PECB Updated ISO-IEC-27001-Lead-Implementer Exam Questions and Answers by hari

According to the ISO/IEC 27001:2022 Lead Implementer objectives and content, the maturity levels of information security controls are based on the ISO/IEC 15504standard, which defines five levels of process capability: incomplete, performed, managed, established, and optimized1. Each level has a set of attributes that describe the characteristics of the process at that level. The level of defined corresponds to the attribute of process performance, which means that the process achieves its expected outcomes2. In this case, the control of two-factor authentication has been documented, standardized, and communicated, which implies that it has a clear purpose and expected outcomes. However, the control is not consistently implemented, monitored, or measured, which means that it does not meet the attributes of the higher levels of managed, established, or optimized. Therefore, the control is at the level of defined, which is the second level of maturity.

ISO/IEC 27002:2022 Clause 5.17 – Information Security in Project Management, and Clause 5.2 – Roles and Responsibilities, support role flexibility provided responsibilities are clear and documented.

Thesame groupcan assume multiple roles, provided:

The roles are defined

Competency is proven

There is no conflict of interest

It’s acceptable and sometimes encouraged for an established, competent committee like the ISC to assume emergency roles during incidents, enhancing response efficiency.

Annex A Control A.6.1 of ISO/IEC 27001:2022 (and ISO/IEC 27002:2022 Clause 6.1) coversScreening:

“Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.”

Ifcollective agreements(e.g., labor union agreements) orlocal labor lawsprohibit such checks, this is a valid justification forexclusionin the Statement of Applicability (SoA), per ISO/IEC 27001:2022 Clause 6.1.3 (d), which allows exclusions whenproperly justified.