ISO-IEC-27035-Lead-Incident-Manager PECB Certified ISO/IEC 27035 Lead Incident Manager Questions and Answers

Comprehensive and Detailed Explanation:

ISO/IEC 27035-2:2016 outlines comprehensive responsibilities for an incident response team, which include not just response and mitigation but also:

Assessing and classifying reported events

Determining if they qualify as incidents

Coordinating containment, eradication, and recovery actions

Conducting root cause analysis and lessons learned

While the scenario highlights the team’s strengths in root cause analysis and resolution, it omits one key responsibility: the proper assessment and classification of the anomaly before response. This makes option C the most accurate.

Comprehensive and Detailed Explanation From Exact Extract:

The incident coordinator plays a vital managerial and operational role in guiding and synchronizing the efforts of Incident Response Teams (IRTs). ISO/IEC 27035-2:2016, Clause 7.2.2 describes the role as one that involves coordination of resources, communication, and oversight to ensure that all phases of the response are executed according to procedure and within acceptable timelines.

Responsibilities include:

Assigning roles and responsibilities

Overseeing containment, eradication, and recovery efforts

Communicating with stakeholders

Tracking incident metrics and resolution progress

Initiating the response (Option B) is typically a decision taken collectively or by senior management or the IMT after classification. Assessing the nature of an event (Option C) falls under the detection and classification phase, not the coordinator's primary role during response.

—

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, business managers have a vital governance and operational oversight role in relation to information security incident response. Their main function is to ensure that incident management activities align with the organization’s business processes and risk management strategies.

Clause 7.2.1 of ISO/IEC 27035-2 highlights that business managers are responsible for ensuring that the incident response teams (IRTs) understand business priorities, and that response activities reflect the criticality of affected systems and services. Business managers also help define the operational boundaries and authority of IMTs and IRTs when incidents impact key business systems. Their involvement ensures that decisions made during response efforts support overall organizational resilience and legal compliance.

Option A is more aligned with human resources or legal/compliance functions, not core business manager responsibilities. Option B relates more closely to legal counsel or data privacy officers who are tasked with interpreting laws and regulations concerning breach notifications and liability.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.2.1: “Business managers are responsible for ensuring the coordination between business requirements and incident response activities, and for defining authority over the systems under their management.”

Clause 6.1.1: “Incident response activities must be aligned with business continuity plans and critical asset protection priorities.”

Therefore, the correct and most comprehensive answer is: C – Understanding how the IMT and IRTs support business processes and define authority over business systems.

—

Comprehensive and Detailed Explanation:

Gap analysis is a structured method used to compare the current state of processes, capabilities, or systems against a desired or required state (such as compliance with ISO standards). The main goal is to determine what needs to change to achieve that future state. While identifying gaps (A) and assessing risks (C) may occur during the process, the primary purpose is strategic planning and improvement.

Comprehensive and Detailed Explanation From Exact Extract:

Indicators of Compromise (IOCs) are critical elements in incident management. They are forensic artifacts—such as file hashes, IP addresses, registry changes, or specific malware behavior—that help security analysts detect the presence of malicious activity. According to ISO/IEC 27035-2:2016 and supported by ISO/IEC 27043:2015, IOCs are used in the detection, containment, and analysis phases of incident handling.

Their primary role is to uncover evidence of malicious activity by:

Matching known patterns to suspected compromise

Supporting threat hunting and detection rules

Enabling faster identification of affected systems

While IOCs can support forensic analysis (Option A), their main purpose is to identify malicious behavior. Option B (assessing isolation measures) may be influenced by IOCs but is not their primary function.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-2:2016 is titled “Information security incident management — Part 2: Guidelines to plan and prepare for incident response.” This document provides detailed guidance on establishing an incident response capability, planning for incident response, and implementing effective response actions. It also emphasizes the importance of post-incident analysis and lessons learned to improve future incident handling.

Key activities covered in ISO/IEC 27035-2 include:

* Planning and preparing for incident handling (e.g., policy development, roles and responsibilities)

* Establishing and training the incident response team (IRT)

* Developing communication strategies and escalation procedures

* Conducting root cause analysis and collecting lessons learned

* Applying improvements to prevent recurrence

By contrast:

* ISO/IEC 27035-1 provides high-level principles of incident management (Part 1: Principles).

* ISO/IEC 27037 relates to the handling of digital evidence and is focused more on forensic practices than incident response preparation.

Reference Extracts:

* ISO/IEC 27035-2:2016, Introduction: “This part provides guidance on the planning and preparation necessary for effective incident response and for learning lessons from incidents.”

* ISO/IEC 27035-2:2016, Clause 6.5: “Lessons learned and reporting can help improve future incident response and provide input to risk assessments and control improvements.”

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035 and industry best practices, a Security Operations Center (SOC) is the central hub for an organization’s cybersecurity operations. Its responsibilities go beyond pure incident response. SOCs continuously monitor the organization’s network and systems for suspicious activity and threats, providing real-time threat detection, incident response coordination, vulnerability management, and overall security infrastructure oversight.

While CSIRTs and CERTs specialize in handling and managing security incidents, their roles are generally more narrowly focused on the detection, reporting, and resolution of security events. SOCs, on the other hand, manage the broader spectrum of operations, including:

Real-time monitoring and logging

Threat hunting and intelligence

Security incident analysis and triage

Coordinating CSIRT activities

Supporting policy compliance and auditing

Integration with vulnerability management and security infrastructure

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.1: “Monitoring systems and activities should be established, operated and maintained to identify deviations from normal behavior.”

NIST SP 800-61 Revision 2 and industry alignment with ISO/IEC 27035 recognize the SOC as the broader operational environment that houses or interacts with the CSIRT/CERT.

Therefore, the correct answer is: B – Security Operations Center (SOC)

—

Comprehensive and Detailed Explanation:

According to ISO/IEC 27035-1:2016 and ISO/IEC 27001:2022, when defining the scope of an information security incident management system, organizations must consider all forms of information—whether digital or physical—that are relevant to the business. Incidents can affect hardcopy (e.g., paper-based records) and electronic data (e.g., emails, files), so both must be included in the scope assessment.

Comprehensive and Detailed Explanation:

According to ISO/IEC 27035-2:2016, vulnerabilities identified during incident handling must be assessed and documented before remediation. Immediate patching without evaluating its impact could compromise incident evidence, interfere with ongoing investigations, or unintentionally trigger additional issues.

ISO/IEC 27035-2 recommends that the incident coordinator (or an equivalent role) be responsible for directing how such vulnerabilities are managed and coordinated across relevant teams. This maintains process integrity and avoids uncoordinated actions.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-2:2016 Clause 7.4.3 emphasizes the role of lessons learned reviews as key evaluation activities for assessing the performance of incident response teams. This activity involves post-incident debriefs to evaluate what went right or wrong and how response processes or team functions could improve.

While options A and C are related to broader security or deployment procedures, Option B directly reflects a formal evaluation mechanism used to gauge incident team effectiveness.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1 encourages organizations to monitor metrics, such as the frequency of incident types, as part of continual improvement (Clause 7.3). A decreasing mean time between incidents (MTBI) may indicate increased threat frequency, weakened controls, or emerging vulnerabilities. Ignoring such trends can prevent timely corrective actions and weaken overall resilience.

Instead of assuming the incidents are less significant, ISO guidance suggests conducting root cause analysis and trend evaluations when patterns like this emerge.

—

Comprehensive and Detailed Explanation From Exact Extract:

Yes, Mark’s approach to developing NoSpace’s information security incident management policy was aligned with the structured guidelines outlined in ISO/IEC 27035-1 and ISO/IEC 27035-2. These standards emphasize the importance of establishing an effective and realistic policy framework that supports the identification, management, and learning from information security incidents.

ISO/IEC 27035-1:2016, Clause 6.1, outlines the core components of the “Prepare” phase of the incident management lifecycle. A well-developed incident management policy should:

* Define the purpose, scope, and applicability of the policy

* Focus on critical assets and threats identified through a formal risk assessment

* Be shaped by stakeholder input

* Be realistic, enforceable, and capable of being integrated across departments

* Include training and awareness tailored to relevant personnel

In this scenario, Mark held a strategic session with stakeholders, ensured the policy was risk-based, and tailored training initiatives to critical roles only — which aligns precisely with ISO guidance on optimizing resource allocation and ensuring enforceability.

Option A is incorrect because the scenario clearly states that Mark implemented training and awareness initiatives tailored to critical response roles, which meets ISO/IEC 27035-1 expectations.

Option B is incorrect because ISO/IEC 27035-1 emphasizes prioritization of high-risk threats rather than attempting to address all potential threats equally. A focused and actionable policy that targets the most significant risks is more practical and aligns with international best practices.

Reference Extracts:

* ISO/IEC 27035-1:2016, Clause 6.1: “The preparation phase should include the definition of incident management policy, development of procedures, and awareness/training initiatives.”

* ISO/IEC 27035-2:2016, Clause 5.1: “The policy should be concise, focused on relevant threats, and shaped by organizational structure and risk appetite.”

* ISO/IEC 27001:2022, Annex A.5.25 & A.5.27: “Clear roles, responsibilities, and awareness should be assigned and supported through training.”

Therefore, the correct answer is: C. Yes, the information security incident management policy was appropriately developed.

—

Let me know when you’re ready for QUESTION NO: 16.

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035 strongly encourages information sharing among trusted parties to enhance collective incident response capabilities and reduce the broader impact of cyber threats. Clause 6.5.6 in ISO/IEC 27035-1 highlights the importance of cooperation and communication with external parties, including industry-specific information-sharing forums, CERTs/CSIRTs, and trusted partners.

The practice of proactive information exchange allows organizations to:

Detect coordinated or widespread attacks

Accelerate response through shared indicators of compromise (IOCs)

Benefit from collective intelligence and incident analysis

Build sector-wide resilience

However, such exchanges must occur within well-defined protocols that preserve confidentiality, legal compliance, and operational integrity.

Option B and C reflect overly cautious or siloed approaches that may delay response or reduce the effectiveness of collaborative efforts.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.5.6: “Incident management should consider the importance of trusted collaboration, sharing of incident information, and threat intelligence between relevant entities.”

ENISA and FIRST.org also support this collaborative approach in their best practices.

Correct answer: A

—

Comprehensive and Detailed Explanation From Exact Extract:

The deployment of an Intrusion Detection System (IDS) by RoLawyers following the incident is a classic example of implementing a detective control. According to ISO/IEC 27002:2022 (formerly 27002:2013), detective controls are designed to identify and report the occurrence of information security events in a timely manner. They help organizations discover that an event has occurred so that an appropriate response can be initiated.

The IDS mentioned in the scenario monitors the network for suspicious activity and alerts the IT security team when anomalies or intrusion attempts are detected. This aligns directly with the definition of detective controls.

By contrast:

Preventive controls are designed to prevent incidents from occurring in the first place (e.g., firewalls, access controls).

Corrective controls are actions taken after an incident to restore systems or data and prevent recurrence (e.g., patch management, backups).

Reference Extracts:

ISO/IEC 27002:2022, Clause 5.27 – “Detection controls should be implemented to identify incidents and anomalies in a timely manner.”

ISO/IEC 27035-1:2016, Clause 4.3.2 – “Detecting and reporting information security events and weaknesses are the first steps in the incident response process.”

RoLawyers' use of an IDS matches the description of a detective control designed to provide early warning signs of potential threats, making it easier for the organization to take timely action.

Therefore, the correct answer is B: Detective controls.

Comprehensive and Detailed Explanation From Exact Extract:

Internal exercises, such as simulations, tabletop exercises, and mock drills, are designed primarily to assess the readiness, coordination, and performance of the internal incident response team (IRT). According to ISO/IEC 27035-2:2016, these exercises aim to validate that the IRT understands their roles, follows documented procedures, and can act effectively under pressure.

While external collaboration (Options A and B) may be tested during joint exercises or industry-wide scenarios, the focus of internal exercises is on internal capabilities. These exercises help identify gaps in training, procedures, communication, and escalation pathways.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.3: “Exercises and simulations should be conducted to test the readiness of the incident response capability.”

NIST SP 800-84: “Regular exercises increase response efficiency and allow staff to develop incident handling confidence.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-2:2016, one of the technical requirements to support effective incident management is the capability to rapidly detect, collect, and process information about security events, incidents, and vulnerabilities. Timely acquisition of this data allows the organization to assess threats, determine the scope of incidents, and execute response measures quickly.

Clause 7.4.1 emphasizes the need for adequate tools and infrastructure to support the detection and acquisition of information security events and vulnerability reports. The collected data becomes the foundation for risk assessment, root cause analysis, and corrective action planning.

Option A (public disclosure of contact details) might be relevant for CERT/CSIRT public coordination but is not a core requirement in technical incident response. Option B (immediate deletion of reports) is contrary to best practices, as incident reports are critical for audits, compliance, and continuous improvement.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.4.1: “Organizations should ensure that technical means are in place to allow quick acquisition and analysis of information related to events, incidents, and vulnerabilities.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

In ISO/IEC 27035-2:2016, the planning phase of incident response starts with establishing a classification system. Response classification is essential to ensure that incidents are assessed and categorized in a consistent manner, allowing appropriate response measures to be applied. This classification forms the foundation for selecting the right procedures, team involvement, and communication protocols.

Assigning a response class (Option A) is a subsequent step that occurs once an incident is analyzed and matched to a pre-defined category. Developing response processes (Option B) is important but comes after the classification model is defined.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 6.3.2: “The response planning process begins with the classification of potential incidents to determine the required actions and responsibilities.”

Clause 7.2.2: “Defining response classes helps the organization decide how to handle specific categories of incidents.”

Correct answer: C

—

—

Comprehensive and Detailed Explanation From Exact Extract:

Yes, the use of ISO/IEC 27035-1 to support compliance with ISO/IEC 27001 ISMS requirements is fully acceptable and encouraged. ISO/IEC 27035-1:2016 is explicitly designed to support organizations in establishing and maintaining effective information security incident management processes. These processes are a crucial component of a well-functioning Information Security Management System (ISMS), which is governed by ISO/IEC 27001.

Clause 6.1.3 and Clause A.16.1 of ISO/IEC 27001:2022 (formerly 2013) require that organizations establish and respond to information security incidents, including detection, response, and learning from such events. ISO/IEC 27035-1 directly supports these controls by providing specific guidance on how to identify, manage, and learn from information security incidents in a structured and repeatable way.

Moreover, ISO/IEC 27035-1 is referenced by ISO/IEC 27001 Annex A (specifically A.5.24 to A.5.27 and A.5.31 in the 2022 version), supporting requirements related to incident management, monitoring, and improvement. The ISO 27035 series acts as a detailed implementation guide for these controls, helping organizations meet both the management and operational requirements of the ISMS.

Therefore, Mark’s decision to use ISO/IEC 27035-1 guidelines to align and enhance the incident management aspects of the ISMS is both appropriate and aligned with international best practices.

Reference Extracts:

* ISO/IEC 27035-1:2016, Clause 0.2: “This document also supports the information security requirements defined in ISO/IEC 27001 and provides detailed guidance on incident management activities relevant to an ISMS.”

* ISO/IEC 27001:2022, Annex A (A.5.24–A.5.27): “Information security incident management should be based on established processes for detection, response, and learning.”

* ISO/IEC 27001:2022, Clause 6.1.3: “Information security risks must be identified and treated as part of the ISMS.”

Therefore, the correct answer is A: Yes, another objective associated with ISO/IEC 27035-1 is to provide guidance on meeting the ISMS requirements specified in ISO/IEC 27001.

—

Certainly! Below is your requested content in the structured ISO/IEC format for:

✅ QUESTION NO: 15

Including: full scenario, correct answer option, and a comprehensive explanation based on ISO/IEC 27035-1, 27035-2, and related ISO/IEC standards.

—

Comprehensive and Detailed Explanation:

According to ISO/IEC 27035-2:2016, incident response exercises (including simulations such as phishing campaigns) must be carefully controlled to avoid confusion, escalation, or reputational damage. If an exercise is misunderstood by employees or external parties, it could lead to unintended consequences including external escalation, customer concern, or media involvement.

The best practice is to ensure that all involved—especially external stakeholders—are informed as soon as possible if they are exposed to simulated elements. Transparency ensures the organization maintains trust and mitigates potential fallout. This is part of effective communication during planned exercises.

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016, an information security event should be documented and communicated as soon as it is identified—particularly if it has the potential to escalate into an incident. Timely documentation and escalation enable the organization to take immediate and coordinated actions, which are essential to managing risk effectively.

Clause 6.2.1 of ISO/IEC 27035-1 states that events, even before confirmation as incidents, must be logged and assessed to determine appropriate response measures. Waiting until after a breach occurs or delaying documentation may violate both internal policies and regulatory requirements, especially in high-risk domains like cryptocurrency.

Therefore, Noah’s actions align fully with the recommended practices outlined in ISO/IEC 27035.

Comprehensive and Detailed Explanation:

According to ISO/IEC 27005:2018, the risk treatment process begins after risk analysis and evaluation. The main input to this phase is a prioritized set of identified and assessed risks, chosen based on the organization’s risk acceptance criteria. These risks are then assigned treatments such as mitigation, avoidance, or acceptance.