PECB ISO-IEC-27005-Risk-Manager Exam Practice Test Instant Access

Question 1

Scenario 2: Travivve is a travel agency that operates in more than 100 countries. Headquartered in San Francisco, the US, the agency is known for its personalized vacation packages and travel services. Travivve aims to deliver reliable services that meet its clients' needs. Considering the impact of information security in its reputation, Travivve decided to implement an information security management system (ISMS) based on ISO/IEC 27001. In addition, they decided to establish and implement an information security risk management program. Based on the priority of specific departments in Travivve, the top management decided to initially apply the risk management process only in the Sales Management Department. The process would be applicable for other departments only when introducing new technology.

Travivve's top management wanted to make sure that the risk management program is established based on the industry best practices. Therefore, they created a team of three members that would be responsible for establishing and implementing it. One of the team members was Travivve's risk manager who was responsible for supervising the team and planning all risk management activities. In addition, the risk manager was responsible for monitoring the program and reporting the monitoring results to the top management.

Initially, the team decided to analyze the internal and external context of Travivve. As part of the process of understanding the organization and its context, the team identified key processes and activities. Then, the team identified the interested parties and their basic requirements and determined the status of compliance with these requirements. In addition, the team identified all the reference documents that applied to the defined scope of the risk management process, which mainly included the Annex A of ISO/IEC 27001 and the internal security rules established by Travivve. Lastly, the team analyzed both reference documents and justified a few noncompliances with those requirements.

The risk manager selected the information security risk management method which was aligned with other approaches used by the company to manage other risks. The team also communicated the risk management process to all interested parties through previously established communication mechanisms. In addition, they made sure to inform all interested parties about their roles and responsibilities regarding risk management. Travivve also decided to involve interested parties in its risk management activities since, according to the top management, this process required their active participation.

Lastly, Travivve's risk management team decided to conduct the initial information security risk assessment process. As such, the team established the criteria for performing the information security risk assessment which included the consequence criteria and likelihood criteria.

Did the risk management team establish all the criteria required to perform the information security risk assessment? Refer to scenario 2.

ANo, the risk management team should also establish the criteria for determining the level of risk

BNo, the risk management team should also establish the criteria for treating the identified risks

CYes. the risk management team established all the criteria that are necessary to perform an information security risk assessment

Answer : A

While Travivve's risk management team established criteria for consequence and likelihood, ISO/IEC 27005 requires that additional criteria should be defined to complete a risk assessment. Specifically, the team should also establish criteria for determining the level of risk, which involves combining the likelihood and consequence to evaluate risk magnitude. This step is crucial for prioritizing risks and determining which risks require treatment. The absence of criteria for determining the level of risk means that the team did not fully meet the requirements of ISO/IEC 27005 for performing an information security risk assessment. Therefore, the correct answer is A.

ISO/IEC 27005:2018, Clause 8.4, 'Risk Assessment,' which outlines the need to establish criteria for risk acceptance, which includes determining the level of risk.

Question 2

Did Travivve's risk management team identify the basic requirements of interested parties in accordance with the guidelines of ISO/IEC 27005? Refer to scenario 2.

ANo, the team should define the basic requirements of interested parties, but it should determine status of compliance with the requirements after implementing the risk treatment options

BNo, the team should use only the organization's internal security rules to determine the status of compliance with the basic requirements of interested parties

CYes, the team identified the basic requirements of interested parties and determined the status of compliance with those requirements as recommended by ISO/IEC 27005

Answer : C

According to ISO/IEC 27005, understanding the organization and its context, including the identification of interested parties and their requirements, is a critical part of the risk management process. The team at Travivve identified the interested parties and their basic requirements and determined the status of compliance with these requirements, which aligns with the guidelines provided by ISO/IEC 27005. This standard recommends that organizations should understand their context and stakeholders' requirements to effectively manage risks. Additionally, it is appropriate to evaluate compliance with requirements as part of the context analysis, rather than after implementing risk treatment options. Therefore, the team's approach was in accordance with ISO/IEC 27005, making option C the correct answer.

ISO/IEC 27005:2018, Clause 7, 'Context Establishment,' which outlines the importance of identifying the context, including the interested parties and their requirements, as a basis for risk management.

Question 3

An organization has installed security cameras and alarm systems. What type of information security control has been implemented in this case?

ATechnical

BManagerial

CLegal

Answer : A

Security cameras and alarm systems are considered technical controls in the context of information security. Technical controls, also known as logical controls, involve the use of technology to protect information and information systems. These controls are designed to prevent or detect security breaches and mitigate risks related to physical access and surveillance. While security cameras and alarms are physical in nature, they fall under the broader category of technical controls because they involve electronic monitoring and alert systems. Option B (Managerial) refers to administrative policies and procedures, and option C (Legal) refers to controls related to compliance with laws and regulations, neither of which applies in this case.

Question 4

Does information security reduce the impact of risks?

AYes, information security reduces risks and their impact by protecting the organization against threats and vulnerabilities

BNo, information security does not have an impact on risks as information security and risk management are separate processes

CYes, information security reduces the impact of risks by eliminating the likelihood of exploitation of vulnerabilities by threats

Answer : A

Information security aims to protect information assets against threats and vulnerabilities that could lead to unauthorized access, disclosure, alteration, or destruction. By implementing effective security measures (such as access controls, encryption, and monitoring), an organization reduces the likelihood of vulnerabilities being exploited and mitigates the potential impact of risks. According to ISO/IEC 27005, risk management in information security includes identifying, assessing, and applying controls to reduce both the likelihood and impact of potential risks. Thus, option A is correct because it acknowledges the role of information security in reducing the impact of risks. Option B is incorrect because information security is a key component of risk management, and option C is incorrect because information security does not eliminate risks entirely; it mitigates their impact.

Question 5

Which of the following risk assessment methods provides an information security risk assessment methodology and involves three phases build asset-based threat profiles, identify infrastructure vulnerabilities, and develop security strategy and plans?

AOCTAVE-S

BMEHARI

CTRA

Answer : A

OCTAVE-S (Operationally Critical Threat, Asset, and Vulnerability Evaluation for Small Organizations) is a risk assessment methodology tailored for small organizations. It provides a structured approach for identifying and managing information security risks. The OCTAVE-S method involves three main phases:

Building asset-based threat profiles, where critical assets and their associated threats are identified.

Identifying infrastructure vulnerabilities by assessing the organization's technological infrastructure for weaknesses that could be exploited by threats.

Developing security strategy and plans to address the identified risks and improve the overall security posture.

The OCTAVE-S method aligns with the description provided in the question, making it the correct answer. MEHARI and TRA are other risk assessment methods, but they do not specifically follow the three phases outlined above.

Question 6

Scenario 1

The risk assessment process was led by Henry, Bontton's risk manager. The first step that Henry took was identifying the company's assets. Afterward, Henry created various potential incident scenarios. One of the main concerns regarding the use of the application was the possibility of being targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks during that time. After analyzing the identified risks, Henry evaluated them and concluded that new controls must be implemented if the company wants to use the application. Among others, he stated that training should be provided to personnel regarding the use of the application and that awareness sessions should be conducted regarding the importance of protecting customers' personal data.

Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks.

According to scenario 1, Bontton wanted to use an application that ensures only authorized users have access to customers' personal dat

a. Which information security principle does Bontton want to ensure in this case?

AIntegrity

BAvailability

CConfidentiality

Answer : C

In the context of information security, confidentiality refers to ensuring that information is accessible only to those who are authorized to have access. According to scenario 1, Bontton wanted to use an application that ensures only authorized users have access to customers' personal data. This directly aligns with the principle of confidentiality, as Bontton aims to protect personal data from unauthorized access or disclosure. This focus on restricting access to sensitive data to authorized personnel clearly indicates that the confidentiality of information is the primary concern in this case. Thus, the correct answer is C.

Question 7

Scenario 1

Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks.

Henry concluded that one of the main concerns regarding the use of the application for online ordering was cyberattacks. What did Henry identify in this case? Refer to scenario 1.\

AA threat

BThe vulnerabilities of an asset

CThe consequences of a potential security incident

Answer : A

In this scenario, Henry identifies 'cyberattacks' as one of the main concerns related to the use of the application for online ordering. According to ISO/IEC 27005, a 'threat' is any potential cause of an unwanted incident that may result in harm to a system or organization. In this context, cyberattacks are considered a threat because they represent a potential cause that could compromise the security of the application. Henry's identification of cyberattacks as a primary concern aligns with recognizing a specific threat that could exploit vulnerabilities within the system.

ISO/IEC 27005:2018, Clause 8.3, 'Threat identification,' which provides guidance on identifying threats that could affect the organization's information assets.

ISO/IEC 27001:2013, Clause 6.1.2, 'Information Security Risk Assessment,' where identifying threats is part of the risk assessment process.

These answers are verified based on the standards' definitions and guidelines, providing a comprehensive understanding of how ISO/IEC 27005 is used within the context of ISO/IEC 27001.

PECB ISO-IEC-27005-Risk-Manager PECB Certified ISO/IEC 27005 Risk Manager Exam Practice Test