ISO-IEC-27035-Lead-Incident-Manager PECB Certified ISO/IEC 27035 Lead Incident Manager Free Practice Exam Questions (2025 Updated)

Comprehensive and Detailed Explanation From Exact Extract:

The SMART model (Specific, Measurable, Achievable, Relevant, Time-bound) is outlined in ISO/IEC 27035-2:2016 for defining and tracking performance metrics in incident response. The “Specific” component ensures that measures are clearly defined and understood by stakeholders to avoid ambiguity.

This clarity is essential for accountability, tracking, and reporting performance accurately, which directly aligns with Option B.

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035 and industry best practices, a Security Operations Center (SOC) is the central hub for an organization’s cybersecurity operations. Its responsibilities go beyond pure incident response. SOCs continuously monitor the organization’s network and systems for suspicious activity and threats, providing real-time threat detection, incident response coordination, vulnerability management, and overall security infrastructure oversight.

While CSIRTs and CERTs specialize in handling and managing security incidents, their roles are generally more narrowly focused on the detection, reporting, and resolution of security events. SOCs, on the other hand, manage the broader spectrum of operations, including:

Real-time monitoring and logging

Threat hunting and intelligence

Security incident analysis and triage

Coordinating CSIRT activities

Supporting policy compliance and auditing

Integration with vulnerability management and security infrastructure

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.1: “Monitoring systems and activities should be established, operated and maintained to identify deviations from normal behavior.”

NIST SP 800-61 Revision 2 and industry alignment with ISO/IEC 27035 recognize the SOC as the broader operational environment that houses or interacts with the CSIRT/CERT.

Therefore, the correct answer is: B – Security Operations Center (SOC)

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 emphasizes that part of the incident handling process—particularly during assessment and documentation—must include evaluation of both the seriousness (severity) and urgency (criticality) of the incident.

Clause 6.4.2 requires that an incident’s potential impact and required response timelines be assessed promptly to determine appropriate action. Nate’s omission of this evaluation, despite creating a technically sound report, means that the organization could misjudge the incident’s risk, delay appropriate response, or fail to meet notification obligations.

Option A is incorrect because ISO/IEC 27035 explicitly lists impact and urgency as required analysis elements. Option C, while possibly helpful in forensic analysis, is not a required component per the standard.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1 classifies incidents into several categories based on the nature of their impact. Incidents involving the abuse of user rights, denial of authorized activities, or improper system use are considered violations of internal policies or rules. These fall under the category of “Breach of Rule” incidents.

This category emphasizes that while data or functionality may not be directly compromised, internal governance, permissions, or acceptable use policies have been violated. These incidents are crucial to detect as they often indicate insider threats or misconfigured permissions.

Comprehensive and Detailed Explanation From Exact Extract:

During the response phase, one of the most critical activities—according to ISO/IEC 27035-1 and 27035-2—is the documentation of actions, decisions, and results. Clause 6.4.6 of ISO/IEC 27035-1 emphasizes that all activities must be logged to support post-incident analysis, audit trails, and lessons learned. This ensures that:

Accountability is maintained

Decisions can be reviewed

Investigations are legally sound (especially in regulated environments)

While restoring systems (Option C) typically occurs in the recovery phase, logging activities and outcomes is essential during the actual response. Change control processes (Option B) are supporting functions but are not core to the immediate response phase.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 Clause 7.1 explicitly states that the frequency and depth of reviewing the incident management strategy should be based on the organization’s size, complexity, and threat environment. Larger or more complex environments may require more frequent reviews to remain agile and responsive.

Audit schedules (Option C) may influence timing, but they do not dictate the necessary frequency for strategic reviews. The number of employees (Option A) alone is not a sufficient factor.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035 strongly encourages information sharing among trusted parties to enhance collective incident response capabilities and reduce the broader impact of cyber threats. Clause 6.5.6 in ISO/IEC 27035-1 highlights the importance of cooperation and communication with external parties, including industry-specific information-sharing forums, CERTs/CSIRTs, and trusted partners.

The practice of proactive information exchange allows organizations to:

Detect coordinated or widespread attacks

Accelerate response through shared indicators of compromise (IOCs)

Benefit from collective intelligence and incident analysis

Build sector-wide resilience

However, such exchanges must occur within well-defined protocols that preserve confidentiality, legal compliance, and operational integrity.

Option B and C reflect overly cautious or siloed approaches that may delay response or reduce the effectiveness of collaborative efforts.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.5.6: “Incident management should consider the importance of trusted collaboration, sharing of incident information, and threat intelligence between relevant entities.”

ENISA and FIRST.org also support this collaborative approach in their best practices.

Correct answer: A

—

Comprehensive and Detailed Explanation From Exact Extract:

The impact of an information security event is assessed by evaluating how the event affects the CIA triad—Confidentiality, Integrity, and Availability—of information assets. This fundamental concept underpins all ISO/IEC 27000-series standards, including ISO/IEC 27035.

ISO/IEC 27035-1:2016, Clause 6.2.3 explicitly states that an event's severity and urgency are to be assessed by evaluating its actual or potential impact on the organization’s information security objectives, namely:

Confidentiality: Protection from unauthorized disclosure

Integrity: Protection from unauthorized modification

Availability: Assurance of timely and reliable access

This approach ensures consistent and risk-based decision-making during incident assessment. Options A and B are important steps, but they are part of the broader process; they do not directly measure impact.

Comprehensive and Detailed Explanation:

An automated vulnerability scanning tool is designed specifically to scan systems, hosts, or networks for known vulnerabilities based on a maintained vulnerability database. These tools are efficient for covering large environments quickly and are commonly used in routine security assessments.

Security testing and evaluation (A) is broader and includes manual assessments. Penetration testing (C) simulates real-world attacks but is usually more targeted and time-intensive.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035 and ISO/IEC 27001 emphasize that information security awareness and training must extend to all personnel, not just those in technical roles. Clause 7.3.2 of ISO/IEC 27035-2 specifically states that “training should be made available to all staff,” including non-technical users, third-party service providers, contractors, and any personnel with access to organizational assets or systems.

The rationale is that every user is a potential entry point for cyber threats. Whether through phishing, social engineering, or misconfiguration, untrained staff can unintentionally compromise the organization’s security posture. Therefore, organizations must ensure that everyone—especially new hires, contractors, and third-party partners—is trained on incident reporting procedures, security responsibilities, and escalation paths.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.2: “Training and awareness activities should be targeted at all users of the organization's systems and services.”

ISO/IEC 27001:2022, Control 6.3: “Ensure that personnel are aware of their information security responsibilities.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-2:2016, Clause 7.3.2, implementing continuous monitoring across all critical assets and endpoints is a key component of proactive incident detection. Organizations are encouraged to establish real-time detection mechanisms that allow prompt identification of unauthorized or abnormal behavior.

Mike’s approach—ensuring all systems are under constant surveillance—is consistent with this recommendation. Comprehensive monitoring allows the early identification of security events that may otherwise go unnoticed, especially in environments where advanced persistent threats (APTs) or insider threats are concerns.

While focusing only on new devices or limiting monitoring to certain components may reduce noise, it creates gaps in coverage and increases the risk of missed threats.

Comprehensive and Detailed Explanation From Exact Extract:

In ISO/IEC 27035-2:2016, the planning phase of incident response starts with establishing a classification system. Response classification is essential to ensure that incidents are assessed and categorized in a consistent manner, allowing appropriate response measures to be applied. This classification forms the foundation for selecting the right procedures, team involvement, and communication protocols.

Assigning a response class (Option A) is a subsequent step that occurs once an incident is analyzed and matched to a pre-defined category. Developing response processes (Option B) is important but comes after the classification model is defined.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 6.3.2: “The response planning process begins with the classification of potential incidents to determine the required actions and responsibilities.”

Clause 7.2.2: “Defining response classes helps the organization decide how to handle specific categories of incidents.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016 emphasize the importance of monitoring not only internal systems but also third-party or outsourced services. Clause 7.3.2 of ISO/IEC 27035-2 specifically recommends that organizations establish mechanisms for the continuous monitoring of service providers and outsourced systems, particularly when such services process or store sensitive information.

In the scenario, Konzolo suffered an incident due to a failure by a third-party service provider to uphold security controls. This indicates that Konzolo had insufficient or no effective monitoring of outsourced services in place, which directly contributed to the breach and system downtime.

On the other hand:

Option A is incorrect because Konzolo did conduct a vulnerability scan, identifying and addressing cryptographic weaknesses.

Option B is also incorrect, as Paulina conducted forensic and behavioral analysis (both manual and automated) as part of the investigation process.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.2: “Monitoring should not be limited to internal infrastructure but should include third-party and outsourced services to ensure that they are operating within defined security parameters.”

ISO/IEC 27002:2022, Control 5.23: “Information security should be addressed in agreements with third parties.”

Correct answer: C

—

—

Comprehensive and Detailed Explanation From Exact Extract:

Yes, the use of ISO/IEC 27035-1 to support compliance with ISO/IEC 27001 ISMS requirements is fully acceptable and encouraged. ISO/IEC 27035-1:2016 is explicitly designed to support organizations in establishing and maintaining effective information security incident management processes. These processes are a crucial component of a well-functioning Information Security Management System (ISMS), which is governed by ISO/IEC 27001.

Clause 6.1.3 and Clause A.16.1 of ISO/IEC 27001:2022 (formerly 2013) require that organizations establish and respond to information security incidents, including detection, response, and learning from such events. ISO/IEC 27035-1 directly supports these controls by providing specific guidance on how to identify, manage, and learn from information security incidents in a structured and repeatable way.

Moreover, ISO/IEC 27035-1 is referenced by ISO/IEC 27001 Annex A (specifically A.5.24 to A.5.27 and A.5.31 in the 2022 version), supporting requirements related to incident management, monitoring, and improvement. The ISO 27035 series acts as a detailed implementation guide for these controls, helping organizations meet both the management and operational requirements of the ISMS.

Therefore, Mark’s decision to use ISO/IEC 27035-1 guidelines to align and enhance the incident management aspects of the ISMS is both appropriate and aligned with international best practices.

Reference Extracts:

* ISO/IEC 27035-1:2016, Clause 0.2: “This document also supports the information security requirements defined in ISO/IEC 27001 and provides detailed guidance on incident management activities relevant to an ISMS.”

* ISO/IEC 27001:2022, Annex A (A.5.24–A.5.27): “Information security incident management should be based on established processes for detection, response, and learning.”

* ISO/IEC 27001:2022, Clause 6.1.3: “Information security risks must be identified and treated as part of the ISMS.”

Therefore, the correct answer is A: Yes, another objective associated with ISO/IEC 27035-1 is to provide guidance on meeting the ISMS requirements specified in ISO/IEC 27001.

—

Certainly! Below is your requested content in the structured ISO/IEC format for:

✅ QUESTION NO: 15

Including: full scenario, correct answer option, and a comprehensive explanation based on ISO/IEC 27035-1, 27035-2, and related ISO/IEC standards.

—

Comprehensive and Detailed Explanation From Exact Extract:

The incident coordinator plays a vital managerial and operational role in guiding and synchronizing the efforts of Incident Response Teams (IRTs). ISO/IEC 27035-2:2016, Clause 7.2.2 describes the role as one that involves coordination of resources, communication, and oversight to ensure that all phases of the response are executed according to procedure and within acceptable timelines.

Responsibilities include:

Assigning roles and responsibilities

Overseeing containment, eradication, and recovery efforts

Communicating with stakeholders

Tracking incident metrics and resolution progress

Initiating the response (Option B) is typically a decision taken collectively or by senior management or the IMT after classification. Assessing the nature of an event (Option C) falls under the detection and classification phase, not the coordinator's primary role during response.

Comprehensive and Detailed Explanation From Exact Extract:

The deployment of an Intrusion Detection System (IDS) by RoLawyers following the incident is a classic example of implementing a detective control. According to ISO/IEC 27002:2022 (formerly 27002:2013), detective controls are designed to identify and report the occurrence of information security events in a timely manner. They help organizations discover that an event has occurred so that an appropriate response can be initiated.

The IDS mentioned in the scenario monitors the network for suspicious activity and alerts the IT security team when anomalies or intrusion attempts are detected. This aligns directly with the definition of detective controls.

By contrast:

Preventive controls are designed to prevent incidents from occurring in the first place (e.g., firewalls, access controls).

Corrective controls are actions taken after an incident to restore systems or data and prevent recurrence (e.g., patch management, backups).

Reference Extracts:

ISO/IEC 27002:2022, Clause 5.27 – “Detection controls should be implemented to identify incidents and anomalies in a timely manner.”

ISO/IEC 27035-1:2016, Clause 4.3.2 – “Detecting and reporting information security events and weaknesses are the first steps in the incident response process.”

RoLawyers' use of an IDS matches the description of a detective control designed to provide early warning signs of potential threats, making it easier for the organization to take timely action.

Therefore, the correct answer is B: Detective controls.

Comprehensive and Detailed Explanation From Exact Extract:

Incident identification is the first operational step in the incident response process. It involves detecting unusual or suspicious activity and recognizing whether it constitutes an information security incident. ISO/IEC 27035-1:2016 describes various sources of detection, such as:

Security monitoring tools (e.g., IDS/IPS)

User reports or helpdesk notifications

Automated alerts from applications or infrastructure

The goal at this stage is not to collect detailed forensic data or conduct deep analysis, but rather to determine whether the activity warrants classification as a potential incident and to escalate accordingly.

Comprehensive and Detailed Explanation From Exact Extract:

Internal exercises, such as simulations, tabletop exercises, and mock drills, are designed primarily to assess the readiness, coordination, and performance of the internal incident response team (IRT). According to ISO/IEC 27035-2:2016, these exercises aim to validate that the IRT understands their roles, follows documented procedures, and can act effectively under pressure.

While external collaboration (Options A and B) may be tested during joint exercises or industry-wide scenarios, the focus of internal exercises is on internal capabilities. These exercises help identify gaps in training, procedures, communication, and escalation pathways.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.3: “Exercises and simulations should be conducted to test the readiness of the incident response capability.”

NIST SP 800-84: “Regular exercises increase response efficiency and allow staff to develop incident handling confidence.”

Correct answer: C

—

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 outlines a structured five-phase approach to information security incident management, which includes:

1. Prepare

2. Identify (or detect and report)

3. Assess and Decide

4. Respond

5. Lessons Learned

According to the standard, the “Assess and Decide” phase must include the collection, review, and analysis of information associated with the occurrence of a potential incident. This phase ensures that the organization bases its classification decisions on factual data and contextual analysis, allowing the organization to determine whether the event should be categorized as a formal security incident.

In the scenario, Mark does introduce an accelerated “count down” process to evaluate and classify incidents, which is a commendable improvement in efficiency. However, there is no mention of gathering or documenting the actual event data prior to classification. This oversight fails to fully align with the standard.

Option A is incorrect because not all phases were implemented as defined—specifically, phase 3 (“Assess and Decide”) lacks an essential component: the collection of evidence/information from the anomaly or event.

Option C is also incorrect. According to ISO/IEC 27035, assessment and classification take place within the formal incident management process—not before it. The initiation of the process includes the evaluation of whether a security event becomes an incident.

Reference Extracts:

* ISO/IEC 27035-1:2016, Clause 6.2.2: “The assessment and decision process involves analyzing the information associated with reported events to decide whether they should be treated as incidents.”

* ISO/IEC 27035-2:2016, Clause 7.3: “This phase includes collecting information from available sources... such as logs, reports, and alerts, to support classification and response decisions.”

Therefore, the correct answer is B: No, the second phase of the incident management process should include the collection of information associated with the occurrences of information security events.

—

Certainly! Below is the full response in your requested format for:

✅ QUESTION NO: 14

Including: scenario, correct answer option, and a comprehensive explanation referencing ISO/IEC 27035-1 and ISO/IEC 27001 standards.

—