Pass the PECB ISO 27002 ISO-IEC-27002-Foundation Questions and answers with Dumpstech

When establishing a remote working policy, organizations should consider the threat of unauthorized access to information or resources from other persons in public places. Remote working changes the security environment because employees may work from homes, hotels, airports, cafés, shared offices, client sites, or while travelling. These environments can expose information to shoulder surfing, overheard conversations, device theft, insecure Wi-Fi, unattended screens, family or visitor access, and uncontrolled printing or storage. ISO/IEC 27002 Control 6.7, Remote working, expects organizations to define security measures for remote work based on risk. This can include secure authentication, encryption, screen privacy, endpoint protection, physical protection of devices, secure network access, acceptable use, incident reporting, backup, and restrictions on handling sensitive information. Option B relates more to equipment siting and physical protection of facilities. Option C relates to access rights and privileged access management. Both can be relevant elsewhere, but the remote working policy question directly points to risks from other persons in public or uncontrolled locations. Therefore, option A is verified. References/Chapters: ISO/IEC 27002:2022, Control 6.7 Remote working; Control 7.9 Security of assets off-premises; Control 5.15 Access control.

Access control software that allows only authorized employees to access sensitive files is a preventive control. Its purpose is to stop unauthorized access before it occurs by enforcing approved access rules. In ISO/IEC 27002, access control is implemented through policies, identity management, authentication, authorization, access rights review, privileged access control, and restrictions on information access. This type of software can prevent unauthorized disclosure, unauthorized modification, misuse of sensitive data, and violation of privacy or contractual obligations. It is not primarily detective because it does not merely discover an event after it has happened. It is not corrective because it does not restore damaged information or reverse the impact of an incident. Its security value is in blocking access attempts that do not meet authorization criteria. The principle behind the control is least privilege: users should receive only the access necessary for their role and responsibilities. For sensitive files, this is especially important because confidentiality, integrity, and accountability depend on correct authorization. References/Chapters: ISO/IEC 27002:2022, Control 5.15 Access control; Control 5.16 Identity management; Control 5.18 Access rights; Control 8.3 Information access restriction.

==========

Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. Option A describes only one component: risk identification. This is where risks are found, recognized, and described. Option B describes risk analysis, where the organization understands the nature of risk and determines the level of risk, often by considering likelihood and consequence. A full assessment also requires risk evaluation, where the analyzed risk is compared against criteria to determine whether it is acceptable or requires treatment. ISO/IEC 27002 relies on this risk-based logic because controls should be selected according to actual security needs. The standard provides guidance on controls, but it does not require every organization to implement every control in the same way. Risk assessment helps determine which controls are necessary, how strongly they should be implemented, and what residual risk remains. This is why option C is the complete and correct answer. ISO/IEC 27002 control implementation is meaningful only when linked to risk, context, business value, and obligations. References/Chapters: ISO/IEC 27002:2022, Clause 4 control selection and attributes; ISO/IEC 27001 risk assessment and treatment; ISO/IEC 27005 risk management terminology.

==========

A PII controller is the privacy stakeholder that determines the purposes and means of processing personally identifiable information. This means the controller decides why PII is processed, what PII is needed, how it is processed, how long it is retained, who receives it, and which controls are required. Option A describes the PII principal, which is the natural person to whom the PII relates. Option C describes a PII processor, which processes PII on behalf of and according to the instructions of the controller. ISO/IEC 27002 includes privacy and PII protection as part of its information security control guidance where privacy obligations apply. The distinction matters because controllers carry decision-making responsibility and accountability for lawful, secure, and appropriate processing. Processors must protect the information but do not independently determine the processing purpose. Relevant controls include privacy and protection of PII, access control, supplier relationships, information deletion, data masking, data leakage prevention, and cloud service controls. The verified answer is therefore option B. References/Chapters: ISO/IEC 27002:2022, Control 5.34 Privacy and protection of PII; Control 5.19 Information security in supplier relationships; Control 8.11 Data masking.

==========

Control 5.37, Documented operating procedures, aims to ensure the correct and secure operation of information processing facilities. Operating procedures translate security and operational requirements into repeatable instructions for administrators, operators, support teams, and users. They can cover system startup and shutdown, backup, restoration, logging, error handling, media handling, job scheduling, maintenance, incident escalation, access administration, and secure processing steps. Without documented procedures, operations become inconsistent and dependent on individual memory or informal practice, increasing the likelihood of mistakes, outages, unauthorized changes, or insecure handling. Control 7.2, Physical entry, protects secure physical areas by controlling access to facilities, but it does not define operational procedures. Control 5.35, Independent review of information security, assesses whether the information security approach remains suitable, adequate, and effective, but it does not provide the day-to-day operating instructions. ISO/IEC 27002 places documented procedures in the organizational control group because reliable operation requires governance, clarity, and repeatability. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.37 Documented operating procedures; Control 7.2 Physical entry; Control 5.35 Independent review of information security.

==========

ISO/IEC 27002 recommends that audit testing should be planned and agreed upon between the tester and appropriate management. The purpose is to obtain assurance without creating unnecessary disruption, exposure, or operational risk. Audit tests can involve access attempts, vulnerability checks, sampling, transaction tracing, configuration review, log review, or control validation. If such activities are unmanaged, they may overload systems, expose sensitive information, interrupt services, conflict with change windows, or create false incident signals. Option B is incorrect because ad hoc assurance testing can be risky and inconsistent unless properly authorized and controlled. Option C is incorrect because audits should not normally require stopping operational systems and business processes; rather, they should be designed to minimize disruption while preserving evidence quality. ISO/IEC 27002 treats audit and assurance activities as important but controlled. Planning should define scope, timing, method, responsibilities, data handling, access requirements, and communication. The verified answer is option A because it balances assurance with operational security and business continuity. References/Chapters: ISO/IEC 27002:2022, Control 8.34 Protection of information systems during audit testing; Control 5.35 Independent review of information security.

==========

Information security determines both what needs to be protected and how protection should be applied. The first part is understanding information assets, their value, their sensitivity, their owners, their business purpose, and the consequences if they are disclosed, altered, lost, or unavailable. This answers what must be protected and why. The second part is understanding threats, vulnerabilities, risk levels, legal obligations, contractual duties, and control options. This answers what the information must be protected from and how security controls should be designed. ISO/IEC 27002 supports both dimensions. Asset inventory and classification clarify protection needs. Access control, cryptography, backup, logging, network security, secure development, incident management, and physical security define protection methods. Option A is correct but incomplete. Option B is also correct but incomplete. Option C is therefore the verified answer because information security is a complete discipline covering asset understanding, risk understanding, control selection, implementation, monitoring, and improvement. The ISO/IEC 27002 control set is structured to support that full protection lifecycle. References/Chapters: ISO/IEC 27002:2022, Control 5.9 Inventory of information and other associated assets; Control 5.12 Classification of information; Controls 5–8.

Information security should be integrated into project management so that security risks related to projects and deliverables are effectively addressed. Projects often introduce new systems, processes, suppliers, data flows, technologies, applications, facilities, or business changes. If security is considered only after implementation, weaknesses may already be embedded in design, architecture, contracts, code, configurations, or operating procedures. ISO/IEC 27002 Control 5.8 expects information security to be integrated into project management activities so risks are identified and treated throughout the project lifecycle. This includes security requirements, risk assessments, roles and responsibilities, acceptance criteria, testing, supplier requirements, privacy considerations, change control, and secure transition to operation. Option A is too general and focuses on applying ISO/IEC 27001 principles rather than the precise purpose of the control. Option B is too narrow because audits can support assurance but are not the primary reason for integration. The main purpose is risk management within projects and deliverables. Therefore, option C is verified. References/Chapters: ISO/IEC 27002:2022, Control 5.8 Information security in project management; Control 8.26 Application security requirements; Control 8.29 Security testing in development and acceptance.

==========

Organizations can manage the security of large networks by dividing them into separate network domains and separating them from the public network where appropriate. This reflects the principle of network segregation, which reduces the ability of an attacker, malware, or unauthorized user to move freely across the environment. Separate domains can be based on trust level, business function, system criticality, data sensitivity, user group, supplier access, development environment, or regulatory requirement. ISO/IEC 27002 supports this through network security, network segregation, access control, and secure architecture practices. Option B is incorrect because including internal domains into the public network would increase exposure and weaken boundaries. Option C is not realistic or aligned with modern enterprise architecture; organizations often need integrated services, users, and systems, but they must integrate them securely. Segmentation allows controlled communication through firewalls, gateways, routing rules, access controls, monitoring, and filtering. The goal is not isolation for its own sake, but risk-based separation and controlled connectivity. Therefore, option A is verified. References/Chapters: ISO/IEC 27002:2022, Control 8.20 Network security; Control 8.22 Segregation of networks; Control 5.15 Access control.

==========

System requirements should not be the primary factor listed for locating and constructing physical premises in the ISO/IEC 27002 physical security context. When selecting and constructing premises, organizations should consider physical and environmental threats such as local topography, flood risk, earthquake exposure, weather conditions, crime levels, civil unrest, neighboring facilities, hazardous sites, and urban threats. These considerations help reduce risks to secure areas, information processing facilities, equipment, personnel, and supporting utilities. Local topography is relevant because geography can influence flooding, landslides, access routes, drainage, and natural hazards. Urban threats are relevant because location can affect exposure to crime, protests, terrorism, traffic disruption, adjacent buildings, or public access. System requirements are important in technology design and facility planning, but they are not the type of environmental or location threat consideration targeted by this question. ISO/IEC 27002 physical controls emphasize protecting premises from physical and environmental risks, not choosing location based on application or system functional requirements. Therefore, option C is verified. References/Chapters: ISO/IEC 27002:2022, Control 7.1 Physical security perimeters; Control 7.5 Protecting against physical and environmental threats; Control 7.8 Equipment siting and protection.

==========