Welcome to TestSimulate

Pass Your Next Certification Exam Fast!

Everything you need to prepare, learn & pass your certification exam easily.

365 days free updates. First attempt guaranteed success.

  • Home
  • Blogs
  • Give You Free Regular Updates on ISO-IEC-27001-Lead-Implementer Exam Questions Mar 14, 2024 [Q26-Q51]

Give You Free Regular Updates on ISO-IEC-27001-Lead-Implementer Exam Questions Mar 14, 2024 [Q26-Q51]

Share

Give You Free Regular Updates on ISO-IEC-27001-Lead-Implementer Exam Questions Mar 14, 2024

Achieve the ISO-IEC-27001-Lead-Implementer Exam Best Results with Help from PECB Certified Experts

NEW QUESTION # 26
Based on scenario 3. which information security control of Annex A of ISO/IEC 27001 did Socket Inc.
implement by establishing a new system to maintain, collect, and analyze information related to information security threats?

  • A. Annex A 5.5 Contact with authorities
  • B. Annex A 5 7 Threat Intelligence
  • C. Annex A 5.13 Labeling of information

Answer: B


NEW QUESTION # 27
Select risk control activities for domain "10. Encryption" of ISO / 27002: 2013 (Choose two)

  • A. Physical security perimeter
  • B. Key management
  • C. Cryptographic Controls Use Policy
  • D. Work in safe areas

Answer: B,C


NEW QUESTION # 28
Based on scenario 5. after migrating to cloud. Operaze's IT team changed the ISMS scope and implemented all the required modifications Is this acceptable?

  • A. Yes, because the ISMS scope should be changed when there are changes to the external environment
  • B. No, because any change in ISMS scope should be accepted by the management
  • C. No, because the company has already defined the ISMS scope

Answer: B


NEW QUESTION # 29
According to scenario 2. Beauty has reviewed all user access rights. What type of control is this?

  • A. Legal and technical
  • B. Corrective and managerial
  • C. Detective and administrative

Answer: C


NEW QUESTION # 30
You apply for a position in another company and get the job. Along with your contract, you are asked to sign a code of conduct. What is a code of conduct?

  • A. A code of conduct is a standard part of a labor contract.
  • B. A code ofconduct specifies how employees are expected to conduct themselves and is the same for all companies.
  • C. A code of conduct differs from company to company and specifies, among other things, the rules of behavior with regard to the usage of information systems.

Answer: C


NEW QUESTION # 31
Based on scenario 9. is the action plan for the identified nonconformities sufficient to eliminate the detected nonconformities?

  • A. Yes, because a separate action plan has been created for the identified nonconformity
  • B. No, because the action plan does not include a timeframe for implementation
  • C. No, because the action plan does not address the root cause of the identified nonconformity

Answer: B


NEW QUESTION # 32
Scenario 1: HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients' data and medical history, and communicate with all the
[^involved parties, including parents, other physicians, and the medical laboratory staff.
Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.
The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic's patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients' privacy.
Based on the scenario above, answer the following question:
Which of the following indicates that the confidentiality of information was compromised?

  • A. Invasion of patients' privacy
  • B. Service interruptions due to the increased number of users
  • C. Modification of patients' medical reports

Answer: A


NEW QUESTION # 33
Of the following, which is the best organization or set of organizations to contribute to compliance?

  • A. IT and legal
  • B. IT and management
  • C. IT,business management, HR and legal
  • D. IT only

Answer: C


NEW QUESTION # 34
Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products and services. It uses MongoDB. a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately. Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Based on scenario 3. which information security control of Annex A of ISO/IEC 27001 did Socket Inc.
implement by establishing a new system to maintain, collect, and analyze information related to information security threats?

  • A. Annex A 5.5 Contact with authorities
  • B. Annex A 5 7 Threat Intelligence
  • C. Annex A 5.13 Labeling of information

Answer: B

Explanation:
Explanation
Annex A 5.7 Threat Intelligence is a new control in ISO 27001:2022 that aims to provide the organisation with relevant information regarding the threats and vulnerabilities of its information systems and the potential impacts of information security incidents. By establishing a new system to maintain, collect, and analyze information related to information security threats, Socket Inc. implemented this control and improved its ability to prevent, detect, and respond to information security incidents.
References:
ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, Annex A 5.7 Threat Intelligence ISO/IEC 27002:2022 Information technology - Security techniques - Information security, cybersecurity and privacy protection controls, Clause 5.7 Threat Intelligence PECB ISO/IEC 27001:2022 Lead Implementer Course, Module 6: Implementation of Information Security Controls Based on ISO/IEC 27002:2022, Slide 18: A.5.7 Threat Intelligence


NEW QUESTION # 35
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management According to scenario 8, Tessa created a plan for ISMS monitoring and measurement and presented it to the top management Is this acceptable?

  • A. Yes, Tessa can advise the top management on improving the company's functions
  • B. No, Tessa should only communicate the issues found to the top management
  • C. No, Tessa must implement all the improvements needed for issues found during the audit

Answer: A

Explanation:
Explanation
According to the ISO/IEC 27001 : 2022 Lead Implementer course, one of the roles and responsibilities of an internal auditor is to provide recommendations for improvement based on the audit findings1. Therefore, Tessa can create a plan for ISMS monitoring and measurement and present it to the top management as a way of advising them on how to improve the company's functions. However, Tessa is not responsible for implementing the improvements or communicating the issues found to the top management. Those tasks belong to the process owners and the management representative, respectively2.
References: 1: PECB, ISO/IEC 27001 Lead Implementer Course, Module 9: Internal Audit, slide 14 2: PECB, ISO/IEC 27001 Lead Implementer Course, Module 9: Internal Audit, slide 15


NEW QUESTION # 36
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Based on scenario 4, the fact that TradeB defined the level of risk based on three nonnumerical categories indicates that;

  • A. The level of risk will be evaluated against qualitative criteria
  • B. The level of risk will be defined using a formula
  • C. The level of risk will be evaluated using quantitative analysis

Answer: A

Explanation:
Explanation
Qualitative risk assessment is a method of evaluating risks based on nonnumerical categories, such as low, medium, and high. It is often used when there is not enough data or resources to perform a quantitative risk assessment, which involves numerical values and calculations. Qualitative risk assessment relies on the subjective judgment and experience of the risk assessors, and it can be influenced by various factors, such as the context, the stakeholders, and the criteria. According to ISO/IEC 27001:2022, Annex A, control A.8.2.1 states: "The organization shall define and apply an information security risk assessment process that: ... d) identifies the risk owners; e) analyses the risks: i) assesses the consequences that would result if the risks identified were to materialize; ii) assesses the realistic likelihood of the occurrence of the risks; f) identifies and evaluates options for the treatment of risks; g) determines the levels of residual risk and whether these are acceptable; and h) identifies the risk owners for the residual risks." Therefore, TradeB's decision to define the level of risk based on three nonnumerical categories indicates that they used a qualitative risk assessment process.
References:
ISO/IEC 27001:2022, Annex A, control A.8.2.1
PECB ISO/IEC 27001 Lead Implementer Course, Module 7, slides 12-13


NEW QUESTION # 37
Which of the following measures is a correctivemeasure?

  • A. Restoring a backup of the correct database after a corrupt copy of the database was written over the original
  • B. Installing a virus scanner in an information system
  • C. Making a backup of the data that has been created or altered that day
  • D. Incorporating an Intrusion Detection System (IDS) in the design of a computer center

Answer: A


NEW QUESTION # 38
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off-site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body The certification body rejected NetworkFuse's request to change the audit team leader. Is this acceptable?
Refer to scenario 10.

  • A. No, auditee's requests for the replacement of auditors must be accepted
  • B. No, because an auditee cannot request the rejection of an audit team member
  • C. Yes, because NetworkFuse did not give a valid reason to support their claims

Answer: C

Explanation:
Explanation
According to the ISO/IEC 27001 : 2022 Lead Implementer course, the certification body is responsible for selecting and appointing the audit team members, taking into account the competence, impartiality, and objectivity of the auditors1. The auditee can request the replacement of an audit team member only if there is a valid reason to doubt their competence or impartiality, such as a personal or professional conflict of interest, a lack of relevant experience or qualifications, or a previous involvement in the auditee's activities2. However, NetworkFuse did not give a valid reason to support their claims, as the fact that the audit team leader issued a recommendation for certification to their main competitor does not imply a conflict of interest or a bias.
Therefore, the certification body rejected NetworkFuse's request to change the audit team leader, which is acceptable.
References: 1: PECB, ISO/IEC 27001 Lead Implementer Course, Module 11: Certification Audit of the ISMS, slide 13 2: PECB, ISO/IEC 27001 Lead Implementer Course, Module 11: Certification Audit of the ISMS, slide 14


NEW QUESTION # 39
An organization has adopted a new authentication method to ensure secure access to sensitive areas and facilities of the company. It requires every employee to use a two-factor authentication (password and QR code). This control has been documented, standardized, and communicated to all employees, however its use has been "left to individual initiative, and it is likely that failures can be detected. Which level of maturity does this control refer to?

  • A. Defined
  • B. Optimized
  • C. Quantitatively managed

Answer: A

Explanation:
Explanation
According to the ISO/IEC 27001:2022 Lead Implementer objectives and content, the maturity levels of information security controls are based on the ISO/IEC 15504 standard, which defines five levels of process capability: incomplete, performed, managed, established, and optimized1. Each level has a set of attributes that describe the characteristics of the process at that level. The level of defined corresponds to the attribute of process performance, which means that the process achieves its expected outcomes2. In this case, the control of two-factor authentication has been documented, standardized, and communicated, which implies that it has a clear purpose and expected outcomes. However, the control is not consistently implemented, monitored, or measured, which means that it does not meet the attributes of the higher levels of managed, established, or optimized. Therefore, the control is at the level of defined, which is the second level of maturity.
References:
1: ISO/IEC 27001:2022 Lead Implementer Course Brochure, page 5
2: ISO/IEC 27001:2022 Lead Implementer Course Presentation, slide 25


NEW QUESTION # 40
Physical labels and ________ are two common forms of labeling which are mentioned in ISO 27002.

  • A. metadata
  • B. bridge
  • C. teradata

Answer: A


NEW QUESTION # 41
Which of the actions presented in scenario 4 is NOT compliant with the requirements of ISO/IEC 27001?

  • A. TradeB selected only ISO/IEC 27001 controls deemed applicable to the company
  • B. The Statement of Applicability was drafted before conducting the risk assessment
  • C. The external experts selected security controls and drafted the Statement of Applicability

Answer: B


NEW QUESTION # 42
An organization has decided to conduct information security awareness and training sessions on a monthly basis for all employees. Only 45% of employees who attended these sessions were able to pass the exam.
What does the percentage represent?

  • A. Measurement objective
  • B. Performance indicator
  • C. Attribute

Answer: B

Explanation:
Explanation
According to the ISO/IEC 27001:2022 standard, a performance indicator is "a metric that provides information about the effectiveness or efficiency of an activity, process, system or organization" (section 3.35). A performance indicator should be measurable, relevant, achievable, realistic and time-bound (SMART). In this case, the percentage of employees who passed the exam is a performance indicator that measures the effectiveness of the information security awareness and training sessions. It shows how well the sessions achieved their intended learning outcomes and how well the employees understood the information security concepts and practices.
References:
ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements1 ISO/IEC 27001 Lead Implementer Info Kit Key performance indicators for an ISO 27001 ISMS2


NEW QUESTION # 43
You are the owner of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks. What is this risk strategy called?

  • A. Risk passing
  • B. Risk neutral
  • C. Risk bearing
  • D. Risk avoiding

Answer: B


NEW QUESTION # 44
Scenario 7: InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future Emma, Bob. and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT) and a forensics team Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.
Bob, a network expert, will deploy a screened subnet network architecture This architecture will isolate the demilitarized zone (OMZ) to which hosted public services are attached and InfoSec's publicly accessible resources from their private network Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect.
Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.
Based on this scenario, answer the following question:
Based on his tasks, which team is Bob part of?

  • A. Incident response team
  • B. Forensics team
  • C. Security architecture team

Answer: A


NEW QUESTION # 45
FinanceX, a well-known financial institution, uses an online banking platform that enables clients to easily and securely access their bank accounts. To log in, clients are required to enter the one-lime authorization code sent to their smartphone. What can be concluded from this scenario?

  • A. FinanceX has implemented an integrity control that avoids the involuntary corruption of data
  • B. FinanceX has implemented a securityControl that ensures the confidentiality of information
  • C. FinanceX has incorrectly implemented a security control that could become a vulnerability

Answer: B


NEW QUESTION # 46
A small organization that is implementing an ISMS based on ISO/lEC 27001 has decided to outsource the internal audit function to a third party. Is this acceptable?

  • A. No, the outsourcing of the internal audit function may compromise the independence and impartiality of the internal audit team
  • B. No, the organizations cannot outsource the internal audit function to a third party because during internal audit, the organization audits its own system
  • C. Yes, outsourcing the internal audit function to a third party is often a better option for small organizations to demonstrate independence and impartiality

Answer: C


NEW QUESTION # 47
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information.
Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Based on the scenario above, answer the following question:
After investigating the incident. Beauty decided to install a new anti-malware software. What type of security control has been implemented in this case?

  • A. Detective
  • B. Corrective
  • C. Preventive

Answer: B


NEW QUESTION # 48
How does SunDee's negligence affect the ISMS certificate? Refer to scenario 8.

  • A. SunDee might not be able to renew the ISMS certificate, because the internal audit lasted longer than planned
  • B. SunDee might not be able to renew the ISMS certificate, because it has not conducted management reviews at planned intervals
  • C. SunDee will renew the ISMS certificate, because it has conducted an Internal audit to evaluate the ISMS effectiveness

Answer: B


NEW QUESTION # 49
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted What should TradeB do in order to deal with residual risks? Refer to scenario 4.

  • A. TradeB should evaluate, calculate, and document the value of risk reduction following risk treatment
  • B. TradeB should accept the residual risks only above the acceptance level
  • C. TradeB should immediately implement new controls to treat all residual risks

Answer: A

Explanation:
Explanation
According to ISO/IEC 27001 : 2022 Lead Implementer, residual risk is the risk remaining after risk treatment.
Residual risk should be compared with the acceptable level of risk, which is the level of risk that the organization is willing to tolerate. If the residual risk is below the acceptable level of risk, then the risk can be accepted. If the residual risk is above the acceptable level of risk, then additional risk treatment options should be considered. Therefore, TradeB should evaluate, calculate, and document the value of risk reduction following risk treatment, which is the difference between the initial risk and the residual risk. This will help TradeB to determine whether the risk treatment was effective and whether the residual risk is acceptable or not.
References:
ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, section 8.3.2 Risk treatment ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 14, Risk management process


NEW QUESTION # 50
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on scenario 8. does SunDee comply with ISO/IEC 27001 requirements regarding the monitoring and measurement process?

  • A. Yes, because the standard requires that the monitoring and measurement phase be conducted every two years
  • B. No, because even though the standard does not imply when such a process should be performed, the company must have a monitoring and measurement process in place
  • C. Yes. because the standard does not Indicate when the monitoring and measurement phase should be performed

Answer: B

Explanation:
Explanation
According to ISO/IEC 27001:2022, clause 9.1, the organization shall determine:
what needs to be monitored and measured, including information security processes and controls, as well as information security performance and the effectiveness of the ISMS; the methods for monitoring, measurement, analysis and evaluation, to ensure valid and reliable results; when the monitoring and measurement shall be performed; who shall monitor and measure; who shall analyze and evaluate the monitoring and measurement results; and how the results shall be communicated and used for decision making and improvement.
The organization shall retain documented information as evidence of the monitoring and measurement results.
The standard does not prescribe a specific frequency or method for monitoring and measurement, but it requires the organization to have a defined and documented process that is appropriate to its context, objectives, risks, and opportunities. The organization should also ensure that the monitoring and measurement results are analyzed and evaluated to determine the performance and effectiveness of the ISMS, and to identify any nonconformities, gaps, or improvement opportunities.
In the scenario, SunDee did not comply with these requirements, as it did not have a monitoring and measurement process in place, and did not monitor or measure the performance and effectiveness of its ISMS regularly. It also did not use valid and reliable methods, or communicate and use the results for improvement.
Therefore, SunDee's negligence of ISMS performance evaluation was a major nonconformity, as Tessa correctly identified.
References: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clause 9.1; PECB ISO/IEC 27001 Lead Implementer Course, Module 9: Monitoring, Measurement, Analysis and Evaluation.


NEW QUESTION # 51
......

Detailed New ISO-IEC-27001-Lead-Implementer Exam Questions for Concept Clearance: https://www.testsimulate.com/ISO-IEC-27001-Lead-Implementer-study-materials.html

Related Blogs

more
Go To ISO-IEC-27001-Lead-Implementer Questions

Copyright © 2026 TESTSIMULATE.COM. All rights reserved. All trademarks are the property of their respective owners and we don't provide actual questions from any vendor.