PECB Exam ISO-IEC-27001-Lead-Implementer Topic 6 Question 55 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Implementer exam
Question #: 55
Topic #: 6
Scenario 7: InfoSec, based in Boston, MA, is a multinational corporation offering professional electronics, gaming, and entertainment products. Following several information security incidents, InfoSec has decided to establish teams of experts and implement measures to prevent potential incidents in the future.

Emma, Bob, and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT), and a forensics team. Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively. Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.

Bob, a network expert, will implement a screened subnet network architecture. This architecture will isolate the demilitarized zone (DMZ), to which hosted public services are attached, and InfoSec's publicly accessible resources from their private network. Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring a thorough evaluation of the nature of an unexpected event, including how the event happened and what or whom it might affect.

On the other hand, Anna will create records of the data, reviews, analyses, and reports to keep evidence for disciplinary and legal action and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand. Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.

As part of InfoSec's initiative to strengthen information security measures, Anna will conduct information security risk assessments only when significant changes are proposed and will document the results of these risk assessments. Upon completion of the risk assessment process, Anna is responsible for developing and implementing a plan for treating information security risks and documenting the risk treatment results.

Furthermore, while implementing the communication plan for information security, InfoSec's top management was responsible for creating a roadmap for new product development. This approach helps the company to align its security measures with the product development efforts, demonstrating a commitment to integrating security into every aspect of its business operations.

InfoSec uses a cloud service model that includes cloud-based apps accessed through the web or an application programming interface (API). All cloud services are provided by the cloud service provider, while data is managed by InfoSec. This introduces unique security considerations and becomes a primary focus for the information security team to ensure data and systems are protected in this environment.

Based on this scenario, answer the following question:

Does InfoSec comply with ISO/IEC 27001 requirements regarding the information security risk treatment plan?

Suggested Answer: A

Contribute your Thoughts:

Sherell
7 days ago
Option C is clearly the funniest choice here. As if the top management alone can handle the entire risk treatment plan. That's a good one!
upvoted 0 times
Detra
8 days ago
Hold up, why do they need to document the risk treatment results? Isn't that just a waste of time? Let's just focus on actually fixing the issues.
upvoted 0 times
Ceola
9 days ago
As the external consultant, I can confirm that InfoSec's approach aligns with the ISO/IEC 27001 standard. Solid documentation is essential for legal and disciplinary purposes.
upvoted 0 times
Lashandra
22 days ago
Yes, I also believe that InfoSec is doing the right thing by developing and implementing a plan for treating information security risks.
upvoted 0 times
Freida
1 month ago
I agree with Cathrine. Our risk treatment plan is essential for managing information security risks effectively.
upvoted 0 times
Yolande
1 month ago
I agree, option A is the way to go. Establishing a comprehensive risk treatment plan and keeping proper records is crucial for information security compliance.
upvoted 0 times
Judy
7 days ago
Bob: I agree, having a risk treatment plan is essential for compliance.
upvoted 0 times
Goldie
17 days ago
Emma: I think option A is the best choice.
upvoted 0 times
Cathrine
1 month ago
I think InfoSec complies with ISO/IEC 27001 requirements by implementing a risk treatment plan and documenting risk treatment results.
upvoted 0 times
Elenora
1 month ago
Looks like InfoSec is on the right track with their risk treatment plan. Documenting the results is a key requirement under ISO/IEC 27001, so option A seems to be the correct answer here.
upvoted 0 times
Leah
1 month ago
Yes, option A is the correct answer as InfoSec complies with ISO/IEC 27001 requirements by implementing a risk treatment plan and documenting the results.
upvoted 0 times
Raelene
1 month ago
I agree, documenting the risk treatment results is crucial for compliance with ISO/IEC 27001.
upvoted 0 times