Pass the PECB ISO 27002 ISO-IEC-27002-Foundation Questions and answers with CertsForce

Information security should be integrated into project management so that security risks related to projects and deliverables are effectively addressed. Projects often introduce new systems, processes, suppliers, data flows, technologies, applications, facilities, or business changes. If security is considered only after implementation, weaknesses may already be embedded in design, architecture, contracts, code, configurations, or operating procedures. ISO/IEC 27002 Control 5.8 expects information security to be integrated into project management activities so risks are identified and treated throughout the project lifecycle. This includes security requirements, risk assessments, roles and responsibilities, acceptance criteria, testing, supplier requirements, privacy considerations, change control, and secure transition to operation. Option A is too general and focuses on applying ISO/IEC 27001 principles rather than the precise purpose of the control. Option B is too narrow because audits can support assurance but are not the primary reason for integration. The main purpose is risk management within projects and deliverables. Therefore, option C is verified. References/Chapters: ISO/IEC 27002:2022, Control 5.8 Information security in project management; Control 8.26 Application security requirements; Control 8.29 Security testing in development and acceptance.

==========

Control 8.19, Installation of software on operational systems, aims to ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities. Software installed in production can introduce malware, insecure configurations, untested functionality, compatibility problems, unauthorized tools, or vulnerable components. ISO/IEC 27002 therefore expects installation on operational systems to be controlled, authorized, tested, and managed. This protects live systems from unauthorized or inappropriate software that could weaken security or disrupt operations. Control 8.15, Logging, records events and supports monitoring, investigation, accountability, and detection, but it does not primarily control software installation. Control 8.17, Clock synchronization, ensures consistent time settings across systems so logs, events, and transactions can be correlated accurately. It is important but not the control aimed at preventing exploitation through software installation weaknesses. The exam phrase “integrity of operational systems” is directly aligned with controlling what software is installed in production. Therefore, option A is verified. References/Chapters: ISO/IEC 27002:2022, Control 8.19 Installation of software on operational systems; Control 8.8 Management of technical vulnerabilities; Control 8.32 Change management.

==========

The purpose of Control 8.20, Network security, is to protect information in networks and supporting information processing facilities from compromise through the network. This includes protecting data in transit, network devices, network services, communication paths, routing, management interfaces, and connected systems. Network compromise can lead to unauthorized access, interception, malware propagation, denial of service, lateral movement, data exfiltration, or manipulation of traffic. Option B relates more closely to Control 8.21, Security of network services, which addresses security mechanisms, service levels, and management requirements for network services. Option C relates to Control 8.22, Segregation of networks, which specifically concerns splitting networks into security boundaries or domains. Control 8.20 is broader: it establishes the general objective of securing networks against compromise. ISO/IEC 27002 expects organizations to manage and control networks according to risk, including architecture, monitoring, authentication, encryption where needed, device hardening, and protection of network management functions. The correct answer is therefore option A. References/Chapters: ISO/IEC 27002:2022, Control 8.20 Network security; Control 8.21 Security of network services; Control 8.22 Segregation of networks.

==========

A digital customer identity is the best example of an organizational asset in cyberspace because it exists, functions, and is protected within digital systems, networks, applications, and online services. ISO/IEC 27002 treats identities, authentication information, access rights, and digital accounts as critical security subjects because compromise of identity can enable unauthorized access, fraud, impersonation, privacy breaches, and loss of accountability. A digital customer identity can include usernames, identifiers, credentials, account attributes, authentication factors, access permissions, profile data, and linked personal information. Medical data and intellectual property are also important information assets, but the phrase “asset in cyberspace” points most directly to a digitally represented identity used for electronic interaction. ISO/IEC 27002 contains several controls that protect this asset type, including identity management, authentication information, access rights, secure authentication, and access restriction. These controls ensure that identities are created, maintained, verified, modified, disabled, and removed in a controlled manner. The exam logic therefore favors option B because cyberspace emphasizes digital identity and online representation. References/Chapters: ISO/IEC 27002:2022, Control 5.16 Identity management; Control 5.17 Authentication information; Control 5.18 Access rights; Control 8.5 Secure authentication.

==========

Confidentiality is breached when information is made available or disclosed to unauthorized individuals, entities, or processes. Option A is the correct answer because employees from all departments have access to colleagues’ personal data, even though such access should normally be restricted to authorized roles such as HR, payroll, compliance, or designated management. Internal users can still be unauthorized users when their role does not justify access. ISO/IEC 27002 addresses this through access control, access rights management, classification, privacy protection, and information access restriction. Option B is an availability issue because a department cannot access needed customer phone numbers due to equipment failure. Option C is an integrity issue because banking information was accidentally modified. The confidentiality principle is specifically about limiting disclosure and availability of information to authorized parties only. Personal data requires additional care because privacy obligations may apply, and excessive internal access can create legal, ethical, and reputational harm. The verified answer is therefore option A. References/Chapters: ISO/IEC 27002:2022, Control 5.15 Access control; Control 5.18 Access rights; Control 5.34 Privacy and protection of PII; Control 8.3 Information access restriction.

==========

Information security determines both what needs to be protected and how protection should be applied. The first part is understanding information assets, their value, their sensitivity, their owners, their business purpose, and the consequences if they are disclosed, altered, lost, or unavailable. This answers what must be protected and why. The second part is understanding threats, vulnerabilities, risk levels, legal obligations, contractual duties, and control options. This answers what the information must be protected from and how security controls should be designed. ISO/IEC 27002 supports both dimensions. Asset inventory and classification clarify protection needs. Access control, cryptography, backup, logging, network security, secure development, incident management, and physical security define protection methods. Option A is correct but incomplete. Option B is also correct but incomplete. Option C is therefore the verified answer because information security is a complete discipline covering asset understanding, risk understanding, control selection, implementation, monitoring, and improvement. The ISO/IEC 27002 control set is structured to support that full protection lifecycle. References/Chapters: ISO/IEC 27002:2022, Control 5.9 Inventory of information and other associated assets; Control 5.12 Classification of information; Controls 5–8.

System requirements should not be the primary factor listed for locating and constructing physical premises in the ISO/IEC 27002 physical security context. When selecting and constructing premises, organizations should consider physical and environmental threats such as local topography, flood risk, earthquake exposure, weather conditions, crime levels, civil unrest, neighboring facilities, hazardous sites, and urban threats. These considerations help reduce risks to secure areas, information processing facilities, equipment, personnel, and supporting utilities. Local topography is relevant because geography can influence flooding, landslides, access routes, drainage, and natural hazards. Urban threats are relevant because location can affect exposure to crime, protests, terrorism, traffic disruption, adjacent buildings, or public access. System requirements are important in technology design and facility planning, but they are not the type of environmental or location threat consideration targeted by this question. ISO/IEC 27002 physical controls emphasize protecting premises from physical and environmental risks, not choosing location based on application or system functional requirements. Therefore, option C is verified. References/Chapters: ISO/IEC 27002:2022, Control 7.1 Physical security perimeters; Control 7.5 Protecting against physical and environmental threats; Control 7.8 Equipment siting and protection.

==========

Management should require all personnel to apply information security according to the organization’s established information security policy, topic-specific policies, and procedures. ISO/IEC 27002 makes management responsibilities clear: leadership must ensure personnel understand and fulfill their security duties. Personnel are expected to follow approved policies and procedures, protect information assets, report security events, and comply with assigned responsibilities. Option B is incorrect because establishing and approving policies is a management responsibility, not a duty assigned to all personnel. Option C is incorrect because reading ISO/IEC 27002 guidelines is not a substitute for following the organization’s own approved policies and procedures. ISO/IEC 27002 provides guidance to organizations, but employees need practical internal rules that apply to their roles, systems, data, and processes. Management commitment is demonstrated by assigning responsibilities, communicating expectations, providing awareness and training, and enforcing compliance. The core principle is that information security must be operationalized through everyday behavior, not left as abstract documentation. Therefore, option A is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.4 Management responsibilities; Control 5.1 Policies for information security; Control 6.3 Information security awareness, education and training.

==========

Management should define and approve an information security policy to provide direction and support for information security. In ISO/IEC 27002:2022, Control 5.1 requires policies for information security to be defined, approved by management, published, communicated to relevant personnel and interested parties, and reviewed at planned intervals or when significant changes occur. The policy establishes management intent, expectations, responsibilities, and the basis for more detailed topic-specific policies. Option B, a risk management program, is important, but it is not the specific item required by this control to provide overall direction and support. Option C, a list of assets, is also important because asset inventories support control implementation, but it does not replace the policy framework. The policy is the governing statement that aligns information security with business objectives, legal requirements, and risk treatment. It gives authority to procedures, standards, and operational controls. Therefore, the correct answer is option A, understood as the organization’s information security policy. References/Chapters: ISO/IEC 27002:2022, Control 5.1 Policies for information security; Control 5.2 Information security roles and responsibilities; Control 5.9 Inventory of information and other associated assets.

==========

Control 5.35, Independent review of information security, is the control intended to ensure that the organization’s approach to managing information security remains suitable, adequate, and effective. Independent reviews provide objective evaluation of whether policies, processes, controls, responsibilities, and implementation remain aligned with business needs, risks, legal requirements, and the organization’s security objectives. The review may consider governance, control design, control operation, risk treatment, compliance, incident trends, technology changes, supplier dependencies, and audit results. Control 5.4, Management responsibilities, is important because management must ensure personnel apply security according to policies and procedures, but it is not the control specifically focused on independent review. Control 5.24 concerns planning and preparation for incident management, which supports response capability but does not broadly assess the continuing suitability of the whole security approach. The phrase “suitable, adequate and effective” is a strong indicator of review and assurance. ISO/IEC 27002 uses independent review to challenge assumptions, detect weaknesses, and support continual improvement. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.4 Management responsibilities.