Free PECB ISO-IEC-27001-Lead-Implementer Exam Questions

The purpose of control 5.9 inventory of Information and other associated assets of ISO/IEC 27001 is to identify organization's information and other associated assets in order to preserve their information security and assign ownership. Which of the following actions docs NOT fulfill this purpose? 

Responsibilities for information security in projects should be defined and allocated to: 

Scenario 5: OperazelT is a software development company that develops applications for various companiesworldwide. Recently, the company conducted a risk assessment in response to the evolving digital landscapeand emerging information security challenges. Through rigorous testing techniques like penetration testingand code review, the company identified issues in its IT systems, including improper user permissions,misconfigured security settings, and insecure network configurations. To resolve these issues and enhanceinformation security, OperazelT implemented an information security management system (ISMS) based onISO/IEC 27001.In a collaborative effort involving the implementation team, OperazelT thoroughly assessed its businessrequirements and internal and external environment, identified its key processes and activities, and identifiedand analyzed the interested parties to establish the preliminary scope of the ISMS. Followingthis, theimplementation team conducted a comprehensive review of the company's functional units, opting to includemost of the company departments within the ISMS scope. Additionally, the team decided to include internaland external physical locations, both external and internal issues referred to in clause 4.1, the requirements inclause 4.2, and the interfaces and dependencies between activities performed by the company. The ITmanager had a pivotal role in approving the final scope, reflecting OperazelT’s commitment to informationsecurity.OperazelT's information security team created a comprehensive information security policy that aligned withthe company's strategic direction and legal requirements, informed by risk assessment findings and businessstrategies. This policy, alongside specific policies detailing security issues and assigning roles andresponsibilities, was communicated internally and shared with external parties. The drafting, review, andapproval of these policies involved active participation from top management, ensuring a robust frameworkfor safeguarding information across all interested parties.As OperazelT moved forward, the company entered the policy implementation phase, with a detailed planencompassing security definition, role assignments, and training sessions. Lastly, the policy monitoring andmaintenance phase was conducted, where monitoring mechanisms were established to ensure the company'sinformation security policy is enforced and all employees comply with its requirements.To further strengthen its information security framework, OperazelT initiated a comprehensive gap analysis aspart of the ISMS implementation process. Rather than relying solely on internal assessments, OperazelT  decided to involve the services of external consultants to assess the state of its ISMS. The companycollaborated with external consultants, which brought a fresh perspective and valuable insights to the gapanalysis process, enabling OperazelT to identify vulnerabilities and areas for improvement with a higherdegree of objectivity. Lastly, OperazelT created a committee whose mission includes ensuring the properoperation of the ISMS, overseeing the company's risk assessment process, managing information securityrelated issues, recommending solutions to nonconformities, and monitoring the implementation of correctionsand corrective actions.Based on the scenario above, answer the following question:Did OperazelT include all the necessary factors when determining its scope?

Scenario 7: Incident Response at Texas H&H Inc.Once they made sure that the attackers do not have access in their system, the security administrators decidedto proceed with the forensic analysis. They concluded that their access security system was not designed torthreat detection, including the detection of malicious files which could be the cause of possible future attacks.Based on these findings. Texas H$H inc, decided to modify its access security system to avoid futureincidents and integrate an incident management policy in their Information security policy that could serve asguidance for employees on how to respond to similar incidents.Based on the scenario above, answer the following question: Texas H&H Inc. decided to assign an internal expert for their forensic analysis. Is this acceptable? Refer lo scenario 7.

Scenario 7: InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future Emma, Bob. and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT) and a forensics team Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant. Bob, a network expert, will deploy a screened subnet network architecture This architecture will isolate the demilitarized zone (OMZ) to which hosted public services are attached and InfoSec's publicly accessible resources from their private network Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect. Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have. Based on scenario 7. InfoSec contracted Anna as an external consultant. Based on her tasks, is this action compliant with ISO/IEC 27001°