PECB ISO-IEC-27035-Lead-Incident-Manager Practice Test Questions Answers

Comprehensive and Detailed Explanation From Exact Extract:

Digital evidence gathering, as outlined in ISO/IEC 27037 and referenced in ISO/IEC 27035-2, must adhere to several core principles—reliability, sufficiency, relevance, and integrity. Relevance, in particular, means that the Digital Evidence First Responder (DEFR) must ensure that any item collected has direct or potential bearing on the investigation.

Relevance also requires:

Clear justification for why an item was acquired

Ability to trace the decision-making process

Alignment with investigation objectives

Option A misrepresents “sufficiency,” which does not mean minimal collection but rather collecting enough evidence to support conclusions without overburdening the investigation. Option B contradicts the principle of reliability, which requires that processes be standardized and reproducible.

Comprehensive and Detailed Explanation From Exact Extract:

The SMART model (Specific, Measurable, Achievable, Relevant, Time-bound) is outlined in ISO/IEC 27035-2:2016 for defining and tracking performance metrics in incident response. The “Specific” component ensures that measures are clearly defined and understood by stakeholders to avoid ambiguity.

This clarity is essential for accountability, tracking, and reporting performance accurately, which directly aligns with Option B.

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035 and industry best practices, a Security Operations Center (SOC) is the central hub for an organization’s cybersecurity operations. Its responsibilities go beyond pure incident response. SOCs continuously monitor the organization’s network and systems for suspicious activity and threats, providing real-time threat detection, incident response coordination, vulnerability management, and overall security infrastructure oversight.

While CSIRTs and CERTs specialize in handling and managing security incidents, their roles are generally more narrowly focused on the detection, reporting, and resolution of security events. SOCs, on the other hand, manage the broader spectrum of operations, including:

Real-time monitoring and logging

Threat hunting and intelligence

Security incident analysis and triage

Coordinating CSIRT activities

Supporting policy compliance and auditing

Integration with vulnerability management and security infrastructure

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.1: “Monitoring systems and activities should be established, operated and maintained to identify deviations from normal behavior.”

NIST SP 800-61 Revision 2 and industry alignment with ISO/IEC 27035 recognize the SOC as the broader operational environment that houses or interacts with the CSIRT/CERT.

Therefore, the correct answer is: B – Security Operations Center (SOC)

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 emphasizes that part of the incident handling process—particularly during assessment and documentation—must include evaluation of both the seriousness (severity) and urgency (criticality) of the incident.

Clause 6.4.2 requires that an incident’s potential impact and required response timelines be assessed promptly to determine appropriate action. Nate’s omission of this evaluation, despite creating a technically sound report, means that the organization could misjudge the incident’s risk, delay appropriate response, or fail to meet notification obligations.

Option A is incorrect because ISO/IEC 27035 explicitly lists impact and urgency as required analysis elements. Option C, while possibly helpful in forensic analysis, is not a required component per the standard.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1 classifies incidents into several categories based on the nature of their impact. Incidents involving the abuse of user rights, denial of authorized activities, or improper system use are considered violations of internal policies or rules. These fall under the category of “Breach of Rule” incidents.

This category emphasizes that while data or functionality may not be directly compromised, internal governance, permissions, or acceptable use policies have been violated. These incidents are crucial to detect as they often indicate insider threats or misconfigured permissions.