PECB Updated ISO-IEC-27001-Lead-Implementer Exam Questions and Answers by frances

According to the ISO/IEC 27001:2022 standard, the organization should determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the ISMS. The organization should also ensure that these persons are aware of the information security policy, their contribution to the effectiveness of the ISMS, the implications of not conforming with the ISMS requirements, and the benefits of improved information security performance. The organization should also provide information security awareness, education, and training to all employees and, where relevant, contractors and third-party users, as relevant for their job function. The awareness, education, and training programs should be planned, implemented, and maintained according to the needs of the organization and the results of the risk assessment and risk treatment.

Therefore, Colin should have handled the situation with Lisa by delivering training and awareness sessions for employees with the same level of competence needs based on the activities they perform within the company. This would ensure that the content and the language of the sessions are appropriate and understandable for the target audience, and that the sessions are effective and efficient in achieving the desired learning outcomes. By doing so, Colin would also avoid wasting time and resources on delivering sessions that are too technical or too basic for some employees, and that do not address their specific information security challenges and responsibilities.

ISO/IEC 27001:2022, Clause 7.2 Competence and Clause 7.3 Awareness

ISO/IEC 27002:2022, Clause 7.2.2 Information security awareness, education and training

PECB ISO/IEC 27001 Lead Implementer Course, Module 4: Leadership, Commitment, and Support of Top Management.

The primary purpose of comparing actual performance against targets is to assess whether security objectives are being met. This is a direct requirement of ISO/IEC 27001:2022, Clause 9.1, which mandates monitoring, measurement, analysis, and evaluation to determine if objectives are achieved and to support continual improvement.

“The organization shall evaluate the performance and the effectiveness of the information security management system... and compare results with the objectives set.”

— ISO/IEC 27001:2022, Clause 9.1

Bytes identified both external and internal issues relevant to its purpose and that impact its ability to achieve the intended ISMS outcomes, including social, cultural, political, legal, financial, technological, and other factors, as well as internal aspects like culture, policies, resources, infrastructure, etc. This approach fully aligns with ISO/IEC 27001:2022 Clause 4.1, which requires organizations to determine both internal and external issues relevant to the ISMS.

“The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.”

— ISO/IEC 27001:2022, Clause 4.1

According to ISO/IEC 27001:2022, clause 10.2.2, the organization shall define and apply an information security incident management process that includes the following activities:

reporting information security events and weaknesses;

assessing information security events and classifying them as information security incidents;

responding to information security incidents according to their classification;

learning from information security incidents, including identifying causes, taking corrective actions and preventive actions, and communicating the results and actions taken;

collecting evidence, where applicable.

The standard does not specify who should perform these activities, as long as they are done in a consistent and effective manner. Therefore, the organization may choose to conduct forensic investigation internally or by using external consultants, depending on its needs, resources, and capabilities. However, the organization should ensure that the external consultants are competent, trustworthy, and comply with the organization’s policies and procedures.

ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, clause 10.2.2; PECB ISO/IEC 27001 Lead Implementer Course, Module 10: Incident Management.