Question:
Which of the following would be an acceptable justification for excluding the Annex A 6.1 Screening control?
Scenario 7: InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future
Emma, Bob. and Anna were hired as the new members of InfoSec ' s information security team, which consists of a security architecture team, an incident response team (IRT) and a forensics team Emma ' s job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.
Bob, a network expert, will deploy a screened subnet network architecture This architecture will isolate the demilitarized zone (OMZ) to which hosted public services are attached and InfoSec ' s publicly accessible resources from their private network Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company ' s network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect.
Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company ' s information security incident management policy beforehand
Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.
According to scenario 7, a demilitarized zone (DMZ) is deployed within InfoSec ' s network. What type of control has InfoSec implemented in this case?
Question:
How should the level of detail in risk identification evolve over time?
Scenario 9: CoreBit Systems
CoreBit Systems, with its headquarters m San Francisco, specializes in information and communication technology (ICT) solutions, its clientele primarily includes data communication enterprises and network operators. The company ' s core objective is to enable its clients a smooth transition into multi-service providers, aligning their operations with the complex demands of the digital landscape.
Recently. John, the internal auditor of CoreBit Systems, conducted an internal audit which uncovered nonconformities related to their monitoring procedures and system vulnerabilities, in response to the identified nonconformities. CoreBit Systems decided to employ a comprehensive problem-solving approach to solve these issues systematically. The method encompasses a team-oriented approach, aiming to identify, correct, and eliminate the root causes of issues. This approach involves several steps. First, establish a group of experts with deep knowledge of processes and controls. Next, break down the nonconformity into measurable components and implement interim containment measures. Then, identify potential root causes and select and verify permanent corrective actions. Finally, put those actions into practice, validate them, take steps to prevent recurrence, and recognize and acknowledge the team ' s efforts.
Following the analysis of the root cause of the nonconformities, CoreBit Systems ' s ISMS project manager. Julia, developed a list of potential actions to address the identified nonconformities. Julia carefully evaluated the list to ensure that each action would effectively eliminate the root cause of the respective nonconformity. While assessing potential corrective action for addressing a nonconformity, Julia identified the issue as significant and assessed a high likelihood of its reoccurrence Consequently, she chose to implement temporary corrective actions. Afterward. Julia combined all the nonconformities Into a single action plan and sought approval from the top management.
The submitted action plan was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department.
However. Julia ' s submitted action plan was not approved by top management The reason cited was that a general action plan meant to address all nonconformities was deemed unacceptable. Consequently, Julia revised the action plan and submitted separate ones for approval Unfortunately, Julia did not adhere to the organization ' s specified deadline for submission, resulting in a delay in the corrective action process, and notably, the revised action plans lacked a defined schedule for execution.
Question:
Which method did CoreBit Systems use to address and prevent reoccurring problems after identifying the nonconformities?
Question:
Whom should an organization interview to obtain information regarding information security risks in their respective fields?
Refer to Scenario 4 (FinSecure)
Finsecure is a financial institution based in Finland, providing services to a diverse clientele, encompassing retail banking, corporate banking, wealth management, and digital banking, all tailored to meet the evolving financial needs of individuals and businesses in the region. Recognizing the critical importance of information security in the modern banking landscape, FinSecure has initiated the implementation of an information security management system (ISMS) based on ISO/IEC 27001. To ensure the successful implementation of the ISMS, the top management decided to contract two experts to lead and oversee the ISMS implementation project.
As a primary strategy for implementing the ISMS, the experts chose an approach that emphasizes a swift implementation of the ISMS by initially meeting the minimum requirements of ISO/IEC 27001, followed by continual improvement over time. Additionally, under the guidance of experts, FinSecure opted for a methodological framework, which serves as a structured framework that outlines the high-level stages of the ISMS implementation, the associated activities, and the deliverables without incorporating any specific tools.
The experts conducted a risk assessment, identifying all the supporting assets, which were the most tangible ones. They assessed the potential consequences and likelihood of various risks, determining the level of risks using a methodical approach that involved defining and characterizing the terms and criteria used in the assessment process. These risks were categorized into nonnumerical levels (e g., very low, low. moderate, high, very high). Explanatory notes were thoughtfully crafted to justify assessed values, with the primary goal of enhancing repeatability and reproducibility.
After completing the risk assessment, the experts reviewed a selected number of the security controls from Annex A of ISO/IEC 27001 to determine which ones were applicable to the company ' s specific context. The decision to implement security controls was justified by the risk assessment results. Based on this review, they drafted the Statement of Applicability (SoA). They focused on treating only the high-risk category particularly addressing unauthorized use of administrator rights and system interruptions due to several hardware failures. To address these issues, they established a new version of the access control policy, implemented controls to manage and control user access, and introduced a control for ICT readiness to ensure business continuity.
Their risk assessment report indicated that if the implemented security controls reduce the risk levels to an acceptable threshold, those risks will be accepted
Question:
Did the experts draft the Statement of Applicability (SoA) in accordance with ISO/IEC 27001?
Upon the risk assessment outcomes. Socket Inc. decided to:
• Require the use of passwords with at least 12 characters containing uppercase and lowercase letters, symbols, and numbers
• Require the change of passwords at least once every 60 days
• Keep backup copies of files on IT-provided network drives
• Assign users to a separate network when they have access to cloud storage files storing customers ' personal data.
Based on scenario 5. Socket Inc. decided to use cloud storage to store customers ' personal data considering that the identified risks have low likelihood and high impact, is this acceptable?
Org Y. a well-known bank, uses an online banking platform that enables clients to easily and securely access their bank accounts. To log in. clients are required to enter the one-time authorization code sent to their smartphone. What can be concluded from this scenario?
Infralink is a medium-sized IT consultancy firm headquartered in Dublin, Ireland. It specializes in secure cloud infrastructure, software integration, and data analytics, serving a diverse client base in the healthcare, financial services, and legal sectors, including hospitals, insurance providers, and law firms. To safeguard sensitive client data and support business continuity, Infralink has implemented an information security management system (ISMS) aligned with the requirements of ISO/IEC 27001.
In developing its security architecture, the company adopted services to support centralized user identification and shared authentication mechanisms across its departments. These services also governed the creation and management of credentials within the company. Additionally, Infralink deployed solutions to protect sensitive data in transit and at rest, maintaining confidentiality and integrity across its systems.
In preparation for implementing information security controls, the company ensured the availability of necessary resources, personnel competence, and structured planning. It conducted a cost-benefit analysis, scheduled implementation phases, and prepared documentation and activity checklists for each phase. The intended outcomes were clearly defined to align security controls with business objectives.
Infralink started by implementing several controls from Annex A of ISO/IEC 27001. These included regulating physical and logical access to information and assets in accordance with business and information security requirements, managing the identity life cycle, and establishing procedures for providing, reviewing, modifying, and revoking access rights. However, controls related to the secure allocation and management of authentication information, as well as the establishment of rules or agreements for secure information transfer, have not yet been implemented. During the documentation process, the company ensured that all ISMS-related documents supported traceability by including titles, creation or update dates, author names, and unique reference numbers. Based on the scenario above, answer the following question.
Is the project team ' s decision to not consider certain business processes and departmental responsibilities during the review for the ISMS scope establishment acceptable? Refer to scenario 5.
TESTED 04 May 2026
