ISO-IEC-27002-Foundation ISO/IEC 27002 Foundation Exam Questions and Answers

A fire alarm is a detective and technical control. It is detective because it identifies or signals that a fire-related event may be occurring. The alarm does not normally stop the fire from starting, and it does not restore damaged assets after the event. Its purpose is to detect indicators such as smoke, heat, or fire and trigger response actions such as evacuation, suppression, emergency communication, or incident handling. It is technical because it operates through engineered or electronic mechanisms rather than through management approval, legal clauses, or purely administrative processes. ISO/IEC 27002:2022 classifies controls using attributes, including control type. Control types include preventive, detective, and corrective. Fire alarms align with the physical security control area because fire is a physical and environmental threat to information processing facilities, equipment, storage media, and supporting infrastructure. The value of the control is timely detection, reducing the chance that a physical event escalates unnoticed into major damage or service disruption. References/Chapters: ISO/IEC 27002:2022, Clause 4 control attributes; Control 7.4 Physical security monitoring; Control 7.5 Protecting against physical and environmental threats.

==========

Access control software that allows only authorized employees to access sensitive files is a preventive control. Its purpose is to stop unauthorized access before it occurs by enforcing approved access rules. In ISO/IEC 27002, access control is implemented through policies, identity management, authentication, authorization, access rights review, privileged access control, and restrictions on information access. This type of software can prevent unauthorized disclosure, unauthorized modification, misuse of sensitive data, and violation of privacy or contractual obligations. It is not primarily detective because it does not merely discover an event after it has happened. It is not corrective because it does not restore damaged information or reverse the impact of an incident. Its security value is in blocking access attempts that do not meet authorization criteria. The principle behind the control is least privilege: users should receive only the access necessary for their role and responsibilities. For sensitive files, this is especially important because confidentiality, integrity, and accountability depend on correct authorization. References/Chapters: ISO/IEC 27002:2022, Control 5.15 Access control; Control 5.16 Identity management; Control 5.18 Access rights; Control 8.3 Information access restriction.

==========

Control 5.35, Independent review of information security, is the control intended to ensure that the organization’s approach to managing information security remains suitable, adequate, and effective. Independent reviews provide objective evaluation of whether policies, processes, controls, responsibilities, and implementation remain aligned with business needs, risks, legal requirements, and the organization’s security objectives. The review may consider governance, control design, control operation, risk treatment, compliance, incident trends, technology changes, supplier dependencies, and audit results. Control 5.4, Management responsibilities, is important because management must ensure personnel apply security according to policies and procedures, but it is not the control specifically focused on independent review. Control 5.24 concerns planning and preparation for incident management, which supports response capability but does not broadly assess the continuing suitability of the whole security approach. The phrase “suitable, adequate and effective” is a strong indicator of review and assurance. ISO/IEC 27002 uses independent review to challenge assumptions, detect weaknesses, and support continual improvement. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.4 Management responsibilities.

Continual improvement is the process of increasing an organization’s effectiveness and efficiency so that it better fulfills its policies and objectives. In information security, improvement is not limited to fixing one defect. It is the ongoing refinement of controls, processes, responsibilities, technologies, awareness, monitoring, and response capabilities. Option B describes analysis, which may support improvement but is not the definition. Option C describes correction or corrective action for a nonconformity, which can be one mechanism of improvement but does not cover the complete concept. ISO/IEC 27002 supports continual improvement through controls such as learning from information security incidents, independent review, compliance monitoring, threat intelligence, vulnerability management, change management, and documented operating procedures. A mature organization uses evidence from incidents, audits, metrics, user behavior, supplier performance, new threats, and business changes to adjust its controls. The key idea is progressive enhancement of suitability, adequacy, and effectiveness. Therefore, option A aligns with the management system and ISO/IEC 27002 control logic. References/Chapters: ISO/IEC 27002:2022, Control 5.27 Learning from information security incidents; Control 5.35 Independent review of information security; Control 8.8 Management of technical vulnerabilities.

==========

Confidentiality means that information is protected from unauthorized disclosure or availability. The correct statement is option A because it expresses the essential confidentiality concept: information must not be made available or disclosed to unauthorized individuals, entities, or processes. ISO/IEC 27002 supports confidentiality through controls such as information classification, labelling, access control, identity management, authentication, cryptography, data masking, information transfer rules, and data leakage prevention. The purpose is to ensure that only approved users, systems, or processes can view or receive information according to business need and authorization. Option B describes integrity, because accuracy and completeness relate to whether information remains correct and unaltered. Option C describes availability, because accessibility and usability on demand relate to authorized access when needed. In ISO/IEC 27002, many controls are mapped to confidentiality, integrity, and availability through control attributes. A confidentiality breach can occur through excessive internal access, accidental disclosure, lost media, weak access permissions, exposed credentials, or insecure transfer. References/Chapters: ISO/IEC 27002:2022, Clause 4 control attributes; Control 5.12 Classification of information; Control 5.15 Access control; Control 8.24 Use of cryptography.

==========

When establishing a remote working policy, organizations should consider the threat of unauthorized access to information or resources from other persons in public places. Remote working changes the security environment because employees may work from homes, hotels, airports, cafés, shared offices, client sites, or while travelling. These environments can expose information to shoulder surfing, overheard conversations, device theft, insecure Wi-Fi, unattended screens, family or visitor access, and uncontrolled printing or storage. ISO/IEC 27002 Control 6.7, Remote working, expects organizations to define security measures for remote work based on risk. This can include secure authentication, encryption, screen privacy, endpoint protection, physical protection of devices, secure network access, acceptable use, incident reporting, backup, and restrictions on handling sensitive information. Option B relates more to equipment siting and physical protection of facilities. Option C relates to access rights and privileged access management. Both can be relevant elsewhere, but the remote working policy question directly points to risks from other persons in public or uncontrolled locations. Therefore, option A is verified. References/Chapters: ISO/IEC 27002:2022, Control 6.7 Remote working; Control 7.9 Security of assets off-premises; Control 5.15 Access control.

Information security should be integrated into project management so that security risks related to projects and deliverables are effectively addressed. Projects often introduce new systems, processes, suppliers, data flows, technologies, applications, facilities, or business changes. If security is considered only after implementation, weaknesses may already be embedded in design, architecture, contracts, code, configurations, or operating procedures. ISO/IEC 27002 Control 5.8 expects information security to be integrated into project management activities so risks are identified and treated throughout the project lifecycle. This includes security requirements, risk assessments, roles and responsibilities, acceptance criteria, testing, supplier requirements, privacy considerations, change control, and secure transition to operation. Option A is too general and focuses on applying ISO/IEC 27001 principles rather than the precise purpose of the control. Option B is too narrow because audits can support assurance but are not the primary reason for integration. The main purpose is risk management within projects and deliverables. Therefore, option C is verified. References/Chapters: ISO/IEC 27002:2022, Control 5.8 Information security in project management; Control 8.26 Application security requirements; Control 8.29 Security testing in development and acceptance.

==========

Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. Option A describes only one component: risk identification. This is where risks are found, recognized, and described. Option B describes risk analysis, where the organization understands the nature of risk and determines the level of risk, often by considering likelihood and consequence. A full assessment also requires risk evaluation, where the analyzed risk is compared against criteria to determine whether it is acceptable or requires treatment. ISO/IEC 27002 relies on this risk-based logic because controls should be selected according to actual security needs. The standard provides guidance on controls, but it does not require every organization to implement every control in the same way. Risk assessment helps determine which controls are necessary, how strongly they should be implemented, and what residual risk remains. This is why option C is the complete and correct answer. ISO/IEC 27002 control implementation is meaningful only when linked to risk, context, business value, and obligations. References/Chapters: ISO/IEC 27002:2022, Clause 4 control selection and attributes; ISO/IEC 27001 risk assessment and treatment; ISO/IEC 27005 risk management terminology.

==========

A vulnerability with no currently identified corresponding threat should still be recognized and monitored. A vulnerability is a weakness that could be exploited, but risk usually depends on the relationship between assets, threats, vulnerabilities, likelihood, and consequences. When no active or relevant threat is identified, immediate treatment may not be proportionate. However, ignoring the vulnerability would be inconsistent with ISO/IEC 27002’s risk-aware approach. Threat conditions change. A weakness that appears low priority today may become exploitable after a new attack technique, system exposure, business change, supplier change, or threat actor capability emerges. Recognizing the vulnerability ensures it is recorded and available for future assessment. Monitoring it ensures the organization detects changes in exploitability, exposure, or threat relevance. ISO/IEC 27002 supports this through threat intelligence and management of technical vulnerabilities, both of which require organizations to remain alert to changes in the threat and vulnerability landscape. Therefore, the correct answer is both recognizing and monitoring the vulnerability. References/Chapters: ISO/IEC 27002:2022, Control 5.7 Threat intelligence; Control 8.8 Management of technical vulnerabilities; Control 5.36 Compliance with policies, rules and standards for information security.

==========