ISO/IEC 27002 Foundation Exam Questions and Answers
What should an organization do if it detects a vulnerability that does not have a corresponding threat?
Options:
A. Recognize the vulnerability
B. Both A and C
C. Monitor the vulnerability for changes
Answer: B
Explanation:
A vulnerability with no currently identified corresponding threat should still be recognized and monitored. A vulnerability is a weakness that could be exploited, but risk usually depends on the relationship between assets, threats, vulnerabilities, likelihood, and consequences. When no active or relevant threat is identified, immediate treatment may not be proportionate. However, ignoring the vulnerability would be inconsistent with ISO/IEC 27002’s risk-aware approach. Threat conditions change. A weakness that appears low priority today may become exploitable after a new attack technique, system exposure, business change, supplier change, or threat actor capability emerges. Recognizing the vulnerability ensures it is recorded and available for future assessment. Monitoring it ensures the organization detects changes in exploitability, exposure, or threat relevance. ISO/IEC 27002 supports this through threat intelligence and management of technical vulnerabilities, both of which require organizations to remain alert to changes in the threat and vulnerability landscape. Therefore, the correct answer is both recognizing and monitoring the vulnerability. References/Chapters: ISO/IEC 27002:2022, Control 5.7 Threat intelligence; Control 8.8 Management of technical vulnerabilities; Control 5.36 Compliance with policies, rules and standards for information security.
==========
An organization has set up a fire alarm. What type of control is this?
Options:
A. Corrective and managerial
B. Detective and technical
C. Preventive and legal
Answer: B
Explanation:
A fire alarm is a detective and technical control. It is detective because it identifies or signals that a fire-related event may be occurring. The alarm does not normally stop the fire from starting, and it does not restore damaged assets after the event. Its purpose is to detect indicators such as smoke, heat, or fire and trigger response actions such as evacuation, suppression, emergency communication, or incident handling. It is technical because it operates through engineered or electronic mechanisms rather than through management approval, legal clauses, or purely administrative processes. ISO/IEC 27002:2022 classifies controls using attributes, including control type. Control types include preventive, detective, and corrective. Fire alarms align with the physical security control area because fire is a physical and environmental threat to information processing facilities, equipment, storage media, and supporting infrastructure. The value of the control is timely detection, reducing the chance that a physical event escalates unnoticed into major damage or service disruption. References/Chapters: ISO/IEC 27002:2022, Clause 4 control attributes; Control 7.4 Physical security monitoring; Control 7.5 Protecting against physical and environmental threats.
==========
Which situation presented below indicates that the confidentiality of information has been breached?
Options:
A. Employees of all departments of an organization have access to personal data of their colleagues
B. The Customer Service Department is not able to access customers’ phone numbers due to an equipment failure
C. One of the employees of the Financial Department of an organization accidentally modified banking information of other staff members
Answer: A
Explanation:
Confidentiality is breached when information is made available or disclosed to unauthorized individuals, entities, or processes. Option A is the correct answer because employees from all departments have access to colleagues’ personal data, even though such access should normally be restricted to authorized roles such as HR, payroll, compliance, or designated management. Internal users can still be unauthorized users when their role does not justify access. ISO/IEC 27002 addresses this through access control, access rights management, classification, privacy protection, and information access restriction. Option B is an availability issue because a department cannot access needed customer phone numbers due to equipment failure. Option C is an integrity issue because banking information was accidentally modified. The confidentiality principle is specifically about limiting disclosure and availability of information to authorized parties only. Personal data requires additional care because privacy obligations may apply, and excessive internal access can create legal, ethical, and reputational harm. The verified answer is therefore option A. References/Chapters: ISO/IEC 27002:2022, Control 5.15 Access control; Control 5.18 Access rights; Control 5.34 Privacy and protection of PII; Control 8.3 Information access restriction.
==========
What is the purpose of Control 8.20 Network security of ISO/IEC 27002?
Options:
A. To protect information in networks and its supporting information processing facilities from compromise via the network
B. To ensure security in the use of network services
C. To split the network in security boundaries
Answer: A
Explanation:
The purpose of Control 8.20, Network security, is to protect information in networks and supporting information processing facilities from compromise through the network. This includes protecting data in transit, network devices, network services, communication paths, routing, management interfaces, and connected systems. Network compromise can lead to unauthorized access, interception, malware propagation, denial of service, lateral movement, data exfiltration, or manipulation of traffic. Option B relates more closely to Control 8.21, Security of network services, which addresses security mechanisms, service levels, and management requirements for network services. Option C relates to Control 8.22, Segregation of networks, which specifically concerns splitting networks into security boundaries or domains. Control 8.20 is broader: it establishes the general objective of securing networks against compromise. ISO/IEC 27002 expects organizations to manage and control networks according to risk, including architecture, monitoring, authentication, encryption where needed, device hardening, and protection of network management functions. The correct answer is therefore option A. References/Chapters: ISO/IEC 27002:2022, Control 8.20 Network security; Control 8.21 Security of network services; Control 8.22 Segregation of networks.
==========
According to Control 5.27 Learning from information security incidents, how can organizations use the information gained from the evaluation of information security incidents?
Options:
A. To enhance user awareness and training
B. Both A and C
C. To enhance the incident management plan
Answer: B
Explanation:
Information gained from evaluating information security incidents should be used to improve both user awareness and training and the incident management plan. Control 5.27 focuses on learning from incidents so that organizations reduce the likelihood or impact of recurrence. Incident evaluation can reveal root causes, control failures, user mistakes, unclear procedures, delayed escalation, insufficient logging, poor communication, supplier weaknesses, or technical vulnerabilities. If users contributed to the incident through phishing response, mishandling of information, weak passwords, or reporting delays, awareness and training should be improved. If the incident response process showed weaknesses in roles, escalation, evidence collection, communication, containment, recovery, or decision-making, the incident management plan should be updated. ISO/IEC 27002 treats incidents as a feedback mechanism for continual improvement, not merely isolated events to close. Option B is correct because both listed uses are valid and mutually reinforcing. Strong incident learning improves controls, procedures, monitoring, user behavior, and readiness for future events. References/Chapters: ISO/IEC 27002:2022, Control 5.27 Learning from information security incidents; Control 5.24 Information security incident management planning and preparation; Control 6.3 Information security awareness, education and training.
==========
During which phase of the Plan-Do-Check-Act cycle do organizations maintain and improve the information security management system?
Options:
A. Act
B. Do
C. Check
Answer: A
Explanation:
The “Act” phase is the phase in which an organization maintains and improves the information security management system. In the PDCA logic, “Plan” establishes objectives, policies, processes, risk treatment plans, and controls. “Do” implements and operates the planned processes and controls. “Check” monitors, measures, audits, and reviews performance. “Act” uses the results of checking to correct weaknesses, improve effectiveness, and adapt the ISMS to changing conditions. ISO/IEC 27002 is not itself the PDCA requirements standard, but its controls support the management system lifecycle used by ISO/IEC 27001. Examples include independent review of information security, compliance review, learning from incidents, management of vulnerabilities, and change management. These controls generate findings and lessons that feed improvement actions. “Do” is not the best answer because it focuses on implementation. “Check” is not the best answer because it evaluates performance but does not itself complete improvement. The phase that maintains and improves the ISMS is “Act.” References/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.27 Learning from information security incidents; ISO/IEC 27001 PDCA-based management system model.
==========
What is continual improvement?
Options:
A. The process of increasing the effectiveness and efficiency of the organization to fulfill its policy and objectives
B. A method of examining the nature of something or of determining its essential features and their relations
C. The action taken to eliminate a detected nonconformity
Answer: A
Explanation:
Continual improvement is the process of increasing an organization’s effectiveness and efficiency so that it better fulfills its policies and objectives. In information security, improvement is not limited to fixing one defect. It is the ongoing refinement of controls, processes, responsibilities, technologies, awareness, monitoring, and response capabilities. Option B describes analysis, which may support improvement but is not the definition. Option C describes correction or corrective action for a nonconformity, which can be one mechanism of improvement but does not cover the complete concept. ISO/IEC 27002 supports continual improvement through controls such as learning from information security incidents, independent review, compliance monitoring, threat intelligence, vulnerability management, change management, and documented operating procedures. A mature organization uses evidence from incidents, audits, metrics, user behavior, supplier performance, new threats, and business changes to adjust its controls. The key idea is progressive enhancement of suitability, adequacy, and effectiveness. Therefore, option A aligns with the management system and ISO/IEC 27002 control logic. References/Chapters: ISO/IEC 27002:2022, Control 5.27 Learning from information security incidents; Control 5.35 Independent review of information security; Control 8.8 Management of technical vulnerabilities.
==========
According to Control 5.1 Policies for information security, regarding which of the following, among others, should an information security policy contain statements?
Options:
A. Regarding the procedures for recovering from a data breach
B. Regarding the procedures for handling exemptions and exceptions
C. Regarding the procedures for using automated information systems
Answer: B
Explanation:
Under Control 5.1, information security policies should include statements that define direction, responsibilities, and policy expectations, including how exemptions and exceptions are handled. Exception handling is important because policies cannot be treated casually or bypassed informally. When an exception is necessary, it should be justified, approved, documented, time-bound where appropriate, risk-assessed, and reviewed. This preserves governance and ensures deviations do not become uncontrolled weaknesses. Option A, recovery from a data breach, is important but belongs more naturally to incident management, business continuity, and response planning rather than the general information security policy statement. Option C, procedures for using automated information systems, may be addressed in acceptable use or operational procedures, but it is not the best match for Control 5.1’s policy content. The information security policy establishes the authority and framework for topic-specific policies and procedures. It should include high-level statements on objectives, principles, responsibilities, compliance expectations, and exception management. Therefore, option B is verified. References/Chapters: ISO/IEC 27002:2022, Control 5.1 Policies for information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.37 Documented operating procedures.
==========
An organization uses access control software that allows only authorized employees to access sensitive files. What type of control is this?
Options:
A. Detective
B. Corrective
C. Preventive
Answer: C
Explanation:
Access control software that allows only authorized employees to access sensitive files is a preventive control. Its purpose is to stop unauthorized access before it occurs by enforcing approved access rules. In ISO/IEC 27002, access control is implemented through policies, identity management, authentication, authorization, access rights review, privileged access control, and restrictions on information access. This type of software can prevent unauthorized disclosure, unauthorized modification, misuse of sensitive data, and violation of privacy or contractual obligations. It is not primarily detective because it does not merely discover an event after it has happened. It is not corrective because it does not restore damaged information or reverse the impact of an incident. Its security value is in blocking access attempts that do not meet authorization criteria. The principle behind the control is least privilege: users should receive only the access necessary for their role and responsibilities. For sensitive files, this is especially important because confidentiality, integrity, and accountability depend on correct authorization. References/Chapters: ISO/IEC 27002:2022, Control 5.15 Access control; Control 5.16 Identity management; Control 5.18 Access rights; Control 8.3 Information access restriction.
==========
What, among others, should be considered when using cryptography?
Options:
A. The roles and responsibilities for the key management
B. Security checkpoints in projects
C. Restricting and filtering systems connection to the network
Answer: A
Explanation:
When using cryptography, organizations should consider roles and responsibilities for key management. Cryptographic controls are only effective when keys are properly generated, stored, distributed, rotated, backed up, revoked, destroyed, and protected from unauthorized access. Weak key management can defeat strong algorithms because compromise of the key can expose encrypted information or allow unauthorized signing, decryption, or impersonation. ISO/IEC 27002 Control 8.24, Use of cryptography, guides organizations to define rules for effective cryptographic use, including protection of confidentiality, authenticity, integrity, and non-repudiation where relevant. Key management responsibilities must be assigned clearly so that ownership, custody, approval, recovery, and emergency access are controlled. Option B relates to project security management, not cryptographic implementation specifically. Option C relates to network security and filtering, not cryptographic key governance. Cryptography requires policy decisions about algorithms, key lengths, certificate management, lifecycle handling, legal restrictions, and separation of duties. The exam’s correct answer is therefore option A because key management is a central technical and governance constraint of cryptographic protection. References/Chapters: ISO/IEC 27002:2022, Control 8.24 Use of cryptography; Control 5.15 Access control; Control 5.17 Authentication information.
==========
What should NOT be taken into account when locating and constructing physical premises?
Options:
A. Local topography
B. Urban threats
C. System requirements
Answer: C
Explanation:
System requirements should not be the primary factor listed for locating and constructing physical premises in the ISO/IEC 27002 physical security context. When selecting and constructing premises, organizations should consider physical and environmental threats such as local topography, flood risk, earthquake exposure, weather conditions, crime levels, civil unrest, neighboring facilities, hazardous sites, and urban threats. These considerations help reduce risks to secure areas, information processing facilities, equipment, personnel, and supporting utilities. Local topography is relevant because geography can influence flooding, landslides, access routes, drainage, and natural hazards. Urban threats are relevant because location can affect exposure to crime, protests, terrorism, traffic disruption, adjacent buildings, or public access. System requirements are important in technology design and facility planning, but they are not the type of environmental or location threat consideration targeted by this question. ISO/IEC 27002 physical controls emphasize protecting premises from physical and environmental risks, not choosing location based on application or system functional requirements. Therefore, option C is verified. References/Chapters: ISO/IEC 27002:2022, Control 7.1 Physical security perimeters; Control 7.5 Protecting against physical and environmental threats; Control 7.8 Equipment siting and protection.
==========
Some employees of an organization find the data processing procedures complicated and have been struggling to follow them effectively. Which of the following threats is the organization facing in this case?
Options:
A. Data input error by employees
B. Hacking
C. Information theft
Answer: A
Explanation:
The situation describes a people-related operational threat: data input error by employees. The root cause is not a malicious external attack or theft; it is that employees cannot reliably follow complicated processing procedures. ISO/IEC 27002 recognizes that people, competence, awareness, and documented procedures are essential to information security. When procedures are unclear, excessive, or difficult to follow, employees may enter incorrect data, omit fields, select wrong categories, mishandle classifications, misroute information, or unintentionally corrupt records. This primarily threatens integrity because the information may no longer be accurate or complete. Hacking would involve unauthorized technical intrusion, and information theft would involve intentional unauthorized taking or disclosure of information. Neither is stated in the scenario. ISO/IEC 27002 addresses this type of risk through information security awareness, education and training, documented operating procedures, clear responsibilities, and appropriate segregation of duties. Effective controls should make correct behavior practical and repeatable, not merely documented. Therefore, the verified answer is option A. References/Chapters: ISO/IEC 27002:2022, Control 6.3 Information security awareness, education and training; Control 5.37 Documented operating procedures; Control 5.3 Segregation of duties.
==========