PECB Certified ISO/IEC 27001 Lead Implementer v1.0

What should TradeB do in order to deal with residual risks? Refer to scenario 4.

Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration testing and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security. Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties. In addition, the top management of Operaze decided to include most of the company’s departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties. In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled. However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company. Operaze’s top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze’s top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on the scenario above, answer the following question:
What led Operaze to implement the ISMS?

Based on scenario 5, after migrating to cloud, Operaze’s IT team changed the ISMS scope and implemented all the required modifications. Is this acceptable?

Based on scenario 5, in which category of the interested parties does the HR manager of Operaze belong?

Based on scenario 5, which committee should Operaze create to ensure the smooth running of the ISMS?

What is the next step that Operaze’s ISMS implementation team should take after drafting the information security policy? Refer to scenario 5.

An organization has adopted a new authentication method to ensure secure access to sensitive areas and facilities of the company. It requires every employee to use a two-factor authentication (password and QR code). This control has been documented, standardized, and communicated to all employees, however its use has been left to individual initiative, and it is likely that failures can be detected. Which level of maturity does this control refer to?

Which tool is used to identify, analyze, and manage interested parties?

“The ISMS covers all departments within Company XYZ that have access to customers’ data. The purpose of the ISMS is to ensure the confidentiality, integrity, and availability of customers’ data, and ensure compliance with the applicable regulatory requirements regarding information security.” What does this statement describe?

An organization has justified the exclusion of control 5.18 Access rights of ISO/IEC 27001 in the Statement of Applicability (SoA) as follows: “An access control reader is already installed at the main entrance of the building.” Which statement is correct?

Which statement is an example of risk retention?

Which option below should be addressed in an information security policy?

Which approach should organizations use to implement an ISMS based on ISO/IEC 27001?

What risk treatment option has Company A implemented if it has required from its employees the change of email passwords at least once every 60 days?