Free PECB ISO-IEC-27035-Lead-Incident-Manager Practice Exam with Questions & Answers

Comprehensive and Detailed Explanation From Exact Extract:

The Incident Cause Analysis Method (ICAM) is a root cause analysis technique used across various industries, including cybersecurity, to understand underlying issues behind incidents. It promotes a holistic and structured approach by examining five critical dimensions:

People (human error, behavior, awareness)

Environment (physical or digital conditions)

Equipment (hardware, software, tools)

Procedures (policies, guidelines, workflows)

Organization (culture, leadership, resourcing)

This comprehensive model helps organizations identify both immediate and systemic causes, allowing them to implement more effective corrective actions and prevent recurrence.

Comprehensive and Detailed Explanation From Exact Extract:

The ‘detect and report’ phase, as defined in ISO/IEC 27035-1:2016 (Clause 6.2), includes the identification, classification, and initial reporting of information security events. If events meet certain thresholds—such as multiple failed login attempts from unknown IP addresses or matching threat indicators—they can and should be classified as potential incidents.

It is also appropriate to begin collecting supporting information during this phase. Gathering threat intelligence and performing basic vulnerability assessments help in confirming the scope and nature of the threat, allowing faster escalation and response.

Option B is incorrect because while deep forensic collection occurs later, preliminary data collection should begin during detection. Option C is incorrect as incident classification is explicitly allowed and encouraged in this phase.

Comprehensive and Detailed Explanation From Exact Extract:

In an Incident Response Team (IRT), analysts and researchers are responsible for threat intelligence, data analysis, malware investigation, and providing in-depth technical insights. Their work directly supports the lead investigator by identifying root causes, attack vectors, indicators of compromise (IOCs), and evaluating threat actor tactics.

According to ISO/IEC 27035-2:2016, these roles are part of the broader support functions within an IRT and are crucial for technical depth and timely resolution of incidents.

Option A (IT support staff) may provide infrastructure-level assistance but typically lacks threat analysis capabilities. Option C (team leader) oversees coordination and communication but is not the primary intelligence resource.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.2.3: “Support roles may include malware analysts, forensic experts, and threat intelligence researchers.”

ENISA CSIRT Training Guide: “Analysts contribute to ongoing investigations by identifying attack patterns and supporting mitigation decisions.”

Correct answer: B

—

Comprehensive and Detailed Explanation From Exact Extract:

When maintaining documentation for information security incident management, test results are critical indicators of how well current plans and controls are functioning. According to ISO/IEC 27035-2:2016 Clause 7.3.3, organizations must update documents based on test outcomes, incident experiences, or environmental changes.

Market trends (Option A) and attendance records (Option B) are not directly relevant to the content or accuracy of incident documentation.

Comprehensive and Detailed Explanation From Exact Extract:

Digital evidence gathering, as outlined in ISO/IEC 27037 and referenced in ISO/IEC 27035-2, must adhere to several core principles—reliability, sufficiency, relevance, and integrity. Relevance, in particular, means that the Digital Evidence First Responder (DEFR) must ensure that any item collected has direct or potential bearing on the investigation.

Relevance also requires:

Clear justification for why an item was acquired

Ability to trace the decision-making process

Alignment with investigation objectives

Option A misrepresents “sufficiency,” which does not mean minimal collection but rather collecting enough evidence to support conclusions without overburdening the investigation. Option B contradicts the principle of reliability, which requires that processes be standardized and reproducible.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035 and ISO/IEC 27001 emphasize that information security awareness and training must extend to all personnel, not just those in technical roles. Clause 7.3.2 of ISO/IEC 27035-2 specifically states that “training should be made available to all staff,” including non-technical users, third-party service providers, contractors, and any personnel with access to organizational assets or systems.

The rationale is that every user is a potential entry point for cyber threats. Whether through phishing, social engineering, or misconfiguration, untrained staff can unintentionally compromise the organization’s security posture. Therefore, organizations must ensure that everyone—especially new hires, contractors, and third-party partners—is trained on incident reporting procedures, security responsibilities, and escalation paths.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.2: “Training and awareness activities should be targeted at all users of the organization's systems and services.”

ISO/IEC 27001:2022, Control 6.3: “Ensure that personnel are aware of their information security responsibilities.”

Correct answer: C

—

—

Comprehensive and Detailed Explanation From Exact Extract:

Yes, the use of ISO/IEC 27035-1 to support compliance with ISO/IEC 27001 ISMS requirements is fully acceptable and encouraged. ISO/IEC 27035-1:2016 is explicitly designed to support organizations in establishing and maintaining effective information security incident management processes. These processes are a crucial component of a well-functioning Information Security Management System (ISMS), which is governed by ISO/IEC 27001.

Clause 6.1.3 and Clause A.16.1 of ISO/IEC 27001:2022 (formerly 2013) require that organizations establish and respond to information security incidents, including detection, response, and learning from such events. ISO/IEC 27035-1 directly supports these controls by providing specific guidance on how to identify, manage, and learn from information security incidents in a structured and repeatable way.

Moreover, ISO/IEC 27035-1 is referenced by ISO/IEC 27001 Annex A (specifically A.5.24 to A.5.27 and A.5.31 in the 2022 version), supporting requirements related to incident management, monitoring, and improvement. The ISO 27035 series acts as a detailed implementation guide for these controls, helping organizations meet both the management and operational requirements of the ISMS.

Therefore, Mark’s decision to use ISO/IEC 27035-1 guidelines to align and enhance the incident management aspects of the ISMS is both appropriate and aligned with international best practices.

Reference Extracts:

* ISO/IEC 27035-1:2016, Clause 0.2: “This document also supports the information security requirements defined in ISO/IEC 27001 and provides detailed guidance on incident management activities relevant to an ISMS.”

* ISO/IEC 27001:2022, Annex A (A.5.24–A.5.27): “Information security incident management should be based on established processes for detection, response, and learning.”

* ISO/IEC 27001:2022, Clause 6.1.3: “Information security risks must be identified and treated as part of the ISMS.”

Therefore, the correct answer is A: Yes, another objective associated with ISO/IEC 27035-1 is to provide guidance on meeting the ISMS requirements specified in ISO/IEC 27001.

—

Certainly! Below is your requested content in the structured ISO/IEC format for:

✅ QUESTION NO: 15

Including: full scenario, correct answer option, and a comprehensive explanation based on ISO/IEC 27035-1, 27035-2, and related ISO/IEC standards.

—

Comprehensive and Detailed Explanation:

According to ISO/IEC 27001:2022 and ISO/IEC 27035-2:2016, top management holds accountability for ensuring the alignment of security policies with organizational objectives. Policy approval, particularly for something as critical as incident management, must be authorized by top-level decision-makers to ensure authority, enforcement, and resource support.

Comprehensive and Detailed Explanation From Exact Extract:

In the scenario, EastCyber implemented an “advanced network traffic monitoring system” that “spots and alerts the security team to unauthorized actions.” This aligns closely with the functional characteristics of an Intrusion Detection System (IDS), which monitors traffic or systems for malicious activities and policy violations and sends alerts for review.

While Security Information and Event Management (SIEM) tools and Intrusion Prevention Systems (IPS) offer valuable detection and response capabilities, the scenario specifically describes a system focused on monitoring and alerting—not automatically blocking traffic, which would indicate an IPS.

SIEM platforms correlate and analyze logs from various sources, which wasn’t described. Therefore, IDS is the most accurate interpretation.

—

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, business managers have a vital governance and operational oversight role in relation to information security incident response. Their main function is to ensure that incident management activities align with the organization’s business processes and risk management strategies.

Clause 7.2.1 of ISO/IEC 27035-2 highlights that business managers are responsible for ensuring that the incident response teams (IRTs) understand business priorities, and that response activities reflect the criticality of affected systems and services. Business managers also help define the operational boundaries and authority of IMTs and IRTs when incidents impact key business systems. Their involvement ensures that decisions made during response efforts support overall organizational resilience and legal compliance.

Option A is more aligned with human resources or legal/compliance functions, not core business manager responsibilities. Option B relates more closely to legal counsel or data privacy officers who are tasked with interpreting laws and regulations concerning breach notifications and liability.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.2.1: “Business managers are responsible for ensuring the coordination between business requirements and incident response activities, and for defining authority over the systems under their management.”

Clause 6.1.1: “Incident response activities must be aligned with business continuity plans and critical asset protection priorities.”

Therefore, the correct and most comprehensive answer is: C – Understanding how the IMT and IRTs support business processes and define authority over business systems.

—