ISO/IEC 27002:2013 Code of Practice for Information Security Controls Exam Free Practice Test — 30 Questions

Question 1

A global e-commerce firm is migrating its customer database to a Software-as-a-Service (SaaS) platform provided by an external vendor. The firm\'s legal department has raised concerns about ensuring the continued confidentiality and integrity of sensitive customer Personally Identifiable Information (PII) as mandated by regulations like GDPR. Which ISO/IEC 27002:2013 control, when properly implemented through contractual agreements and ongoing oversight, most directly addresses the security implications of this outsourcing arrangement?

Accepted Answer

Establishing comprehensive supplier agreements that explicitly define information security requirements and responsibilities for data protection and incident management.

Question 2

An enterprise is migrating its customer database to a Software-as-a-Service (SaaS) Customer Relationship Management (CRM) platform hosted by an external vendor. The organization handles highly sensitive personal data, subject to stringent regulatory requirements like GDPR. What is the most critical control area within ISO/IEC 27002:2013 that must be rigorously addressed to manage the information security risks associated with this outsourcing arrangement?

Accepted Answer

Supplier Relationships (A.15)

Question 3

A financial services firm is migrating its customer database to a Software-as-a-Service (SaaS) cloud provider. The database contains highly sensitive Personally Identifiable Information (PII) and financial transaction details. The firm needs to ensure that only authorized personnel and systems can access this data through the cloud interface and underlying network infrastructure. Which control from ISO/IEC 27002:2013 most directly addresses the fundamental security requirement of managing access to the network services enabling this cloud-based data repository?

Accepted Answer

Access to networks and network services

Question 4

A financial services firm is migrating its customer onboarding and account management processes to a Software-as-a-Service (SaaS) cloud platform. This platform will store significant volumes of personally identifiable information (PII) and sensitive financial transaction data. The firm\'s legal and compliance departments have expressed concerns about data sovereignty, the provider\'s security certifications, and the ability to conduct independent security audits. Which ISO/IEC 27002:2013 control is most critical for establishing the necessary security assurances and managing the risks associated with this third-party cloud service engagement?

Accepted Answer

Supplier relationship management

Question 5

A financial services firm is migrating its legacy customer database to a new, cloud-hosted Customer Relationship Management (CRM) platform. This platform will store a significant volume of personally identifiable information (PII) and sensitive transaction details. The firm\'s chief information security officer (CISO) is tasked with ensuring the security of this data throughout the migration and ongoing operation of the new system, adhering to the principles outlined in ISO/IEC 27002:2013. Which control from the standard is most directly applicable to establishing a secure foundation for this new CRM system from its inception?

Accepted Answer

A.14.2.5 Secure system engineering principles

Question 6

A multinational corporation is migrating its critical customer database to a Software as a Service (SaaS) provider. The organization has identified that the SaaS provider will have administrative access to the underlying infrastructure hosting the customer data. What is the most crucial step the corporation must undertake to ensure the confidentiality and integrity of this sensitive data, adhering to the principles outlined in ISO/IEC 27002:2013?

Accepted Answer

Establish a comprehensive contractual agreement with the SaaS provider that explicitly details data protection obligations, security audit rights, and incident notification procedures.

Question 7

A financial services firm is migrating its customer data management to a new Software-as-a-Service (SaaS) Customer Relationship Management (CRM) platform hosted by an external vendor. This platform will store highly sensitive personal and financial information. The firm must ensure that the vendor\'s security practices align with its own stringent compliance obligations, including those mandated by financial regulations. Which control from ISO/IEC 27002:2013 provides the most foundational guidance for establishing and managing the security aspects of this third-party relationship?

Accepted Answer

Information security in supplier relationships

Question 8

A technology firm, \"Innovate Solutions,\" is preparing to launch a novel SaaS platform that will process sensitive customer financial data. They have decided to leverage a third-party cloud infrastructure provider for hosting and managing the underlying computing resources. To ensure the security and compliance of this arrangement, particularly concerning the protection of data handled by the cloud provider, which control from ISO/IEC 27002:2013 provides the foundational framework for addressing information security aspects within this supplier relationship?

Accepted Answer

15.1 Information security in supplier relationships

Question 9

A global financial services firm is migrating its legacy customer data management platform to a modern, cloud-hosted Customer Relationship Management (CRM) system. This migration involves transferring vast amounts of personally identifiable information (PII) and sensitive financial transaction records. The firm’s chief information security officer (CISO) is tasked with ensuring that the security posture of the new system meets stringent regulatory requirements, including those mandated by GDPR and similar data protection laws, while also aligning with the organization\'s internal information security policies. Which control category from ISO/IEC 27002:2013 is most critical to address during the initial planning and procurement phase of this CRM system to establish a robust security foundation?

Accepted Answer

System acquisition, development and maintenance

Question 10

Following the detection and confirmation of a significant data exfiltration event impacting customer personal identifiable information, what is the most critical initial step an organization, adhering to ISO/IEC 27002:2013 guidelines, should undertake to manage the incident?

Accepted Answer

Activate the established information security incident response plan to contain the breach and initiate recovery operations.

Question 11

A global e-commerce firm is migrating its customer database to a third-party cloud infrastructure. This new system will handle personally identifiable information (PII) and financial transaction details. The firm\'s legal department has highlighted stringent compliance obligations under various data privacy regulations. What fundamental step, as guided by ISO/IEC 27002:2013, should be prioritized during the selection and onboarding of the cloud service provider to ensure robust information security and regulatory adherence?

Accepted Answer

Establishing comprehensive contractual clauses with the cloud provider that explicitly define security responsibilities, data handling procedures, incident notification timelines, and audit rights, ensuring alignment with the firm's security policy and relevant legal frameworks.

Question 12

A global e-commerce firm, \"AstroMerch,\" is migrating its extensive customer database, containing personally identifiable information (PII) and transaction histories, to a third-party cloud service provider. AstroMerch needs to establish a robust security framework for this migration and ongoing operation, particularly concerning the integrity and confidentiality of the customer records stored off-premises. Which control from ISO/IEC 27002:2013 provides the most direct guidance for ensuring the cloud provider\'s commitment to safeguarding these sensitive customer records against unauthorized alteration or deletion?

Accepted Answer

A.18.1.4 Protection of records

Question 13

Following the discovery of a significant data exfiltration event stemming from an unpatched critical vulnerability on a public-facing web server, the organization\'s incident response team has initiated its predefined procedures. The breach has exposed personally identifiable information of thousands of clients. Considering the immediate need to mitigate further damage and address the underlying technical flaw that facilitated the compromise, which control from ISO/IEC 27002:2013 provides the most direct and immediate guidance for rectifying the situation and preventing its recurrence?

Accepted Answer

A.12.6.1 Management of technical vulnerabilities

Question 14

A technology firm is launching a novel SaaS platform that will ingest and process personally identifiable information (PII) from users across multiple jurisdictions. To facilitate this, they are leveraging a third-party hyperscale cloud provider. What is the most crucial step the firm must undertake to ensure the security and regulatory compliance of this data processing operation within the cloud environment, considering the principles outlined in ISO/IEC 27002:2013?

Accepted Answer

Establishing a legally binding service agreement with the cloud provider that explicitly defines data protection responsibilities, security measures, and incident handling protocols.

Question 15

A financial services firm is migrating its client onboarding process to a new Software-as-a-Service (SaaS) platform hosted by a third-party vendor. This platform will handle highly sensitive personal identifiable information (PII) and financial transaction details. The firm\'s internal audit team has raised concerns about the vendor\'s development lifecycle and how security is embedded within their operational processes. What is the most critical step the firm must take to ensure the security of the data processed by this new SaaS platform, aligning with the principles outlined in ISO/IEC 27002:2013?

Accepted Answer

Formally document and contractually obligate the SaaS vendor to adhere to the firm's defined security requirements for system development and support, ensuring these are integrated into the service agreement.

Question 16

A global e-commerce firm, \"AstroMart,\" is migrating its customer database to a new Software-as-a-Service (SaaS) Customer Relationship Management (CRM) platform hosted by a third-party vendor. This platform will store sensitive customer Personally Identifiable Information (PII) and transaction history. AstroMart needs to ensure that the information security of this outsourced service is maintained in accordance with its own internal policies and relevant data protection legislation, such as the General Data Protection Regulation (GDPR). Which of the following actions, derived from the principles outlined in ISO/IEC 27002:2013, represents the most fundamental and proactive step AstroMart should take to manage the information security risks associated with this supplier relationship?

Accepted Answer

Establishing a comprehensive contractual agreement with the SaaS CRM vendor that clearly defines information security responsibilities, data handling procedures, access controls, incident management, and audit rights, ensuring alignment with AstroMart's security policies and regulatory requirements.

Question 17

A global e-commerce firm is migrating its customer database to a Software as a Service (SaaS) cloud provider for its new customer relationship management (CRM) platform. This database contains personally identifiable information (PII) and financial transaction details for millions of customers across various jurisdictions, each with its own data protection regulations. The organization needs to ensure the highest level of assurance for data confidentiality and integrity within this outsourced environment. Which control area from ISO/IEC 27002:2013 is most critical to address upfront in the contractual agreements with the SaaS provider to mitigate the inherent risks of data processing by a third party?

Accepted Answer

Supplier Relationships

Question 18

An enterprise is migrating its customer data to a new Software-as-a-Service (SaaS) Customer Relationship Management (CRM) platform. The organization handles personally identifiable information (PII) and financial transaction details for its global clientele. Given the potential for data breaches and the need to comply with diverse data protection regulations, what fundamental principle from ISO/IEC 27002:2013 should guide the selection and integration of this SaaS CRM to ensure robust information security?

Accepted Answer

Proactively defining and embedding information security requirements into the acquisition and operational lifecycle of the SaaS CRM, including contractual obligations with the provider.

Question 19

A financial services firm is migrating its customer data to a new cloud-based Customer Relationship Management (CRM) system. The organization must ensure the confidentiality and integrity of this sensitive information, which includes personal identification numbers and transaction histories. The firm has identified a potential cloud service provider but has not yet finalized the contract. What is the most critical step the firm should undertake *before* signing the agreement to align with ISO/IEC 27002:2013 principles for cloud service engagement?

Accepted Answer

Conduct a comprehensive security assessment of the cloud provider's infrastructure and operational practices, and ensure the contract clearly defines security responsibilities and data protection clauses.

Question 20

A financial services firm is migrating its legacy customer database to a new, cloud-hosted customer relationship management (CRM) platform. This platform will be managed by an external vendor. The firm’s compliance officer is concerned about ensuring the confidentiality and integrity of the sensitive customer financial data processed and stored by this new system, particularly regarding how the system is built and configured. Which control from ISO/IEC 27002:2013 most directly addresses the need to embed security into the design and development of such a system, ensuring it is built securely from the ground up?

Accepted Answer

A.14.2.5 Secure system engineering principles

Question 21

A financial institution is evaluating a new cloud service provider to host sensitive customer data. The organization\'s risk assessment has identified significant potential threats related to data breaches and unauthorized access stemming from this third-party relationship. Considering the principles outlined in ISO/IEC 27002:2013, what is the most critical initial action to mitigate these identified risks before the service is fully operational?

Accepted Answer

Ensure the contractual agreement with the cloud provider explicitly details information security requirements and responsibilities.

Question 22

A global financial services firm is migrating its legacy customer data management system to a modern, cloud-hosted Software-as-a-Service (SaaS) platform. The new platform will handle highly sensitive personal and financial information, necessitating robust security measures. To comply with ISO/IEC 27002:2013 guidelines and relevant data protection regulations, what is the most critical initial step the firm must undertake to ensure the security of this new system and its data?

Accepted Answer

Explicitly define and document information security requirements for the cloud-hosted CRM system during the acquisition and implementation phases.

Question 23

A cybersecurity analyst at a global financial institution, Veridian Bank, detects unusual network traffic patterns originating from a critical customer database server. Initial analysis suggests a potential unauthorized access attempt. Considering the immediate need to prevent further compromise and preserve evidence, which of the following actions should Veridian Bank\'s incident response team prioritize as the very first step?

Accepted Answer

Isolate the affected server from the network to prevent further unauthorized access or data exfiltration.

Question 24

A financial services firm is migrating its client onboarding process to a Software as a Service (SaaS) platform hosted by a third-party cloud provider. This platform will store sensitive personally identifiable information (PII) and financial transaction details. The firm\'s legal and compliance departments have identified stringent regulatory requirements under frameworks like GDPR and local financial data protection laws that must be met by any entity handling this data. Which control from ISO/IEC 27002:2013 provides the most direct guidance for ensuring the cloud provider\'s adherence to these security and regulatory obligations throughout the service lifecycle?

Accepted Answer

6.3.1 Supplier relationships

Question 25

A global e-commerce firm is migrating its customer database to a new Software-as-a-Service (SaaS) cloud platform. The database contains personally identifiable information (PII) and transaction histories, subject to stringent data protection regulations like GDPR. The firm\'s chief information security officer (CISO) is tasked with ensuring that the transition and ongoing operation of the cloud CRM system meet the organization\'s information security objectives. Which of the following actions best reflects the application of ISO/IEC 27002:2013 guidance for managing information security in this context?

Accepted Answer

Establish and document comprehensive information security requirements for the cloud CRM system, ensuring these are integrated into the procurement and implementation phases, and verify vendor compliance with these requirements.

Question 26

A global e-commerce firm, \"AstraMart,\" is migrating its customer database to a new, advanced cloud-based Customer Relationship Management (CRM) platform. During the integration and testing phase of this migration, the IT security team is concerned about the potential exposure of sensitive customer Personally Identifiable Information (PII) that might be used in various test scenarios. Considering the principles outlined in ISO/IEC 27002:2013, which control from Annex A is most directly applicable to ensuring the security of this customer data during the testing of the new CRM system, even if the data is a de-identified subset or synthetically generated for testing purposes?

Accepted Answer

Protection of test data

Question 27

A technology firm is embarking on the creation of a novel Software-as-a-Service (SaaS) platform hosted entirely on a public cloud infrastructure. The project involves a multidisciplinary team of developers, testers, and operations personnel. To ensure the integrity and confidentiality of user data processed by this new platform, the organization must embed robust security measures throughout the entire software development lifecycle (SDLC). Which control from ISO/IEC 27002:2013 most directly addresses the foundational requirement to integrate security considerations into the design and build phases of this new cloud-based service?

Accepted Answer

Security requirements of information systems

Question 28

Following the emergency deployment of a critical security patch to the primary customer-facing web application, the organization experienced a significant, albeit brief, outage that impacted service availability. Post-incident analysis revealed that the patch was applied directly by the system administrator on call, bypassing the standard change management workflow which typically involves a change request, risk assessment, testing in a staging environment, and formal approval from the IT steering committee. Which of the following actions would most effectively address the underlying procedural deficiency identified in this incident, in accordance with ISO/IEC 27002:2013 principles?

Accepted Answer

Reiterate and enforce the organization's established change management policy, ensuring all modifications to production systems, including emergency patches, undergo the full documented process of risk assessment, impact analysis, testing, and formal approval.

Question 29

A global financial services firm is migrating its legacy client onboarding platform to a modern, cloud-native microservices architecture. This new architecture involves integrating with multiple external data providers and requires stringent adherence to data privacy regulations like GDPR. The firm\'s chief information security officer (CISO) is tasked with ensuring that the security of the new system is not compromised during this transition and ongoing operation. Considering the principles outlined in ISO/IEC 27002:2013, which control area most directly supports the systematic embedding of security considerations throughout the entire lifecycle of this new, complex system, from design and development to deployment and maintenance, particularly in a distributed and outsourced environment?

Accepted Answer

A.14.2.5 Secure system engineering principles

Question 30

A global financial institution is launching a new customer-facing application hosted on a public cloud platform. This application will process sensitive personal financial data of customers residing in multiple jurisdictions, each with distinct data residency and privacy regulations. The organization must ensure that customer data is not transferred or stored in locations that would violate these stringent legal requirements. Which of the following controls, as guided by ISO/IEC 27002:2013, most directly addresses the risk of non-compliance with data residency laws for this cloud-hosted application?

Accepted Answer

Implementing controls to ensure the cloud service provider's infrastructure is configured to restrict data processing and storage to approved geographical locations.

ISO/IEC 27002:2013 Code of Practice for Information Security Controls Exam Free Practice Test — 30 Questions

A lot more is already mapped out

About the ISO/IEC 27002:2013 Code of Practice for Information Security Controls Exam Certification