PECB Updated ISO-IEC-27002-Foundation Exam Questions and Answers by kobi

A digital customer identity is the best example of an organizational asset in cyberspace because it exists, functions, and is protected within digital systems, networks, applications, and online services. ISO/IEC 27002 treats identities, authentication information, access rights, and digital accounts as critical security subjects because compromise of identity can enable unauthorized access, fraud, impersonation, privacy breaches, and loss of accountability. A digital customer identity can include usernames, identifiers, credentials, account attributes, authentication factors, access permissions, profile data, and linked personal information. Medical data and intellectual property are also important information assets, but the phrase “asset in cyberspace” points most directly to a digitally represented identity used for electronic interaction. ISO/IEC 27002 contains several controls that protect this asset type, including identity management, authentication information, access rights, secure authentication, and access restriction. These controls ensure that identities are created, maintained, verified, modified, disabled, and removed in a controlled manner. The exam logic therefore favors option B because cyberspace emphasizes digital identity and online representation. References/Chapters: ISO/IEC 27002:2022, Control 5.16 Identity management; Control 5.17 Authentication information; Control 5.18 Access rights; Control 8.5 Secure authentication.

==========

ISO/IEC 27002:2022 provides guidance for selecting, implementing, and managing information security controls. It is not the certification requirements standard; that role belongs to ISO/IEC 27001. ISO/IEC 27002 supports organizations by explaining the purpose of each control, the implementation guidance, and other related information needed to apply controls appropriately. Its controls are grouped into organizational, people, physical, and technological themes. The standard is intended to be used as a reference when organizations design security measures based on their risks, business needs, legal obligations, contractual requirements, and information security objectives. Therefore, option A is correct because “guidance” is the core function of ISO/IEC 27002. Option B is incorrect because ISO/IEC 27002 does not set mandatory requirements for certification. Option C is related to risk management, but it is not the main purpose of ISO/IEC 27002; risk management guidance is more directly associated with ISO/IEC 27005. ISO/IEC 27002 guides control implementation after risk and control needs are determined. References/Chapters: ISO/IEC 27002:2022, Clause 1 Scope; Clause 4 Structure of the standard; Controls 5–8.

==========

Control 5.35, Independent review of information security, is the control intended to ensure that the organization’s approach to managing information security remains suitable, adequate, and effective. Independent reviews provide objective evaluation of whether policies, processes, controls, responsibilities, and implementation remain aligned with business needs, risks, legal requirements, and the organization’s security objectives. The review may consider governance, control design, control operation, risk treatment, compliance, incident trends, technology changes, supplier dependencies, and audit results. Control 5.4, Management responsibilities, is important because management must ensure personnel apply security according to policies and procedures, but it is not the control specifically focused on independent review. Control 5.24 concerns planning and preparation for incident management, which supports response capability but does not broadly assess the continuing suitability of the whole security approach. The phrase “suitable, adequate and effective” is a strong indicator of review and assurance. ISO/IEC 27002 uses independent review to challenge assumptions, detect weaknesses, and support continual improvement. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.4 Management responsibilities.

A PII controller is the privacy stakeholder that determines the purposes and means of processing personally identifiable information. This means the controller decides why PII is processed, what PII is needed, how it is processed, how long it is retained, who receives it, and which controls are required. Option A describes the PII principal, which is the natural person to whom the PII relates. Option C describes a PII processor, which processes PII on behalf of and according to the instructions of the controller. ISO/IEC 27002 includes privacy and PII protection as part of its information security control guidance where privacy obligations apply. The distinction matters because controllers carry decision-making responsibility and accountability for lawful, secure, and appropriate processing. Processors must protect the information but do not independently determine the processing purpose. Relevant controls include privacy and protection of PII, access control, supplier relationships, information deletion, data masking, data leakage prevention, and cloud service controls. The verified answer is therefore option B. References/Chapters: ISO/IEC 27002:2022, Control 5.34 Privacy and protection of PII; Control 5.19 Information security in supplier relationships; Control 8.11 Data masking.

==========