Exam ISO-IEC-27001-Lead-Implementer Topic 4 Question 288 Discussion
Actual exam question for PECB's ISO-IEC-27001-Lead-Implementer exam
Question #: 288
Topic #: 4
Refer to Scenario 4 (FinSecure)
FinSecure is a financial institution based in Finland, providing services to a diverse clientele, encompassing retail banking, corporate banking, wealth management, and digital banking, all tailored to meet the evolving financial needs of individuals and businesses in the region. Recognizing the critical importance of information security in the modern banking landscape, FinSecure has initiated the implementation of an information security management system (ISMS) based on ISO/IEC 27001. To ensure the successful implementation of the ISMS, the top management decided to contract two experts to lead and oversee the ISMS implementation project.
As a primary strategy for implementing the ISMS, the experts chose an approach that emphasizes a swift implementation of the ISMS by initially meeting the minimum requirements of ISO/IEC 27001, followed by continual improvement over time. Additionally, under the guidance of experts, FinSecure opted for a methodological framework, which serves as a structured framework that outlines the high-level stages of the ISMS implementation, the associated activities, and the deliverables without incorporating any specific tools.
The experts conducted a risk assessment, identifying all the supporting assets, which were the most tangible ones. They assessed the potential consequences and likelihood of various risks, determining the level of risks using a methodical approach that involved defining and characterizing the terms and criteria used in the assessment process. These risks were categorized into nonnumerical levels (e.g., very low, low, moderate, high, very high). Explanatory notes were thoughtfully crafted to justify assessed values, with the primary goal of enhancing repeatability and reproducibility.
After completing the risk assessment, the experts reviewed a selected number of the security controls from Annex A of ISO/IEC 27001 to determine which ones were applicable to the company's specific context. The decision to implement security controls was justified by the risk assessment results. Based on this review, they drafted the Statement of Applicability (SoA). They focused on treating only the high-risk category, particularly addressing unauthorized use of administrator rights and system interruptions due to several hardware failures. To address these issues, they established a new version of the access control policy, implemented controls to manage and control user access, and introduced a control for ICT readiness to ensure business continuity.
Their risk assessment report indicated that if the implemented security controls reduce the risk levels to an acceptable threshold, those risks will be accepted.
Question:
Did the experts draft the Statement of Applicability (SoA) in accordance with ISO/IEC 27001?
Suggested Answer: A
ISO/IEC 27001:2022 Clause 6.1.3 c) requires the organization to:
"compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted."
Clause 6.1.3 d) continues:
"produce a Statement of Applicability that contains: the necessary controls (see 6.1.3 b) and c)); justification for their inclusion; whether the necessary controls are implemented or not; and the justification for excluding any of the Annex A controls."
The SoA does not require selection of all Annex A controls, only those that are necessary given the organization's context, risk assessment results and chosen risk treatment options. Annex A serves as the reference list against which the determined controls are compared, and each Annex A control that is excluded must carry a documented justification. FinSecure's experts selected the relevant controls on the basis of the risk assessment results and documented the justifications, thus aligning with the standard.
References:
ISO/IEC 27001:2022 Clause 6.1.3 c)-d)
ISO/IEC 27002:2022 Introduction 0.4, Determining controls
by free.soukaina7 at Mar 27, 2026, 03:38 AM