Free Practice Questions for PECB ISO-IEC-27002-Foundation Exam

Under Control 5.1, information security policies should include statements that define direction, responsibilities, and policy expectations, including how exemptions and exceptions are handled. Exception handling is important because policies cannot be treated casually or bypassed informally. When an exception is necessary, it should be justified, approved, documented, time-bound where appropriate, risk-assessed, and reviewed. This preserves governance and ensures deviations do not become uncontrolled weaknesses. Option A, recovery from a data breach, is important but belongs more naturally to incident management, business continuity, and response planning rather than the general information security policy statement. Option C, procedures for using automated information systems, may be addressed in acceptable use or operational procedures, but it is not the best match for Control 5.1’s policy content. The information security policy establishes the authority and framework for topic-specific policies and procedures. It should include high-level statements on objectives, principles, responsibilities, compliance expectations, and exception management. Therefore, option B is verified. References/Chapters: ISO/IEC 27002:2022, Control 5.1 Policies for information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.37 Documented operating procedures.

==========

A fire alarm is a detective and technical control. It is detective because it identifies or signals that a fire-related event may be occurring. The alarm does not normally stop the fire from starting, and it does not restore damaged assets after the event. Its purpose is to detect indicators such as smoke, heat, or fire and trigger response actions such as evacuation, suppression, emergency communication, or incident handling. It is technical because it operates through engineered or electronic mechanisms rather than through management approval, legal clauses, or purely administrative processes. ISO/IEC 27002:2022 classifies controls using attributes, including control type. Control types include preventive, detective, and corrective. Fire alarms align with the physical security control area because fire is a physical and environmental threat to information processing facilities, equipment, storage media, and supporting infrastructure. The value of the control is timely detection, reducing the chance that a physical event escalates unnoticed into major damage or service disruption. References/Chapters: ISO/IEC 27002:2022, Clause 4 control attributes; Control 7.4 Physical security monitoring; Control 7.5 Protecting against physical and environmental threats.

==========

Continual improvement is the process of increasing an organization’s effectiveness and efficiency so that it better fulfills its policies and objectives. In information security, improvement is not limited to fixing one defect. It is the ongoing refinement of controls, processes, responsibilities, technologies, awareness, monitoring, and response capabilities. Option B describes analysis, which may support improvement but is not the definition. Option C describes correction or corrective action for a nonconformity, which can be one mechanism of improvement but does not cover the complete concept. ISO/IEC 27002 supports continual improvement through controls such as learning from information security incidents, independent review, compliance monitoring, threat intelligence, vulnerability management, change management, and documented operating procedures. A mature organization uses evidence from incidents, audits, metrics, user behavior, supplier performance, new threats, and business changes to adjust its controls. The key idea is progressive enhancement of suitability, adequacy, and effectiveness. Therefore, option A aligns with the management system and ISO/IEC 27002 control logic. References/Chapters: ISO/IEC 27002:2022, Control 5.27 Learning from information security incidents; Control 5.35 Independent review of information security; Control 8.8 Management of technical vulnerabilities.

==========

Information security should be integrated into project management so that security risks related to projects and deliverables are effectively addressed. Projects often introduce new systems, processes, suppliers, data flows, technologies, applications, facilities, or business changes. If security is considered only after implementation, weaknesses may already be embedded in design, architecture, contracts, code, configurations, or operating procedures. ISO/IEC 27002 Control 5.8 expects information security to be integrated into project management activities so risks are identified and treated throughout the project lifecycle. This includes security requirements, risk assessments, roles and responsibilities, acceptance criteria, testing, supplier requirements, privacy considerations, change control, and secure transition to operation. Option A is too general and focuses on applying ISO/IEC 27001 principles rather than the precise purpose of the control. Option B is too narrow because audits can support assurance but are not the primary reason for integration. The main purpose is risk management within projects and deliverables. Therefore, option C is verified. References/Chapters: ISO/IEC 27002:2022, Control 5.8 Information security in project management; Control 8.26 Application security requirements; Control 8.29 Security testing in development and acceptance.

==========

Confidentiality is breached when information is made available or disclosed to unauthorized individuals, entities, or processes. Option A is the correct answer because employees from all departments have access to colleagues’ personal data, even though such access should normally be restricted to authorized roles such as HR, payroll, compliance, or designated management. Internal users can still be unauthorized users when their role does not justify access. ISO/IEC 27002 addresses this through access control, access rights management, classification, privacy protection, and information access restriction. Option B is an availability issue because a department cannot access needed customer phone numbers due to equipment failure. Option C is an integrity issue because banking information was accidentally modified. The confidentiality principle is specifically about limiting disclosure and availability of information to authorized parties only. Personal data requires additional care because privacy obligations may apply, and excessive internal access can create legal, ethical, and reputational harm. The verified answer is therefore option A. References/Chapters: ISO/IEC 27002:2022, Control 5.15 Access control; Control 5.18 Access rights; Control 5.34 Privacy and protection of PII; Control 8.3 Information access restriction.

==========

Control 5.35, Independent review of information security, is the control intended to ensure that the organization’s approach to managing information security remains suitable, adequate, and effective. Independent reviews provide objective evaluation of whether policies, processes, controls, responsibilities, and implementation remain aligned with business needs, risks, legal requirements, and the organization’s security objectives. The review may consider governance, control design, control operation, risk treatment, compliance, incident trends, technology changes, supplier dependencies, and audit results. Control 5.4, Management responsibilities, is important because management must ensure personnel apply security according to policies and procedures, but it is not the control specifically focused on independent review. Control 5.24 concerns planning and preparation for incident management, which supports response capability but does not broadly assess the continuing suitability of the whole security approach. The phrase “suitable, adequate and effective” is a strong indicator of review and assurance. ISO/IEC 27002 uses independent review to challenge assumptions, detect weaknesses, and support continual improvement. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.4 Management responsibilities.

When an employee leaves the organization or changes roles, their information security responsibilities should be identified and transferred appropriately. ISO/IEC 27002 emphasizes that responsibilities must remain clear throughout the employment lifecycle, including changes and termination. Security duties cannot simply disappear when a person leaves a role. Examples include ownership of assets, approval duties, incident response responsibilities, privileged access administration, supplier contact responsibilities, classification decisions, or operational security tasks. The organization should determine which responsibilities the employee holds, remove responsibilities that no longer apply, revoke or adjust access rights, and assign continuing responsibilities to another competent person. Option B is too limited because documenting responsibilities in a termination policy does not ensure that active duties are transferred. Option C is incorrect because outsourcing is not required and may introduce additional supplier risk. The central ISO/IEC 27002 principle is continuity of accountability: responsibilities must be maintained even when personnel move, leave, or change duties. This also supports least privilege because access and responsibilities should match the current role. References/Chapters: ISO/IEC 27002:2022, Control 6.5 Responsibilities after termination or change of employment; Control 5.2 Information security roles and responsibilities; Control 5.18 Access rights.

==========

When using cryptography, organizations should consider roles and responsibilities for key management. Cryptographic controls are only effective when keys are properly generated, stored, distributed, rotated, backed up, revoked, destroyed, and protected from unauthorized access. Weak key management can defeat strong algorithms because compromise of the key can expose encrypted information or allow unauthorized signing, decryption, or impersonation. ISO/IEC 27002 Control 8.24, Use of cryptography, guides organizations to define rules for effective cryptographic use, including protection of confidentiality, authenticity, integrity, and non-repudiation where relevant. Key management responsibilities must be assigned clearly so that ownership, custody, approval, recovery, and emergency access are controlled. Option B relates to project security management, not cryptographic implementation specifically. Option C relates to network security and filtering, not cryptographic key governance. Cryptography requires policy decisions about algorithms, key lengths, certificate management, lifecycle handling, legal restrictions, and separation of duties. The exam’s correct answer is therefore option A because key management is a central technical and governance constraint of cryptographic protection. References/Chapters: ISO/IEC 27002:2022, Control 8.24 Use of cryptography; Control 5.15 Access control; Control 5.17 Authentication information.

==========

ISO/IEC 27002:2022 provides guidance for selecting, implementing, and managing information security controls. It is not the certification requirements standard; that role belongs to ISO/IEC 27001. ISO/IEC 27002 supports organizations by explaining the purpose of each control, the implementation guidance, and other related information needed to apply controls appropriately. Its controls are grouped into organizational, people, physical, and technological themes. The standard is intended to be used as a reference when organizations design security measures based on their risks, business needs, legal obligations, contractual requirements, and information security objectives. Therefore, option A is correct because “guidance” is the core function of ISO/IEC 27002. Option B is incorrect because ISO/IEC 27002 does not set mandatory requirements for certification. Option C is related to risk management, but it is not the main purpose of ISO/IEC 27002; risk management guidance is more directly associated with ISO/IEC 27005. ISO/IEC 27002 guides control implementation after risk and control needs are determined. References/Chapters: ISO/IEC 27002:2022, Clause 1 Scope; Clause 4 Structure of the standard; Controls 5–8.

==========