ISO-IEC-27035-Lead-Incident-Manager Exam Dumps - PECB Certified ISO/IEC 27035 Lead Incident Manager

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-2:2016 is titled “Information security incident management — Part 2: Guidelines to plan and prepare for incident response.” This document provides detailed guidance on establishing an incident response capability, planning for incident response, and implementing effective response actions. It also emphasizes the importance of post-incident analysis and lessons learned to improve future incident handling.

Key activities covered in ISO/IEC 27035-2 include:

* Planning and preparing for incident handling (e.g., policy development, roles and responsibilities)

* Establishing and training the incident response team (IRT)

* Developing communication strategies and escalation procedures

* Conducting root cause analysis and collecting lessons learned

* Applying improvements to prevent recurrence

By contrast:

* ISO/IEC 27035-1 provides high-level principles of incident management (Part 1: Principles).

* ISO/IEC 27037 relates to the handling of digital evidence and is focused more on forensic practices than incident response preparation.

Reference Extracts:

* ISO/IEC 27035-2:2016, Introduction: “This part provides guidance on the planning and preparation necessary for effective incident response and for learning lessons from incidents.”

* ISO/IEC 27035-2:2016, Clause 6.5: “Lessons learned and reporting can help improve future incident response and provide input to risk assessments and control improvements.”

Comprehensive and Detailed Explanation:

Gap analysis is a structured method used to compare the current state of processes, capabilities, or systems against a desired or required state (such as compliance with ISO standards). The main goal is to determine what needs to change to achieve that future state. While identifying gaps (A) and assessing risks (C) may occur during the process, the primary purpose is strategic planning and improvement.

Comprehensive and Detailed Explanation From Exact Extract:

Internal exercises, such as simulations, tabletop exercises, and mock drills, are designed primarily to assess the readiness, coordination, and performance of the internal incident response team (IRT). According to ISO/IEC 27035-2:2016, these exercises aim to validate that the IRT understands their roles, follows documented procedures, and can act effectively under pressure.

While external collaboration (Options A and B) may be tested during joint exercises or industry-wide scenarios, the focus of internal exercises is on internal capabilities. These exercises help identify gaps in training, procedures, communication, and escalation pathways.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.3: “Exercises and simulations should be conducted to test the readiness of the incident response capability.”

NIST SP 800-84: “Regular exercises increase response efficiency and allow staff to develop incident handling confidence.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

The ‘detect and report’ phase, as defined in ISO/IEC 27035-1:2016 (Clause 6.2), includes the identification, classification, and initial reporting of information security events. If events meet certain thresholds—such as multiple failed login attempts from unknown IP addresses or matching threat indicators—they can and should be classified as potential incidents.

It is also appropriate to begin collecting supporting information during this phase. Gathering threat intelligence and performing basic vulnerability assessments help in confirming the scope and nature of the threat, allowing faster escalation and response.

Option B is incorrect because while deep forensic collection occurs later, preliminary data collection should begin during detection. Option C is incorrect as incident classification is explicitly allowed and encouraged in this phase.

Comprehensive and Detailed Explanation From Exact Extract:

Documenting recovery options and estimating recovery time objectives (RTOs) and data loss tolerances (Recovery Point Objectives – RPOs) is a crucial planning activity that supports decision-making during the containment and recovery phases. ISO/IEC 27035-2:2016, Clause 6.4.6 emphasizes that such documentation allows teams to:

Evaluate trade-offs between containment scope and data loss

Determine acceptable downtime for critical services

Select the most appropriate recovery strategy based on business impact

This documentation supports strategic thinking rather than rushed action, reducing the likelihood of costly decisions. It does not necessarily accelerate the process (Option C), nor is it designed to optimize performance (Option A).