Implementing surveillance cameras
B. Implementing a policy for regular password changes
C. Installing a firewall to protect the network

Answer: B

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27002:2022 (and earlier versions), information security controls can be broadly categorized into three types: technical (also called logical), physical, and administrative (or organizational) controls.
Technical controls (also known as logical controls) involve the use of software and hardware to protect assets.
Examples include:
Firewalls
Intrusion detection systems
Encryption
Access control mechanisms
Physical controls are designed to prevent physical access to IT systems and include things such as:
Surveillance cameras
Security guards
Biometric access systems
Administrative controls, also called management or procedural controls, include the policies, procedures, and guidelines that govern the organization's security practices. These include:
Security awareness training
Acceptable use policies
Password policies
Option A, "Implementing a policy for regular password changes," is an administrative control, not a technical one. It dictates user behavior through rules and policy enforcement, but does not technically enforce the change itself unless paired with technical enforcement (like system settings).
Option B, surveillance cameras, are physical controls, and option C, installing a firewall, is a classic example of a technical control.
Reference Extracts:
ISO/IEC 27002:2022, Clause 5.1 - "Information security controls can be administrative (policy-based), technical, or physical depending on their form and implementation." NIST SP 800-53, Control Families - Differentiates between management, operational, and technical controls.
Therefore, the correct answer is A: Implementing a policy for regular password changes.
-

NEW QUESTION # 29
Scenario 6: EastCyber has established itself as a premier cyber security company that offers threat detection, vulnerability assessment, and penetration testing tailored to protect organizations from emerging cyber threats. The company effectively utilizes ISO/IEC 27035-1 and 27035-2 standards, enhancing its capability to manage information security incidents.
EastCyber appointed an information security management team led by Mike. Despite limited resources, Mike and the team implemented advanced monitoring protocols to ensure that every device within the company's purview is under constant surveillance. This monitoring approach is crucial for covering everything thoroughly, enabling the information security and cyber management team to proactively detect and respond to any sign of unauthorized access, modifications, or malicious activity within its systems and networks.
A recent incident involving unauthorized access to company phones highlighted the critical nature of incident management. Nate, the incident coordinator, quickly prepared an exhaustive incident report. His report detailed an analysis of the situation, identifying the problem and its cause. In response to the incident, EastCyber addressed the exploited vulnerabilities. This action started the eradication phase, aimed at systematically eliminating the elements of the incident.
Based on scenario 6, answer the following:
EastCyber decided to address vulnerabilities exploited during an incident as part of the eradication phase, to eradicate the elements of the incident. Is this approach acceptable?

A. No, vulnerabilities exploited during an incident should be addressed during the recovery phase
B. No, vulnerabilities exploited during an incident should be addressed during the containment phase
C. Addressing vulnerabilities exploited during an incident is appropriate during the eradication phase

Answer: C

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, the eradication phase of incident management is defined as the stage in which the causes and components of the incident-such as malware, unauthorized access points, or system vulnerabilities-are completely removed or neutralized.
Clause 6.4.5 of ISO/IEC 27035-2 clearly outlines that the eradication phase includes actions to eliminate the root causes of incidents, which may include fixing exploited vulnerabilities and removing malicious code.
This ensures that the underlying issues that allowed the incident to occur are effectively resolved, reducing the risk of recurrence.
While containment aims to limit the damage and prevent the spread of an incident, it is not intended for remediation of vulnerabilities. Similarly, the recovery phase focuses on restoring services and returning systems to normal operations after the threat has been eradicated.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 6.4.5: "The eradication phase includes removing the root cause of the incident (e.g., patching vulnerabilities, deleting malware, and closing open ports)." Clause 6.4.3: "Containment is primarily focused on limiting the scope and impact, not resolving root causes." Correct answer: A

NEW QUESTION # 30
Scenario 7: Located in central London, Konzolo has become a standout innovator in the cryptocurrency field.
By introducing its unique cryptocurrency, Konzolo has contributed to the variety of digital currencies and prioritized enhancing the security and reliability of its offerings.
Konzolo aimed to enhance its systems but faced challenges in monitoring the security of its own and third- party systems. These issues became especially evident during an incident that caused several hours of server downtime This downtime was primarily caused by a third-party service provider that failed to uphold strong security measures, allowing unauthorized access.
In response to this critical situation, Konzolo strengthened its information security infrastructure. The company initiated a comprehensive vulnerability scan of its cryptographic wallet software, a cornerstone of its digital currency offerings The scan revealed a critical vulnerability due to the software using outdated encryption algorithms that are susceptible to decryption by modern methods that posed a significant risk of asset exposure Noah, the IT manager, played a central role in this discovery With careful attention to detail, he documented the vulnerability and communicated the findings to the incident response team and management.
Acknowledging the need for expertise in navigating the complexities of information security incident management. Konzolo welcomed Paulina to the team. After addressing the vulnerability and updating the cryptographic algorithms, they recognized the importance of conducting a thorough investigation to prevent future vulnerabilities. This marked the stage for Paulina s crucial involvement. She performed a detailed forensic analysis of the incident, employing automated and manual methods during the collection phase. Her analysis provided crucial insights into the security breach, enabling Konzolo to understand the depth of the vulnerability and the actions required to mitigate it.
Paulina also played a crucial role in the reporting phase, as her comprehensive approach extended beyond analysis. By defining clear and actionable steps for future prevention and response, she contributed significantly to developing a resilient information security incident management system based on ISO/IEC
27035-1 and 27035-2 guidelines. This strategic initiative marked a significant milestone in Konzolo's quest to strengthen its defenses against cyber threats Based on scenario 7, which phase of forensic analysis did Paulina fail to conduct correctly?

A. Reporting
B. Analysis
C. Collection

Answer: C

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
As detailed in scenario 7 and reinforced in the previous question, Paulina began her forensic work after the system was restored-missing the critical Collection phase as defined in ISO/IEC 27043 and referenced in ISO/IEC 27035-2.
Forensic collection involves gathering volatile and non-volatile data (e.g., logs, RAM dumps, file artifacts) at the earliest possible moment in the incident lifecycle to avoid data loss. By waiting until after recovery, she likely compromised the chain of custody and the completeness of her evidence.
The scenario notes that her analysis and reporting were thorough, providing valuable insights and mitigation strategies. Thus, the failure lies in the timing and execution of the Collection phase.
Reference:
* ISO/IEC 27035-2:2016, Clause 6.4.2 and 7.2.3: "Collection activities should begin immediately upon identifying a potential incident and before recovery begins."
* ISO/IEC 27043:2015, Clause 8.2.1: "Forensic collection is critical to ensuring reliable analysis and admissible evidence." Correct answer: A
-
-

NEW QUESTION # 31
Scenario 6: EastCyber has established itself as a premier cyber security company that offers threat detection, vulnerability assessment, and penetration testing tailored to protect organizations from emerging cyber threats. The company effectively utilizes ISO/IEC 27035*1 and 27035-2 standards, enhancing its capability to manage information security incidents.
EastCyber appointed an information security management team led by Mike Despite limited resources, Mike and the team implemented advanced monitoring protocols to ensure that every device within the company's purview is under constant surveillance This monitoring approach is crucial for covering everything thoroughly, enabling the information security and cyber management team to proactively detect and respond to any sign of unauthorized access, modifications, or malicious activity within its systems and networks.
In addition, they focused on establishing an advanced network traffic monitoring system This system carefully monitors network activity, quickly spotting and alerting the security team to unauthorized actions This vigilance is pivotal in maintaining the integrity of EastCyber's digital infrastructure and ensuring the confidentiality, availability, and integrity of the data it protects.
Furthermore, the team focused on documentation management. They meticulously crafted a procedure to ensure thorough documentation of information security events. Based on this procedure, the company would document only the events that escalate into high-severity incidents and the subsequent actions. This documentation strategy streamlines the incident management process, enabling the team to allocate resources more effectively and focus on incidents that pose the greatest threat.
A recent incident involving unauthorized access to company phones highlighted the critical nature of incident management. Nate, the incident coordinator, quickly prepared an exhaustive incident report. His report detailed an analysis of the situation, identifying the problem and its cause. However, it became evident that assessing the seriousness and the urgency of a response was inadvertently overlooked.
In response to the incident, EastCyber addressed the exploited vulnerabilities. This action started the eradication phase, aimed at systematically eliminating the elements of the incident. This approach addresses the immediate concerns and strengthens EastCyber's defenses against similar threats in the future.
According to scenario 6, Nate compiled a detailed incident report that analyzed the problem and its cause but did not evaluate the incident's severity and response urgency. Does this align with the ISO/IEC 27035-1 guidelines?

A. No, as the report did not include a comprehensive list of all employees who accessed the system within
24 hours before the incident
B. Yes. Nate included all the elements required by ISO/IEC 27035-1
C. No, Nate overlooked the necessity of assessing the seriousness and the urgency of the response

Answer: C

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1:2016 emphasizes that part of the incident handling process-particularly during assessment and documentation-must include evaluation of both the seriousness (severity) and urgency (criticality) of the incident.
Clause 6.4.2 requires that an incident's potential impact and required response timelines be assessed promptly to determine appropriate action. Nate's omission of this evaluation, despite creating a technically sound report, means that the organization could misjudge the incident's risk, delay appropriate response, or fail to meet notification obligations.
Option A is incorrect because ISO/IEC 27035 explicitly lists impact and urgency as required analysis elements. Option C, while possibly helpful in forensic analysis, is not a required component per the standard.
Reference:
ISO/IEC 27035-1:2016, Clause 6.4.2: "Assess the impact, severity, and urgency of the incident to determine the necessary response and escalation procedures." Clause 6.5.4: "An incident report should include an evaluation of incident criticality to inform decision- making." Correct answer: B Each includes the correct answer, detailed justification, and citation from ISO/IEC 27035 standards.
-

NEW QUESTION # 32
Scenario 1: RoLawyers is a prominent legal firm based in Guadalajara, Mexico. It specializes in a wide range of legal services tailored to meet the diverse needs of its clients. Committed to excellence and integrity, RoLawyers has a reputation for providing legal representation and consultancy to individuals, businesses, and organizations across various sectors.
Recognizing the critical importance of information security in today's digital landscape, RoLawyers has embarked on a journey to enhance its information security measures. This company is implementing an information security incident management system aligned with ISO/IEC 27035-1 and ISO/IEC 27035-2 guidelines. This initiative aims to strengthen RoLawyers' protections against possible cyber threats by implementing a structured incident response process to provide guidance on establishing and maintaining a competent incident response team.
After transitioning its database from physical to online infrastructure to facilitate seamless information sharing among its branches, RoLawyers encountered a significant security incident. A malicious attack targeted the online database, overloading it with traffic and causing a system crash, making it impossible for employees to access it for several hours.
In response to this critical incident, RoLawyers quickly implemented new measures to mitigate the risk of future occurrences. These measures included the deployment of a robust intrusion detection system (IDS) designed to proactively identify and alert the IT security team of potential intrusions or suspicious activities across the network infrastructure. This approach empowers RoLawyers to respond quickly to security threats, minimizing the impact on their operations and ensuring the continuity of its legal services.
By being proactive about information security and incident management, RoLawyers shows its dedication to protecting sensitive data, keeping client information confidential, and earning the trust of its stakeholders.
Using the latest practices and technologies, RoLawyers stays ahead in legal innovation and is ready to handle cybersecurity threats with resilience and careful attention.
According to scenario 1, what information security incident did RoLawyers face?

A. Denial-of-service attack
B. Malware attack
C. Man-in-the-middle attack

Answer: A

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016, an information security incident is any event that compromises the confidentiality, integrity, or availability of information. In this scenario, RoLawyers experienced an attack where their online database was overloaded with excessive traffic, resulting in a system crash. This incident made it impossible for employees to access the database for several hours.
This type of event is characteristic of a Denial-of-Service (DoS) attack. ISO/IEC 27035-1 Annex B provides examples of typical incidents, and one example includes "network-based attacks, including denial-of-service attacks." A DoS attack typically aims to make a service or resource unavailable to its intended users by overwhelming it with traffic.
There is no indication in the scenario that the attackers were intercepting communications (as would be seen in a Man-in-the-Middle attack) or installing malware to damage or steal data. The nature of the attack- excess traffic causing a crash-clearly aligns with the definition of a DoS attack.
Reference Extracts:
ISO/IEC 27035-1:2016, Clause B.2.1 (Examples of incident types): "Denial-of-service (DoS) attacks cause disruption or degradation of services." ISO/IEC 27035-1:2016, Clause 4.1: "An incident can result from deliberate attacks such as DoS, malicious code, or unauthorized access." Therefore, the incident faced by RoLawyers was a Denial-of-Service attack.
-

NEW QUESTION # 33
What is the purpose of incident identification in the incident response process?

A. To conduct a preliminary assessment of the incident
B. To collect all data related to the incident, including information from affected systems, network logs, user accounts, and any other relevant sources
C. To recognize incidents through various methods like intrusion detection systems and employee reports

Answer: C

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Incident identification is the first operational step in the incident response process. It involves detecting unusual or suspicious activity and recognizing whether it constitutes an information security incident. ISO
/IEC 27035-1:2016 describes various sources of detection, such as:
Security monitoring tools (e.g., IDS/IPS)
User reports or helpdesk notifications
Automated alerts from applications or infrastructure
The goal at this stage is not to collect detailed forensic data or conduct deep analysis, but rather to determine whether the activity warrants classification as a potential incident and to escalate accordingly.
Reference:
ISO/IEC 27035-1:2016, Clause 6.2.1: "Incident identification involves recognizing the occurrence of an event that could be an information security incident." Correct answer: C
-

NEW QUESTION # 34
What is the purpose of a gap analysis?

A. To identify the differences between current processes and company policies
B. To assess risks associated with identified gaps in current practices compared to best practices
C. To determine the steps to achieve a desired future state from the current state

Answer: C

Explanation:
Comprehensive and Detailed Explanation:
Gap analysis is a structured method used to compare the current state of processes, capabilities, or systems against a desired or required state (such as compliance with ISO standards). The main goal is to determine what needs to change to achieve that future state. While identifying gaps (A) and assessing risks (C) may occur during the process, the primary purpose is strategic planning and improvement.
Reference:
ISO/IEC 27001 Implementation Guidelines, Clause 0.3: "Gap analysis is used to evaluate the difference between current practices and ISO requirements and to define actions to meet compliance." Correct answer: B
-

NEW QUESTION # 35
What is the first step in planning the response to information security incidents?

A. Defining the response classification
B. Assigning the response class based on incident information
C. Developing processes that support the response to information security incidents

Answer: A

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
In ISO/IEC 27035-2:2016, the planning phase of incident response starts with establishing a classification system. Response classification is essential to ensure that incidents are assessed and categorized in a consistent manner, allowing appropriate response measures to be applied. This classification forms the foundation for selecting the right procedures, team involvement, and communication protocols.
Assigning a response class (Option A) is a subsequent step that occurs once an incident is analyzed and matched to a pre-defined category. Developing response processes (Option B) is important but comes after the classification model is defined.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 6.3.2: "The response planning process begins with the classification of potential incidents to determine the required actions and responsibilities." Clause 7.2.2: "Defining response classes helps the organization decide how to handle specific categories of incidents." Correct answer: C
-

NEW QUESTION # 36
Based on ISO/IEC 27035-2, which of the following is an example of evaluation activities used to evaluate the effectiveness of the incident management team?

A. Evaluating the capabilities and services once they become operational
B. Analyzing the lessons learned once an information security incident has been handled and closed
C. Conducting information security testing, particularly vulnerability assessment

Answer: B

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-2:2016 Clause 7.4.3 emphasizes the role of lessons learned reviews as key evaluation activities for assessing the performance of incident response teams. This activity involves post-incident debriefs to evaluate what went right or wrong and how response processes or team functions could improve.
While options A and C are related to broader security or deployment procedures, Option B directly reflects a formal evaluation mechanism used to gauge incident team effectiveness.
Reference:
ISO/IEC 27035-2:2016 Clause 7.4.3: "Lessons learned should be documented and used to evaluate the effectiveness of the incident management process." Correct answer: B
-

NEW QUESTION # 37
Scenario 5: Located in Istanbul, Turkey, Alura Hospital is a leading medical institution specializing in advanced eye surgery and vision care. Renowned for its modern facilities, cutting-edge technology, and highly skilled staff, Alura Hospital is committed to delivering exceptional patient care. Additionally, Alura Hospital has implemented the ISO/IEC 27035 standards to enhance its information security incident management practices.
At Alura Hospital, the information security incident management plan is a critical component of safeguarding patient data and maintaining the integrity of its medical services. This comprehensive plan includes instructions for handling vulnerabilities discovered during incident management. According to this plan, when new vulnerabilities are discovered, Mehmet is appointed as the incident handler and is authorized to patch the vulnerabilities without assessing their potential impact on the current incident, prioritizing patient data security above all else.
Recognizing the importance of a structured approach to incident management, Alura Hospital has established four teams dedicated to various aspects of incident response. The planning team focuses on implementing security processes and communicating with external organizations. The monitoring team is responsible for security patches, upgrades, and security policy implementation. The analysis team adjusts risk priorities and manages vulnerability reports, while the test and evaluation team organizes and performs incident response tests to ensure preparedness.
During an incident management training session, staff members at Alura Hospital were provided with clear roles and responsibilities. However, a technician expressed uncertainty about their role during a data integrity incident, as the manager assigned them a role unrelated to their expertise. This decision was made to ensure that all staff members possess versatile skills and are prepared to handle various scenarios effectively.
Additionally, Alura Hospital realized it needed to communicate better with stakeholders during security incidents. The hospital discovered it was not adequately informing stakeholders and that relevant information must be provided using formats, language, and media that meet their needs. This would enable them to participate fully in the incident response process and stay informed about potential risks and mitigation strategies.
Also, the hospital has experienced frequent network performance issues affecting critical hospital systems and increased sophisticated cyberattacks designed to bypass traditional security measures. So, it has deployed an external firewall. This action is intended to strengthen the hospital's network security by helping detect threats that have already breached the perimeter defenses. The firewall's implementation is a part of the hospital's broader strategy to maintain a robust and secure IT infrastructure, which is crucial for protecting sensitive patient data and ensuring the reliability of critical hospital systems. Alura Hospital remains committed to integrating state-of-the-art technology solutions to uphold the highest patient care and data security standards.
Based on scenario 5, the hospital decided to deploy an external firewall to detect threats that have already breached the perimeter defenses in response to frequent network performance issues affecting critical hospital systems. Is this recommended?

A. No, they should have implemented a cloud-based antivirus solution instead of deploying an external firewall
B. Deploying an external firewall to detect threats that have already breached the perimeter defenses
C. No, they should have deployed an intrusion detection system to identify and alert the incident response team of the breach

Answer: B

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-2:2016 (Information Security Incident Management - Part 2: Guidelines to Plan and Prepare for Incident Response) provides specific guidance on implementing protective technologies that enhance detection, prevention, and response to information security incidents. Among the recommendations, deploying firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and other layered security mechanisms are considered essential practices in ensuring network and system resilience.
In this case, Alura Hospital experienced repeated network performance issues and targeted cyberattacks. Their decision to deploy an external firewall is appropriate and aligns with best practices outlined in ISO/IEC
27035-2, especially for a healthcare institution handling sensitive patient data. External firewalls act as a network barrier that not only prevents unauthorized access but also helps monitor and detect anomalies or threats that may have already breached traditional perimeter defenses. This is particularly important in environments where traditional safeguards are being bypassed by sophisticated attackers.
While intrusion detection systems (option C) are also important, the scenario mentions that the firewall is being used as part of a broader layered defense system and is meant to detect already-breached threats. Cloud- based antivirus solutions (option B) are not a substitute for firewalls in terms of network protection and would not adequately address the complex, targeted threats that Alura is facing.
Reference Extracts from ISO/IEC 27035-2:2016:
Clause 7.3.2: "Organizations should implement network and system security controls such as firewalls, IDS
/IPS, and anti-malware tools to monitor and restrict unauthorized access." Annex B (Example Preparatory Activities): "Firewalls are vital components in detecting and preventing unauthorized traffic, especially when placed at external network perimeters." Thus, deploying an external firewall in this context is a recommended and justified security measure. The correct answer is: A.
-

NEW QUESTION # 38
Scenario 8: Moneda Vivo, headquartered in Kuala Lumpur. Malaysia, is a distinguished name in the banking sector. It is renowned for its innovative approach to digital banking and unwavering commitment to information security. Moneda Vivo stands out by offering various banking services designed to meet the needs of its clients. Central to its operations is an information security incident management process that adheres to the recommendations of ISO/IEC 27035-1 and 27035-2.
Recently. Moneda Vivo experienced a phishing attack aimed at its employees Despite the bank's swift identification and containment of the attack, the incident led to temporary service outages and data access issues, underscoring the need for improved resilience The response team compiled a detailed review of the attack, offering valuable insights into the techniques and entry points used and identifying areas for enhancing their preparedness.
Shortly after the attack, the bank strengthened its defense by implementing a continuous review process to ensure its incident management procedures and systems remain effective and appropriate While monitoring the incident management process, a trend became apparent. The mean time between similar incidents decreased after a few occurrences; however, Moneda Vivo strategically ignored the trend and continued with regular operations This decision was rooted in a deep confidence in its existing security measures and incident management protocols, which had proven effective in quick detection and resolution of issues Moneda Vivo's commitment to transparency and continual improvement is exemplified by its utilization of a comprehensive dashboard. This tool provides real time insights into the progress of its information security incident management, helping control operational activities and ensure that processes stay within the targets of productivity, quality, and efficiency. However, securing its digital banking platform proved challenging.
Following a recent upgrade, which included a user interface change to its digital banking platform and a software update, Moneda Vivo recognized the need to immediately review its incident management process for accuracy and completeness. The top management postponed the review due to financial and time constraints.
Based on scenario 8, Moneda Vivo ignored the trend and continued regular operations when the mean time between the same types of incidents decreased after a few occurrences. Is this acceptable?

A. No, when the mean time between the same types of incidents decreases, a study should be necessary to confirm that the incidents are unrelated
B. When the mean time between the same types of incidents decreases after a few occurrences, it shows that the incidents are becoming less significant
C. No, when the mean time between the same types of incidents decreases, a study should be conducted to discover why

Answer: C

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1 encourages organizations to monitor metrics, such as the frequency of incident types, as part of continual improvement (Clause 7.3). A decreasing mean time between incidents (MTBI) may indicate increased threat frequency, weakened controls, or emerging vulnerabilities. Ignoring such trends can prevent timely corrective actions and weaken overall resilience.
Instead of assuming the incidents are less significant, ISO guidance suggests conducting root cause analysis and trend evaluations when patterns like this emerge.
Reference:
ISO/IEC 27035-1:2016, Clause 7.3: "Monitoring and measurement of the incident management process should include trend analysis to identify recurring issues or new patterns." Correct answer: C
-

NEW QUESTION # 39
Scenario 7: Located in central London, Konzolo has become a standout innovator in the cryptocurrency field.
By introducing its unique cryptocurrency, Konzolo has contributed to the variety of digital currencies and prioritized enhancing the security and reliability of its offerings.
Konzolo aimed to enhance its systems but faced challenges in monitoring the security of its own and third- party systems. These issues became especially evident during an incident that caused several hours of server downtime This downtime was primarily caused by a third-party service provider that failed to uphold strong security measures, allowing unauthorized access.
In response to this critical situation, Konzolo strengthened its information security infrastructure. The company initiated a comprehensive vulnerability scan of its cryptographic wallet software, a cornerstone of its digital currency offerings The scan revealed a critical vulnerability due to the software using outdated encryption algorithms that are susceptible to decryption by modern methods that posed a significant risk of asset exposure Noah, the IT manager, played a central role in this discovery With careful attention to detail, he documented the vulnerability and communicated the findings to the incident response team and management.
Acknowledging the need for expertise in navigating the complexities of information security incident management. Konzolo welcomed Paulina to the team. After addressing the vulnerability and updating the cryptographic algorithms, they recognized the importance of conducting a thorough investigation to prevent future vulnerabilities. This marked the stage for Paulina s crucial involvement. She performed a detailed forensic analysis of the incident, employing automated and manual methods during the collection phase. Her analysis provided crucial insights into the security breach, enabling Konzolo to understand the depth of the vulnerability and the actions required to mitigate it.
Paulina also played a crucial role in the reporting phase, as her comprehensive approach extended beyond analysis. By defining clear and actionable steps for future prevention and response, she contributed significantly to developing a resilient information security incident management system based on ISO/IEC
27035-1 and 27035-2 guidelines. This strategic initiative marked a significant milestone in Konzolo's quest to strengthen its defenses against cyber threats According to scenario 7, what type of incident has occurred at Konzolo?

A. High severity incident
B. Medium severity incident
C. Critical severity incident

Answer: A

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Severity classification of an incident under ISO/IEC 27035-2:2016 is determined by factors such as potential data exposure, business disruption, and impact on critical services. In this scenario, the server downtime caused by a third-party breach and a vulnerability in cryptographic wallet software-capable of leading to asset exposure-signifies serious business and operational risks.
Although the vulnerability was critical, no actual asset theft or breach was confirmed. Therefore, while serious, the incident does not reach the "critical" threshold (which would typically involve data exfiltration, irreversible loss, or public impact). The appropriate classification is "High Severity." Reference:
* ISO/IEC 27035-2:2016, Clause 6.3.1: "Severity is determined by the actual or potential impact on business operations, data, reputation, and legal obligations."
* Annex A (Example Severity Levels): "High-severity incidents involve confirmed vulnerabilities with significant potential for impact, such as financial loss or regulatory violations." Correct answer: B
-

NEW QUESTION # 40
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
According to scenario 3, Leona decided to initially include only the elements provided in Clause 4.3 of ISO
/IEC 27035-2, Information security incident management policy content, in the incident management policy.
Is this acceptable?

A. Yes, because Leona has conducted a thorough risk assessment to identify potential gaps in the incident management policy beyond the scope of clause 4.3 of ISO/IEC 27035-2
B. No, clause 4.3 of ISO/IEC 27035-2 does not cover elements for an effective incident management policy
C. Yes, because as a minimum, the policy must cover the elements provided in clause 4.3 of ISO/IEC
27035-2

Answer: C

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Clause 4.3 of ISO/IEC 27035-2:2016 outlines the minimum content requirements for an effective incident management policy. These include:
Purpose and objectives of the policy
Scope and applicability
Roles and responsibilities
Key terminology and definitions
High-level processes for incident detection, reporting, response, and learning Obligations of internal stakeholders Leona's decision to base the initial policy draft on Clause 4.3 is fully compliant and appropriate, as it ensures foundational consistency. ISO/IEC 27035-2 explicitly states that these elements form the minimum baseline for effective policy creation, and the document can be expanded later as needed.
Reference:
ISO/IEC 27035-2:2016, Clause 4.3: "The information security incident management policy should, at a minimum, contain the following elements..." Therefore, the correct answer is B: Yes, because as a minimum, the policy must cover the elements provided in clause 4.3 of ISO/IEC 27035-2.
-

NEW QUESTION # 41
What is the purpose of monitoring behavioral analytics in security monitoring?

A. To establish a standard for normal user behavior and detect unusual activities
B. To evaluate the effectiveness of security training programs
C. To prioritize the treatment of security incidents

Answer: A

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Behavioral analytics refers to using baselines of user or system behavior to identify anomalies that may indicate potential threats. According to ISO/IEC 27035-2, behavioral monitoring is an essential proactive technique for detecting insider threats, account compromise, and lateral movement by attackers.
Once a baseline for "normal behavior" is established (e.g., login patterns, file access, network usage), deviations can trigger alerts or investigations. This allows earlier detection of suspicious activities before they escalate into full-blown incidents.
Option A is a separate initiative related to awareness programs. Option B is more aligned with the response phase, not monitoring.
Reference:
ISO/IEC 27035-2:2016, Clause 7.3.2: "Security monitoring should include behavioral analysis to detect anomalies from baseline user and system activity." Correct answer: C
-

NEW QUESTION # 42
Scenario 4: ORingo is a company based in Krakow, Poland, specializing in developing and distributing electronic products for health monitoring and heart rate measurement applications. With a strong emphasis on innovation and technological advancement, ORingo has established itself as a trusted provider of high-quality, reliable devices that enhance the well being and healthcare capabilities of individuals and healthcare professionals alike.
As part of its commitment to maintaining the highest standards of information security, ORingo has established an information security incident management process This process aims to ensure that any potential threats are swiftly identified, assessed, and addressed to protect systems and information. However, despite these measures, an incident response team member at ORingo recently detected a suspicious state in their systems operational data, leading to the decision to shut down the company-wide system until the anomaly could be thoroughly investigated Upon detecting the threat, the company promptly established an incident response team to respond to the incident effectively. The team's responsibilities encompassed identifying root causes, uncovering hidden vulnerabilities, and implementing timely resolutions to mitigate the impact of the incident on ORingo's operations and customer trust.
In response to the threat detected across its cloud environments. ORingo employed a sophisticated security tool that broadened the scope of incident detection and mitigation This tool covers network traffic, doud environments, and potential attack vectors beyond traditional endpoints, enabling ORingo to proactively defend against evolving cybersecurity threats During a routine check, the IT manager at ORingo discovered that multiple employees lacked awareness of proper procedures following the detection of a phishing email. In response, immediate training sessions on information security policies and incident response were scheduled for all employees, emphasizing the importance of vigilance and adherence to established protocols in safeguarding ORingo's sensitive data and assets.
As part of the training initiative. ORingo conducted a simulated phishing attack exercise to assess employee response and knowledge. However, an employee inadvertently informed an external partner about the 'attack'' during the exercise, highlighting the importance of ongoing education and reinforcement of security awareness principles within the organization.
Through its proactive approach to incident management and commitment to fostering a culture of security awareness and readiness. ORingo reaffirms its dedication to safeguarding the integrity and confidentiality of its electronic products and ensuring the trust and confidence of its customers and stakeholders worldwide.
Based on scenario 4, are the responsibilities of the incident response team (IRT) established according to the ISO/IEC 27035-2 guidelines?

A. No, the responsibilities of IRT also include assessing events and declaring incidents
B. No, the responsibilities of IRT do not include resolving incidents
C. Yes, IRT's responsibilities include identifying root causes, discovering hidden vulnerabilities, and resolving incidents quickly to minimize their impact

Answer: A

Explanation:
Comprehensive and Detailed Explanation:
ISO/IEC 27035-2:2016 outlines comprehensive responsibilities for an incident response team, which include not just response and mitigation but also:
Assessing and classifying reported events
Determining if they qualify as incidents
Coordinating containment, eradication, and recovery actions
Conducting root cause analysis and lessons learned
While the scenario highlights the team's strengths in root cause analysis and resolution, it omits one key responsibility: the proper assessment and classification of the anomaly before response. This makes option C the most accurate.
Reference:
ISO/IEC 27035-2:2016, Clause 5.2.2 - "The IRT should assess events, determine whether they are incidents, and take appropriate actions." Therefore, the correct answer is C.
-

NEW QUESTION # 43
Scenario 7: Located in central London, Konzolo has become a standout innovator in the cryptocurrency field.
By introducing its unique cryptocurrency, Konzolo has contributed to the variety of digital currencies and prioritized enhancing the security and reliability of its offerings.
Konzolo aimed to enhance its systems but faced challenges in monitoring the security of its own and third- party systems. These issues became especially evident during an incident that caused several hours of server downtime This downtime was primarily caused by a third-party service provider that failed to uphold strong security measures, allowing unauthorized access.
In response to this critical situation, Konzolo strengthened its information security infrastructure. The company initiated a comprehensive vulnerability scan of its cryptographic wallet software, a cornerstone of its digital currency offerings The scan revealed a critical vulnerability due to the software using outdated encryption algorithms that are susceptible to decryption by modern methods that posed a significant risk of asset exposure Noah, the IT manager, played a central role in this discovery With careful attention to detail, he documented the vulnerability and communicated the findings to the incident response team and management.
Acknowledging the need for expertise in navigating the complexities of information security incident management. Konzolo welcomed Paulina to the team. After addressing the vulnerability and updating the cryptographic algorithms, they recognized the importance of conducting a thorough investigation to prevent future vulnerabilities. This marked the stage for Paulina s crucial involvement. She performed a detailed forensic analysis of the incident, employing automated and manual methods during the collection phase. Her analysis provided crucial insights into the security breach, enabling Konzolo to understand the depth of the vulnerability and the actions required to mitigate it.
Paulina also played a crucial role in the reporting phase, as her comprehensive approach extended beyond analysis. By defining clear and actionable steps for future prevention and response, she contributed significantly to developing a resilient information security incident management system based on ISO/IEC
27035-1 and 27035-2 guidelines. This strategic initiative marked a significant milestone in Konzolo's quest to strengthen its defenses against cyber threats Based on scenario 7, a vulnerability scan at Konzolo revealed a critical vulnerability in the cryptographic wallet software that could lead to asset exposure. Noah, the IT manager, documented the event and communicated it to the incident response team and management. Is this acceptable?

A. No, he should have waited for confirmation of an actual asset exposure before documenting and communicating the vulnerability
B. Yes, he should document the event and communicate it to the incident response team and management
C. No, he should have postponed the documentation process until a full investigation is completed

Answer: B

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016, an information security event should be documented and communicated as soon as it is identified-particularly if it has the potential to escalate into an incident. Timely documentation and escalation enable the organization to take immediate and coordinated actions, which are essential to managing risk effectively.
Clause 6.2.1 of ISO/IEC 27035-1 states that events, even before confirmation as incidents, must be logged and assessed to determine appropriate response measures. Waiting until after a breach occurs or delaying documentation may violate both internal policies and regulatory requirements, especially in high-risk domains like cryptocurrency.
Therefore, Noah's actions align fully with the recommended practices outlined in ISO/IEC 27035.
Reference:
* ISO/IEC 27035-1:2016, Clause 6.2.1: "All identified information security events should be recorded and communicated to ensure appropriate assessment and response."
* Clause 6.2.2: "Early communication and documentation are crucial to managing potential incidents effectively." Correct answer: C
-

NEW QUESTION # 44
Scenario 5: Located in Istanbul. Turkey. Alura Hospital is a leading medical institution specializing in advanced eye surgery and vision care. Renowned for its modern facilities, cutting edge technology, and highly skilled staff, Alura Hospital is committed to delivering exceptional patient care. Additionally, Alura Hospital has implemented the ISO/IEC 27035 standards to enhance its information security incident management practices.
At Alura Hospital, the information security incident management plan is a critical component of safeguarding patient data and maintaining the integrity of its medical services This comprehensive plan includes instructions for handling vulnerabilities discovered during incident management According to this plan, when new vulnerabilities are discovered, Mehmet is appointed as the incident handler and is authorized to patch the vulnerabilities without assessing their potential impact on the current incident, prioritizing patient data security above all else Recognizing the importance of a structured approach to incident management. Alura Hospital has established four teams dedicated to various aspects of incident response The planning team focuses on implementing security processes and communicating with external organizations The monitoring team is responsible for security patches, upgrades, and security policy implementation The analysis team adjusts risk priorities and manages vulnerability reports, while the test and evaluation team organizes and performs incident response tests to ensure preparedness During an incident management training session, staff members at Alura Hospital were provided with clear roles and responsibilities. However, a technician expressed uncertainty about their role during a data integrity incident as the manager assigned them a role unrelated to their expertise. This decision was made to ensure that all staff members possess versatile skills and are prepared to handle various scenarios effectively.
Additionally. Alura Hospital realized it needed to communicate better with stakeholders during security incidents. The hospital discovered it was not adequately informing stakeholders and that relevant information must be provided using formats, language, and media that meet their needs. This would enable them to participate fully in the incident response process and stay informed about potential risks and mitigation strategies.
Also, the hospital has experienced frequent network performance issues affecting critical hospital systems and increased sophisticated cyber attacks designed to bypass traditional security measures. So, it has deployed an external firewall. This action is intended to strengthen the hospital s network security by helping detect threats that have already breached the perimeter defenses. The firewall's implementation is a part of the hospital's broader strategy to maintain a robust and secure IT infrastructure, which is crucial for protecting sensitive patient data and ensuring the reliability of critical hospital systems. Alura Hospital remains committed to integrating state-of-the-art technology solutions to uphold the highest patient care and data security standards.
When vulnerabilities are discovered during incident management, Mehmet takes action to patch the vulnerabilities without assessing their potential impact on the current incident. Is this action in accordance with ISO/IEC 27035-2 recommendations?

A. No, he should report the vulnerability to the incident coordinator, who will redirect the issue to the team responsible for the vulnerability
B. Yes, vulnerabilities should be patched without assessing their potential impact on the current incident
C. No, he should wait for a scheduled vulnerability assessment instead

Answer: A

Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-2:2016, vulnerabilities identified during incident handling must be assessed and documented before remediation. Immediate patching without evaluating its impact could compromise incident evidence, interfere with ongoing investigations, or unintentionally trigger additional issues.
ISO/IEC 27035-2 recommends that the incident coordinator (or an equivalent role) be responsible for directing how such vulnerabilities are managed and coordinated across relevant teams. This maintains process integrity and avoids uncoordinated actions.
Reference:
ISO/IEC 27035-2:2016, Clause 6.4.2: "Detected vulnerabilities should be communicated to appropriate stakeholders for evaluation. Unauthorized immediate actions could affect incident containment or recovery efforts." Correct answer: C
-

NEW QUESTION # 45
Scenario 6: EastCyber has established itself as a premier cyber security company that offers threat detection, vulnerability assessment, and penetration testing tailored to protect organizations from emerging cyber threats. The company effectively utilizes ISO/IEC 27035*1 and 27035-2 standards, enhancing its capability to manage information security incidents.
EastCyber appointed an information security management team led by Mike Despite limited resources, Mike and the team implemented advanced monitoring protocols to ensure that every device within the company's purview is under constant surveillance This monitoring approach is crucial for covering everything thoroughly, enabling the information security and cyber management team to proactively detect and respond to any sign of unauthorized access, modifications, or malicious activity within its systems and networks.
In addition, they focused on establishing an advanced network traffic monitoring system This system carefully monitors network activity, quickly spotting and alerting the security team to unauthorized actions This vigilance is pivotal in maintaining the integrity of EastCyber's digital infrastructure and ensuring the confidentiality, availability, and integrity of the data it protects.
Furthermore, the team focused on documentation management. They meticulously crafted a procedure to ensure thorough documentation of information security events. Based on this procedure, the company would document only the events that escalate into high-severity incidents and the subsequent actions. This documentation strategy streamlines the incident management process, enabling the team to allocate resources more effectively and focus on incidents that pose the greatest threat.
A recent incident involving unauthorized access to company phones highlighted the critical nature of incident management. Nate, the incident coordinator, quickly prepared an exhaustive incident report. His report detailed an analysis of the situation, identifying the problem and its cause. However, it became evident that assessing the seriousness and the urgency of a response was inadvertently overlooked.
In response to the incident, EastCyber addressed the exploited vulnerabilities. This action started the eradication phase, aimed at systematically eliminating the elements of the incident. This approach addresses the immediate concerns and strengthens EastCyber's defenses against similar threats in the future.
According to scenario 6, what mechanisms for detecting security incidents did EastCyber implement?

A. Intrusion prevention systems
B. Intrusion detection systems
C. Security information and event management systems

Answer: B

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
In the scenario, EastCyber implemented an "advanced network traffic monitoring system" that "spots and alerts the security team to unauthorized actions." This aligns closely with the functional characteristics of an Intrusion Detection System (IDS), which monitors traffic or systems for malicious activities and policy violations and sends alerts for review.
While Security Information and Event Management (SIEM) tools and Intrusion Prevention Systems (IPS) offer valuable detection and response capabilities, the scenario specifically describes a system focused on monitoring and alerting-not automatically blocking traffic, which would indicate an IPS.
SIEM platforms correlate and analyze logs from various sources, which wasn't described. Therefore, IDS is the most accurate interpretation.
Reference:
ISO/IEC 27035-2:2016, Clause 7.4.2: "Detection mechanisms can include intrusion detection systems, log analysis tools, and traffic monitoring systems to detect potential security events." Correct answer: B
-

NEW QUESTION # 46
Which element should an organization consider when identifying the scope of their information security incident management?

A. Both A and B
B. Hardcopy information
C. Electronic information

Answer: A

Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-1:2016 and ISO/IEC 27001:2022, when defining the scope of an information security incident management system, organizations must consider all forms of information-whether digital or physical-that are relevant to the business. Incidents can affect hardcopy (e.g., paper-based records) and electronic data (e.g., emails, files), so both must be included in the scope assessment.
Reference:
ISO/IEC 27001:2022, Clause 4.3: "The scope shall consider interfaces and dependencies between activities performed by the organization and those that are outsourced." ISO/IEC 27035-1:2016, Clause 4.2.1: "Information in all formats-including printed or written-should be protected." Correct answer: C
-

NEW QUESTION # 47
Scenario 1: RoLawyers is a prominent legal firm based in Guadalajara, Mexico. It specializes in a wide range of legal services tailored to meet the diverse needs of its clients. Committed to excellence and integrity, RoLawyers has a reputation for providing legal representation and consultancy to individuals, businesses, and organizations across various sectors.
Recognizing the critical importance of information security in today's digital landscape, RoLawyers has embarked on a journey to enhance its information security measures. This company is implementing an information security incident management system aligned with ISO/IEC 27035-1 and ISO/IEC 27035-2 guidelines. This initiative aims to strengthen RoLawyers' protections against possible cyber threats by implementing a structured incident response process to provide guidance on establishing and maintaining a competent incident response team.
After transitioning its database from physical to online infrastructure to facilitate seamless information sharing among its branches, RoLawyers encountered a significant security incident. A malicious attack targeted the online database, overloading it with traffic and causing a system crash, making it impossible for employees to access it for several hours.
In response to this critical incident, RoLawyers quickly implemented new measures to mitigate the risk of future occurrences. These measures included the deployment of a robust intrusion detection system (IDS) designed to proactively identify and alert the IT security team of potential intrusions or suspicious activities across the network infrastructure. This approach empowers RoLawyers to respond quickly to security threats, minimizing the impact on their operations and ensuring the continuity of its legal services.
By being proactive about information security and incident management, RoLawyers shows its dedication to protecting sensitive data, keeping client information confidential, and earning the trust of its stakeholders.
Using the latest practices and technologies, RoLawyers stays ahead in legal innovation and is ready to handle cybersecurity threats with resilience and careful attention.
Based on scenario 1, which security control has RoLawyers implemented?

A. Preventive controls
B. Corrective controls
C. Detective controls

Answer: C

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The deployment of an Intrusion Detection System (IDS) by RoLawyers following the incident is a classic example of implementing a detective control. According to ISO/IEC 27002:2022 (formerly 27002:2013), detective controls are designed to identify and report the occurrence of information security events in a timely manner. They help organizations discover that an event has occurred so that an appropriate response can be initiated.
The IDS mentioned in the scenario monitors the network for suspicious activity and alerts the IT security team when anomalies or intrusion attempts are detected. This aligns directly with the definition of detective controls.
By contrast:
Preventive controls are designed to prevent incidents from occurring in the first place (e.g., firewalls, access controls).
Corrective controls are actions taken after an incident to restore systems or data and prevent recurrence (e.g., patch management, backups).
Reference Extracts:
ISO/IEC 27002:2022, Clause 5.27 - "Detection controls should be implemented to identify incidents and anomalies in a timely manner." ISO/IEC 27035-1:2016, Clause 4.3.2 - "Detecting and reporting information security events and weaknesses are the first steps in the incident response process." RoLawyers' use of an IDS matches the description of a detective control designed to provide early warning signs of potential threats, making it easier for the organization to take timely action.
Therefore, the correct answer is B: Detective controls.

NEW QUESTION # 48
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
In scenario 3, which technique did L&K Associates use for its risk analysis process?

A. Qualitative risk analysis
B. Semi-quantitative risk analysis
C. Quantitative risk analysis

Answer: C

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
In the scenario, Leona used a methodology that estimates "practical values for consequences and their probabilities," which clearly points to a quantitative risk analysis approach.
Quantitative risk analysis, as defined in ISO/IEC 27005:2018, involves assigning numerical values (e.g., monetary impact, frequency rates) to both the probability and consequence of risks. This allows for risk prioritization based on actual or estimated figures, enabling data-driven decisions on mitigation strategies.
Qualitative analysis uses descriptive categories (e.g., high/medium/low), and semi-quantitative methods mix ranking scales with partial numeric estimations - neither of which are described in this scenario.
Reference:
ISO/IEC 27005:2018, Clause 8.3.3: "Quantitative risk analysis estimates the probability and impact of risk using numerical values to derive a risk level." Therefore, the correct answer is C: Quantitative risk analysis.
-

NEW QUESTION # 49
Scenario 2: NoSpace, a forward-thinking e-commerce store based in London, is renowned for its diverse products and advanced technology. To enhance its information security, NoSpace implemented an ISMS according to ISO/IEC 27001 to better protect customer data and ensure business continuity. Additionally, the company adopted ISO/IEC 27035-1 and ISO/IEC 27035-2 guidelines. Mark, the incident manager at NoSpace, strategically led the entire implementation. He played a crucial role in aligning the company's ISMS with the requirements specified in ISO/IEC 27001, using ISO/IEC 27035-1 guidelines as the foundation.
During a routine internal audit, a minor anomaly was detected in the data traffic that could potentially indicate a security threat. Mark was immediately notified to assess the situation. Then, Mark and his team immediately escalated the incident to crisis management to handle the potential threat without further assessment. The decision was made to ensure a swift response.
After resolving the situation, Mark decided to update the incident management process. During the initial phase of incident management, Mark recognized the necessity of updating NoSpace's information security policies. This included revising policies related to risk management at the organizational level as well as for specific systems, services, or networks. The second phase of the updated incident management process included the assessment of the information associated with occurrences of information security events and the importance of classifying events and vulnerabilities as information security incidents. During this phase, he also introduced a "count down" process to expedite the evaluation and classification of occurrences, determining whether they should be recognized as information security incidents.
Mark developed a new incident management policy to enhance the organization's resilience and adaptability in handling information security incidents. Starting with a strategic review session with key stakeholders, the team prioritized critical focus areas over less impactful threats, choosing not to include all potential threats in the policy document. This decision was made to keep the policy streamlined and actionable, focusing on the most significant risks identified through a risk assessment. The policy was shaped by integrating feedback from various department heads to ensure it was realistic and enforceable. Training and awareness initiatives were tailored to focus only on critical response roles, optimizing resource allocation and focusing on essential capabilities.
Based on the scenario above, answer the following question:
Do the actions taken by the IRT of NoSpace upon detecting the anomaly align with the objectives of a structured approach to incident management?

A. No, the actions taken by the IRT do not align with structured incident management objectives because they failed to utilize external resources immediately
B. No, escalating a minor anomaly directly to crisis management without further assessment deviates from the objectives of a structured incident management approach, which typically reserves crisis management for more severe, crisis-level situations
C. Yes, escalating all incidents to crisis management regardless of severity and focusing solely on the crisis management process aligns with the objectives

Answer: B

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016, a structured approach to incident management involves a phased and deliberate process: detect and report, assess and decide, respond, and learn lessons. Each phase has specific objectives, especially the "Assess and Decide" phase, which is critical in determining whether an event is a real security incident and what level of response it necessitates.
The decision by NoSpace's IRT to escalate a minor anomaly directly to crisis management without performing a structured assessment contradicts this methodology. Crisis management is typically reserved for severe incidents that have already been assessed and confirmed to be of high impact.
Escalating prematurely not only bypasses the formal classification and analysis phase but also risks wasting resources and causing unnecessary alarm. ISO/IEC 27035-1, Clause 6.2.3, specifically outlines that incidents must first be categorized and assessed to determine their significance before involving higher-level response mechanisms such as crisis management.
Reference Extracts:
ISO/IEC 27035-1:2016, Clause 6.2.2: "Assess and decide involves analyzing reported events to determine whether they are to be classified as incidents, and how they should be handled." ISO/IEC 27035-2:2016, Clause 6.4: "Crisis management should be triggered only in cases of major incidents where organizational impact is high." Therefore, the correct answer is A: No, escalating a minor anomaly directly to crisis management without further assessment deviates from the objectives of a structured incident management approach.
-

NEW QUESTION # 50
Scenario 5: Located in Istanbul, Turkey, Alura Hospital is a leading medical institution specializing in advanced eye surgery and vision care. Renowned for its modern facilities, cutting-edge technology, and highly skilled staff, Alura Hospital is committed to delivering exceptional patient care. Additionally, Alura Hospital has implemented the ISO/IEC 27035 standards to enhance its information security incident management practices.
At Alura Hospital, the information security incident management plan is a critical component of safeguarding patient data and maintaining the integrity of its medical services. This comprehensive plan includes instructions for handling vulnerabilities discovered during incident management. According to this plan, when new vulnerabilities are discovered, Mehmet is appointed as the incident handler and is authorized to patch the vulnerabilities without assessing their potential impact on the current incident, prioritizing patient data security above all else.
Recognizing the importance of a structured approach to incident management, Alura Hospital has established four teams dedicated to various aspects of incident response. The planning team focuses on implementing security processes and communicating with external organizations. The monitoring team is responsible for security patches, upgrades, and security policy implementation. The analysis team adjusts risk priorities and manages vulnerability reports, while the test and evaluation team organizes and performs incident response tests to ensure preparedness.
During an incident management training session, staff members at Alura Hospital were provided with clear roles and responsibilities. However, a technician expressed uncertainty about their role during a data integrity incident, as the manager assigned them a role unrelated to their expertise. This decision was made to ensure that all staff members possess versatile skills and are prepared to handle various scenarios effectively.
Additionally, Alura Hospital realized it needed to communicate better with stakeholders during security incidents. The hospital discovered it was not adequately informing stakeholders and that relevant information must be provided using formats, language, and media that meet their needs. This would enable them to participate fully in the incident response process and stay informed about potential risks and mitigation strategies.
Also, the hospital has experienced frequent network performance issues affecting critical hospital systems and increased sophisticated cyberattacks designed to bypass traditional security measures. So, it has deployed an external firewall. This action is intended to strengthen the hospital's network security by helping detect threats that have already breached the perimeter defenses. The firewall's implementation is a part of the hospital's broader strategy to maintain a robust and secure IT infrastructure, which is crucial for protecting sensitive patient data and ensuring the reliability of critical hospital systems. Alura Hospital remains committed to integrating state-of-the-art technology solutions to uphold the highest patient care and data security standards.
According to scenario 5, which of the following principles of efficient communication did Alura Hospital NOT adhere to?

A. Credibility
B. Appropriateness
C. Responsiveness

Answer: B

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016 (Information Security Incident Management - Part 1: Principles of Incident Management), one of the core principles of effective communication in incident management is
"appropriateness." This refers to ensuring that the right information is shared with the right stakeholders using the appropriate channels, language, format, and timing. The objective is to guarantee that communication is both understandable and actionable by its recipients.
In the scenario, Alura Hospital recognized that they were not adequately informing stakeholders during security incidents. They identified a gap in providing relevant information using suitable formats, media, or language. This failure points directly to a lack of "appropriateness" in their communication strategy.
According to ISO/IEC 27035-1, Section 6.4 (Communication), it is essential to tailor incident communication to stakeholder needs to ensure informed decision-making and engagement.
The other options-credibility and responsiveness-are not indicated as the failing areas. There is no mention that the information provided lacked credibility or that the hospital failed to respond to incidents or communicate in a timely manner. Rather, the issue lies with the medium, clarity, and stakeholder alignment- hallmarks of appropriateness.
Reference Extracts from ISO/IEC 27035-1:2016:
Clause 6.4: "Communication must be timely, relevant, accurate, and appropriate for the target audience." Clause 7.2.4: "Stakeholders should be informed using formats and channels that they can easily access and understand." Therefore, the principle not adhered to by Alura Hospital is clearly: Appropriateness (C).
-

NEW QUESTION # 51
Scenario 8: Moneda Vivo, headquartered in Kuala Lumpur. Malaysia, is a distinguished name in the banking sector. It is renowned for its innovative approach to digital banking and unwavering commitment to information security. Moneda Vivo stands out by offering various banking services designed to meet the needs of its clients. Central to its operations is an information security incident management process that adheres to the recommendations of ISO/IEC 27035-1 and 27035-2.
Recently. Moneda Vivo experienced a phishing attack aimed at its employees Despite the bank's swift identification and containment of the attack, the incident led to temporary service outages and data access issues, underscoring the need for improved resilience The response team compiled a detailed review of the attack, offering valuable insights into the techniques and entry points used and identifying areas for enhancing their preparedness.
Shortly after the attack, the bank strengthened its defense by implementing a continuous review process to ensure its incident management procedures and systems remain effective and appropriate While monitoring the incident management process, a trend became apparent. The mean time between similar incidents decreased after a few occurrences; however, Moneda Vivo strategically ignored the trend and continued with regular operations This decision was rooted in a deep confidence in its existing security measures and incident management protocols, which had proven effective in quick detection and resolution of issues Moneda Vivo's commitment to transparency and continual improvement is exemplified by its utilization of a comprehensive dashboard. This tool provides real time insights into the progress of its information security incident management, helping control operational activities and ensure that processes stay within the targets of productivity, quality, and efficiency. However, securing its digital banking platform proved challenging.
Following a recent upgrade, which included a user interface change to its digital banking platform and a software update, Moneda Vivo recognized the need to immediately review its incident management process for accuracy and completeness. The top management postponed the review due to financial and time constraints.
Based on scenario 8, Moneda Vivo has recently upgraded its digital banking platform. In line with the continual improvement process, Moneda Vivo has decided to review the information security incident management process for accuracy immediately after the software update. Is this recommended?

A. No, the incident management process should be reviewed when the bank's annual audit is conducted
B. Yes, the incident management process should be reviewed after any minor software update
C. No, the incident management process should be evaluated after a significant technological overhaul to ensure the system is up-to-date

Answer: C

Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016, Clause 7.1 and ISO/IEC 27035-2:2016, Clause 7.3.3, it is advised to review and revise the information security incident management process following major organizational or technical changes. These changes include upgrades, system overhauls, and structural IT shifts. While minor updates may not necessitate a full review, significant technological updates, such as those affecting core digital banking platforms, should trigger immediate evaluation to ensure continued relevance and effectiveness of incident response strategies.
In the scenario, Moneda Vivo recognized the need for a review but delayed it, which could pose risks. Option C accurately reflects ISO guidance.
Reference:
ISO/IEC 27035-1:2016 Clause 7.1: "Reviews should be performed after major changes or after information security incidents." ISO/IEC 27035-2:2016 Clause 7.3.3 Correct answer: C
-

NEW QUESTION # 52
......

Certification Topics of ISO-IEC-27035-Lead-Incident-Manager Exam PDF Recently Updated Questions: https://braindumps2go.dumpstorrent.com/ISO-IEC-27035-Lead-Incident-Manager-exam-prep.html

[Q27-Q52] Accurate & Verified 2026 New ISO-IEC-27035-Lead-Incident-Manager Answers As Experienced in the Actual Test!

PECB ISO-IEC-27035-Lead-Incident-Manager Exam Syllabus Topics:

Related Articles