ISO-IEC-27002-Foundation Exam Dumps - ISO/IEC 27002 Foundation Exam

A fire alarm is a detective and technical control. It is detective because it identifies or signals that a fire-related event may be occurring. The alarm does not normally stop the fire from starting, and it does not restore damaged assets after the event. Its purpose is to detect indicators such as smoke, heat, or fire and trigger response actions such as evacuation, suppression, emergency communication, or incident handling. It is technical because it operates through engineered or electronic mechanisms rather than through management approval, legal clauses, or purely administrative processes. ISO/IEC 27002:2022 classifies controls using attributes, including control type. Control types include preventive, detective, and corrective. Fire alarms align with the physical security control area because fire is a physical and environmental threat to information processing facilities, equipment, storage media, and supporting infrastructure. The value of the control is timely detection, reducing the chance that a physical event escalates unnoticed into major damage or service disruption. References/Chapters: ISO/IEC 27002:2022, Clause 4 control attributes; Control 7.4 Physical security monitoring; Control 7.5 Protecting against physical and environmental threats.

==========

ISO/IEC 27002 recommends that audit testing should be planned and agreed upon between the tester and appropriate management. The purpose is to obtain assurance without creating unnecessary disruption, exposure, or operational risk. Audit tests can involve access attempts, vulnerability checks, sampling, transaction tracing, configuration review, log review, or control validation. If such activities are unmanaged, they may overload systems, expose sensitive information, interrupt services, conflict with change windows, or create false incident signals. Option B is incorrect because ad hoc assurance testing can be risky and inconsistent unless properly authorized and controlled. Option C is incorrect because audits should not normally require stopping operational systems and business processes; rather, they should be designed to minimize disruption while preserving evidence quality. ISO/IEC 27002 treats audit and assurance activities as important but controlled. Planning should define scope, timing, method, responsibilities, data handling, access requirements, and communication. The verified answer is option A because it balances assurance with operational security and business continuity. References/Chapters: ISO/IEC 27002:2022, Control 8.34 Protection of information systems during audit testing; Control 5.35 Independent review of information security.

==========

Control 5.35, Independent review of information security, is the control intended to ensure that the organization’s approach to managing information security remains suitable, adequate, and effective. Independent reviews provide objective evaluation of whether policies, processes, controls, responsibilities, and implementation remain aligned with business needs, risks, legal requirements, and the organization’s security objectives. The review may consider governance, control design, control operation, risk treatment, compliance, incident trends, technology changes, supplier dependencies, and audit results. Control 5.4, Management responsibilities, is important because management must ensure personnel apply security according to policies and procedures, but it is not the control specifically focused on independent review. Control 5.24 concerns planning and preparation for incident management, which supports response capability but does not broadly assess the continuing suitability of the whole security approach. The phrase “suitable, adequate and effective” is a strong indicator of review and assurance. ISO/IEC 27002 uses independent review to challenge assumptions, detect weaknesses, and support continual improvement. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.4 Management responsibilities.

Control 7.2, Physical entry, is the correct control because the problem is unauthorized physical access to a server room. ISO/IEC 27002 expects secure areas to be protected by appropriate entry controls so that only authorized persons can enter. Authentication of identity at entry points may include badges, access cards, biometric verification, PINs, visitor registration, security guards, turnstiles, logs, escorts, or electronic access systems. The server room contains information processing facilities, and unauthorized physical access could lead to theft, tampering, cable disconnection, hardware compromise, installation of rogue devices, or direct access to consoles and storage media. Control 8.6, Capacity management, concerns resource capacity for information processing facilities, not physical access. Control 8.4, Access to source code, concerns protecting program source code from unauthorized access, not entry into a secure physical room. Because the scenario specifically says people can enter the server room without identity authentication, the matching ISO/IEC 27002 physical control is Control 7.2. References/Chapters: ISO/IEC 27002:2022, Control 7.2 Physical entry; Control 7.1 Physical security perimeter; Control 7.4 Physical security monitoring.

==========