ISO-IEC-27035-Lead-Incident-Manager Questions and Answers

Comprehensive and Detailed Explanation:

According to ISO/IEC 27035-2:2016, vulnerabilities identified during incident handling must be assessed and documented before remediation. Immediate patching without evaluating its impact could compromise incident evidence, interfere with ongoing investigations, or unintentionally trigger additional issues.

ISO/IEC 27035-2 recommends that the incident coordinator (or an equivalent role) be responsible for directing how such vulnerabilities are managed and coordinated across relevant teams. This maintains process integrity and avoids uncoordinated actions.

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016 (Information Security Incident Management – Part 1: Principles of Incident Management), one of the core principles of effective communication in incident management is “appropriateness.” This refers to ensuring that the right information is shared with the right stakeholders using the appropriate channels, language, format, and timing. The objective is to guarantee that communication is both understandable and actionable by its recipients.

In the scenario, Alura Hospital recognized that they were not adequately informing stakeholders during security incidents. They identified a gap in providing relevant information using suitable formats, media, or language. This failure points directly to a lack of “appropriateness” in their communication strategy. According to ISO/IEC 27035-1, Section 6.4 (Communication), it is essential to tailor incident communication to stakeholder needs to ensure informed decision-making and engagement.

The other options—credibility and responsiveness—are not indicated as the failing areas. There is no mention that the information provided lacked credibility or that the hospital failed to respond to incidents or communicate in a timely manner. Rather, the issue lies with the medium, clarity, and stakeholder alignment—hallmarks of appropriateness.

Reference Extracts from ISO/IEC 27035-1:2016:

Clause 6.4: “Communication must be timely, relevant, accurate, and appropriate for the target audience.”

Clause 7.2.4: “Stakeholders should be informed using formats and channels that they can easily access and understand.”

Therefore, the principle not adhered to by Alura Hospital is clearly: Appropriateness (C).

—

Comprehensive and Detailed Explanation From Exact Extract:

The impact of an information security event is assessed by evaluating how the event affects the CIA triad—Confidentiality, Integrity, and Availability—of information assets. This fundamental concept underpins all ISO/IEC 27000-series standards, including ISO/IEC 27035.

ISO/IEC 27035-1:2016, Clause 6.2.3 explicitly states that an event's severity and urgency are to be assessed by evaluating its actual or potential impact on the organization’s information security objectives, namely:

Confidentiality: Protection from unauthorized disclosure

Integrity: Protection from unauthorized modification

Availability: Assurance of timely and reliable access

This approach ensures consistent and risk-based decision-making during incident assessment. Options A and B are important steps, but they are part of the broader process; they do not directly measure impact.

Comprehensive and Detailed Explanation:

According to ISO/IEC 27005:2018, the risk treatment process begins after risk analysis and evaluation. The main input to this phase is a prioritized set of identified and assessed risks, chosen based on the organization’s risk acceptance criteria. These risks are then assigned treatments such as mitigation, avoidance, or acceptance.

Comprehensive and Detailed Explanation From Exact Extract:

Documenting recovery options and estimating recovery time objectives (RTOs) and data loss tolerances (Recovery Point Objectives – RPOs) is a crucial planning activity that supports decision-making during the containment and recovery phases. ISO/IEC 27035-2:2016, Clause 6.4.6 emphasizes that such documentation allows teams to:

Evaluate trade-offs between containment scope and data loss

Determine acceptable downtime for critical services

Select the most appropriate recovery strategy based on business impact

This documentation supports strategic thinking rather than rushed action, reducing the likelihood of costly decisions. It does not necessarily accelerate the process (Option C), nor is it designed to optimize performance (Option A).

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 encourages organizations to define the scope of incident management based on their own risk environment, business model, and available resources. This scope should be tailored to focus on the systems, services, and personnel that are most critical and relevant to the organization's operations.

In this scenario, Leona appropriately aligned the scope with L&K Associates' specific IT infrastructure and business processes, deliberately including relevant IT systems and associated personnel while excluding unrelated sources. This customization is consistent with best practices and ensures that the incident management process remains focused, efficient, and manageable.

ISO/IEC 27035-2, Clause 4.2, emphasizes that “the scope of incident management should be defined in a way that it supports the organization’s objectives and risk environment.”

Therefore, the correct answer is A: Yes, the incident management scope is customized to align with the organization’s unique needs.

—

Comprehensive and Detailed Explanation From Exact Extract:

L&K Associates employed two distinct approaches as described in ISO/IEC 27005:2018 and referenced in ISO/IEC 27035-2:

Strategic scenario identification, which involves analyzing sources of risk and their impact on stakeholders and objectives. This is aligned with the event-based approach, which focuses on risk sources and events that may lead to incidents.

Operational scenario identification, which involves a thorough assessment of assets, threats, and vulnerabilities — aligning with the asset-based approach, where the focus is on critical assets and the threats that may exploit their weaknesses.

ISO/IEC 27005:2018, Clause 8.2.2, identifies multiple methods for risk identification, including:

Asset-based approach

Event-based (or threat-based) approach

Vulnerability-centered approach

In this scenario, both the asset- and event-based methods were clearly applied by Leona, which is encouraged in ISO risk management practices to provide a holistic view of risk.

Therefore, the correct answer is C: Both A and B.

Comprehensive and Detailed Explanation From Exact Extract:

In ISO/IEC 27035-2:2016, the planning phase of incident response starts with establishing a classification system. Response classification is essential to ensure that incidents are assessed and categorized in a consistent manner, allowing appropriate response measures to be applied. This classification forms the foundation for selecting the right procedures, team involvement, and communication protocols.

Assigning a response class (Option A) is a subsequent step that occurs once an incident is analyzed and matched to a pre-defined category. Developing response processes (Option B) is important but comes after the classification model is defined.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 6.3.2: “The response planning process begins with the classification of potential incidents to determine the required actions and responsibilities.”

Clause 7.2.2: “Defining response classes helps the organization decide how to handle specific categories of incidents.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

Internal exercises, such as simulations, tabletop exercises, and mock drills, are designed primarily to assess the readiness, coordination, and performance of the internal incident response team (IRT). According to ISO/IEC 27035-2:2016, these exercises aim to validate that the IRT understands their roles, follows documented procedures, and can act effectively under pressure.

While external collaboration (Options A and B) may be tested during joint exercises or industry-wide scenarios, the focus of internal exercises is on internal capabilities. These exercises help identify gaps in training, procedures, communication, and escalation pathways.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.3: “Exercises and simulations should be conducted to test the readiness of the incident response capability.”

NIST SP 800-84: “Regular exercises increase response efficiency and allow staff to develop incident handling confidence.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

As detailed in scenario 7 and reinforced in the previous question, Paulina began her forensic work after the system was restored—missing the critical Collection phase as defined in ISO/IEC 27043 and referenced in ISO/IEC 27035-2.

Forensic collection involves gathering volatile and non-volatile data (e.g., logs, RAM dumps, file artifacts) at the earliest possible moment in the incident lifecycle to avoid data loss. By waiting until after recovery, she likely compromised the chain of custody and the completeness of her evidence.

The scenario notes that her analysis and reporting were thorough, providing valuable insights and mitigation strategies. Thus, the failure lies in the timing and execution of the Collection phase.

Comprehensive and Detailed Explanation From Exact Extract:

When maintaining documentation for information security incident management, test results are critical indicators of how well current plans and controls are functioning. According to ISO/IEC 27035-2:2016 Clause 7.3.3, organizations must update documents based on test outcomes, incident experiences, or environmental changes.

Market trends (Option A) and attendance records (Option B) are not directly relevant to the content or accuracy of incident documentation.

Comprehensive and Detailed Explanation From Exact Extract:

During the response phase, one of the most critical activities—according to ISO/IEC 27035-1 and 27035-2—is the documentation of actions, decisions, and results. Clause 6.4.6 of ISO/IEC 27035-1 emphasizes that all activities must be logged to support post-incident analysis, audit trails, and lessons learned. This ensures that:

Accountability is maintained

Decisions can be reviewed

Investigations are legally sound (especially in regulated environments)

While restoring systems (Option C) typically occurs in the recovery phase, logging activities and outcomes is essential during the actual response. Change control processes (Option B) are supporting functions but are not core to the immediate response phase.

Comprehensive and Detailed Explanation:

XDR (Extended Detection and Response) is a security solution that integrates and correlates data across multiple domains including endpoints, networks, cloud workloads, and more. In the scenario, the tool is described as capable of covering network traffic, cloud environments, and beyond—characteristics that align directly with the capabilities of XDR.

IPS (Intrusion Prevention System) focuses narrowly on network perimeter security.

SIEM (Security Information and Event Management) is primarily focused on log aggregation and analysis rather than real-time detection and automated response across multiple layers.

Comprehensive and Detailed Explanation From Exact Extract:

The incident coordinator plays a vital managerial and operational role in guiding and synchronizing the efforts of Incident Response Teams (IRTs). ISO/IEC 27035-2:2016, Clause 7.2.2 describes the role as one that involves coordination of resources, communication, and oversight to ensure that all phases of the response are executed according to procedure and within acceptable timelines.

Responsibilities include:

Assigning roles and responsibilities

Overseeing containment, eradication, and recovery efforts

Communicating with stakeholders

Tracking incident metrics and resolution progress

Initiating the response (Option B) is typically a decision taken collectively or by senior management or the IMT after classification. Assessing the nature of an event (Option C) falls under the detection and classification phase, not the coordinator's primary role during response.

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, the eradication phase of incident management is defined as the stage in which the causes and components of the incident—such as malware, unauthorized access points, or system vulnerabilities—are completely removed or neutralized.

Clause 6.4.5 of ISO/IEC 27035-2 clearly outlines that the eradication phase includes actions to eliminate the root causes of incidents, which may include fixing exploited vulnerabilities and removing malicious code. This ensures that the underlying issues that allowed the incident to occur are effectively resolved, reducing the risk of recurrence.

While containment aims to limit the damage and prevent the spread of an incident, it is not intended for remediation of vulnerabilities. Similarly, the recovery phase focuses on restoring services and returning systems to normal operations after the threat has been eradicated.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 6.4.5: “The eradication phase includes removing the root cause of the incident (e.g., patching vulnerabilities, deleting malware, and closing open ports).”

Clause 6.4.3: “Containment is primarily focused on limiting the scope and impact, not resolving root causes.”

Correct answer: A

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, incident categorization is a vital step in the incident management lifecycle. Its primary purpose is to sort and group incidents based on specific criteria so that appropriate actions and escalation paths can be taken.

One of the core objectives of categorization is to sort incidents by the domain or system affected — whether it’s a database, email system, network, or physical server. This enables organizations to assign incidents to relevant subject matter experts and apply the right procedures, based on the affected business function or IT component.

While categorization can influence prioritization (option A), the main intent is classification based on nature and domain. Automatic technician assignment (option B) may be supported by some service management platforms but is not the foundational purpose of incident categorization under ISO 27035.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.1.2 – “Categorization should identify the domain or component affected to enable appropriate response and escalation.”

ISO/IEC 27035-2:2016, Clause 7.3 – “Incidents should be categorized based on the type of disruption they cause and the business or technical domain they impact.”

Therefore, the correct answer is C: To sort incidents based on the disrupted IT or business domain.

—

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27002:2022 (and earlier versions), information security controls can be broadly categorized into three types: technical (also called logical), physical, and administrative (or organizational) controls.

Technical controls (also known as logical controls) involve the use of software and hardware to protect assets. Examples include:

Firewalls

Intrusion detection systems

Encryption

Access control mechanisms

Physical controls are designed to prevent physical access to IT systems and include things such as:

Surveillance cameras

Security guards

Biometric access systems

Administrative controls, also called management or procedural controls, include the policies, procedures, and guidelines that govern the organization’s security practices. These include:

Security awareness training

Acceptable use policies

Password policies

Option A, “Implementing a policy for regular password changes,” is an administrative control, not a technical one. It dictates user behavior through rules and policy enforcement, but does not technically enforce the change itself unless paired with technical enforcement (like system settings).

Option B, surveillance cameras, are physical controls, and option C, installing a firewall, is a classic example of a technical control.

Reference Extracts:

ISO/IEC 27002:2022, Clause 5.1 – “Information security controls can be administrative (policy-based), technical, or physical depending on their form and implementation.”

NIST SP 800-53, Control Families – Differentiates between management, operational, and technical controls.

Therefore, the correct answer is A: Implementing a policy for regular password changes.

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-2:2016 is titled “Information security incident management — Part 2: Guidelines to plan and prepare for incident response.” This document provides detailed guidance on establishing an incident response capability, planning for incident response, and implementing effective response actions. It also emphasizes the importance of post-incident analysis and lessons learned to improve future incident handling.

Key activities covered in ISO/IEC 27035-2 include:

* Planning and preparing for incident handling (e.g., policy development, roles and responsibilities)

* Establishing and training the incident response team (IRT)

* Developing communication strategies and escalation procedures

* Conducting root cause analysis and collecting lessons learned

* Applying improvements to prevent recurrence

By contrast:

* ISO/IEC 27035-1 provides high-level principles of incident management (Part 1: Principles).

* ISO/IEC 27037 relates to the handling of digital evidence and is focused more on forensic practices than incident response preparation.

Reference Extracts:

* ISO/IEC 27035-2:2016, Introduction: “This part provides guidance on the planning and preparation necessary for effective incident response and for learning lessons from incidents.”

* ISO/IEC 27035-2:2016, Clause 6.5: “Lessons learned and reporting can help improve future incident response and provide input to risk assessments and control improvements.”

—

Comprehensive and Detailed Explanation From Exact Extract:

Yes, Mark’s approach to developing NoSpace’s information security incident management policy was aligned with the structured guidelines outlined in ISO/IEC 27035-1 and ISO/IEC 27035-2. These standards emphasize the importance of establishing an effective and realistic policy framework that supports the identification, management, and learning from information security incidents.

ISO/IEC 27035-1:2016, Clause 6.1, outlines the core components of the “Prepare” phase of the incident management lifecycle. A well-developed incident management policy should:

* Define the purpose, scope, and applicability of the policy

* Focus on critical assets and threats identified through a formal risk assessment

* Be shaped by stakeholder input

* Be realistic, enforceable, and capable of being integrated across departments

* Include training and awareness tailored to relevant personnel

In this scenario, Mark held a strategic session with stakeholders, ensured the policy was risk-based, and tailored training initiatives to critical roles only — which aligns precisely with ISO guidance on optimizing resource allocation and ensuring enforceability.

Option A is incorrect because the scenario clearly states that Mark implemented training and awareness initiatives tailored to critical response roles, which meets ISO/IEC 27035-1 expectations.

Option B is incorrect because ISO/IEC 27035-1 emphasizes prioritization of high-risk threats rather than attempting to address all potential threats equally. A focused and actionable policy that targets the most significant risks is more practical and aligns with international best practices.

Reference Extracts:

* ISO/IEC 27035-1:2016, Clause 6.1: “The preparation phase should include the definition of incident management policy, development of procedures, and awareness/training initiatives.”

* ISO/IEC 27035-2:2016, Clause 5.1: “The policy should be concise, focused on relevant threats, and shaped by organizational structure and risk appetite.”

* ISO/IEC 27001:2022, Annex A.5.25 & A.5.27: “Clear roles, responsibilities, and awareness should be assigned and supported through training.”

Therefore, the correct answer is: C. Yes, the information security incident management policy was appropriately developed.

—

Let me know when you’re ready for QUESTION NO: 16.

—