ISO-IEC-27035-Lead-Incident-Manager PECB Certified ISO/IEC 27035 Lead Incident Manager Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract:

Documenting recovery options and estimating recovery time objectives (RTOs) and data loss tolerances (Recovery Point Objectives – RPOs) is a crucial planning activity that supports decision-making during the containment and recovery phases. ISO/IEC 27035-2:2016, Clause 6.4.6 emphasizes that such documentation allows teams to:

Evaluate trade-offs between containment scope and data loss

Determine acceptable downtime for critical services

Select the most appropriate recovery strategy based on business impact

This documentation supports strategic thinking rather than rushed action, reducing the likelihood of costly decisions. It does not necessarily accelerate the process (Option C), nor is it designed to optimize performance (Option A).

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016, an information security event should be documented and communicated as soon as it is identified—particularly if it has the potential to escalate into an incident. Timely documentation and escalation enable the organization to take immediate and coordinated actions, which are essential to managing risk effectively.

Clause 6.2.1 of ISO/IEC 27035-1 states that events, even before confirmation as incidents, must be logged and assessed to determine appropriate response measures. Waiting until after a breach occurs or delaying documentation may violate both internal policies and regulatory requirements, especially in high-risk domains like cryptocurrency.

Therefore, Noah’s actions align fully with the recommended practices outlined in ISO/IEC 27035.

Comprehensive and Detailed Explanation From Exact Extract:

The impact of an information security event is assessed by evaluating how the event affects the CIA triad—Confidentiality, Integrity, and Availability—of information assets. This fundamental concept underpins all ISO/IEC 27000-series standards, including ISO/IEC 27035.

ISO/IEC 27035-1:2016, Clause 6.2.3 explicitly states that an event's severity and urgency are to be assessed by evaluating its actual or potential impact on the organization’s information security objectives, namely:

Confidentiality: Protection from unauthorized disclosure

Integrity: Protection from unauthorized modification

Availability: Assurance of timely and reliable access

This approach ensures consistent and risk-based decision-making during incident assessment. Options A and B are important steps, but they are part of the broader process; they do not directly measure impact.

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1 and 27035-2, the incident management plan is activated upon the detection or reporting of a security event, particularly when a vulnerability, threat, or compromise has been identified. The plan ensures structured response and accountability from the very first signs of a potential incident.

Clause 6.4.2 in ISO/IEC 27035-2 explains that incident response activities—including logging, categorization, assessment, and escalation—should begin as soon as a security incident or vulnerability is reported. This proactive trigger allows early containment and mitigation.

Security audits and policy drafts (Options A and B) are part of preventive or governance mechanisms, not operational triggers for activating the plan.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 6.4.2: “The incident management plan should be activated once a security incident or significant vulnerability is identified and reported.”

Clause 5.1: “Detection and reporting are the initial steps in triggering the formal incident management lifecycle.”

Correct answer: C

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 is titled “Information security incident management — Part 1: Principles of incident management”. This standard provides a comprehensive framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving incident management within an organization.

The scope of ISO/IEC 27035-1 is explicitly broad and designed to be applicable to all organizations, regardless of their size, type, or nature, as stated in the standard’s introduction and scope sections. The principles laid out in the document are intended to be flexible and scalable so that organizations from any sector can adopt and implement incident management processes suitable to their specific context.

The document clearly emphasizes that information security incidents can impact any organization that processes, stores, or transmits information digitally — including law firms like RoLawyers. The guidance addresses the creation of an incident response capability to detect, respond, and recover from information security incidents effectively.

Furthermore, the standard stresses that incident management is a vital part of maintaining information security resilience, minimizing damage, and protecting the confidentiality, integrity, and availability of information assets, which is crucial for organizations handling sensitive data, such as legal firms.

Hence, ISO/IEC 27035-1 is not limited to IT or information security service providers alone; instead, it supports any organization’s need to manage information security incidents systematically. RoLawyers, given its reliance on digital data and the critical nature of its information, can and should apply the standard’s principles to safeguard its assets and clients.

Reference Extracts from ISO/IEC 27035-1:2016:

Scope (Section 1): “The principles provided in this document are intended to be applicable to all organizations, irrespective of type, size or nature.”

Introduction (Section 0.1): “Effective incident management helps organizations to reduce the consequences of incidents and limit the damage caused to information and information systems.”

General (Section 4): “This document provides guidance for establishing, implementing, operating, monitoring, reviewing, maintaining and improving incident management processes within an organization.”

Thus, based on ISO/IEC 27035-1, the guidance is fully applicable to RoLawyers, aligning with their objective to improve information security and incident management practices.

Comprehensive and Detailed Explanation:

According to ISO/IEC 27001:2022 and ISO/IEC 27035-2:2016, top management holds accountability for ensuring the alignment of security policies with organizational objectives. Policy approval, particularly for something as critical as incident management, must be authorized by top-level decision-makers to ensure authority, enforcement, and resource support.

Comprehensive and Detailed Explanation:

According to ISO/IEC 27035-1:2016 and ISO/IEC 27001:2022, when defining the scope of an information security incident management system, organizations must consider all forms of information—whether digital or physical—that are relevant to the business. Incidents can affect hardcopy (e.g., paper-based records) and electronic data (e.g., emails, files), so both must be included in the scope assessment.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035 strongly encourages information sharing among trusted parties to enhance collective incident response capabilities and reduce the broader impact of cyber threats. Clause 6.5.6 in ISO/IEC 27035-1 highlights the importance of cooperation and communication with external parties, including industry-specific information-sharing forums, CERTs/CSIRTs, and trusted partners.

The practice of proactive information exchange allows organizations to:

Detect coordinated or widespread attacks

Accelerate response through shared indicators of compromise (IOCs)

Benefit from collective intelligence and incident analysis

Build sector-wide resilience

However, such exchanges must occur within well-defined protocols that preserve confidentiality, legal compliance, and operational integrity.

Option B and C reflect overly cautious or siloed approaches that may delay response or reduce the effectiveness of collaborative efforts.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.5.6: “Incident management should consider the importance of trusted collaboration, sharing of incident information, and threat intelligence between relevant entities.”

ENISA and FIRST.org also support this collaborative approach in their best practices.

Correct answer: A

—

Comprehensive and Detailed Explanation From Exact Extract:

The “count down” process introduced by Mark in the scenario is intended to expedite the evaluation and classification of information security events — determining whether they are actual incidents or not. This aligns precisely with the “Assess and Decide” phase in ISO/IEC 27035-1 and ISO/IEC 27035-2.

The “Assess and Decide” phase, as defined in ISO/IEC 27035-1:2016, involves the timely assessment of events, classification of vulnerabilities, and making decisions about appropriate handling paths. Speed is essential here, as delays in classifying and responding to potential incidents can increase risk exposure.

Mark’s innovation—a “count down” timer—demonstrates a procedural enhancement to ensure incidents are not left unreviewed. This mechanism improves the timeliness and structure of incident classification and decision-making, which is a key objective of the “Assess and Decide” phase.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.2.2: “Assess and decide phase aims to determine the significance of reported events and decide how to treat them.”

ISO/IEC 27035-2:2016, Clause 7.3: “Assessment of events involves determining whether they constitute an incident and the urgency of response.”

Therefore, the correct answer is C: Assess and Decide.

Certainly! Below is your requested content in the exact structured format for:

✅ QUESTION NO: 13

Including: full scenario context, answer option, and comprehensive explanation based on ISO/IEC 27035-1 and 27035-2 standards.

—

Comprehensive and Detailed Explanation From Exact Extract:

Behavioral analytics refers to using baselines of user or system behavior to identify anomalies that may indicate potential threats. According to ISO/IEC 27035-2, behavioral monitoring is an essential proactive technique for detecting insider threats, account compromise, and lateral movement by attackers.

Once a baseline for “normal behavior” is established (e.g., login patterns, file access, network usage), deviations can trigger alerts or investigations. This allows earlier detection of suspicious activities before they escalate into full-blown incidents.

Option A is a separate initiative related to awareness programs. Option B is more aligned with the response phase, not monitoring.

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-2:2016, one of the technical requirements to support effective incident management is the capability to rapidly detect, collect, and process information about security events, incidents, and vulnerabilities. Timely acquisition of this data allows the organization to assess threats, determine the scope of incidents, and execute response measures quickly.

Clause 7.4.1 emphasizes the need for adequate tools and infrastructure to support the detection and acquisition of information security events and vulnerability reports. The collected data becomes the foundation for risk assessment, root cause analysis, and corrective action planning.

Option A (public disclosure of contact details) might be relevant for CERT/CSIRT public coordination but is not a core requirement in technical incident response. Option B (immediate deletion of reports) is contrary to best practices, as incident reports are critical for audits, compliance, and continuous improvement.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.4.1: “Organizations should ensure that technical means are in place to allow quick acquisition and analysis of information related to events, incidents, and vulnerabilities.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

A single-type Incident Response Team (IRT), as defined in ISO/IEC 27035-1:2016, is responsible for managing and coordinating incident response within a specific organization or business unit. Its scope typically covers the entire lifecycle of incident handling—preparation, detection, containment, response, recovery, and lessons learned—focused solely on the needs of that particular entity.

This contrasts with a coordinating or multi-party IRT, which may support multiple organizations or coordinate between units. While Option A is a byproduct of a well-functioning IRT, it is not its core function. Option B (monitoring) may fall under a SOC, but not the primary function of a single IRT.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.5.1: “An organization may establish a single IRT responsible for handling all incidents affecting the organization.”

ISO/IEC 27035-2:2016, Clause 6.2.3: “Single IRTs typically manage incidents internally and directly support the organization's response processes.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016, a structured approach to incident management involves a phased and deliberate process: detect and report, assess and decide, respond, and learn lessons. Each phase has specific objectives, especially the “Assess and Decide” phase, which is critical in determining whether an event is a real security incident and what level of response it necessitates.

The decision by NoSpace’s IRT to escalate a minor anomaly directly to crisis management without performing a structured assessment contradicts this methodology. Crisis management is typically reserved for severe incidents that have already been assessed and confirmed to be of high impact.

Escalating prematurely not only bypasses the formal classification and analysis phase but also risks wasting resources and causing unnecessary alarm. ISO/IEC 27035-1, Clause 6.2.3, specifically outlines that incidents must first be categorized and assessed to determine their significance before involving higher-level response mechanisms such as crisis management.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.2.2: “Assess and decide involves analyzing reported events to determine whether they are to be classified as incidents, and how they should be handled.”

ISO/IEC 27035-2:2016, Clause 6.4: “Crisis management should be triggered only in cases of major incidents where organizational impact is high.”

Therefore, the correct answer is A: No, escalating a minor anomaly directly to crisis management without further assessment deviates from the objectives of a structured incident management approach.

—

Comprehensive and Detailed Explanation:

According to ISO/IEC 27035-1:2016, effective communication of the incident management policy must include not only policy content, roles, and responsibilities but also specific procedural aspects—such as how to report an incident and who to contact. This ensures that all stakeholders clearly understand their responsibilities in the event of an incident and know how to respond.

In the scenario, Leona communicated the outcomes of incidents, mitigation strategies, personnel obligations, and policy content. However, she did not include the incident reporting procedures or contact points, which are essential components of incident communication as per ISO guidelines.

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 outlines a structured five-phase approach to information security incident management, which includes:

1. Prepare

2. Identify (or detect and report)

3. Assess and Decide

4. Respond

5. Lessons Learned

According to the standard, the “Assess and Decide” phase must include the collection, review, and analysis of information associated with the occurrence of a potential incident. This phase ensures that the organization bases its classification decisions on factual data and contextual analysis, allowing the organization to determine whether the event should be categorized as a formal security incident.

In the scenario, Mark does introduce an accelerated “count down” process to evaluate and classify incidents, which is a commendable improvement in efficiency. However, there is no mention of gathering or documenting the actual event data prior to classification. This oversight fails to fully align with the standard.

Option A is incorrect because not all phases were implemented as defined—specifically, phase 3 (“Assess and Decide”) lacks an essential component: the collection of evidence/information from the anomaly or event.

Option C is also incorrect. According to ISO/IEC 27035, assessment and classification take place within the formal incident management process—not before it. The initiation of the process includes the evaluation of whether a security event becomes an incident.

Reference Extracts:

* ISO/IEC 27035-1:2016, Clause 6.2.2: “The assessment and decision process involves analyzing the information associated with reported events to decide whether they should be treated as incidents.”

* ISO/IEC 27035-2:2016, Clause 7.3: “This phase includes collecting information from available sources... such as logs, reports, and alerts, to support classification and response decisions.”

Therefore, the correct answer is B: No, the second phase of the incident management process should include the collection of information associated with the occurrences of information security events.

—

Certainly! Below is the full response in your requested format for:

✅ QUESTION NO: 14

Including: scenario, correct answer option, and a comprehensive explanation referencing ISO/IEC 27035-1 and ISO/IEC 27001 standards.

—

Comprehensive and Detailed Explanation From Exact Extract:

While technical expertise is essential, ISO/IEC 27035 emphasizes that structured incident management must be supported by the awareness and active participation of all personnel across the organization. Effective incident response is not confined to technical teams; human factors—such as early detection, proper escalation, and policy adherence—require engagement from users, management, and third-party stakeholders.

Clause 6.3 of ISO/IEC 27035-1:2016 specifically highlights that staff awareness is critical. Personnel should understand their role in reporting suspicious activity, following defined procedures, and participating in readiness exercises.

Outsourcing (Option C) may support capacity, but it is not a substitute for internal preparedness, awareness, and governance.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.3: “All staff should be aware of their responsibilities in reporting and managing information security incidents.”

ISO/IEC 27001:2022, Control 6.3 and A.6.3.1: “Information security responsibilities must be communicated to and accepted by all personnel.”

Correct answer: B

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016 emphasize the importance of monitoring not only internal systems but also third-party or outsourced services. Clause 7.3.2 of ISO/IEC 27035-2 specifically recommends that organizations establish mechanisms for the continuous monitoring of service providers and outsourced systems, particularly when such services process or store sensitive information.

In the scenario, Konzolo suffered an incident due to a failure by a third-party service provider to uphold security controls. This indicates that Konzolo had insufficient or no effective monitoring of outsourced services in place, which directly contributed to the breach and system downtime.

On the other hand:

Option A is incorrect because Konzolo did conduct a vulnerability scan, identifying and addressing cryptographic weaknesses.

Option B is also incorrect, as Paulina conducted forensic and behavioral analysis (both manual and automated) as part of the investigation process.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.2: “Monitoring should not be limited to internal infrastructure but should include third-party and outsourced services to ensure that they are operating within defined security parameters.”

ISO/IEC 27002:2022, Control 5.23: “Information security should be addressed in agreements with third parties.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 emphasizes that part of the incident handling process—particularly during assessment and documentation—must include evaluation of both the seriousness (severity) and urgency (criticality) of the incident.

Clause 6.4.2 requires that an incident’s potential impact and required response timelines be assessed promptly to determine appropriate action. Nate’s omission of this evaluation, despite creating a technically sound report, means that the organization could misjudge the incident’s risk, delay appropriate response, or fail to meet notification obligations.

Option A is incorrect because ISO/IEC 27035 explicitly lists impact and urgency as required analysis elements. Option C, while possibly helpful in forensic analysis, is not a required component per the standard.

Comprehensive and Detailed Explanation From Exact Extract:

In the scenario, Leona used a methodology that estimates “practical values for consequences and their probabilities,” which clearly points to a quantitative risk analysis approach.

Quantitative risk analysis, as defined in ISO/IEC 27005:2018, involves assigning numerical values (e.g., monetary impact, frequency rates) to both the probability and consequence of risks. This allows for risk prioritization based on actual or estimated figures, enabling data-driven decisions on mitigation strategies.

Qualitative analysis uses descriptive categories (e.g., high/medium/low), and semi-quantitative methods mix ranking scales with partial numeric estimations — neither of which are described in this scenario.

Comprehensive and Detailed Explanation From Exact Extract:

During the response phase, one of the most critical activities—according to ISO/IEC 27035-1 and 27035-2—is the documentation of actions, decisions, and results. Clause 6.4.6 of ISO/IEC 27035-1 emphasizes that all activities must be logged to support post-incident analysis, audit trails, and lessons learned. This ensures that:

Accountability is maintained

Decisions can be reviewed

Investigations are legally sound (especially in regulated environments)

While restoring systems (Option C) typically occurs in the recovery phase, logging activities and outcomes is essential during the actual response. Change control processes (Option B) are supporting functions but are not core to the immediate response phase.

—

Comprehensive and Detailed Explanation From Exact Extract:

Yes, Mark’s approach to developing NoSpace’s information security incident management policy was aligned with the structured guidelines outlined in ISO/IEC 27035-1 and ISO/IEC 27035-2. These standards emphasize the importance of establishing an effective and realistic policy framework that supports the identification, management, and learning from information security incidents.

ISO/IEC 27035-1:2016, Clause 6.1, outlines the core components of the “Prepare” phase of the incident management lifecycle. A well-developed incident management policy should:

* Define the purpose, scope, and applicability of the policy

* Focus on critical assets and threats identified through a formal risk assessment

* Be shaped by stakeholder input

* Be realistic, enforceable, and capable of being integrated across departments

* Include training and awareness tailored to relevant personnel

In this scenario, Mark held a strategic session with stakeholders, ensured the policy was risk-based, and tailored training initiatives to critical roles only — which aligns precisely with ISO guidance on optimizing resource allocation and ensuring enforceability.

Option A is incorrect because the scenario clearly states that Mark implemented training and awareness initiatives tailored to critical response roles, which meets ISO/IEC 27035-1 expectations.

Option B is incorrect because ISO/IEC 27035-1 emphasizes prioritization of high-risk threats rather than attempting to address all potential threats equally. A focused and actionable policy that targets the most significant risks is more practical and aligns with international best practices.

Reference Extracts:

* ISO/IEC 27035-1:2016, Clause 6.1: “The preparation phase should include the definition of incident management policy, development of procedures, and awareness/training initiatives.”

* ISO/IEC 27035-2:2016, Clause 5.1: “The policy should be concise, focused on relevant threats, and shaped by organizational structure and risk appetite.”

* ISO/IEC 27001:2022, Annex A.5.25 & A.5.27: “Clear roles, responsibilities, and awareness should be assigned and supported through training.”

Therefore, the correct answer is: C. Yes, the information security incident management policy was appropriately developed.

—

Let me know when you’re ready for QUESTION NO: 16.

—