Correct Answer: A

Explanation: According to ISO/IEC 27001, an incident management process must include processes for using knowledge gained from information security incidents to reduce the likelihood or impact of future incidents, and to improve the overall level of information security. This means that the organization should conduct a root cause analysis of the incidents, identify the lessons learned, and implement corrective actions to prevent recurrence or mitigate consequences. The organization should also document and communicate the results of the incident management process to relevant stakeholders, and update the risk assessment and treatment plan accordingly. (Must be taken from ISO/IEC 27001 : 2022 Lead Implementer resources) References: ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, specifically: ISO/IEC 27001:2022, clause 10.2 Nonconformity and corrective action ISO/IEC 27001:2022, Annex A.16 Information security incident management ISO/IEC TS 27022:2021, clause 7.5.3.16 Information security incident management process PECB ISO/IEC 27001 Lead Implementer Course, Module 9: Incident Management

Correct Answer: A

Explanation: According to the ISO/IEC 27001:2022 standard, the organization should establish, implement and maintain a process to manage changes that affect the information security management system (ISMS) and to continually improve the suitability, adequacy and effectiveness of the ISMS (section 8.1.3 and 10.2). The standard also states that the organization should update the documented information of the ISMS as necessary to reflect the changes and the results of the improvement process (section 8.1.3.2 and 10.2.2). Therefore, the update of documented information supports the continual improvement of the ISMS by ensuring that the ISMS is aligned with the current and future needs and expectations of the organization and its interested parties. References: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements1 ISO/IEC 27001 Lead Implementer Info Kit Continual Improvement For ISO 27001 Requirement 10.22

Correct Answer: B

Explanation: The power/interest matrix is a tool that can be used to identify, analyze, and manage interested parties according to ISO/IEC 27001:2022. The power/interest matrix is a two-dimensional diagram that plots the level of power and interest of each interested party in relation to the organization's information security objectives. The power/interest matrix can help the organization to prioritize the interested parties, understand their expectations and needs, and develop appropriate communication and engagement strategies. The power/interest matrix can also help the organization to identify potential risks and opportunities related to the interested parties. References: ISO/IEC 27001:2022, clause 4.2; PECB ISO/IEC 27001 Lead Implementer Course, Module 4, slide 12.

Correct Answer: B

Explanation: According to the ISO/IEC 27001 : 2022 Lead Implementer course, one of the roles and responsibilities of an internal auditor is to provide recommendations for improvement based on the audit findings1. Therefore, Tessa can create a plan for ISMS monitoring and measurement and present it to the top management as a way of advising them on how to improve the company's functions. However, Tessa is not responsible for implementing the improvements or communicating the issues found to the top management. Those tasks belong to the process owners and the management representative, respectively2. References: 1: PECB, ISO/IEC 27001 Lead Implementer Course, Module 9: Internal Audit, slide 14 2: PECB, ISO/IEC 27001 Lead Implementer Course, Module 9: Internal Audit, slide

Correct Answer: A

Explanation: According to the scenario, Operaze conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration testing and code review, the company identified some issues in its ICT systems, such as improper user permissions, misconfigured security settings, and insecure network configurations. These issues are examples of vulnerabilities, which are weaknesses or gaps in the protection of an asset that can be exploited by a threat. Therefore, the identification of vulnerabilities led Operaze to implement the ISMS. References: ISO/IEC 27001:2022 Lead Implementer Training Course Guide1 ISO/IEC 27001:2022 Lead Implementer Info Kit2

Correct Answer: B

Explanation: According to ISO/IEC 27001:2022, clause 7.5.1, the organization shall ensure that the documented information required by the ISMS and by this document is controlled to ensure that it is available and suitable for use, where and when it is needed, and that it is adequately protected. This includes ensuring that the documented information is reviewed and approved for suitability and adequacy. The information security procedures are part of the documented information that supports the operation of the ISMS processes and the implementation of the information security controls. Therefore, they should be drafted, reviewed, and validated by the information security committee, which is the group of people responsible for overseeing the ISMS and ensuring its alignment with the organization's objectives and strategy. The information security committee should include representatives from different functions and levels of the organization, as well as external experts if needed. The information security committee should also ensure that the information security procedures are communicated to the relevant employees and other interested parties, and that they are periodically reviewed and updated as necessary. References: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements, clauses 5.3, 7.5.1, and 9.3 ISO/IEC 27001:2022 Lead Implementer objectives and content, 4 and 5

Correct Answer: B

Explanation: According to ISO/IEC 27001:2022, clause 7.2.3, the organization shall conduct a competence needs analysis to determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the ISMS. The organization shall also evaluate the effectiveness of the actions taken to acquire the necessary competence and retain appropriate documented information as evidence of competence. Therefore, Colin should deliver the next training and awareness session after he conducts a competence needs analysis and records the competence related issues, such as the level of understanding, the gaps in knowledge, and the feedback from the participants. References: ISO/IEC 27001:2022, clause 7.2.3; PECB ISO/IEC 27001 Lead Implementer Course, Module 7, slide 8.

Correct Answer: B

Explanation: The loss of integrity of information in HealthGenic means that the information was modified or corrupted in an unauthorized or improper way, resulting in inaccurate, incomplete, or unreliable data. This can have a serious impact

on the quality and safety of the medical services provided by HealthGenic, as well as the trust and satisfaction of the patients and their families. In particular, incomplete and incorrect medical reports can lead to:

Misdiagnosis or delayed diagnosis of the patients' conditions, which can affect their treatment and recovery.

Prescription of wrong or inappropriate medications or dosages, which can cause adverse effects or interactions.

Violation of the patients' privacy and confidentiality, which can expose them to identity theft, fraud, or discrimination.

Legal liability and reputational damage for HealthGenic, which can result in lawsuits, fines, or loss of customers.

Therefore, it is essential for HealthGenic to ensure the integrity of its information by implementing appropriate security controls and measures, such as encryption, authentication, backup, audit, and incident response.

References:

ISO/IEC 27001:2022 Lead Implementer Course Guide1

ISO/IEC 27001:2022 Lead Implementer Info Kit2

ISO/IEC 27001:2022 Information Security Management Systems - Requirements3 ISO/IEC 27002:2022 Code of Practice for Information Security Controls4

Correct Answer: B

Explanation: According to the ISO/IEC 27001:2022 standard, an information security policy is a high-level document that defines the management approach and objectives for information security within the organization. It should include,

among other things, the legal and regulatory obligations imposed upon the organization, such as compliance with laws, contracts, agreements, and standards that are relevant to information security. The information security policy should also

provide the basis for establishing, implementing, maintaining, and continually improving the information security management system (ISMS).

References:

ISO/IEC 27001:2022, Clause 5.2 Policy

ISO/IEC 27002:2022, Clause 5.1 Policies for information security PECB

ISO/IEC 27001 Lead Implementer Course, Module 3: Information Security Management System (ISMS)

Correct Answer: B

Explanation: According to ISO/IEC 27001:2022, Annex A.8.24, the control for the effective use of cryptography is intended to ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information. This control can include cryptographic key management, which is the process of generating, distributing, storing, using, and destroying cryptographic keys in a secure manner. Cryptographic key management is essential for ensuring the security and functionality of cryptographic solutions, such as encryption, digital signatures, or authentication. The standard provides the following guidance for implementing this control: A policy on the use of cryptographic controls should be developed and implemented. The policy should define the circumstances and conditions in which the different types of cryptographic controls should be used, based on the information classification scheme, the relevant agreements, legislation, and regulations, and the assessed risks. The policy should also define the standards and techniques to be used for each type of cryptographic control, such as the algorithms, key lengths, key formats, and key lifecycles. The policy should be reviewed and updated regularly to reflect the changes in the technology, the business environment, and the legal requirements. The cryptographic keys should be managed through their whole lifecycle, from generation to destruction, in a secure and controlled manner, following the principles of need-to-know and segregation of duties. The cryptographic keys should be protected from unauthorized access, disclosure, modification, loss, or theft, using appropriate physical and logical security measures, such as encryption, access control, backup, and audit. The cryptographic keys should be changed or replaced periodically, or when there is a suspicion of compromise, following a defined process that ensures the continuity of the cryptographic services and the availability of the information. The cryptographic keys should be securely destroyed when they are no longer required, or when they reach their end of life, using methods that prevent their recovery or reconstruction. References: ISO/IEC 27001:2022 Lead Implementer Course Guide1 ISO/IEC 27001:2022 Lead Implementer Info Kit2 ISO/IEC 27001:2022 Information Security Management Systems - Requirements3 ISO/IEC 27002:2022 Code of Practice for Information Security Controls4 Understanding Cryptographic Controls in Information Security5