Pass the PECB ISO 27002 ISO-IEC-27002-Foundation Questions and answers with ExamsMirror

Accidental changes compromise integrity. Integrity is the property that information remains accurate, complete, and protected against unauthorized or improper modification. Even when a change is accidental rather than malicious, the effect is the same from an integrity perspective: the information may no longer be trustworthy. ISO/IEC 27002 supports integrity through many controls, including access control, change management, configuration management, backup, logging, secure coding, malware protection, segregation of duties, and separation of development, test, and production environments. Availability would be affected if information or systems were not accessible or usable when required. Confidentiality would be affected if information were disclosed or made available to unauthorized parties. The question specifically mentions accidental changes, not unavailability or disclosure, so integrity is the correct principle. This distinction is central to information security because different principles require different controls. For example, preventing accidental changes may require access restrictions, validation, change approval, version control, monitoring, and recovery procedures. References/Chapters: ISO/IEC 27002:2022, Clause 4 control attributes; Control 8.32 Change management; Control 8.9 Configuration management; Control 8.13 Information backup.

==========

Control 7.2, Physical entry, is the correct control because the problem is unauthorized physical access to a server room. ISO/IEC 27002 expects secure areas to be protected by appropriate entry controls so that only authorized persons can enter. Authentication of identity at entry points may include badges, access cards, biometric verification, PINs, visitor registration, security guards, turnstiles, logs, escorts, or electronic access systems. The server room contains information processing facilities, and unauthorized physical access could lead to theft, tampering, cable disconnection, hardware compromise, installation of rogue devices, or direct access to consoles and storage media. Control 8.6, Capacity management, concerns resource capacity for information processing facilities, not physical access. Control 8.4, Access to source code, concerns protecting program source code from unauthorized access, not entry into a secure physical room. Because the scenario specifically says people can enter the server room without identity authentication, the matching ISO/IEC 27002 physical control is Control 7.2. References/Chapters: ISO/IEC 27002:2022, Control 7.2 Physical entry; Control 7.1 Physical security perimeter; Control 7.4 Physical security monitoring.

==========

Control 8.28, Secure coding, is the correct control because the question focuses on software being written securely and reducing potential vulnerabilities in the code. Secure coding addresses the practices, rules, and techniques developers should use to avoid common software weaknesses. This can include input validation, output encoding, error handling, authentication handling, secure session management, memory safety, protection against injection, secure API use, cryptographic correctness, dependency management, and code review. Control 8.29, Security testing in development and acceptance, verifies whether security requirements and controls are effective, but testing occurs after or during development and does not itself define how code should be written. Control 8.26, Application security requirements, defines security requirements for applications, but secure coding is the specific implementation practice that reduces vulnerabilities during software construction. ISO/IEC 27002 treats secure development as a lifecycle discipline: requirements define what is needed, secure coding implements it safely, and testing validates it. The direct match to the exam wording is Control 8.28. References/Chapters: ISO/IEC 27002:2022, Control 8.28 Secure coding; Control 8.26 Application security requirements; Control 8.29 Security testing in development and acceptance.

==========

Organizations can manage the security of large networks by dividing them into separate network domains and separating them from the public network where appropriate. This reflects the principle of network segregation, which reduces the ability of an attacker, malware, or unauthorized user to move freely across the environment. Separate domains can be based on trust level, business function, system criticality, data sensitivity, user group, supplier access, development environment, or regulatory requirement. ISO/IEC 27002 supports this through network security, network segregation, access control, and secure architecture practices. Option B is incorrect because including internal domains into the public network would increase exposure and weaken boundaries. Option C is not realistic or aligned with modern enterprise architecture; organizations often need integrated services, users, and systems, but they must integrate them securely. Segmentation allows controlled communication through firewalls, gateways, routing rules, access controls, monitoring, and filtering. The goal is not isolation for its own sake, but risk-based separation and controlled connectivity. Therefore, option A is verified. References/Chapters: ISO/IEC 27002:2022, Control 8.20 Network security; Control 8.22 Segregation of networks; Control 5.15 Access control.

==========

Information gained from evaluating information security incidents should be used to improve both user awareness and training and the incident management plan. Control 5.27 focuses on learning from incidents so that organizations reduce the likelihood or impact of recurrence. Incident evaluation can reveal root causes, control failures, user mistakes, unclear procedures, delayed escalation, insufficient logging, poor communication, supplier weaknesses, or technical vulnerabilities. If users contributed to the incident through phishing response, mishandling of information, weak passwords, or reporting delays, awareness and training should be improved. If the incident response process showed weaknesses in roles, escalation, evidence collection, communication, containment, recovery, or decision-making, the incident management plan should be updated. ISO/IEC 27002 treats incidents as a feedback mechanism for continual improvement, not merely isolated events to close. Option B is correct because both listed uses are valid and mutually reinforcing. Strong incident learning improves controls, procedures, monitoring, user behavior, and readiness for future events. References/Chapters: ISO/IEC 27002:2022, Control 5.27 Learning from information security incidents; Control 5.24 Information security incident management planning and preparation; Control 6.3 Information security awareness, education and training.

==========

The “Act” phase is the phase in which an organization maintains and improves the information security management system. In the PDCA logic, “Plan” establishes objectives, policies, processes, risk treatment plans, and controls. “Do” implements and operates the planned processes and controls. “Check” monitors, measures, audits, and reviews performance. “Act” uses the results of checking to correct weaknesses, improve effectiveness, and adapt the ISMS to changing conditions. ISO/IEC 27002 is not itself the PDCA requirements standard, but its controls support the management system lifecycle used by ISO/IEC 27001. Examples include independent review of information security, compliance review, learning from incidents, management of vulnerabilities, and change management. These controls generate findings and lessons that feed improvement actions. “Do” is not the best answer because it focuses on implementation. “Check” is not the best answer because it evaluates performance but does not itself complete improvement. The phase that maintains and improves the ISMS is “Act.” References/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.27 Learning from information security incidents; ISO/IEC 27001 PDCA-based management system model.

==========

Control 5.37, Documented operating procedures, aims to ensure the correct and secure operation of information processing facilities. Operating procedures translate security and operational requirements into repeatable instructions for administrators, operators, support teams, and users. They can cover system startup and shutdown, backup, restoration, logging, error handling, media handling, job scheduling, maintenance, incident escalation, access administration, and secure processing steps. Without documented procedures, operations become inconsistent and dependent on individual memory or informal practice, increasing the likelihood of mistakes, outages, unauthorized changes, or insecure handling. Control 7.2, Physical entry, protects secure physical areas by controlling access to facilities, but it does not define operational procedures. Control 5.35, Independent review of information security, assesses whether the information security approach remains suitable, adequate, and effective, but it does not provide the day-to-day operating instructions. ISO/IEC 27002 places documented procedures in the organizational control group because reliable operation requires governance, clarity, and repeatability. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.37 Documented operating procedures; Control 7.2 Physical entry; Control 5.35 Independent review of information security.

==========

A vulnerability with no currently identified corresponding threat should still be recognized and monitored. A vulnerability is a weakness that could be exploited, but risk usually depends on the relationship between assets, threats, vulnerabilities, likelihood, and consequences. When no active or relevant threat is identified, immediate treatment may not be proportionate. However, ignoring the vulnerability would be inconsistent with ISO/IEC 27002’s risk-aware approach. Threat conditions change. A weakness that appears low priority today may become exploitable after a new attack technique, system exposure, business change, supplier change, or threat actor capability emerges. Recognizing the vulnerability ensures it is recorded and available for future assessment. Monitoring it ensures the organization detects changes in exploitability, exposure, or threat relevance. ISO/IEC 27002 supports this through threat intelligence and management of technical vulnerabilities, both of which require organizations to remain alert to changes in the threat and vulnerability landscape. Therefore, the correct answer is both recognizing and monitoring the vulnerability. References/Chapters: ISO/IEC 27002:2022, Control 5.7 Threat intelligence; Control 8.8 Management of technical vulnerabilities; Control 5.36 Compliance with policies, rules and standards for information security.

==========

When using cryptography, organizations should consider roles and responsibilities for key management. Cryptographic controls are only effective when keys are properly generated, stored, distributed, rotated, backed up, revoked, destroyed, and protected from unauthorized access. Weak key management can defeat strong algorithms because compromise of the key can expose encrypted information or allow unauthorized signing, decryption, or impersonation. ISO/IEC 27002 Control 8.24, Use of cryptography, guides organizations to define rules for effective cryptographic use, including protection of confidentiality, authenticity, integrity, and non-repudiation where relevant. Key management responsibilities must be assigned clearly so that ownership, custody, approval, recovery, and emergency access are controlled. Option B relates to project security management, not cryptographic implementation specifically. Option C relates to network security and filtering, not cryptographic key governance. Cryptography requires policy decisions about algorithms, key lengths, certificate management, lifecycle handling, legal restrictions, and separation of duties. The exam’s correct answer is therefore option A because key management is a central technical and governance constraint of cryptographic protection. References/Chapters: ISO/IEC 27002:2022, Control 8.24 Use of cryptography; Control 5.15 Access control; Control 5.17 Authentication information.

==========

Control 8.19, Installation of software on operational systems, aims to ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities. Software installed in production can introduce malware, insecure configurations, untested functionality, compatibility problems, unauthorized tools, or vulnerable components. ISO/IEC 27002 therefore expects installation on operational systems to be controlled, authorized, tested, and managed. This protects live systems from unauthorized or inappropriate software that could weaken security or disrupt operations. Control 8.15, Logging, records events and supports monitoring, investigation, accountability, and detection, but it does not primarily control software installation. Control 8.17, Clock synchronization, ensures consistent time settings across systems so logs, events, and transactions can be correlated accurately. It is important but not the control aimed at preventing exploitation through software installation weaknesses. The exam phrase “integrity of operational systems” is directly aligned with controlling what software is installed in production. Therefore, option A is verified. References/Chapters: ISO/IEC 27002:2022, Control 8.19 Installation of software on operational systems; Control 8.8 Management of technical vulnerabilities; Control 8.32 Change management.

==========