ISO/IEC 27002:2022 - Information Security Controls Foundation Free Practice Test — 30 Questions

Question 1

A multinational corporation, \"Aethelred Dynamics,\" has migrated a significant portion of its sensitive research and development data to a public cloud infrastructure. The organization\'s Chief Information Security Officer (CISO) is reviewing the contractual agreements and internal policies to ensure compliance with ISO/IEC 27002:2022 principles regarding cloud service usage. Considering the shared responsibility model inherent in cloud computing, what is the primary and non-delegable security obligation of Aethelred Dynamics as the customer organization in this scenario?

Accepted Answer

Ensuring the cloud service provider implements robust physical security measures for the data centers hosting their data.

Question 2

A multinational corporation, \"Aethelred Dynamics,\" has formalized a comprehensive set of directives outlining the acceptable use, classification, and disposal of all digital and physical information assets. This policy document is now being integrated into the onboarding process for all new employees and is accessible on the company\'s internal portal. Which of the ISO/IEC 27002:2022 control themes would this initiative primarily fall under?

Accepted Answer

Organizational controls

Question 3

A global logistics firm, \"SwiftShip Solutions,\" has migrated its primary customer relationship management (CRM) system to a Software as a Service (SaaS) platform provided by \"CloudConnect Inc.\" SwiftShip Solutions handles sensitive client shipping manifests and personal contact information. Following a recent data breach incident at CloudConnect Inc. that exposed some of SwiftShip Solutions\' customer data, an internal audit revealed that SwiftShip Solutions had not implemented any specific data encryption mechanisms or granular access controls within the SaaS application itself, relying solely on CloudConnect Inc.\'s stated security measures. Which of the following best describes SwiftShip Solutions\' primary responsibility regarding the security of its data within the SaaS environment, as per the principles outlined in ISO/IEC 27002:2022?

Accepted Answer

SwiftShip Solutions is primarily responsible for implementing controls to protect its data within the SaaS application, including data encryption and access management, irrespective of the provider's security posture.

Question 4

A financial services firm is migrating its customer onboarding process to a new Software-as-a-Service (SaaS) platform. This platform will store and process significant volumes of personally identifiable information (PII) and sensitive financial transaction details. The firm\'s chief information security officer (CISO) is concerned about the potential for unauthorized access, data leakage, and the integrity of the data stored within the SaaS environment. Considering the principles outlined in ISO/IEC 27002:2022, which control objective most directly addresses the overarching need to safeguard the confidentiality, integrity, and availability of this sensitive customer data within the new SaaS system?

Accepted Answer

Ensure the security of information processing facilities.

Question 5

An enterprise is migrating its critical customer data to a Software as a Service (SaaS) platform for enhanced collaboration and accessibility. The organization operates under stringent data privacy regulations, requiring robust protection of personally identifiable information (PII). During the vendor selection process, the organization identified that the SaaS provider\'s data center locations and security certifications were not fully transparent, and the contractual terms regarding data breach notification were vague. Which control category from ISO/IEC 27002:2022 most directly addresses the need to ensure the security of this outsourced service and the data it processes, considering the regulatory environment?

Accepted Answer

Controls related to monitoring and review of supplier services

Question 6

A financial services firm is migrating its customer onboarding process to a Software as a Service (SaaS) platform hosted by a third-party vendor. This platform will handle personally identifiable information (PII) and sensitive financial transaction details. Considering the shared responsibility model of cloud computing and the firm\'s obligation to comply with stringent data protection regulations such as the General Data Protection Regulation (GDPR), which of the following actions would be the most critical initial step to ensure the security and compliance of this new system?

Accepted Answer

Verifying the SaaS provider's adherence to recognized security standards through independent audits and ensuring contractual clauses explicitly address data protection responsibilities and breach notification procedures.

Question 7

A software development firm, \"Innovate Solutions,\" is experiencing a series of subtle intellectual property leaks, with proprietary algorithms for their next-generation AI platform appearing in competitor forums. Investigations reveal that several developers, including the lead architect, Anya Sharma, have been using personal cloud storage services and unencrypted messaging applications to share code snippets and design documents, bypassing the company\'s secure development environment. This practice, while intended to facilitate rapid collaboration, has inadvertently created avenues for sensitive information to be exfiltrated. Considering the principles outlined in ISO/IEC 27002:2022, which control area would be most critical for Innovate Solutions to strengthen to proactively identify and mitigate such unauthorized disclosures of intellectual property?

Accepted Answer

Implementing comprehensive monitoring activities to detect unusual data transfer patterns and unauthorized access to sensitive information.

Question 8

A cybersecurity analyst at a global financial institution, known for its stringent data protection regulations, detects an unusual pattern of outbound network traffic from a critical server housing customer financial data. This anomaly suggests a potential data exfiltration event. Considering the principles outlined in ISO/IEC 27002:2022 for managing information security incidents, what is the most prudent immediate course of action to mitigate the potential impact of this detected anomaly?

Accepted Answer

Isolate the affected server from the network to prevent further data leakage and then initiate a forensic investigation.

Question 9

A global e-commerce firm, \"Aethelred\'s Emporium,\" is migrating its extensive customer database, containing purchase histories, contact details, and payment preferences, to a Software-as-a-Service (SaaS) CRM platform. The firm operates under stringent data protection regulations, such as the GDPR, which mandate the safeguarding of personal data. The primary objective is to prevent unauthorized disclosure and modification of this sensitive information. Which combination of security controls, drawn from the principles outlined in ISO/IEC 27002:2022, would most effectively address the firm\'s data protection requirements in this cloud-based scenario?

Accepted Answer

Implementing a robust role-based access control (RBAC) mechanism for the CRM platform and employing end-to-end encryption for all data transmitted to and stored within the SaaS environment.

Question 10

A global e-commerce firm, \"AstroGoods,\" is migrating its customer database to a Software-as-a-Service (SaaS) cloud provider. The database contains personally identifiable information (PII) and transaction histories. AstroGoods needs to ensure that access to and usage of this data within the SaaS environment is appropriately governed and auditable, in line with its internal information security policies and potential regulatory obligations such as the California Consumer Privacy Act (CCPA). Which of the following actions would best address the need for ongoing oversight and accountability for data within the cloud CRM system?

Accepted Answer

Implement comprehensive monitoring and logging of all activities within the cloud CRM system, ensuring logs are retained and analyzed for security events and policy violations.

Question 11

A financial services firm is migrating its customer onboarding process to a Software-as-a-Service (SaaS) platform hosted by a third-party vendor. This platform will process and store personally identifiable information (PII) and sensitive financial details of its clientele. The firm\'s internal audit team has raised concerns about ensuring the security and privacy of this data, given the reliance on an external entity. Which ISO/IEC 27002:2022 control is most directly applicable to establishing the necessary security assurances for this specific scenario?

Accepted Answer

5.23 Information security for use of cloud services

Question 12

A global technology firm has transitioned to a permanent hybrid work model, with a significant portion of its workforce operating remotely and accessing sensitive corporate data from a variety of locations, including home offices and public Wi-Fi networks. The firm is updating its information security policies to align with the latest ISO/IEC 27002:2022 standard and needs to categorize the primary security considerations for this new operational paradigm. Which of the ISO/IEC 27002:2022 control categories most directly encompasses the security requirements for protecting organizational information accessed and processed on employee-owned or company-issued devices used outside of the traditional secure office environment?

Accepted Answer

User endpoint devices

Question 13

A financial services firm is migrating its legacy customer database to a new Software-as-a-Service (SaaS) platform for enhanced analytics and client engagement. The database contains highly sensitive personally identifiable information (PII) and transaction details, subject to strict regulatory compliance under frameworks like GDPR and CCPA. The firm\'s chief information security officer (CISO) needs to ensure that the security of this data is maintained throughout the migration and ongoing operation of the SaaS platform. Which of the following approaches best addresses the core security considerations for this transition, aligning with ISO/IEC 27002:2022 principles for managing cloud services and access?

Accepted Answer

Implement granular role-based access controls within the SaaS platform and establish a comprehensive service level agreement (SLA) with the SaaS provider that explicitly details data protection obligations and audit rights.

Question 14

A burgeoning fintech company, \"QuantumLeap Finance,\" offers a cloud-based platform for managing high-frequency trading data. The platform processes and stores vast amounts of sensitive financial information, including customer transaction histories and proprietary trading algorithms. A recent internal audit identified a significant risk of unauthorized access and potential data manipulation by privileged users who have broad access to the system. The company is currently reviewing its information security control framework, aligned with ISO/IEC 27002:2022, to mitigate this identified risk. Which control, or combination of controls, would be most effective in directly addressing the risk of unauthorized access and manipulation of sensitive financial data by privileged users within this cloud environment?

Accepted Answer

Implementing stringent access control mechanisms, including role-based access, multi-factor authentication for all privileged accounts, and regular access reviews to enforce the principle of least privilege.

Question 15

Aether Dynamics, a mid-sized enterprise, has transitioned to a hybrid cloud infrastructure, leveraging a public cloud provider for scalable data analytics and a private cloud for sensitive intellectual property. Following a recent security incident where unauthorized access to customer personally identifiable information (PII) occurred on the public cloud segment, Aether Dynamics\' Chief Information Security Officer (CISO) has initiated a review of their cloud security posture. The CISO\'s immediate actions include the development of a comprehensive cloud security policy that explicitly outlines data classification requirements, mandates rigorous security assessments of all cloud service providers, and establishes clear lines of responsibility for data protection and incident response between Aether Dynamics and its vendors. Considering the control objectives and implementation guidance provided by ISO/IEC 27002:2022, which of the following control categories most directly and comprehensively encompasses the CISO\'s proactive measures to enhance governance and oversight in this cloud-centric environment?

Accepted Answer

Organizational controls

Question 16

A global financial institution, \"Aethelred Capital,\" has migrated a significant portion of its customer data processing to a public cloud infrastructure. While the cloud provider offers robust security features, Aethelred Capital\'s internal audit team has identified a potential gap in ensuring continuous compliance with evolving data residency regulations and the precise allocation of responsibilities for data breach notification. Considering the principles outlined in ISO/IEC 27002:2022, what is the most critical action Aethelred Capital must undertake to address this identified gap and maintain its information security posture?

Accepted Answer

Proactively renegotiate the service agreement with the cloud provider to explicitly define granular responsibilities for data breach notification timelines and procedures, alongside detailed clauses on data residency assurance and audit rights.

Question 17

A global logistics firm, \"SwiftShip Logistics,\" has recently transitioned its internal project management and document sharing to a suite of cloud-based Software as a Service (SaaS) platforms. While this has significantly improved inter-departmental collaboration and data accessibility across its various international branches, the Chief Information Security Officer (CISO) has raised concerns about the lack of clearly defined security responsibilities between SwiftShip and the SaaS providers, as well as the absence of specific clauses in their service agreements addressing data residency and incident response protocols. Which of the following ISO/IEC 27002:2022 control themes most directly addresses the CISO\'s concerns regarding the firm\'s use of these cloud services?

Accepted Answer

Organizational controls

Question 18

A multinational corporation, \"Aethelred Innovations,\" has migrated a significant portion of its sensitive research and development data to a Software as a Service (SaaS) platform provided by a third-party vendor. The contractual agreement with the vendor outlines the vendor\'s responsibilities for the security of the underlying infrastructure and the SaaS application itself. However, Aethelred Innovations\' internal audit team has raised concerns about the potential for unauthorized access to the R&D data due to inadequate access controls configured by Aethelred\'s own IT department. Which of the following best reflects Aethelred Innovations\' primary responsibility for information security in this cloud-based scenario, according to the principles of ISO/IEC 27002:2022?

Accepted Answer

Ensuring that appropriate access controls are implemented and managed for the R&D data within the SaaS platform, regardless of the vendor's security obligations.

Question 19

A global e-commerce firm, \"AstroGoods,\" is migrating its entire customer database to a Software-as-a-Service (SaaS) CRM platform. This platform will store personally identifiable information (PII), transaction histories, and marketing preferences. AstroGoods\' legal department has flagged potential compliance risks under various data privacy regulations, including the California Consumer Privacy Act (CCPA) and the European Union\'s General Data Protection Regulation (GDPR), which mandate robust data protection measures. Given the shared responsibility model of SaaS, what is the most critical initial step AstroGoods must undertake to ensure the security and compliance of its customer data within the new CRM system?

Accepted Answer

Perform a comprehensive due diligence review of the SaaS provider's security certifications, audit reports, and contractual terms to verify alignment with AstroGoods' security policies and regulatory obligations.

Question 20

Aether Dynamics, a multinational corporation, has recently migrated a significant portion of its customer relationship management (CRM) system to a public cloud infrastructure. A critical aspect of their operations involves processing the personal data of European Union citizens, necessitating strict adherence to the General Data Protection Regulation (GDPR), which mandates that such data generally remains within the European Economic Area (EEA). The organization is seeking to implement an appropriate control from ISO/IEC 27002:2022 to manage the information security risks associated with this cloud deployment, specifically concerning data sovereignty and regulatory compliance. Which control, or aspect of a control, would be most effective in ensuring Aether Dynamics meets its data residency obligations with its chosen cloud service provider?

Accepted Answer

Establishing a contractual agreement with the cloud service provider that explicitly defines and restricts the geographical locations where customer personal data is processed and stored, and requiring the provider to provide verifiable evidence of compliance.

Question 21

A global e-commerce firm is migrating its customer database to a new Software-as-a-Service (SaaS) platform. This database contains personally identifiable information (PII) and transaction histories, subject to stringent data privacy regulations like the California Consumer Privacy Act (CCPA). The firm\'s chief information security officer (CISO) is tasked with ensuring the security of this data in the new environment, aligning with ISO/IEC 27002:2022 guidelines. Which control, when effectively implemented, forms the bedrock for determining the appropriate security measures for this sensitive customer data within the SaaS platform?

Accepted Answer

Information classification

Question 22

A global e-commerce firm, \"AstroGoods,\" is migrating its customer database to a Software-as-a-Service (SaaS) CRM platform. This platform will house personally identifiable information (PII) and transaction histories for millions of customers. AstroGoods must ensure that the data remains protected according to stringent data privacy regulations, such as GDPR and CCPA, and that the service provider\'s security posture aligns with their own risk appetite. Which ISO/IEC 27002:2022 control provides the most foundational guidance for establishing the necessary security framework for managing this cloud-based information asset?

Accepted Answer

5.23 Information security for use of cloud services

Question 23

A multinational corporation, \"Aether Dynamics,\" is transitioning a critical customer relationship management (CRM) system to a new cloud service provider, \"Nebula Solutions.\" Aether Dynamics operates under stringent data privacy regulations, including GDPR. Before the full migration and integration of Nebula Solutions\' services, what is the most crucial step Aether Dynamics must undertake to ensure compliance and robust information security, as guided by ISO/IEC 27002:2022 principles for managing ICT supply chain risks?

Accepted Answer

Formally document and agree upon specific information security requirements with Nebula Solutions in a legally binding contract, and conduct a pre-engagement security assessment of Nebula Solutions' infrastructure and processes.

Question 24

A global e-commerce firm, \"AstroGoods,\" is migrating its entire customer database, containing personally identifiable information (PII) and payment card details, to a Software-as-a-Service (SaaS) cloud platform. The firm\'s chief information security officer (CISO) is tasked with ensuring the confidentiality and integrity of this data in the new environment, adhering to principles outlined in ISO/IEC 27002:2022. Considering the potential risks associated with data exposure in a multi-tenant cloud environment and the regulatory requirements like GDPR, which control theme and specific control, when implemented effectively, would provide the most robust protection for the customer data at rest and in transit within the SaaS CRM?

Accepted Answer

Cryptography (Theme: Cryptography, Control 8.23)

Question 25

A global logistics firm, \"TransGlobal Freight,\" is migrating its critical shipment tracking data to a third-party cloud infrastructure provider. To ensure the integrity and confidentiality of this sensitive data, TransGlobal Freight is establishing stringent contractual clauses, conducting thorough vendor risk assessments, and implementing ongoing performance monitoring mechanisms for the cloud provider\'s security practices. Which of the following ISO/IEC 27002:2022 control themes most directly encompasses the proactive measures TransGlobal Freight is undertaking to manage information security within this external partnership?

Accepted Answer

Organizational controls

Question 26

A global e-commerce firm, \"AstroMart,\" has recently migrated its customer database to a Software-as-a-Service (SaaS) cloud platform. The primary objective of this migration was to enhance scalability and accessibility for its sales and support teams. However, a significant concern has emerged regarding the continuous assurance of data confidentiality and integrity for millions of customer records, including personal identification information and transaction histories. AstroMart\'s internal audit team has identified a gap in their current security posture, specifically in proactively detecting and responding to potential unauthorized data exfiltration or modification attempts within the cloud environment. Considering the principles outlined in ISO/IEC 27002:2022, which control, when effectively implemented, would most directly address AstroMart\'s need for ongoing vigilance and the detection of anomalous activities within their cloud-hosted CRM system to maintain data protection?

Accepted Answer

Monitoring activities

Question 27

An enterprise is migrating its customer database to a Software-as-a-Service (SaaS) CRM platform. The organization must ensure that the sensitive personal data of its clients, as mandated by regulations like GDPR, remains protected throughout this transition and ongoing operation. Given the shared responsibility model of SaaS, which ISO/IEC 27002:2022 control provides the most fundamental guidance for establishing and maintaining an appropriate security posture for this cloud-based service, encompassing the need to define responsibilities and manage risks associated with the provider?

Accepted Answer

5.10 Information security in the cloud

Question 28

An organization, \"Aethelred Analytics,\" utilizes a Software-as-a-Service (SaaS) platform hosted by \"NimbusCloud Solutions\" to store sensitive customer data. A security incident at NimbusCloud Solutions results in unauthorized access to Aethelred Analytics\' customer database. Considering the principles outlined in ISO/IEC 27002:2022, what is Aethelred Analytics\' paramount responsibility in the immediate aftermath of discovering this breach?

Accepted Answer

Ensuring the cloud service provider adheres to contractual security obligations and initiating the organization's own incident response procedures in coordination with the provider.

Question 29

An organization is developing a new software product and wants to ensure that security is a fundamental consideration from the initial planning phases through to deployment and ongoing maintenance. They are reviewing the ISO/IEC 27002:2022 standard to identify relevant controls. Which of the following controls, categorized by its primary theme, best addresses the systematic integration of information security requirements into the entire lifecycle of an organizational project?

Accepted Answer

Organizational - Information security in the project management processes

Question 30

A financial services firm, \"FinSecure,\" is migrating its legacy customer onboarding platform to a Software-as-a-Service (SaaS) cloud-based solution. This new platform will store and process highly sensitive Personally Identifiable Information (PII) and financial transaction details. FinSecure\'s internal audit team has raised concerns about maintaining compliance with data protection regulations, such as GDPR, and ensuring the confidentiality and integrity of customer data in the new environment. Which of the following actions, aligned with ISO/IEC 27002:2022 principles, would be most critical for FinSecure to undertake to effectively manage information security risks associated with this SaaS adoption?

Accepted Answer

Thoroughly review and negotiate the cloud service provider's contractual terms to clearly define security responsibilities, data handling procedures, and audit rights, while also implementing FinSecure's own robust access controls and data encryption mechanisms for the data it manages within the SaaS platform.

ISO/IEC 27002:2022 - Information Security Controls Foundation Free Practice Test — 30 Questions

A lot more is already mapped out

About the ISO/IEC 27002:2022 - Information Security Controls Foundation Certification