Pass the PECB ISO 27001 ISO-IEC-27035-Lead-Incident-Manager Questions and answers with CertsForce

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035 strongly encourages information sharing among trusted parties to enhance collective incident response capabilities and reduce the broader impact of cyber threats. Clause 6.5.6 in ISO/IEC 27035-1 highlights the importance of cooperation and communication with external parties, including industry-specific information-sharing forums, CERTs/CSIRTs, and trusted partners.

The practice of proactive information exchange allows organizations to:

Detect coordinated or widespread attacks

Accelerate response through shared indicators of compromise (IOCs)

Benefit from collective intelligence and incident analysis

Build sector-wide resilience

However, such exchanges must occur within well-defined protocols that preserve confidentiality, legal compliance, and operational integrity.

Option B and C reflect overly cautious or siloed approaches that may delay response or reduce the effectiveness of collaborative efforts.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.5.6: “Incident management should consider the importance of trusted collaboration, sharing of incident information, and threat intelligence between relevant entities.”

ENISA and FIRST.org also support this collaborative approach in their best practices.

Correct answer: A

—

Comprehensive and Detailed Explanation From Exact Extract:

The deployment of an Intrusion Detection System (IDS) by RoLawyers following the incident is a classic example of implementing a detective control. According to ISO/IEC 27002:2022 (formerly 27002:2013), detective controls are designed to identify and report the occurrence of information security events in a timely manner. They help organizations discover that an event has occurred so that an appropriate response can be initiated.

The IDS mentioned in the scenario monitors the network for suspicious activity and alerts the IT security team when anomalies or intrusion attempts are detected. This aligns directly with the definition of detective controls.

By contrast:

Preventive controls are designed to prevent incidents from occurring in the first place (e.g., firewalls, access controls).

Corrective controls are actions taken after an incident to restore systems or data and prevent recurrence (e.g., patch management, backups).

Reference Extracts:

ISO/IEC 27002:2022, Clause 5.27 – “Detection controls should be implemented to identify incidents and anomalies in a timely manner.”

ISO/IEC 27035-1:2016, Clause 4.3.2 – “Detecting and reporting information security events and weaknesses are the first steps in the incident response process.”

RoLawyers' use of an IDS matches the description of a detective control designed to provide early warning signs of potential threats, making it easier for the organization to take timely action.

Therefore, the correct answer is B: Detective controls.

—

Comprehensive and Detailed Explanation From Exact Extract:

Yes, Mark’s approach to developing NoSpace’s information security incident management policy was aligned with the structured guidelines outlined in ISO/IEC 27035-1 and ISO/IEC 27035-2. These standards emphasize the importance of establishing an effective and realistic policy framework that supports the identification, management, and learning from information security incidents.

ISO/IEC 27035-1:2016, Clause 6.1, outlines the core components of the “Prepare” phase of the incident management lifecycle. A well-developed incident management policy should:

* Define the purpose, scope, and applicability of the policy

* Focus on critical assets and threats identified through a formal risk assessment

* Be shaped by stakeholder input

* Be realistic, enforceable, and capable of being integrated across departments

* Include training and awareness tailored to relevant personnel

In this scenario, Mark held a strategic session with stakeholders, ensured the policy was risk-based, and tailored training initiatives to critical roles only — which aligns precisely with ISO guidance on optimizing resource allocation and ensuring enforceability.

Option A is incorrect because the scenario clearly states that Mark implemented training and awareness initiatives tailored to critical response roles, which meets ISO/IEC 27035-1 expectations.

Option B is incorrect because ISO/IEC 27035-1 emphasizes prioritization of high-risk threats rather than attempting to address all potential threats equally. A focused and actionable policy that targets the most significant risks is more practical and aligns with international best practices.

Reference Extracts:

* ISO/IEC 27035-1:2016, Clause 6.1: “The preparation phase should include the definition of incident management policy, development of procedures, and awareness/training initiatives.”

* ISO/IEC 27035-2:2016, Clause 5.1: “The policy should be concise, focused on relevant threats, and shaped by organizational structure and risk appetite.”

* ISO/IEC 27001:2022, Annex A.5.25 & A.5.27: “Clear roles, responsibilities, and awareness should be assigned and supported through training.”

Therefore, the correct answer is: C. Yes, the information security incident management policy was appropriately developed.

—

Let me know when you’re ready for QUESTION NO: 16.

—

Comprehensive and Detailed Explanation From Exact Extract:

The impact of an information security event is assessed by evaluating how the event affects the CIA triad—Confidentiality, Integrity, and Availability—of information assets. This fundamental concept underpins all ISO/IEC 27000-series standards, including ISO/IEC 27035.

ISO/IEC 27035-1:2016, Clause 6.2.3 explicitly states that an event's severity and urgency are to be assessed by evaluating its actual or potential impact on the organization’s information security objectives, namely:

Confidentiality: Protection from unauthorized disclosure

Integrity: Protection from unauthorized modification

Availability: Assurance of timely and reliable access

This approach ensures consistent and risk-based decision-making during incident assessment. Options A and B are important steps, but they are part of the broader process; they do not directly measure impact.

Comprehensive and Detailed Explanation From Exact Extract:

During the response phase, one of the most critical activities—according to ISO/IEC 27035-1 and 27035-2—is the documentation of actions, decisions, and results. Clause 6.4.6 of ISO/IEC 27035-1 emphasizes that all activities must be logged to support post-incident analysis, audit trails, and lessons learned. This ensures that:

Accountability is maintained

Decisions can be reviewed

Investigations are legally sound (especially in regulated environments)

While restoring systems (Option C) typically occurs in the recovery phase, logging activities and outcomes is essential during the actual response. Change control processes (Option B) are supporting functions but are not core to the immediate response phase.

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, incident categorization is a vital step in the incident management lifecycle. Its primary purpose is to sort and group incidents based on specific criteria so that appropriate actions and escalation paths can be taken.

One of the core objectives of categorization is to sort incidents by the domain or system affected — whether it’s a database, email system, network, or physical server. This enables organizations to assign incidents to relevant subject matter experts and apply the right procedures, based on the affected business function or IT component.

While categorization can influence prioritization (option A), the main intent is classification based on nature and domain. Automatic technician assignment (option B) may be supported by some service management platforms but is not the foundational purpose of incident categorization under ISO 27035.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.1.2 – “Categorization should identify the domain or component affected to enable appropriate response and escalation.”

ISO/IEC 27035-2:2016, Clause 7.3 – “Incidents should be categorized based on the type of disruption they cause and the business or technical domain they impact.”

Therefore, the correct answer is C: To sort incidents based on the disrupted IT or business domain.

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 encourages organizations to define the scope of incident management based on their own risk environment, business model, and available resources. This scope should be tailored to focus on the systems, services, and personnel that are most critical and relevant to the organization's operations.

In this scenario, Leona appropriately aligned the scope with L&K Associates' specific IT infrastructure and business processes, deliberately including relevant IT systems and associated personnel while excluding unrelated sources. This customization is consistent with best practices and ensures that the incident management process remains focused, efficient, and manageable.

ISO/IEC 27035-2, Clause 4.2, emphasizes that “the scope of incident management should be defined in a way that it supports the organization’s objectives and risk environment.”

Therefore, the correct answer is A: Yes, the incident management scope is customized to align with the organization’s unique needs.

—

Comprehensive and Detailed Explanation From Exact Extract:

Internal exercises, such as simulations, tabletop exercises, and mock drills, are designed primarily to assess the readiness, coordination, and performance of the internal incident response team (IRT). According to ISO/IEC 27035-2:2016, these exercises aim to validate that the IRT understands their roles, follows documented procedures, and can act effectively under pressure.

While external collaboration (Options A and B) may be tested during joint exercises or industry-wide scenarios, the focus of internal exercises is on internal capabilities. These exercises help identify gaps in training, procedures, communication, and escalation pathways.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.3: “Exercises and simulations should be conducted to test the readiness of the incident response capability.”

NIST SP 800-84: “Regular exercises increase response efficiency and allow staff to develop incident handling confidence.”

Correct answer: C

—

Comprehensive and Detailed Explanation:

According to ISO/IEC 27035-1:2016, effective communication of the incident management policy must include not only policy content, roles, and responsibilities but also specific procedural aspects—such as how to report an incident and who to contact. This ensures that all stakeholders clearly understand their responsibilities in the event of an incident and know how to respond.

In the scenario, Leona communicated the outcomes of incidents, mitigation strategies, personnel obligations, and policy content. However, she did not include the incident reporting procedures or contact points, which are essential components of incident communication as per ISO guidelines.

Comprehensive and Detailed Explanation:

Gap analysis is a structured method used to compare the current state of processes, capabilities, or systems against a desired or required state (such as compliance with ISO standards). The main goal is to determine what needs to change to achieve that future state. While identifying gaps (A) and assessing risks (C) may occur during the process, the primary purpose is strategic planning and improvement.