Free PECB ISO-IEC-27005-Risk-Manager Exam Questions
Absolute Free ISO-IEC-27005-Risk-Manager Exam Practice for Comprehensive Preparation
-
PECB ISO-IEC-27005-Risk-Manager Exam Questions
-
Provided By: PECB
- Exam: PECB Certified ISO/IEC 27005 Risk Manager Certification
- Certification: PECB Auditor
-
Total Questions: 60
-
Updated On: Jan 27, 2025
-
Rated: 4.9 |
-
Online Users: 120
-
Question 1
-
Which activity below is NOT included in the information security risk assessment process?
Answer: C
-
Which activity below is NOT included in the information security risk assessment process?
-
Question 2
-
Scenario 3: Printary is an American company that offers digital printing services. Creating cost-effective andcreative products, the company has been part of the printing industry for more than 30 years. Three years ago,the company started to operate online, providing greater flexibility for its clients. Through the website, clientscould find information about all services offered by Printary and order personalized products. However,operating online increased the risk of cyber threats, consequently, impacting the business functions of thecompany. Thus, along with the decision of creating an online business, the company focused on managinginformation security risks. Their risk management program was established based on ISO/IEC 27005guidelines and industry best practices.Last year, the company considered the integration of an online payment system on its website in order toprovide more flexibility and transparency to customers. Printary analyzed various available solutions andselected Pay0, a payment processing solution that allows any company to easily collect payments on theirwebsite. Before making the decision, Printary conducted a risk assessment to identify and analyze informationsecurity risks associated with the software. The risk assessment process involved three phases: identification,analysis, and evaluation. During risk identification, the company inspected assets, threats, and vulnerabilities.In addition, to identify the information security risks, Printary used a list of the identified events that couldnegatively affect the achievement of information security objectives. The risk identification phase highlightedtwo main threats associated with the online payment system: error in use and data corruption After conductinga gap analysis, the company concluded that the existing security controls were sufficient to mitigate the threatof data corruption. However, the user interface of the payment solution was complicated, which couldincrease the risk associated with user errors, and, as a result, impact data integrity and confidentiality.Subsequently, the risk identification results were analyzed. The company conducted risk analysis in order tounderstand the nature of the identified risks. They decided to use a quantitative risk analysis methodologybecause it would provide more detailed information. The selected risk analysis methodology was consistentwith the risk evaluation criteria. Firstly, they used a list of potential incident scenarios to assess their potentialimpact. In addition, the likelihood of incident scenarios was defined and assessed. Finally, the level of riskwas defined as low.In the end, the level of risk was compared to the risk evaluation and acceptance criteria and was prioritizedaccordingly.Based on the scenario above, answer the following question:What type of risk identification approach did Printary use?
Answer: B
-
Scenario 3: Printary is an American company that offers digital printing services. Creating cost-effective andcreative products, the company has been part of the printing industry for more than 30 years. Three years ago,the company started to operate online, providing greater flexibility for its clients. Through the website, clientscould find information about all services offered by Printary and order personalized products. However,operating online increased the risk of cyber threats, consequently, impacting the business functions of thecompany. Thus, along with the decision of creating an online business, the company focused on managinginformation security risks. Their risk management program was established based on ISO/IEC 27005guidelines and industry best practices.Last year, the company considered the integration of an online payment system on its website in order toprovide more flexibility and transparency to customers. Printary analyzed various available solutions andselected Pay0, a payment processing solution that allows any company to easily collect payments on theirwebsite. Before making the decision, Printary conducted a risk assessment to identify and analyze informationsecurity risks associated with the software. The risk assessment process involved three phases: identification,analysis, and evaluation. During risk identification, the company inspected assets, threats, and vulnerabilities.In addition, to identify the information security risks, Printary used a list of the identified events that couldnegatively affect the achievement of information security objectives. The risk identification phase highlightedtwo main threats associated with the online payment system: error in use and data corruption After conductinga gap analysis, the company concluded that the existing security controls were sufficient to mitigate the threatof data corruption. However, the user interface of the payment solution was complicated, which couldincrease the risk associated with user errors, and, as a result, impact data integrity and confidentiality.Subsequently, the risk identification results were analyzed. The company conducted risk analysis in order tounderstand the nature of the identified risks. They decided to use a quantitative risk analysis methodologybecause it would provide more detailed information. The selected risk analysis methodology was consistentwith the risk evaluation criteria. Firstly, they used a list of potential incident scenarios to assess their potentialimpact. In addition, the likelihood of incident scenarios was defined and assessed. Finally, the level of riskwas defined as low.In the end, the level of risk was compared to the risk evaluation and acceptance criteria and was prioritizedaccordingly.Based on the scenario above, answer the following question:What type of risk identification approach did Printary use?
-
Question 3
-
Scenario 4: In 2017, seeing that millions of people turned to online shopping, Ed and James Cordon foundedthe online marketplace for footwear called Poshoe. In the past, purchasing pre-owned designer shoes onlinewas not a pleasant experience because of unattractive pictures and an inability to ascertain the products’authenticity. However, after Poshoe’s establishment, each product was well advertised and certified asauthentic before being offered to clients. This increased the customers’ confidence and trust in Poshoe’sproducts and services. Poshoe has approximately four million users and its mission is to dominate the secondhand sneaker market and become a multi-billion dollar company.Due to the significant increase of daily online buyers, Poshoe’s top management decided to adopt a big dataanalytics tool that could help the company effectively handle, store, and analyze data. Before initiating the implementation process, they decided to conduct a risk assessment. Initially, the company identified its assets,threats, and vulnerabilities associated with its information systems. In terms of assets, the company identifiedthe information that was vital to the achievement of the organization’s mission and objectives. During thisphase, the company also detected a rootkit in their software, through which an attacker could remotely accessPoshoe’s systems and acquire sensitive data.The company discovered that the rootkit had been installed by an attacker who had gained administratoraccess. As a result, the attacker was able to obtain the customers’ personal data after they purchased a productfrom Poshoe. Luckily, the company was able to execute some scans from the target device and gain greatervisibility into their software’s settings in order to identify the vulnerability of the system.The company initially used the qualitative risk analysis technique to assess the consequences and thelikelihood and to determine the level of risk. The company defined the likelihood of risk as “a few times intwo years with the probability of 1 to 3 times per year.” Later, it was decided that they would use aquantitative risk analysis methodology since it would provide additional information on this major risk.Lastly, the top management decided to treat the risk immediately as it could expose the company to otherissues. In addition, it was communicated to their employees that they should update, secure, and back upPoshoe’s software in order to protect customers’ personal information and prevent unauthorized access fromattackers.According to scenario 4, which type of assets was identified during the risk identification process?
Answer: B
-
Scenario 4: In 2017, seeing that millions of people turned to online shopping, Ed and James Cordon foundedthe online marketplace for footwear called Poshoe. In the past, purchasing pre-owned designer shoes onlinewas not a pleasant experience because of unattractive pictures and an inability to ascertain the products’authenticity. However, after Poshoe’s establishment, each product was well advertised and certified asauthentic before being offered to clients. This increased the customers’ confidence and trust in Poshoe’sproducts and services. Poshoe has approximately four million users and its mission is to dominate the secondhand sneaker market and become a multi-billion dollar company.Due to the significant increase of daily online buyers, Poshoe’s top management decided to adopt a big dataanalytics tool that could help the company effectively handle, store, and analyze data. Before initiating the implementation process, they decided to conduct a risk assessment. Initially, the company identified its assets,threats, and vulnerabilities associated with its information systems. In terms of assets, the company identifiedthe information that was vital to the achievement of the organization’s mission and objectives. During thisphase, the company also detected a rootkit in their software, through which an attacker could remotely accessPoshoe’s systems and acquire sensitive data.The company discovered that the rootkit had been installed by an attacker who had gained administratoraccess. As a result, the attacker was able to obtain the customers’ personal data after they purchased a productfrom Poshoe. Luckily, the company was able to execute some scans from the target device and gain greatervisibility into their software’s settings in order to identify the vulnerability of the system.The company initially used the qualitative risk analysis technique to assess the consequences and thelikelihood and to determine the level of risk. The company defined the likelihood of risk as “a few times intwo years with the probability of 1 to 3 times per year.” Later, it was decided that they would use aquantitative risk analysis methodology since it would provide additional information on this major risk.Lastly, the top management decided to treat the risk immediately as it could expose the company to otherissues. In addition, it was communicated to their employees that they should update, secure, and back upPoshoe’s software in order to protect customers’ personal information and prevent unauthorized access fromattackers.According to scenario 4, which type of assets was identified during the risk identification process?
-
Question 4
-
Which statement regarding information gathering techniques is correct?
Answer: B
-
Which statement regarding information gathering techniques is correct?
-
Question 5
-
Scenario 3: Printary is an American company that offers digital printing services. Creating cost-effective andcreative products, the company has been part of the printing industry for more than 30 years. Three years ago,the company started to operate online, providing greater flexibility for its clients. Through the website, clientscould find information about all services offered by Printary and order personalized products. However,operating online increased the risk of cyber threats, consequently, impacting the business functions of thecompany. Thus, along with the decision of creating an online business, the company focused on managinginformation security risks. Their risk management program was established based on ISO/IEC 27005guidelines and industry best practices.Last year, the company considered the integration of an online payment system on its website in order toprovide more flexibility and transparency to customers. Printary analyzed various available solutions andselected Pay0, a payment processing solution that allows any company to easily collect payments on theirwebsite. Before making the decision, Printary conducted a risk assessment to identify and analyze informationsecurity risks associated with the software. The risk assessment process involved three phases: identification,analysis, and evaluation. During risk identification, the company inspected assets, threats, and vulnerabilities.In addition, to identify the information security risks, Printary used a list of the identified events that couldnegatively affect the achievement of information security objectives. The risk identification phase highlightedtwo main threats associated with the online payment system: error in use and data corruption After conductinga gap analysis, the company concluded that the existing security controls were sufficient to mitigate the threatof data corruption. However, the user interface of the payment solution was complicated, which couldincrease the risk associated with user errors, and, as a result, impact data integrity and confidentiality.Subsequently, the risk identification results were analyzed. The company conducted risk analysis in order tounderstand the nature of the identified risks. They decided to use a quantitative risk analysis methodologybecause it would provide more detailed information. The selected risk analysis methodology was consistentwith the risk evaluation criteria. Firstly, they used a list of potential incident scenarios to assess their potentialimpact. In addition, the likelihood of incident scenarios was defined and assessed. Finally, the level of riskwas defined as low.In the end, the level of risk was compared to the risk evaluation and acceptance criteria and was prioritizedaccordingly.Based on the scenario above, answer the following question:What type of risk identification approach did Printary use?
Answer: B
-
Scenario 3: Printary is an American company that offers digital printing services. Creating cost-effective andcreative products, the company has been part of the printing industry for more than 30 years. Three years ago,the company started to operate online, providing greater flexibility for its clients. Through the website, clientscould find information about all services offered by Printary and order personalized products. However,operating online increased the risk of cyber threats, consequently, impacting the business functions of thecompany. Thus, along with the decision of creating an online business, the company focused on managinginformation security risks. Their risk management program was established based on ISO/IEC 27005guidelines and industry best practices.Last year, the company considered the integration of an online payment system on its website in order toprovide more flexibility and transparency to customers. Printary analyzed various available solutions andselected Pay0, a payment processing solution that allows any company to easily collect payments on theirwebsite. Before making the decision, Printary conducted a risk assessment to identify and analyze informationsecurity risks associated with the software. The risk assessment process involved three phases: identification,analysis, and evaluation. During risk identification, the company inspected assets, threats, and vulnerabilities.In addition, to identify the information security risks, Printary used a list of the identified events that couldnegatively affect the achievement of information security objectives. The risk identification phase highlightedtwo main threats associated with the online payment system: error in use and data corruption After conductinga gap analysis, the company concluded that the existing security controls were sufficient to mitigate the threatof data corruption. However, the user interface of the payment solution was complicated, which couldincrease the risk associated with user errors, and, as a result, impact data integrity and confidentiality.Subsequently, the risk identification results were analyzed. The company conducted risk analysis in order tounderstand the nature of the identified risks. They decided to use a quantitative risk analysis methodologybecause it would provide more detailed information. The selected risk analysis methodology was consistentwith the risk evaluation criteria. Firstly, they used a list of potential incident scenarios to assess their potentialimpact. In addition, the likelihood of incident scenarios was defined and assessed. Finally, the level of riskwas defined as low.In the end, the level of risk was compared to the risk evaluation and acceptance criteria and was prioritizedaccordingly.Based on the scenario above, answer the following question:What type of risk identification approach did Printary use?