ISO-IEC-27002-Foundation ISO/IEC 27002 Foundation Exam Question and Answers

Information security should be integrated into project management so that security risks related to projects and deliverables are effectively addressed. Projects often introduce new systems, processes, suppliers, data flows, technologies, applications, facilities, or business changes. If security is considered only after implementation, weaknesses may already be embedded in design, architecture, contracts, code, configurations, or operating procedures. ISO/IEC 27002 Control 5.8 expects information security to be integrated into project management activities so risks are identified and treated throughout the project lifecycle. This includes security requirements, risk assessments, roles and responsibilities, acceptance criteria, testing, supplier requirements, privacy considerations, change control, and secure transition to operation. Option A is too general and focuses on applying ISO/IEC 27001 principles rather than the precise purpose of the control. Option B is too narrow because audits can support assurance but are not the primary reason for integration. The main purpose is risk management within projects and deliverables. Therefore, option C is verified. References/Chapters: ISO/IEC 27002:2022, Control 5.8 Information security in project management; Control 8.26 Application security requirements; Control 8.29 Security testing in development and acceptance.

==========

Clock synchronization can be difficult when using multiple cloud services. ISO/IEC 27002 Control 8.17 emphasizes that clocks of information processing systems should be synchronized to approved time sources. Accurate time is essential for logging, monitoring, incident investigation, transaction integrity, forensic analysis, authentication, certificate validation, and event correlation. In a simple on-premises environment, an organization may centrally manage time sources using internal NTP servers or domain services. In multi-cloud environments, systems may span different providers, regions, platforms, managed services, containers, serverless functions, and third-party logging systems. Each environment may have different time settings, time source controls, administrative access limits, time zone handling, timestamp formats, and logging precision. This makes consistent synchronization and correlation more challenging. Option A is not the best answer because “only on-premises services” are typically easier to synchronize under a single administrative model. Option C is too broad because the question asks when synchronization can be difficult, and the ISO/IEC 27002 exam logic points to multiple cloud services. References/Chapters: ISO/IEC 27002:2022, Control 8.17 Clock synchronization; Control 8.15 Logging; Control 5.23 Information security for use of cloud services.

==========

Control 5.37, Documented operating procedures, aims to ensure the correct and secure operation of information processing facilities. Operating procedures translate security and operational requirements into repeatable instructions for administrators, operators, support teams, and users. They can cover system startup and shutdown, backup, restoration, logging, error handling, media handling, job scheduling, maintenance, incident escalation, access administration, and secure processing steps. Without documented procedures, operations become inconsistent and dependent on individual memory or informal practice, increasing the likelihood of mistakes, outages, unauthorized changes, or insecure handling. Control 7.2, Physical entry, protects secure physical areas by controlling access to facilities, but it does not define operational procedures. Control 5.35, Independent review of information security, assesses whether the information security approach remains suitable, adequate, and effective, but it does not provide the day-to-day operating instructions. ISO/IEC 27002 places documented procedures in the organizational control group because reliable operation requires governance, clarity, and repeatability. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.37 Documented operating procedures; Control 7.2 Physical entry; Control 5.35 Independent review of information security.

==========

Control 5.35, Independent review of information security, is the control intended to ensure that the organization’s approach to managing information security remains suitable, adequate, and effective. Independent reviews provide objective evaluation of whether policies, processes, controls, responsibilities, and implementation remain aligned with business needs, risks, legal requirements, and the organization’s security objectives. The review may consider governance, control design, control operation, risk treatment, compliance, incident trends, technology changes, supplier dependencies, and audit results. Control 5.4, Management responsibilities, is important because management must ensure personnel apply security according to policies and procedures, but it is not the control specifically focused on independent review. Control 5.24 concerns planning and preparation for incident management, which supports response capability but does not broadly assess the continuing suitability of the whole security approach. The phrase “suitable, adequate and effective” is a strong indicator of review and assurance. ISO/IEC 27002 uses independent review to challenge assumptions, detect weaknesses, and support continual improvement. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.4 Management responsibilities.

When an employee leaves the organization or changes roles, their information security responsibilities should be identified and transferred appropriately. ISO/IEC 27002 emphasizes that responsibilities must remain clear throughout the employment lifecycle, including changes and termination. Security duties cannot simply disappear when a person leaves a role. Examples include ownership of assets, approval duties, incident response responsibilities, privileged access administration, supplier contact responsibilities, classification decisions, or operational security tasks. The organization should determine which responsibilities the employee holds, remove responsibilities that no longer apply, revoke or adjust access rights, and assign continuing responsibilities to another competent person. Option B is too limited because documenting responsibilities in a termination policy does not ensure that active duties are transferred. Option C is incorrect because outsourcing is not required and may introduce additional supplier risk. The central ISO/IEC 27002 principle is continuity of accountability: responsibilities must be maintained even when personnel move, leave, or change duties. This also supports least privilege because access and responsibilities should match the current role. References/Chapters: ISO/IEC 27002:2022, Control 6.5 Responsibilities after termination or change of employment; Control 5.2 Information security roles and responsibilities; Control 5.18 Access rights.

==========

Confidentiality is breached when information is made available or disclosed to unauthorized individuals, entities, or processes. Option A is the correct answer because employees from all departments have access to colleagues’ personal data, even though such access should normally be restricted to authorized roles such as HR, payroll, compliance, or designated management. Internal users can still be unauthorized users when their role does not justify access. ISO/IEC 27002 addresses this through access control, access rights management, classification, privacy protection, and information access restriction. Option B is an availability issue because a department cannot access needed customer phone numbers due to equipment failure. Option C is an integrity issue because banking information was accidentally modified. The confidentiality principle is specifically about limiting disclosure and availability of information to authorized parties only. Personal data requires additional care because privacy obligations may apply, and excessive internal access can create legal, ethical, and reputational harm. The verified answer is therefore option A. References/Chapters: ISO/IEC 27002:2022, Control 5.15 Access control; Control 5.18 Access rights; Control 5.34 Privacy and protection of PII; Control 8.3 Information access restriction.

==========

Control 8.28, Secure coding, is the correct control because the question focuses on software being written securely and reducing potential vulnerabilities in the code. Secure coding addresses the practices, rules, and techniques developers should use to avoid common software weaknesses. This can include input validation, output encoding, error handling, authentication handling, secure session management, memory safety, protection against injection, secure API use, cryptographic correctness, dependency management, and code review. Control 8.29, Security testing in development and acceptance, verifies whether security requirements and controls are effective, but testing occurs after or during development and does not itself define how code should be written. Control 8.26, Application security requirements, defines security requirements for applications, but secure coding is the specific implementation practice that reduces vulnerabilities during software construction. ISO/IEC 27002 treats secure development as a lifecycle discipline: requirements define what is needed, secure coding implements it safely, and testing validates it. The direct match to the exam wording is Control 8.28. References/Chapters: ISO/IEC 27002:2022, Control 8.28 Secure coding; Control 8.26 Application security requirements; Control 8.29 Security testing in development and acceptance.

==========

Under Control 5.1, information security policies should include statements that define direction, responsibilities, and policy expectations, including how exemptions and exceptions are handled. Exception handling is important because policies cannot be treated casually or bypassed informally. When an exception is necessary, it should be justified, approved, documented, time-bound where appropriate, risk-assessed, and reviewed. This preserves governance and ensures deviations do not become uncontrolled weaknesses. Option A, recovery from a data breach, is important but belongs more naturally to incident management, business continuity, and response planning rather than the general information security policy statement. Option C, procedures for using automated information systems, may be addressed in acceptable use or operational procedures, but it is not the best match for Control 5.1’s policy content. The information security policy establishes the authority and framework for topic-specific policies and procedures. It should include high-level statements on objectives, principles, responsibilities, compliance expectations, and exception management. Therefore, option B is verified. References/Chapters: ISO/IEC 27002:2022, Control 5.1 Policies for information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.37 Documented operating procedures.

==========

Continual improvement is the process of increasing an organization’s effectiveness and efficiency so that it better fulfills its policies and objectives. In information security, improvement is not limited to fixing one defect. It is the ongoing refinement of controls, processes, responsibilities, technologies, awareness, monitoring, and response capabilities. Option B describes analysis, which may support improvement but is not the definition. Option C describes correction or corrective action for a nonconformity, which can be one mechanism of improvement but does not cover the complete concept. ISO/IEC 27002 supports continual improvement through controls such as learning from information security incidents, independent review, compliance monitoring, threat intelligence, vulnerability management, change management, and documented operating procedures. A mature organization uses evidence from incidents, audits, metrics, user behavior, supplier performance, new threats, and business changes to adjust its controls. The key idea is progressive enhancement of suitability, adequacy, and effectiveness. Therefore, option A aligns with the management system and ISO/IEC 27002 control logic. References/Chapters: ISO/IEC 27002:2022, Control 5.27 Learning from information security incidents; Control 5.35 Independent review of information security; Control 8.8 Management of technical vulnerabilities.

==========