
Free Practice Questions for PECB ISO-IEC-27002-Foundation Exam

Pass4Future also provides interactive practice exam software for preparing effectively for the PECB ISO/IEC 27002 Foundation (ISO-IEC-27002-Foundation) Exam. You are welcome to explore the sample free PECB ISO-IEC-27002-Foundation Exam questions below and to try the PECB ISO-IEC-27002-Foundation Exam practice test software.

Page:    1 / 14   
Total 40 questions

Question 1

What does ISO/IEC 27002 recommend regarding audit testing?



Answer : A

ISO/IEC 27002 recommends that audit testing should be planned and agreed upon between the tester and appropriate management. The purpose is to obtain assurance without creating unnecessary disruption, exposure, or operational risk. Audit tests can involve access attempts, vulnerability checks, sampling, transaction tracing, configuration review, log review, or control validation. If such activities are unmanaged, they may overload systems, expose sensitive information, interrupt services, conflict with change windows, or create false incident signals. Option B is incorrect because ad hoc assurance testing can be risky and inconsistent unless properly authorized and controlled. Option C is incorrect because audits should not normally require stopping operational systems and business processes; rather, they should be designed to minimize disruption while preserving evidence quality. ISO/IEC 27002 treats audit and assurance activities as important but controlled. Planning should define scope, timing, method, responsibilities, data handling, access requirements, and communication. The verified answer is option A because it balances assurance with operational security and business continuity. Reference/Chapters: ISO/IEC 27002:2022, Control 8.34 Protection of information systems during audit testing; Control 5.35 Independent review of information security.


Question 2

What should the organization do with regard to the information security roles and responsibilities of an employee who is leaving or changing the job role?



Answer : A

When an employee leaves the organization or changes roles, their information security responsibilities should be identified and transferred appropriately. ISO/IEC 27002 emphasizes that responsibilities must remain clear throughout the employment lifecycle, including changes and termination. Security duties cannot simply disappear when a person leaves a role. Examples include ownership of assets, approval duties, incident response responsibilities, privileged access administration, supplier contact responsibilities, classification decisions, or operational security tasks. The organization should determine which responsibilities the employee holds, remove responsibilities that no longer apply, revoke or adjust access rights, and assign continuing responsibilities to another competent person. Option B is too limited because documenting responsibilities in a termination policy does not ensure that active duties are transferred. Option C is incorrect because outsourcing is not required and may introduce additional supplier risk. The central ISO/IEC 27002 principle is continuity of accountability: responsibilities must be maintained even when personnel move, leave, or change duties. This also supports least privilege because access and responsibilities should match the current role. Reference/Chapters: ISO/IEC 27002:2022, Control 6.5 Responsibilities after termination or change of employment; Control 5.2 Information security roles and responsibilities; Control 5.18 Access rights.


Question 3

How can organizations manage the security of large networks?



Answer : A

Organizations can manage the security of large networks by dividing them into separate network domains and separating them from the public network where appropriate. This reflects the principle of network segregation, which reduces the ability of an attacker, malware, or unauthorized user to move freely across the environment. Separate domains can be based on trust level, business function, system criticality, data sensitivity, user group, supplier access, development environment, or regulatory requirement. ISO/IEC 27002 supports this through network security, network segregation, access control, and secure architecture practices. Option B is incorrect because including internal domains into the public network would increase exposure and weaken boundaries. Option C is not realistic or aligned with modern enterprise architecture; organizations often need integrated services, users, and systems, but they must integrate them securely. Segmentation allows controlled communication through firewalls, gateways, routing rules, access controls, monitoring, and filtering. The goal is not isolation for its own sake, but risk-based separation and controlled connectivity. Therefore, option A is verified. Reference/Chapters: ISO/IEC 27002:2022, Control 8.20 Network security; Control 8.22 Segregation of networks; Control 5.15 Access control.


Question 4

What should NOT be taken into account when locating and constructing physical premises?



Answer : C

System requirements should not be the primary factor listed for locating and constructing physical premises in the ISO/IEC 27002 physical security context. When selecting and constructing premises, organizations should consider physical and environmental threats such as local topography, flood risk, earthquake exposure, weather conditions, crime levels, civil unrest, neighboring facilities, hazardous sites, and urban threats. These considerations help reduce risks to secure areas, information processing facilities, equipment, personnel, and supporting utilities. Local topography is relevant because geography can influence flooding, landslides, access routes, drainage, and natural hazards. Urban threats are relevant because location can affect exposure to crime, protests, terrorism, traffic disruption, adjacent buildings, or public access. System requirements are important in technology design and facility planning, but they are not the type of environmental or location threat consideration targeted by this question. ISO/IEC 27002 physical controls emphasize protecting premises from physical and environmental risks, not choosing location based on application or system functional requirements. Therefore, option C is verified. Reference/Chapters: ISO/IEC 27002:2022, Control 7.1 Physical security perimeters; Control 7.5 Protecting against physical and environmental threats; Control 7.8 Equipment siting and protection.


Question 5

When can clock synchronization be difficult?



Answer : B

Clock synchronization can be difficult when using multiple cloud services. ISO/IEC 27002 Control 8.17 emphasizes that clocks of information processing systems should be synchronized to approved time sources. Accurate time is essential for logging, monitoring, incident investigation, transaction integrity, forensic analysis, authentication, certificate validation, and event correlation. In a simple on-premises environment, an organization may centrally manage time sources using internal NTP servers or domain services. In multi-cloud environments, systems may span different providers, regions, platforms, managed services, containers, serverless functions, and third-party logging systems. Each environment may have different time settings, time source controls, administrative access limits, time zone handling, timestamp formats, and logging precision. This makes consistent synchronization and correlation more challenging. Option A is not the best answer because "only on-premises services" are typically easier to synchronize under a single administrative model. Option C is too broad because the question asks when synchronization can be difficult, and the ISO/IEC 27002 exam logic points to multiple cloud services. Reference/Chapters: ISO/IEC 27002:2022, Control 8.17 Clock synchronization; Control 8.15 Logging; Control 5.23 Information security for use of cloud services.

