PECB Updated ISO-IEC-27001-Lead-Implementer Exam Questions and Answers by gia

ISO/IEC 27005:2022 (Clause 8.2.1 – Risk Identification Process) and the ISMS Implementation Toolkit emphasize that risk identification is a cyclical and iterative process:

“Risk identification should evolve with organizational maturity and environmental change, becoming more detailed and effective through each cycle.”

This aligns with Clause 10.1 of ISO/IEC 27001:2022, which requires continual improvement:

“The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.”

Refining detail over time allows organizations to adjust to new threats and better understand their environment, promoting resilience and continual improvement.

The correct and verified answer is B. Technological, because the identified risk—unrestricted write access to production source code and development tools—must be managed through technical enforcement mechanisms, not solely by people or organizational measures.

The scenario describes a failure to restrict access to critical production systems, allowing a junior developer to modify source code without authorization. This is a classic access control and privilege management issue that requires technological controls such as role-based access control (RBAC), privileged access management, repository permissions, and segregation of environments.

ISO/IEC 27001:2022 Annex A categorizes controls into organizational, people, physical, and technological groups. The controls relevant to this scenario fall squarely under technological controls, including:

A.8.2 – Privileged access rightsRequires restriction and management of elevated access to prevent unauthorized or excessive privileges.

A.8.3 – Information access restrictionEnsures access to information and systems is limited in accordance with business requirements.

A.8.4 – Access to source codeExplicitly requires that access to source code is restricted, controlled, and monitored.

A.8.32 – Change managementEnsures that changes to production systems are authorized, tested, and approved.

While people controls (such as training or awareness) and organizational controls (such as policies) are supportive, they are insufficient on their own. Without technical enforcement, policies cannot prevent unauthorized access in practice.

ISO/IEC 27001:2022 emphasizes defense-in-depth, where technological controls enforce rules automatically, reducing reliance on human behavior alone.

An audit program provides the overall schedule, scope, and objectives for a series of audits. An audit plan is a document for a specific audit that describes activities, arrangements, and responsibilities.

“An audit program consists of one or more audits planned for a specific timeframe and direction. An audit plan describes how a particular audit will be conducted.”

— ISO/IEC 19011:2018, Clause 5.1 & 5.4