New Year Sale ! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

PECB Exam ISO-IEC-27005-Risk-Manager Topic 3 Question 13 Discussion

Actual exam question for PECB's ISO-IEC-27005-Risk-Manager exam
Question #: 13
Topic #: 3
[All ISO-IEC-27005-Risk-Manager Questions]

Scenario 2: Travivve is a travel agency that operates in more than 100 countries. Headquartered in San Francisco, the US, the agency is known for its personalized vacation packages and travel services. Travivve aims to deliver reliable services that meet its clients' needs. Considering the impact of information security in its reputation, Travivve decided to implement an information security management system (ISMS) based on ISO/IEC 27001. In addition, they decided to establish and implement an information security risk management program. Based on the priority of specific departments in Travivve, the top management decided to initially apply the risk management process only in the Sales Management Department. The process would be applicable for other departments only when introducing new technology.

Travivve's top management wanted to make sure that the risk management program is established based on the industry best practices. Therefore, they created a team of three members that would be responsible for establishing and implementing it. One of the team members was Travivve's risk manager who was responsible for supervising the team and planning all risk management activities. In addition, the risk manager was responsible for monitoring the program and reporting the monitoring results to the top management.

Initially, the team decided to analyze the internal and external context of Travivve. As part of the process of understanding the organization and its context, the team identified key processes and activities. Then, the team identified the interested parties and their basic requirements and determined the status of compliance with these requirements. In addition, the team identified all the reference documents that applied to the defined scope of the risk management process, which mainly included the Annex A of ISO/IEC 27001 and the internal security rules established by Travivve. Lastly, the team analyzed both reference documents and justified a few noncompliances with those requirements.

The risk manager selected the information security risk management method which was aligned with other approaches used by the company to manage other risks. The team also communicated the risk management process to all interested parties through previously established communication mechanisms. In addition, they made sure to inform all interested parties about their roles and responsibilities regarding risk management. Travivve also decided to involve interested parties in its risk management activities since, according to the top management, this process required their active participation.

Lastly, Travivve's risk management team decided to conduct the initial information security risk assessment process. As such, the team established the criteria for performing the information security risk assessment which included the consequence criteria and likelihood criteria.

Did Travivve's risk management team identify the basic requirements of interested parties in accordance with the guidelines of ISO/IEC 27005? Refer to scenario 2.

Show Suggested Answer Hide Answer
Suggested Answer: C

According to ISO/IEC 27005, understanding the organization and its context, including the identification of interested parties and their requirements, is a critical part of the risk management process. The team at Travivve identified the interested parties and their basic requirements and determined the status of compliance with these requirements, which aligns with the guidelines provided by ISO/IEC 27005. This standard recommends that organizations should understand their context and stakeholders' requirements to effectively manage risks. Additionally, it is appropriate to evaluate compliance with requirements as part of the context analysis, rather than after implementing risk treatment options. Therefore, the team's approach was in accordance with ISO/IEC 27005, making option C the correct answer.


ISO/IEC 27005:2018, Clause 7, 'Context Establishment,' which outlines the importance of identifying the context, including the interested parties and their requirements, as a basis for risk management.

Contribute your Thoughts:

Flo
10 days ago
I believe the team did identify the basic requirements of interested parties as recommended by ISO/IEC 27005.
upvoted 0 times
...
Leota
11 days ago
Ah, the classic 'Travivve' -- where travel and security come together like peanut butter and jelly. Mmmm, security-flavored vacation packages!
upvoted 0 times
...
Raina
14 days ago
I agree with you, Selma. It's important to understand the requirements before determining compliance.
upvoted 0 times
...
Rashad
21 days ago
Analyzing the internal and external context is crucial, but I'm glad they also involved the interested parties. Gotta keep those stakeholders engaged!
upvoted 0 times
Adell
1 days ago
Yes, it's important to involve interested parties in the risk management process to ensure their needs are met.
upvoted 0 times
...
Elvera
15 days ago
C
upvoted 0 times
...
Troy
16 days ago
A
upvoted 0 times
...
...
Selma
28 days ago
I think the team should define the basic requirements of interested parties first.
upvoted 0 times
...
Keena
29 days ago
The team seems to have followed the ISO/IEC 27005 guidelines by identifying the basic requirements of interested parties and determining their compliance status. Solid start!
upvoted 0 times
Aliza
16 days ago
A) No, the team should define the basic requirements of interested parties, but it should determine status of compliance with the requirements after implementing the risk treatment options
upvoted 0 times
...
...

Save Cancel