Exam ISO-IEC-27001-Lead-Implementer Topic 4 Question 27 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Implementer exam
Question #: 27
Topic #: 4
Infralink is a medium-sized IT consultancy firm headquartered in Dublin, Ireland. It specializes in secure cloud infrastructure, software integration, and data analytics, serving a diverse client base in the healthcare, financial services, and legal sectors, including hospitals, insurance providers, and law firms. To safeguard sensitive client data and support business continuity, Infralink has implemented an information security management system (ISMS) aligned with the requirements of ISO/IEC 27001.
In developing its security architecture, the company adopted services to support centralized user identification and shared authentication mechanisms across its departments. These services also governed the creation and management of credentials within the company. Additionally, Infralink deployed solutions to protect sensitive data in transit and at rest, maintaining confidentiality and integrity across its systems.
In preparation for implementing information security controls, the company ensured the availability of necessary resources, personnel competence, and structured planning. It conducted a cost-benefit analysis, scheduled implementation phases, and prepared documentation and activity checklists for each phase. The intended outcomes were clearly defined to align security controls with business objectives.
Infralink started by implementing several controls from Annex A of ISO/IEC 27001. These included regulating physical and logical access to information and assets in accordance with business and information security requirements, managing the identity life cycle, and establishing procedures for providing, reviewing, modifying, and revoking access rights. However, controls related to the secure allocation and management of authentication information, as well as the establishment of rules or agreements for secure information transfer, have not yet been implemented. During the documentation process, the company ensured that all ISMS-related documents supported traceability by including titles, creation or update dates, author names, and unique reference numbers.
Based on the scenario above, answer the following question.
According to scenario A. did AegisCure identify supporting assets?

Suggested Answer: C

Based on the scenario, Infralink did not explicitly identify supporting assets; it focused primarily on information and access-related assets, which are considered primary assets. Therefore, Option C is the correct answer.
ISO/IEC 27001:2022 requires organizations to identify information and other associated assets as part of establishing and operating the ISMS. While the standard itself does not mandate a specific asset taxonomy, ISO/IEC 27002:2022 Annex A control A.5.9 - Inventory of information and other associated assets requires that:
"Information and other associated assets shall be identified and an inventory of these assets shall be maintained."
In common ISO/IEC 27001-aligned risk management practice (as supported by ISO/IEC 27005), primary assets typically include information and business processes, while supporting assets include hardware, software, networks, facilities, people, and services that support those primary assets.
In the scenario, Infralink implemented controls related to:
* Access to information and assets (A.5.15)
* Identity lifecycle management (A.5.16)
* Access rights management (A.5.18)
However, there is no explicit reference to identifying or inventorying supporting assets such as infrastructure components, platforms, physical facilities, or third-party services. The focus remains on information access and control mechanisms, indicating that asset identification was limited to primary assets.
* Option A is incorrect because there is no evidence that all supporting assets were identified.
* Option B is incorrect because the scenario does go beyond business processes and information by addressing access mechanisms, but still does not explicitly include supporting assets.

by mohamedalifarouk at Jun 27, 2026, 05:58 AM
