ISO Beingcert ISO/IEC 20000 Lead Implementer Sample Questions:
1. Which statement is an example of risk retention?
A) An organization has decided to release the software even though some minor bugs have not been fixed yet
B) An organization terminates work in the construction site during a severe storm
C) An organization has implemented a data loss protection software
2. Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming consoles, flat-screen TVs. computers, and printers. In order to ensure information security, the company has decided to implement an information security management system (ISMS) based on the requirements of ISO/IEC 27001.
Colin, the company's best information security expert, decided to hold a training and awareness session for the personnel of the company regarding the information security challenges and other information security- related controls. The session included topics such as Skyver's information security approaches and techniques for mitigating phishing and malware.
One of the participants in the session is Lisa, who works in the HR Department. Although Colin explains the existing Skyver's information security policies and procedures in an honest and fair manner, she finds some of the issues being discussed too technical and does not fully understand the session. Therefore, in a lot of cases, she requests additional help from the trainer and her colleagues Based on scenario 6. when should Colin deliver the next training and awareness session?
A) After he ensures that the group of employees targeted have satisfied the organization's needs
B) After he determines the employees' availability and motivation
C) After he conducts a competence needs analysis and records the competence related issues
3. Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products and services. It uses MongoDB. a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately. Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Based on the scenario above, answer the following question:
Which security control does NOT prevent information security incidents from recurring?
A) Information backup
B) Segregation of networks
C) Privileged access rights
4. TradeB communicated the information security processes and procedures to employees. Which principle of efficient communication strategy did they use?
A) Appropriateness
B) Responsiveness
C) Transparency
5. Some of the issues being discussed in the awareness session were too technical for the participants. What does this situation indicate? Refer to scenario 6.
A) TradeB did not evaluate the competence of the trainer
B) TradeB did not determine the type and level of competence needed
C) Employees are equipped with information security expertise, therefore. they do not represent a potential risk
Solutions:
| Question # 1 Answer: A | Question # 2 Answer: C | Question # 3 Answer: A | Question # 4 Answer: C | Question # 5 Answer: B |
We're so confident of our products that we provide no hassle product exchange.


By Joa

