ISO 27001:2022 - Information Security Controls Professional (based on ISO 27002:2022) Free Practice Test — 30 Questions

Question 1

A global e-commerce firm, \"AstroGoods,\" is migrating its customer database to a new Software-as-a-Service (SaaS) provider for its customer relationship management (CRM) platform. This platform will house personally identifiable information (PII) and transaction histories for millions of customers worldwide. AstroGoods is particularly concerned about maintaining the confidentiality and integrity of this data, as well as being able to reconstruct events in case of a security incident, which could have significant legal repercussions under various data protection regulations. Which ISO 27001:2022 control, as detailed in ISO 27002:2022, is most critical for establishing an auditable trail of activities within the SaaS CRM to support incident investigation and compliance?

Accepted Answer

A.8.16 Monitoring activities

Question 2

Following the discovery of a significant data exfiltration event involving personally identifiable information of its clientele, a financial services firm, \"Veridian Capital,\" must swiftly implement measures to mitigate further harm and restore operational integrity. The breach was detected through anomalous network traffic patterns. Which control, as defined by ISO 27002:2022, should be the primary focus of immediate implementation to manage this ongoing security incident?

Accepted Answer

Information security incident management

Question 3

A financial services firm, \"Apex Wealth Management,\" has decided to leverage a third-party cloud provider for hosting its customer relationship management (CRM) system, which contains highly sensitive personal and financial data. The firm\'s chief information security officer (CISO) is tasked with ensuring that the engagement with this cloud provider aligns with the organization\'s information security management system (ISMS) and meets regulatory obligations, such as GDPR and CCPA, regarding data protection and third-party risk. Which of the following ISO 27002:2022 controls, or the principles they embody, would be most critical for Apex Wealth Management to prioritize and implement to manage this specific third-party cloud relationship effectively?

Accepted Answer

Establishing and enforcing information security requirements for cloud services and supplier relationships.

Question 4

A global logistics firm, \"SwiftShip Logistics,\" is migrating its primary customer relationship management (CRM) system to a Software-as-a-Service (SaaS) cloud provider. This transition aims to enhance scalability and reduce on-premises infrastructure management. SwiftShip Logistics operates under stringent data residency requirements mandated by various international trade regulations. The firm\'s information security team is tasked with ensuring that the adoption of this cloud service does not introduce new vulnerabilities or contravene existing compliance obligations. Which of the following actions would be the most critical first step in integrating the new cloud CRM system while adhering to ISO 27001:2022 principles and relevant regulatory mandates?

Accepted Answer

Conduct a comprehensive risk assessment of the cloud service provider's security controls and data handling practices, and establish clear contractual clauses defining security responsibilities and data residency.

Question 5

An enterprise is undertaking a significant digital transformation initiative, migrating its core operational data and applications from on-premises servers to a multi-cloud environment. This transition involves substantial changes to how data is accessed, processed, and stored, requiring a rigorous reassessment of existing information security controls. Considering the thematic grouping of controls introduced in ISO 27002:2022, which of the four primary themes would most comprehensively encompass the security measures designed to protect data within this new cloud infrastructure, including aspects like data segregation, access management to cloud resources, and encryption of data at rest and in transit?

Accepted Answer

Technological

Question 6

A global e-commerce firm, \"AstroGoods,\" is migrating its customer relationship management (CRM) system to a Software-as-a-Service (SaaS) cloud provider. This migration involves processing significant volumes of personal data belonging to customers in the European Union, making the General Data Protection Regulation (GDPR) a critical compliance factor. AstroGoods needs to ensure that the security of this data, as well as the overall cloud service engagement, is robustly managed within their existing ISO 27001:2022 compliant Information Security Management System (ISMS). Which control from Annex A of ISO 27002:2022 would be most instrumental in establishing the necessary framework for managing the security of this cloud-based CRM system, considering the shared responsibility model and regulatory obligations?

Accepted Answer

A.5.23 Information security for use of cloud services

Question 7

A financial institution, operating under strict regulatory oversight and handling substantial volumes of customer financial data, is migrating its core banking operations to a public cloud infrastructure. The chosen cloud service provider has a robust security posture but is based in a jurisdiction with different data protection laws. The institution\'s legal and information security teams must ensure that the contractual agreement with the provider adequately addresses the security and privacy of the sensitive data being processed. Which of the following contractual provisions would most effectively satisfy the requirements of ISO 27001:2022 and relevant data protection regulations for this scenario?

Accepted Answer

Explicitly define the provider's obligations for data confidentiality, integrity, and availability, including specific security measures aligned with the institution's risk assessment and data classification, and stipulate audit rights and incident notification procedures in accordance with applicable data protection laws.

Question 8

Aethelred Corp, a global technology firm, is subject to a new, stringent data privacy regulation enacted by the Republic of Veridia, which mandates specific data handling procedures and imposes significant penalties for non-compliance. This regulation requires a fundamental shift in how Aethelred Corp\'s employees across all departments interact with and protect personal data. Beyond implementing technical safeguards, the company recognizes the need to cultivate a strong internal culture of data stewardship and accountability to ensure consistent adherence to the Veridian mandate. Considering the control categories outlined in ISO 27002:2022, which category would most effectively guide Aethelred Corp in embedding these new data protection principles into its organizational culture and daily operations, thereby fostering a proactive and compliant workforce?

Accepted Answer

Information security roles and responsibilities

Question 9

A financial services firm is migrating its customer onboarding process to a new Software-as-a-Service (SaaS) platform. This platform will store highly sensitive Personally Identifiable Information (PII) and financial transaction details. The firm must ensure this data is protected against unauthorized access and disclosure, both during transit and when stored within the SaaS provider\'s infrastructure, while also adhering to stringent data residency requirements mandated by the jurisdiction where its customers are located. Which of the following ISO 27002:2022 controls, when properly implemented and managed in conjunction with the SaaS provider, would most comprehensively address the security of this sensitive data at rest within the new platform?

Accepted Answer

5.10 Information security for use of cloud services

Question 10

An enterprise, operating under strict data privacy mandates akin to the General Data Protection Regulation (GDPR), is migrating its customer data to a new Software-as-a-Service (SaaS) Customer Relationship Management (CRM) platform. The organization must ensure that the SaaS provider\'s data handling practices align with its legal obligations and internal security policies. Which of the following ISO 27002:2022 control categories most directly addresses the requirement to govern the information security aspects of this cloud service engagement?

Accepted Answer

Organizational controls

Question 11

A global e-commerce company, \"AstroMart,\" is migrating its customer database to a new Software-as-a-Service (SaaS) cloud provider. This database contains personally identifiable information (PII) and financial transaction details for millions of customers worldwide. AstroMart operates under stringent data protection regulations, including the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). To ensure the ongoing security of this sensitive data within the cloud environment, what is the most critical control implementation from Annex A of ISO 27001:2022 to proactively detect and respond to potential security incidents?

Accepted Answer

Establishing comprehensive monitoring of system logs and access patterns for anomalies.

Question 12

Following a severe ransomware attack that resulted in the encryption of a significant portion of customer personal data, the IT security team at \"Aethelred Analytics\" successfully restored operations using offline backups. The attack vector was identified as a phishing email that bypassed existing email filtering. Considering the principles of effective information security incident management as per ISO 27002:2022, what is the most critical subsequent action to enhance the organization\'s resilience against future similar threats?

Accepted Answer

Conduct a detailed post-incident review to identify root causes, evaluate response effectiveness, and update security policies and procedures.

Question 13

A global e-commerce firm, \"AstroGoods,\" is migrating its customer database to a new Software-as-a-Service (SaaS) CRM platform hosted in a multi-tenant cloud environment. The company operates in jurisdictions with strict data privacy regulations, including requirements for data to remain within specific geographical boundaries. AstroGoods needs to ensure the confidentiality and integrity of its customer Personally Identifiable Information (PII) and transaction history. Which of the following ISO 27002:2022 controls, when implemented effectively, would most directly address the unique security challenges presented by this cloud migration, particularly concerning data protection and regulatory compliance in a shared responsibility model?

Accepted Answer

Control 5.10 (Information security in the cloud) and Control 8.23 (Use of cryptography)

Question 14

A global e-commerce firm, \"AstroGoods,\" is migrating its customer database to a Software as a Service (SaaS) cloud platform. The database contains personally identifiable information (PII) and payment card details, subject to regulations like GDPR and PCI DSS. AstroGoods needs to ensure robust information security for this data within the new cloud environment. Considering the principles of ISO 27001:2022 and the controls detailed in ISO 27002:2022, what is the most fundamental and immediate action AstroGoods must undertake to establish a secure foundation for its customer data in the SaaS environment?

Accepted Answer

Establish a comprehensive cloud service agreement with the SaaS provider that explicitly defines information security responsibilities and obligations for data protection.

Question 15

A financial services firm, \"Quantum Leap Analytics,\" is undertaking a significant project to migrate its entire customer relationship management (CRM) system from an on-premises data center to a Software-as-a-Service (SaaS) cloud provider. This migration involves transferring vast amounts of personally identifiable information (PII) and sensitive financial transaction data. The firm\'s information security team is tasked with ensuring that the security of this data is maintained throughout the migration process and once it resides in the cloud environment, adhering to regulations like GDPR and CCPA. They need to select the most relevant ISO 27002:2022 control to guide their strategy for managing the security implications of this cloud adoption. Which control best addresses the firm\'s primary concern regarding the secure handling of customer data in the new cloud environment?

Accepted Answer

5.23 Information security for use of cloud services

Question 16

A global e-commerce firm, \"AstroMart,\" is migrating its customer database to a Software as a Service (SaaS) cloud platform for its new customer relationship management (CRM) system. This CRM will store a vast amount of personally identifiable information (PII), including names, addresses, contact details, and purchase histories. AstroMart needs to ensure that this sensitive data remains confidential and is protected against unauthorized modification or deletion while residing in the cloud environment. Which of the following control categories from ISO 27002:2022 most directly addresses the overarching security requirements for information managed within such a cloud-based CRM system?

Accepted Answer

Organizational controls

Question 17

A global e-commerce firm, "AstroGoods," is migrating its customer database to a new cloud-based Customer Relationship Management (CRM) platform. This platform will store personally identifiable information (PII) and transaction details for millions of customers worldwide. AstroGoods is legally obligated to comply with the California Consumer Privacy Act (CCPA) and has a stringent internal policy mandating the encryption of all sensitive customer data when stored. The chosen CRM provider offers a standard service level agreement (SLA) that mentions general security measures but does not detail specific encryption algorithms or key management practices for data at rest. AstroGoods\' internal audit team has raised concerns about verifying the effectiveness of data protection in this outsourced environment.

Which of the following actions best addresses AstroGoods\' need to ensure compliance with CCPA and its internal policy regarding sensitive data encryption in the new CRM system?

Accepted Answer

Requesting a formal, documented confirmation from the CRM provider detailing their implementation of encryption for sensitive data at rest, including key management procedures and compliance with relevant data protection standards.

Question 18

Following a critical data exfiltration event that exposed personally identifiable information of over a million clients, a technology firm, \"Innovate Solutions,\" is facing intense scrutiny from regulatory bodies and public outcry. The firm\'s leadership is now prioritizing a comprehensive review of its incident response capabilities and the effectiveness of its existing security controls. Which of the following actions best aligns with the principles of ISO 27001:2022 for managing such a significant security event and fostering resilience?

Accepted Answer

Conduct a thorough post-incident analysis to identify the root cause, document lessons learned, and implement corrective actions to strengthen security controls and incident response procedures.

Question 19

A financial institution is evaluating a new cloud-based analytics platform that will process customer transaction data. The platform is hosted by a third-party cloud service provider (CSP). The institution\'s internal audit team has identified that the CSP\'s security certifications are outdated and their incident response plan has not been reviewed in over two years. Considering the principles outlined in ISO 27002:2022, which control area should be the primary focus for the financial institution to ensure the security of the customer data processed by the CSP?

Accepted Answer

Information security for use of cloud services

Question 20

A burgeoning e-commerce enterprise, \"AuraBloom,\" has decided to migrate its entire customer database and transaction processing system to a public cloud infrastructure. The chosen provider offers a robust Platform-as-a-Service (PaaS) offering. AuraBloom\'s chief information security officer (CISO) is tasked with ensuring that the migration adheres to the principles of ISO 27001:2022, particularly concerning the security of outsourced services. Given the PaaS model, where the provider manages the underlying infrastructure, operating system, and middleware, what is the most crucial initial step AuraBloom must undertake to maintain its information security posture and comply with relevant controls?

Accepted Answer

Formalize a comprehensive service level agreement (SLA) with the cloud provider that explicitly defines the security responsibilities for data protection, access management, and incident response for the PaaS environment.

Question 21

Aethelred Innovations, a burgeoning fintech firm, recently suffered a significant data exfiltration event. Forensic analysis confirmed the breach exploited a previously unknown vulnerability within their proprietary trading platform\'s authentication module. This vulnerability was introduced during the platform\'s last major feature update. The organization\'s incident response team successfully contained the breach and is now focused on preventing future occurrences. Considering the nature of the exploit and its origin within the development lifecycle, which ISO 27002:2022 control, when rigorously applied, would offer the most substantial preventative measure against a recurrence of this specific type of incident?

Accepted Answer

Secure development

Question 22

A global logistics firm, \"SwiftShip Logistics,\" is migrating its primary customer relationship management (CRM) system to a Software as a Service (SaaS) cloud platform. This migration involves handling sensitive customer data, including personal identification information and shipping preferences, which are subject to various data protection regulations like the GDPR. SwiftShip\'s internal IT security team has identified that the SaaS provider offers a baseline security configuration, but the exact division of security responsibilities for data processing and access control within the cloud environment remains ambiguous in the initial service contract. What is the most critical initial step SwiftShip Logistics must undertake to ensure robust information security and regulatory compliance for this cloud-based CRM system?

Accepted Answer

Formally revise the cloud service agreement with the SaaS provider to explicitly define the shared responsibilities for information security controls, data protection, and incident management.

Question 23

A global logistics firm, \"SwiftShip Logistics,\" is migrating its primary customer relationship management (CRM) system to a Software-as-a-Service (SaaS) cloud provider. This migration involves transferring sensitive customer data, including contact details and shipping histories. SwiftShip Logistics needs to ensure that the contractual arrangements with the SaaS provider adequately address information security risks and that ongoing compliance is maintained. Which Annex A control from ISO 27001:2022 is most directly applicable to establishing and managing the security aspects of this cloud service relationship?

Accepted Answer

A.5.23 Information security for use of cloud services

Question 24

An enterprise is migrating its customer database to a Software-as-a-Service (SaaS) platform for enhanced scalability and accessibility. The critical requirement is to ensure that only authorized personnel can access specific customer records and that the data remains confidential even if unauthorized access to the underlying storage occurs. The organization is focusing on implementing robust authentication mechanisms, role-based access control (RBAC) policies, and data-at-rest encryption for the customer information. Which of the ISO 27002:2022 control themes most directly encompasses the implementation of these specific security measures for the SaaS CRM?

Accepted Answer

Technological controls

Question 25

A financial services firm is migrating its customer data to a new Software-as-a-Service (SaaS) platform for enhanced analytics. The data includes personally identifiable information (PII) and sensitive financial transaction details. Given the regulatory landscape, such as GDPR and CCPA, the firm must ensure that this data remains confidential and is not subject to unauthorized modification. Which combination of ISO 27002:2022 controls would most effectively address the immediate risks associated with data protection in this new cloud-based environment?

Accepted Answer

Access control (5.15) and Information security for use of cloud services (5.23)

Question 26

A global technology firm, \"Innovate Solutions,\" is migrating its internal project documentation and client collaboration to a new Software-as-a-Service (SaaS) platform. This platform will be used by a mix of internal employees across various departments and a select group of external consultants working on specific projects. The firm needs to ensure that sensitive intellectual property and client data are protected according to its information security policy, which is aligned with ISO 27001:2022 principles. What is the most effective approach to manage user access to the SaaS platform, considering the diverse user base and varying information sensitivity levels?

Accepted Answer

Establish a formal, documented process for role-based access control, defining specific access privileges for different user roles and ensuring regular reviews and audits of these permissions.

Question 27

A global e-commerce firm, \"AstroGoods,\" is migrating its customer database to a Software as a Service (SaaS) CRM platform. This platform will store personally identifiable information (PII) and transaction histories for millions of customers across various jurisdictions, including those with strict data residency laws. AstroGoods must ensure the confidentiality, integrity, and availability of this sensitive data while leveraging the benefits of cloud computing. Considering the principles outlined in ISO 27001:2022, what is the most critical initial step AstroGoods should undertake to establish a secure foundation for its CRM data in the cloud environment?

Accepted Answer

Conduct a comprehensive review of the cloud provider's security certifications, audit reports, and contractual clauses pertaining to data protection, data residency, and service level agreements.

Question 28

Anya Sharma, the Information Security Manager at \"Innovate Solutions,\" is overseeing the adoption of a new cloud-based Customer Relationship Management (CRM) system. This system will store and process a significant volume of sensitive customer contact details and purchase histories. Anya\'s primary objective is to ensure the confidentiality, integrity, and availability of this data, while also adhering to stringent data protection regulations. Considering the shared responsibility model inherent in cloud computing and the need for robust data governance, which of the following approaches best reflects the critical steps Anya should prioritize to establish and maintain a secure cloud CRM environment in alignment with ISO 27001:2022 principles and relevant data privacy laws?

Accepted Answer

Negotiate comprehensive contractual clauses with the cloud provider regarding data protection, encryption standards, and incident notification, and implement detailed logging and monitoring of all system access and data modification activities.

Question 29

A financial services firm has adopted a new Software as a Service (SaaS) platform for customer relationship management. This platform processes a significant volume of sensitive client financial data. The firm\'s information security team is tasked with ensuring that the SaaS provider\'s security posture adequately protects this data, in line with the firm\'s own stringent regulatory obligations, such as those stemming from GDPR and similar data protection laws. Which of the following actions is the most critical and direct step to ensure contractual and operational alignment of security responsibilities with the cloud service provider?

Accepted Answer

Negotiate and finalize a comprehensive service agreement with the cloud provider that explicitly details information security requirements, responsibilities, and data protection clauses, referencing relevant regulatory mandates.

Question 30

A financial services firm is migrating its customer data to a new Software-as-a-Service (SaaS) Customer Relationship Management (CRM) platform hosted by a third-party vendor. The firm must ensure the confidentiality, integrity, and availability of this sensitive data, adhering to regulations like GDPR and CCPA. Which ISO 27001:2022 Annex A control provides the most foundational guidance for establishing the necessary security posture for this cloud-based data processing environment?

Accepted Answer

A.5.15 Information security for use of cloud services

ISO 27001:2022 - Information Security Controls Professional (based on ISO 27002:2022) Free Practice Test — 30 Questions

A lot more is already mapped out

About the ISO 27001:2022 - Information Security Controls Professional (based on ISO 27002:2022) Certification