
PECB Exam ISO-IEC-27005-Risk-Manager Topic 1 Question 6 Discussion

Actual exam question for PECB's ISO-IEC-27005-Risk-Manager exam
Question #: 6
Topic #: 1

Scenario 2: Travivve is a travel agency that operates in more than 100 countries. Headquartered in San Francisco, US, the agency is known for its personalized vacation packages and travel services. Travivve aims to deliver reliable services that meet its clients' needs. Considering the impact of information security on its reputation, Travivve decided to implement an information security management system (ISMS) based on ISO/IEC 27001. In addition, they decided to establish and implement an information security risk management program. Based on the priority of specific departments in Travivve, the top management decided to initially apply the risk management process only in the Sales Management Department. The process would be applicable to other departments only when introducing new technology.

Travivve's top management wanted to make sure that the risk management program is established based on the industry best practices. Therefore, they created a team of three members that would be responsible for establishing and implementing it. One of the team members was Travivve's risk manager who was responsible for supervising the team and planning all risk management activities. In addition, the risk manager was responsible for monitoring the program and reporting the monitoring results to the top management.

Initially, the team decided to analyze the internal and external context of Travivve. As part of the process of understanding the organization and its context, the team identified key processes and activities. Then, the team identified the interested parties and their basic requirements and determined the status of compliance with these requirements. In addition, the team identified all the reference documents that applied to the defined scope of the risk management process, which mainly included Annex A of ISO/IEC 27001 and the internal security rules established by Travivve. Lastly, the team analyzed both reference documents and justified a few noncompliances with those requirements.

The risk manager selected the information security risk management method which was aligned with other approaches used by the company to manage other risks. The team also communicated the risk management process to all interested parties through previously established communication mechanisms. In addition, they made sure to inform all interested parties about their roles and responsibilities regarding risk management. Travivve also decided to involve interested parties in its risk management activities since, according to the top management, this process required their active participation.

Lastly, Travivve's risk management team decided to conduct the initial information security risk assessment process. As such, the team established the criteria for performing the information security risk assessment which included the consequence criteria and likelihood criteria.

Did the risk management team establish all the criteria required to perform the information security risk assessment? Refer to scenario 2.

Suggested Answer: A

While Travivve's risk management team established criteria for consequence and likelihood, ISO/IEC 27005 requires that additional criteria be defined to complete a risk assessment. Specifically, the team should also establish criteria for determining the level of risk, which define how likelihood and consequence are combined to evaluate risk magnitude. This step is crucial for prioritizing risks and determining which risks require treatment. Because no criteria for determining the level of risk were set, the team did not fully meet the requirements of ISO/IEC 27005 for performing an information security risk assessment. Therefore, the correct answer is A.


ISO/IEC 27005:2018, Clause 8.4, 'Risk Assessment,' which outlines the need to establish criteria for risk acceptance, which includes determining the level of risk.
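To make the gap concrete, the following Python example (added here; it is not part of the exam material or of PECB's own guidance) models a set of assessment criteria and shows that a team holding only consequence and likelihood criteria cannot derive a risk level, and therefore cannot prioritize or evaluate risks. The ordinal scales, the multiplicative combination rule, the acceptance threshold and the sample risks are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Ordinal scales standing in for the two criteria the scenario's team did
# define. Labels and values are constructed for this example.
CONSEQUENCE_SCALE: Dict[str, int] = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
LIKELIHOOD_SCALE: Dict[str, int] = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
LEVELS: List[str] = ["low", "medium", "high", "critical"]  # ordered, lowest first


def multiplicative_level(likelihood: int, consequence: int) -> str:
    """A constructed 'level of risk' criterion: likelihood x consequence
    mapped to bands. The band boundaries are an assumption."""
    score = likelihood * consequence
    if score >= 12:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class AssessmentCriteria:
    """The criteria an assessment needs before it can be carried out."""
    consequence: Dict[str, int]
    likelihood: Dict[str, int]
    level_rule: Optional[Callable[[int, int], str]] = None
    acceptance_threshold: Optional[str] = None  # highest level accepted as-is

    def missing(self) -> List[str]:
        gaps = []
        if not self.consequence:
            gaps.append("consequence")
        if not self.likelihood:
            gaps.append("likelihood")
        if self.level_rule is None:
            gaps.append("level of risk")
        if self.acceptance_threshold is None:
            gaps.append("risk acceptance")
        return gaps

    def is_complete(self) -> bool:
        return not self.missing()


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str


def assess(criteria: AssessmentCriteria, risks: List[Risk]) -> List[Tuple[str, str, bool]]:
    """Analyse (derive a level) and evaluate (compare against acceptance) each
    risk, returning (name, level, needs_treatment) ordered highest level first."""
    if not criteria.is_complete():
        raise ValueError("incomplete criteria: " + ", ".join(criteria.missing()))
    accepted_rank = LEVELS.index(criteria.acceptance_threshold)
    rows = []
    for r in risks:
        level = criteria.level_rule(criteria.likelihood[r.likelihood],
                                    criteria.consequence[r.consequence])
        rows.append((r.name, level, LEVELS.index(level) > accepted_rank))
    rows.sort(key=lambda row: LEVELS.index(row[1]), reverse=True)
    return rows


# Constructed sample risks for a sales department; not taken from the scenario.
SAMPLE_RISKS = [
    Risk("customer booking records disclosed", "likely", "severe"),
    Risk("sales laptop lost in transit", "unlikely", "major"),
    Risk("quotation tool unavailable for a day", "likely", "minor"),
    Risk("outdated brochure sent to a client", "rare", "minor"),
]


if __name__ == "__main__":
    as_in_scenario = AssessmentCriteria(CONSEQUENCE_SCALE, LIKELIHOOD_SCALE)
    print("missing:", as_in_scenario.missing())  # level of risk, risk acceptance
    complete = AssessmentCriteria(CONSEQUENCE_SCALE, LIKELIHOOD_SCALE,
                                  multiplicative_level, "low")
    for name, level, treat in assess(complete, SAMPLE_RISKS):
        print(f"{level:8} treat={treat} {name}")
```

With only the two scales defined, `missing()` reports the level-of-risk and risk-acceptance criteria and `assess()` refuses to run; once a combination rule and an acceptance threshold are added, the same risks can be ranked and flagged for treatment. Whichever combination rule an organization adopts, the point is that it must be agreed before analysis, otherwise two assessors can rate the same likelihood and consequence pair at different levels.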

Contribute your Thoughts:

Douglass
2 months ago
I'm not sure why they wouldn't have included the risk level criteria. That seems like a pretty fundamental part of a risk assessment. Maybe they were just rushed or overlooked that detail.
upvoted 0 times
Han
1 month ago
B) No, the risk management team should also establish the criteria for treating the identified risks
upvoted 0 times
Sarina
1 month ago
I agree, it's important to have criteria for determining the level of risk in a risk assessment.
upvoted 0 times
Val
2 months ago
A) No, the risk management team should also establish the criteria for determining the level of risk
upvoted 0 times
Tyra
2 months ago
Haha, I bet the team members were scratching their heads trying to figure out the right answer. Risk management can be such a tricky thing sometimes.
upvoted 0 times
Shonda
2 months ago
I agree with Margurite. The question specifically mentions that the team should establish all the criteria required to perform the information security risk assessment. Defining the risk level criteria is a key part of that.
upvoted 0 times
Margurite
3 months ago
Hmm, I think the team should have also established the criteria for determining the level of risk. Just setting the consequence and likelihood criteria isn't enough to fully assess the risk.
upvoted 0 times
Lindsey
1 month ago
C) Yes, the risk management team established all the criteria that are necessary to perform an information security risk assessment
upvoted 0 times
Rose
1 month ago
Hmm, I think the team should have also established the criteria for determining the level of risk. Just setting the consequence and likelihood criteria isn't enough to fully assess the risk.
upvoted 0 times
Bettye
1 month ago
B) No, the risk management team should also establish the criteria for treating the identified risks
upvoted 0 times
Madonna
2 months ago
A) No, the risk management team should also establish the criteria for determining the level of risk
upvoted 0 times
Kasandra
3 months ago
So, it seems like the correct answer is B) No, the risk management team should also establish the criteria for treating the identified risks.
upvoted 0 times
Felton
3 months ago
That's a good point, Carmela. The team should also establish criteria for treating the risks.
upvoted 0 times
Carmela
3 months ago
But what about treating the identified risks? Shouldn't that be a criteria as well?
upvoted 0 times
Kasandra
3 months ago
I agree with Felton. It's important to have clear criteria for assessing the level of risk.
upvoted 0 times
Felton
3 months ago
I think the risk management team should establish the criteria for determining the level of risk.
upvoted 0 times