Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. EXIN
  3. ISO/IEC 27001 Lead Implementer

EXIN ISO/IEC 27001 Lead Implementer Exam (page: 2)
EXIN Certified ISO/IEC 27001 Lead Implementer
Updated on: 12-Feb-2026

Viewing Page 2 of 44
ISO/IEC 27001 Lead Implementer PDF 135 Questions

Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information. Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses. The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Based on the scenario above, answer the following question:
After investigating the incident. Beauty decided to install a new anti-malware software.
What type of security control has been implemented in this case?

  1. Preventive
  2. Detective
  3. Corrective

Answer(s): A

Explanation:

In the scenario described, Beauty's decision to install new anti-malware software after a security incident is a Preventive control. This type of control is aimed at preventing future security incidents by removing malicious code and protecting against malware infections. The purpose of the new anti- malware software is to proactively protect the company's systems and data from potential threats, thus it falls under the category of preventive measures.


Reference:

ISO/IEC 27001:2022 Lead Implementer Course Guide1
ISO/IEC 27001:2022 Lead Implementer Info Kit2
ISO/IEC 27001:2022 Information Security Management Systems - Requirements3 ISO/IEC 27002:2022 Code of Practice for Information Security Controls4 What are Security Controls? | IBM3
What Are Security Controls? - F54



Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information. Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.

The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.

Which statement below suggests that Beauty has implemented a managerial control that helps avoid the occurrence of incidents? Refer to scenario 2.

  1. Beauty's employees signed a confidentiality agreement
  2. Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information
  3. Beauty updated the segregation of duties chart

Answer(s): B

Explanation:

Managerial controls are administrative actions that are designed to prevent or reduce the likelihood of security incidents by influencing human behavior. They include policies, procedures, guidelines, standards, training, and awareness programs. In scenario 2, Beauty has implemented a managerial control by conducting information security awareness sessions for the IT team and other employees that have access to confidential information. These sessions aim to educate the staff on the importance of system and network security, the potential threats and vulnerabilities, and the best practices to follow to avoid the occurrence of incidents. By raising the level of awareness and knowledge of the employees, Beauty can reduce the human errors and negligence that might compromise the security of the information assets.


Reference:

ISO/IEC 27001:2022 Lead Implementer Course Content, Module 7: Implementation of an ISMS based on ISO/IEC 27001:20221; ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, Clause 7.2: Competence2; ISO/IEC 27002:2022 Code of practice for information security controls, Clause 7.2.2: Information security awareness, education and training3



Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information. Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses. The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.

According to scenario 2. Beauty has reviewed all user access rights.
What type of control is this?

  1. Detective and administrative
  2. Corrective and managerial
  3. Legal and technical

Answer(s): A

Explanation:

Preventive controls: These are controls that aim to prevent or deter the occurrence of a security incident or reduce its likelihood. Examples of preventive controls are encryption, firewalls, locks, policies, etc.
Detective controls: These are controls that aim to detect or discover the occurrence of a security incident or its symptoms. Examples of detective controls are logs, alarms, audits, etc. Corrective controls: These are controls that aim to correct or restore the normal state of an asset or a process after a security incident or mitigate its impact. Examples of corrective controls are backups, recovery plans, incident response teams, etc.
Administrative controls: These are controls that involve the management and governance of information security, such as policies, procedures, roles, responsibilities, awareness, training, etc. Technical controls: These are controls that involve the use of technology or software to implement information security, such as encryption, firewalls, anti-malware, authentication, etc. Physical controls: These are controls that involve the protection of physical assets or locations from unauthorized access, damage, or theft, such as locks, fences, cameras, guards, etc. Legal controls: These are controls that involve the compliance with laws, regulations, contracts, or agreements related to information security, such as privacy laws, data protection laws, confidentiality agreements, etc.
In scenario 2, the action of Beauty reviewing all user access rights is best described as a "Preventive and Administrative" control.

Preventive Control: The review of user access rights is a preventive measure. It is designed to prevent unauthorized access to sensitive information by ensuring that only authorized personnel have access to specific files. By controlling access rights, the organization aims to prevent potential security breaches and protect sensitive data.
Administrative Control: This action also falls under administrative controls, sometimes referred to as managerial controls. These controls involve policies, procedures, and practices related to the management of the organization and its employees. In this case, the review of access rights is a part of the company's administrative procedures to manage the security of information systems.


Reference:

ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements



Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information. Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses. The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.

Based on scenario 2, Beauty should have implemented (1)_____________________________ to detect (2)_________________________.

  1. (1) An access control software, (2) patches
  2. (1) Network intrusions, (2) technical vulnerabilities
  3. (1) An intrusion detection system, (2) intrusions on networks

Answer(s): C

Explanation:

An intrusion detection system (IDS) is a device or software application that monitors network activities, looking for malicious behaviors or policy violations, and reports their findings to a management station. An IDS can help an organization to detect intrusions on networks, which are unauthorized attempts to access, manipulate, or harm network resources or data. In the scenario, Beauty should have implemented an IDS to detect intrusions on networks, such as the one that exposed customers' information due to the out-of-date anti-malware software. An IDS could have alerted the IT team about the suspicious network activity and helped them to respond faster and more effectively. Therefore, the correct answer is C.


Reference:

ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements, clause 3.14; ISO/IEC 27039:2015, Information technology -- Security techniques -- Selection, deployment and operations of intrusion detection and prevention systems (IDPS), clause 4.1.



Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model,

leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information. Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses. The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.

Based on scenario 2, which information security principle is the IT team aiming to ensure by establishing a user authentication process that requires user identification and password when accessing sensitive information?

  1. Integrity
  2. Confidentiality
  3. Availability

Answer(s): B

Explanation:

Confidentiality is one of the three information security principles, along with integrity and availability, that form the CIA triad. Confidentiality means protecting information from unauthorized access or disclosure, and ensuring that only those who are authorized to view or use it can do so.

Confidentiality is essential for preserving the privacy and trust of the information owners, such as customers, employees, or business partners.
The IT team of Beauty is aiming to ensure confidentiality by establishing a user authentication process that requires user identification and password when accessing sensitive information. User authentication is a security control that verifies the identity and credentials of the users who attempt to access a system or network, and grants or denies them access based on their authorization level. User authentication helps to prevent unauthorized users, such as hackers, competitors, or malicious insiders, from accessing confidential information that they are not supposed to see or use. User authentication also helps to create an audit trail that records who accessed what information and when, which can be useful for accountability and compliance purposes.


Reference:

ISO/IEC 27001:2022 Lead Implementer Course Guide1

ISO/IEC 27001:2022 Lead Implementer Info Kit2
ISO/IEC 27001:2022 Information Security Management Systems - Requirements3 ISO/IEC 27002:2022 Code of Practice for Information Security Controls What is Information Security | Policy, Principles & Threats | Imperva1 What is information security? Definition, principles, and jobs2 What is Information Security? Principles, Types - KnowledgeHut3



Viewing Page 2 of 44



Share your comments for EXIN ISO/IEC 27001 Lead Implementer exam with other users:

Jamil aljamil 12/4/2023 4:47:00 AM

it’s good but not senatios based
UNITED KINGDOM


tumz 1/16/2024 10:30:00 AM

very helpful
UNITED STATES


Matt 11/18/2023 2:32:00 AM

aligns with the pecd notes
Anonymous


Wafa 11/13/2023 3:06:00 AM

very helpful
Anonymous