PECB ISO-IEC-27002-Foundation Practice Test Questions Answers

The situation describes a people-related operational threat: data input error by employees. The root cause is not a malicious external attack or theft; it is that employees cannot reliably follow complicated processing procedures. ISO/IEC 27002 recognizes that people, competence, awareness, and documented procedures are essential to information security. When procedures are unclear, excessive, or difficult to follow, employees may enter incorrect data, omit fields, select wrong categories, mishandle classifications, misroute information, or unintentionally corrupt records. This primarily threatens integrity because the information may no longer be accurate or complete. Hacking would involve unauthorized technical intrusion, and information theft would involve intentional unauthorized taking or disclosure of information. Neither is stated in the scenario. ISO/IEC 27002 addresses this type of risk through information security awareness, education and training, documented operating procedures, clear responsibilities, and appropriate segregation of duties. Effective controls should make correct behavior practical and repeatable, not merely documented. Therefore, the verified answer is option A. References/Chapters: ISO/IEC 27002:2022, Control 6.3 Information security awareness, education and training; Control 5.37 Documented operating procedures; Control 5.3 Segregation of duties.

==========

Control 5.37, Documented operating procedures, aims to ensure the correct and secure operation of information processing facilities. Operating procedures translate security and operational requirements into repeatable instructions for administrators, operators, support teams, and users. They can cover system startup and shutdown, backup, restoration, logging, error handling, media handling, job scheduling, maintenance, incident escalation, access administration, and secure processing steps. Without documented procedures, operations become inconsistent and dependent on individual memory or informal practice, increasing the likelihood of mistakes, outages, unauthorized changes, or insecure handling. Control 7.2, Physical entry, protects secure physical areas by controlling access to facilities, but it does not define operational procedures. Control 5.35, Independent review of information security, assesses whether the information security approach remains suitable, adequate, and effective, but it does not provide the day-to-day operating instructions. ISO/IEC 27002 places documented procedures in the organizational control group because reliable operation requires governance, clarity, and repeatability. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.37 Documented operating procedures; Control 7.2 Physical entry; Control 5.35 Independent review of information security.

==========

Establishing and maintaining contact with special interest groups is a good practice under ISO/IEC 27002. Organizations benefit from timely information about security threats, vulnerabilities, attack trends, advisories, defensive practices, and sector-specific risks. Special interest groups can include industry associations, information sharing and analysis centers, professional forums, security communities, vendor groups, government-supported networks, and trusted peer organizations. This supports threat intelligence, incident readiness, vulnerability management, and continual improvement. Option A is incorrect because avoiding information exchange would isolate the organization and weaken its ability to anticipate emerging threats. Option B is too restrictive because authorities may be important contacts, but they are not the only legitimate or useful source of security information. ISO/IEC 27002 encourages appropriate contact with relevant groups while still requiring responsible handling of shared information, confidentiality, trust boundaries, and legal obligations. The security value lies in turning external knowledge into better internal controls, awareness, monitoring, and response. Therefore, option C is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.6 Contact with special interest groups; Control 5.7 Threat intelligence; Control 8.8 Management of technical vulnerabilities.

==========

System requirements should not be the primary factor listed for locating and constructing physical premises in the ISO/IEC 27002 physical security context. When selecting and constructing premises, organizations should consider physical and environmental threats such as local topography, flood risk, earthquake exposure, weather conditions, crime levels, civil unrest, neighboring facilities, hazardous sites, and urban threats. These considerations help reduce risks to secure areas, information processing facilities, equipment, personnel, and supporting utilities. Local topography is relevant because geography can influence flooding, landslides, access routes, drainage, and natural hazards. Urban threats are relevant because location can affect exposure to crime, protests, terrorism, traffic disruption, adjacent buildings, or public access. System requirements are important in technology design and facility planning, but they are not the type of environmental or location threat consideration targeted by this question. ISO/IEC 27002 physical controls emphasize protecting premises from physical and environmental risks, not choosing location based on application or system functional requirements. Therefore, option C is verified. References/Chapters: ISO/IEC 27002:2022, Control 7.1 Physical security perimeters; Control 7.5 Protecting against physical and environmental threats; Control 7.8 Equipment siting and protection.

==========

Control 8.28, Secure coding, is the correct control because the question focuses on software being written securely and reducing potential vulnerabilities in the code. Secure coding addresses the practices, rules, and techniques developers should use to avoid common software weaknesses. This can include input validation, output encoding, error handling, authentication handling, secure session management, memory safety, protection against injection, secure API use, cryptographic correctness, dependency management, and code review. Control 8.29, Security testing in development and acceptance, verifies whether security requirements and controls are effective, but testing occurs after or during development and does not itself define how code should be written. Control 8.26, Application security requirements, defines security requirements for applications, but secure coding is the specific implementation practice that reduces vulnerabilities during software construction. ISO/IEC 27002 treats secure development as a lifecycle discipline: requirements define what is needed, secure coding implements it safely, and testing validates it. The direct match to the exam wording is Control 8.28. References/Chapters: ISO/IEC 27002:2022, Control 8.28 Secure coding; Control 8.26 Application security requirements; Control 8.29 Security testing in development and acceptance.

==========