Amazon
Avaya
Checkpoint
Cisco®
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL®
Juniper
Microsoft
MuleSoft
Okta
Oracle
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. PECB
  3. ISO-IEC-27005-Risk-Manager

PECB ISO-IEC-27005-Risk-Manager Exam (page: 1)
PECB Certified ISO/IEC 27005 Risk Manager
Updated on: 25-Sep-2025

Viewing Page 1 of 9
ISO-IEC-27005-Risk-Manager PDF 60 Questions

Can organizations obtain certification against ISO 31000?

  1. Yes, organizations of any type or size can obtain certification against ISO 31000
  2. Yes, but only organizations that manufacture products can obtain an ISO 31000 certification
  3. [No, organizations cannot obtain certification against ISO 31000, as the standard provides only guidelines

Answer(s): C

Explanation:

ISO 31000 is an international standard that provides guidelines for risk management. It is a framework that helps organizations develop a risk management strategy to effectively manage risk, taking into consideration their specific contexts. However, ISO 31000 is not designed to be used as a certifiable standard; instead, it offers principles, a framework, and a process for managing risk. Unlike other ISO standards, such as ISO/IEC 27001 for information security management systems, which are certifiable, ISO 31000 does not have a certification process because it does not specify any requirements that an organization must comply with. Therefore, option C is the correct answer because ISO 31000 is intended to provide guidelines and is not certifiable.



Which of the following statements best defines information security risk?

  1. The potential that threats will exploit vulnerabilities of an information asset and cause harm to an organization
  2. Weakness of an asset or control that can be exploited by one or a group of threats
  3. Potential cause of an unwanted incident related to information security that can cause harm to an organization

Answer(s): A

Explanation:

Information security risk, as defined by ISO/IEC 27005, is "the potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization." This definition emphasizes the interplay between threats (e.g., cyber attackers, natural disasters),

vulnerabilities (e.g., weaknesses in software, inadequate security controls), and the potential impact or harm that could result from this exploitation. Therefore, option A is the most comprehensive and accurate description of information security risk. In contrast, option B describes a vulnerability, and option C focuses on the cause of an incident rather than defining risk itself. Option A aligns directly with the risk definition in ISO/IEC 27005.



Scenario:
The risk assessment process was led by Henry, Bontton's risk manager. The first step that Henry took was identifying the company's assets. Afterward, Henry created various potential incident scenarios. One of the main concerns regarding the use of the application was the possibility of being targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks during that time. After analyzing the identified risks, Henry evaluated them and concluded that new controls must be implemented if the company wants to use the application. Among others, he stated that training should be provided to personnel regarding the use of the application and that awareness sessions should be conducted regarding the importance of protecting customers' personal data. Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks.
Based on the scenario above, answer the following question:
Bontton established a risk management process based on ISO/IEC 27005, to systematically manage information security threats. Is this a good practice?

  1. Yes, ISO/IEC 27005 provides guidelines for information security risk management that enable organizations to systematically manage information security threats
  2. Yes, ISO/IEC 27005 provides guidelines to systematically manage all types of threats that organizations may face
  3. No, ISO/IEC 27005 cannot be used to manage information security threats in the food sector

Answer(s): A

Explanation:

ISO/IEC 27005 is the standard that provides guidelines for information security risk management, which supports the requirements of an Information Security Management System (ISMS) as specified in ISO/IEC 27001. In the scenario provided, Bontton established a risk management process to identify, analyze, evaluate, and treat information security risks, which is in alignment with the guidelines set out in ISO/IEC 27005. The standard emphasizes a systematic approach to identifying assets, identifying threats and vulnerabilities, assessing risks, and implementing appropriate risk treatment measures, such as training and awareness sessions. Thus, option A is correct, as it accurately reflects the purpose and application of ISO/IEC 27005 in managing information security threats. Option B is incorrect because ISO/IEC 27005 specifically addresses information security threats, not all types of threats, and option C is incorrect because ISO/IEC 27005 is applicable to any sector, including the food industry, as long as it concerns information security risks.



Scenario:

The risk assessment process was led by Henry, Bontton's risk manager. The first step that Henry took was identifying the company's assets. Afterward, Henry created various potential incident scenarios. One of the main concerns regarding the use of the application was the possibility of being targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks during that time. After analyzing the identified risks, Henry evaluated them and concluded that new controls must be implemented if the company wants to use the application. Among others, he stated that training should be provided to personnel regarding the use of the application and that awareness sessions should be conducted regarding the importance of protecting customers' personal data. Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks. Based on scenario 1, Bontton used ISO/IEC 27005 to ensure effective implementation of all ISO/IEC 27001 requirements. Is this appropriate?

  1. Yes, ISO/IEC 27005 provides direct guidance on the implementation of the requirements given in ISO/IEC 27001
  2. Yes, ISO/IEC 27005 provides a number of methodologies that can be used under the risk management framework for implementing all requirements given in ISO/IEC 27001
  3. No, ISO/IEC 27005 does not contain direct guidance on the implementation of all requirements given in ISO/IEC 27001

Answer(s): C

Explanation:

ISO/IEC 27005 is an international standard specifically focused on providing guidelines for information security risk management within the context of an organization's overall Information Security Management System (ISMS). It does not provide direct guidance on implementing the specific requirements of ISO/IEC 27001, which is a standard for establishing, implementing, maintaining, and continually improving an ISMS. Instead, ISO/IEC 27005 provides a framework for managing risks that could affect the confidentiality, integrity, and availability of information assets. Therefore, while ISO/IEC 27005 supports the risk management process that is crucial for compliance with ISO/IEC 27001, it does not contain specific guidelines or methodologies for implementing all the requirements of ISO/IEC 27001. This makes option C the correct answer.


Reference:

ISO/IEC 27005:2018, "Information Security Risk Management," which emphasizes risk management guidance rather than direct implementation of ISO/IEC 27001 requirements. ISO/IEC 27001:2013, Clause 6.1.2, "Information Security Risk Assessment," where risk assessment and treatment options are outlined but not in a prescriptive manner found in ISO/IEC 27005.



Scenario:
The risk assessment process was led by Henry, Bontton's risk manager. The first step that Henry took was identifying the company's assets. Afterward, Henry created various potential incident scenarios. One of the main concerns regarding the use of the application was the possibility of being targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks during that time. After analyzing the identified risks, Henry evaluated them and concluded that new controls must be implemented if the company wants to use the application. Among others, he stated that training should be provided to personnel regarding the use of the application and that awareness sessions should be conducted regarding the importance of protecting customers' personal data. Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks. According to scenario 1, what type of controls did Henry suggest?

  1. Technical
  2. Managerial
  3. Administrative

Answer(s): C

Explanation:

In the context of Scenario 1, the controls suggested by Henry, such as training personnel on the use of the application and conducting awareness sessions on protecting customers' personal data, fall under the category of "Administrative" controls. Administrative controls are policies, procedures, guidelines, and training programs designed to manage the human factors of information security. These controls are aimed at reducing the risks associated with human behavior, such as lack of awareness or improper handling of sensitive data, and are distinct from "Technical" controls (like firewalls or encryption) and "Managerial" controls (which include risk management strategies and governance frameworks).


Reference:

ISO/IEC 27005:2018, Annex A, "Controls and Safeguards," which mentions the importance of administrative controls, such as awareness training and the development of policies, to mitigate identified risks.
ISO/IEC 27001:2013, Annex A, Control A.7.2.2, "Information security awareness, education, and training," which directly relates to administrative controls for personnel security.



Scenario:
The risk assessment process was led by Henry, Bontton's risk manager. The first step that Henry took was identifying the company's assets. Afterward, Henry created various potential incident scenarios. One of the main concerns regarding the use of the application was the possibility of being targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks during that time. After analyzing the identified risks, Henry evaluated them and concluded that new controls must be implemented if the company wants to use the application. Among others, he stated that training should be provided to personnel regarding the use of the application and that awareness sessions should be conducted regarding the importance of protecting customers' personal data. Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks. Henry concluded that one of the main concerns regarding the use of the application for online ordering was cyberattacks.
What did Henry identify in this case? Refer to scenario 1.\

  1. A threat
  2. The vulnerabilities of an asset
  3. The consequences of a potential security incident

Answer(s): A

Explanation:

In this scenario, Henry identifies "cyberattacks" as one of the main concerns related to the use of the application for online ordering. According to ISO/IEC 27005, a "threat" is any potential cause of an unwanted incident that may result in harm to a system or organization. In this context, cyberattacks are considered a threat because they represent a potential cause that could compromise the security of the application. Henry's identification of cyberattacks as a primary concern aligns with recognizing a specific threat that could exploit vulnerabilities within the system.


Reference:

ISO/IEC 27005:2018, Clause 8.3, "Threat identification," which provides guidance on identifying threats that could affect the organization's information assets. ISO/IEC 27001:2013, Clause 6.1.2, "Information Security Risk Assessment," where identifying threats is part of the risk assessment process.
These answers are verified based on the standards' definitions and guidelines, providing a comprehensive understanding of how ISO/IEC 27005 is used within the context of ISO/IEC 27001.



Scenario:
The risk assessment process was led by Henry, Bontton's risk manager. The first step that Henry took was identifying the company's assets. Afterward, Henry created various potential incident scenarios. One of the main concerns regarding the use of the application was the possibility of being targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks during that time. After analyzing the identified risks, Henry evaluated them and concluded that new controls must be implemented if the company wants to use the application. Among others, he stated that training should be provided to personnel regarding the use of the application and that awareness sessions should be conducted regarding the importance of protecting customers' personal data. Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks. According to scenario 1, Bontton wanted to use an application that ensures only authorized users have access to customers' personal data.

Which information security principle does Bontton want to ensure in this case?

  1. Integrity
  2. Availability
  3. Confidentiality

Answer(s): C

Explanation:

In the context of information security, confidentiality refers to ensuring that information is accessible only to those who are authorized to have access. According to scenario 1, Bontton wanted to use an application that ensures only authorized users have access to customers' personal data. This directly aligns with the principle of confidentiality, as Bontton aims to protect personal data from unauthorized access or disclosure. This focus on restricting access to sensitive data to authorized personnel clearly indicates that the confidentiality of information is the primary concern in this case.
Thus, the correct answer is C.



According to ISO/IEC 27000, what is the definition of information security?

  1. Preservation of confidentiality, integrity, and availability of information
  2. Protection of privacy during the processing of personally identifiable information
  3. Preservation of authenticity, accountability, and reliability in the cyberspace

Answer(s): A

Explanation:

According to ISO/IEC 27000, information security is defined as the "preservation of confidentiality, integrity, and availability of information." This definition highlights the three core principles of information security:
Confidentiality ensures that information is not disclosed to unauthorized individuals or systems. Integrity ensures the accuracy and completeness of information and its processing methods. Availability ensures that authorized users have access to information and associated assets when required.
This definition encompasses the protection of information in all forms and aligns with ISO/IEC 27005's guidelines on managing information security risks. Therefore, option A is the correct answer. Options B and C are incorrect as they refer to more specific aspects or other areas of information management.



Viewing Page 1 of 9



Share your comments for PECB ISO-IEC-27005-Risk-Manager exam with other users:

Ben 9/9/2023 7:35:00 AM

please upload it
Anonymous


anonymous 9/20/2023 11:27:00 PM

hye when will post again the past year question for this h13-311_v3 part since i have to for my test tommorow…thank you very much
Anonymous


Randall 9/28/2023 8:25:00 PM

on question 22, option b-once per session is also valid.
Anonymous


Tshegofatso 8/28/2023 11:51:00 AM

this website is very helpful
SOUTH AFRICA


philly 9/18/2023 2:40:00 PM

its my first time exam
SOUTH AFRICA


Beexam 9/4/2023 9:06:00 PM

correct answers are device configuration-enable the automatic installation of webview2 runtime. & policy management- prevent users from submitting feedback.
NEW ZEALAND


RAWI 7/9/2023 4:54:00 AM

is this dump still valid? today is 9-july-2023
SWEDEN


Annie 6/7/2023 3:46:00 AM

i need this exam.. please upload these are really helpful
PAKISTAN


Shubhra Rathi 8/26/2023 1:08:00 PM

please upload the oracle 1z0-1059-22 dumps
Anonymous


Shiji 10/15/2023 1:34:00 PM

very good questions
INDIA


Rita Rony 11/27/2023 1:36:00 PM

nice, first step to exams
Anonymous


Aloke Paul 9/11/2023 6:53:00 AM

is this valid for chfiv9 as well... as i am reker 3rd time...
CHINA


Calbert Francis 1/15/2024 8:19:00 PM

great exam for people taking 220-1101
UNITED STATES


Ayushi Baria 11/7/2023 7:44:00 AM

this is very helpfull for me
Anonymous


alma 8/25/2023 1:20:00 PM

just started preparing for the exam
UNITED KINGDOM


CW 7/10/2023 6:46:00 PM

these are the type of questions i need.
UNITED STATES


Nobody 8/30/2023 9:54:00 PM

does this actually work? are they the exam questions and answers word for word?
Anonymous


Salah 7/23/2023 9:46:00 AM

thanks for providing these questions
Anonymous


Ritu 9/15/2023 5:55:00 AM

interesting
CANADA


Ron 5/30/2023 8:33:00 AM

these dumps are pretty good.
Anonymous


Sowl 8/10/2023 6:22:00 PM

good questions
UNITED STATES


Blessious Phiri 8/15/2023 2:02:00 PM

dbua is used for upgrading oracle database
Anonymous


Richard 10/24/2023 6:12:00 AM

i am thrilled to say that i passed my amazon web services mls-c01 exam, thanks to study materials. they were comprehensive and well-structured, making my preparation efficient.
Anonymous


Janjua 5/22/2023 3:31:00 PM

please upload latest ibm ace c1000-056 dumps
GERMANY


Matt 12/30/2023 11:18:00 AM

if only explanations were provided...
FRANCE


Rasha 6/29/2023 8:23:00 PM

yes .. i need the dump if you can help me
Anonymous


Anonymous 7/25/2023 8:05:00 AM

good morning, could you please upload this exam again?
SPAIN


AJ 9/24/2023 9:32:00 AM

hi please upload sre foundation and practitioner exam questions
Anonymous


peter parker 8/10/2023 10:59:00 AM

the exam is listed as 80 questions with a pass mark of 70%, how is your 50 questions related?
Anonymous


Berihun 7/13/2023 7:29:00 AM

all questions are so important and covers all ccna modules
Anonymous


nspk 1/19/2024 12:53:00 AM

q 44. ans:- b (goto setup > order settings > select enable optional price books for orders) reference link --> https://resources.docs.salesforce.com/latest/latest/en-us/sfdc/pdf/sfom_impl_b2b_b2b2c.pdf(decide whether you want to enable the optional price books feature. if so, select enable optional price books for orders. you can use orders in salesforce while managing price books in an external platform. if you’re using d2c commerce, you must select enable optional price books for orders.)
Anonymous


Muhammad Rawish Siddiqui 12/2/2023 5:28:00 AM

"cost of replacing data if it were lost" is also correct.
SAUDI ARABIA


Anonymous 7/14/2023 3:17:00 AM

pls upload the questions
UNITED STATES


Mukesh 7/10/2023 4:14:00 PM

good questions
UNITED KINGDOM