PECB ISO-IEC-27005-Risk-Manager Exam - Topic 1 Question 18 Discussion

Actual exam question for PECB's ISO-IEC-27005-Risk-Manager exam
Question #: 18
Topic #: 1

Scenario 1

The risk assessment process was led by Henry, Bontton's risk manager. The first step that Henry took was identifying the company's assets. Afterward, Henry created various potential incident scenarios. One of the main concerns regarding the use of the application was the possibility of being targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks during that time. After analyzing the identified risks, Henry evaluated them and concluded that new controls must be implemented if the company wants to use the application. Among others, he stated that training should be provided to personnel regarding the use of the application and that awareness sessions should be conducted regarding the importance of protecting customers' personal data.

Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks.

Based on scenario 1, Bontton used ISO/IEC 27005 to ensure effective implementation of all ISO/IEC 27001 requirements. Is this appropriate?

A) Yes, ISO/IEC 27005 provides direct guidance on the implementation of the requirements given in ISO/IEC 27001
B) Yes, ISO/IEC 27005 provides a number of methodologies that can be used under the risk management framework for implementing all requirements given in ISO/IEC 27001
C) No, ISO/IEC 27005 does not contain direct guidance on the implementation of all requirements given in ISO/IEC 27001

Suggested Answer: B

ISO/IEC 27005 is the guidance standard of the ISO/IEC 27000 family for information security risk management. It adds no requirements of its own; it describes methodologies for the risk management process (establishing the context, identifying risks through an asset-based or event-based approach, analyzing and evaluating them, selecting treatment options, and communicating and monitoring the results) that an organization can apply to satisfy the risk-related requirements of ISO/IEC 27001, in particular the risk assessment and risk treatment clauses (6.1.2, 6.1.3, 8.2 and 8.3). Henry's process in the scenario follows that methodology: he identified the assets, built incident scenarios, analyzed and evaluated the risks, proposed controls such as training and awareness sessions, and reported the results to top management, which decided on treatment before use of the application. Option A is incorrect because ISO/IEC 27005 is guidance rather than a specification: it does not prescribe how each ISO/IEC 27001 requirement is to be implemented. The practical caveat is that ISO/IEC 27005 covers the risk management part of the ISMS; requirements outside that part (leadership, support, performance evaluation, improvement) still have to be implemented from ISO/IEC 27001 itself and its other supporting standards.


Contribute your Thoughts:

Tijuana
2 months ago
Sounds like a solid approach, but I'm skeptical about its completeness.
upvoted 0 times
Minna
3 months ago
Wait, does it really cover all requirements?
upvoted 0 times
Beatriz
3 months ago
I think it provides good methodologies, but not everything.
upvoted 0 times
Salena
3 months ago
Totally agree, it helps with ISO/IEC 27001 too.
upvoted 0 times
Darell
3 months ago
ISO/IEC 27005 is all about risk management!
upvoted 0 times
Theresia
4 months ago
I practiced a similar question where we discussed the relationship between these two standards, and I think B is the right choice since it emphasizes methodologies.
upvoted 0 times
Lettie
4 months ago
I feel like I read somewhere that ISO/IEC 27005 doesn't cover every detail of ISO/IEC 27001, so I might lean towards option C.
upvoted 0 times
Alpha
4 months ago
I think option B makes sense because ISO/IEC 27005 does provide methodologies for risk management, which could help in implementing ISO/IEC 27001.
upvoted 0 times
Lelia
4 months ago
I remember that ISO/IEC 27005 is focused on risk management, but I'm not sure if it directly guides all ISO/IEC 27001 requirements.
upvoted 0 times
Pok
4 months ago
I feel pretty confident about this one. The scenario describes a risk assessment process that aligns with the guidance in ISO/IEC 27005, and it mentions that the company wants to implement the requirements of ISO/IEC 27001. So option B seems like the best answer, as ISO/IEC 27005 can provide methodologies to support that implementation.
upvoted 0 times
Avery
5 months ago
Okay, based on the information provided, it seems like ISO/IEC 27005 is focused on risk management, which could support the implementation of the requirements in ISO/IEC 27001. I'm leaning towards option B, but I'll double-check the details to make sure I'm understanding this correctly.
upvoted 0 times
Deeanna
5 months ago
Hmm, I'm a bit confused about the connection between these two standards. The scenario talks about risk assessment, but I'm not sure how that relates to the implementation of all ISO/IEC 27001 requirements. I'll need to think this through carefully.
upvoted 0 times
Veronika
5 months ago
This seems like a straightforward question about the relationship between ISO/IEC 27005 and ISO/IEC 27001. I think I can approach it by carefully reviewing the details in the scenario and then considering how the two standards might work together.
upvoted 0 times
Lamonica
10 months ago
I'm with the majority on this one - C is the way to go. ISO/IEC 27005 is like a trusty map, but you still need the GPS (ISO/IEC 27001) to get you to your destination.
upvoted 0 times
Kina
9 months ago
C) No, ISO/IEC 27005 does not contain direct guidance on the implementation of all requirements given in ISO/IEC 27001
upvoted 0 times
Christoper
9 months ago
B) Yes, ISO/IEC 27005 provides a number of methodologies that can be used under the risk management framework for implementing all requirements given in ISO/IEC 27001
upvoted 0 times
Tarra
10 months ago
A) Yes, ISO/IEC 27005 provides direct guidance on the implementation of the requirements given in ISO/IEC 27001
upvoted 0 times
Lelia
10 months ago
Haha, I bet Henry was feeling like a superhero leading that risk assessment! But yeah, C is the right answer - ISO/IEC 27005 is more of a sidekick, not the main event when it comes to implementing ISO/IEC 27001.
upvoted 0 times
Laura
9 months ago
Totally, it's important to use the right tools for effective implementation.
upvoted 0 times
Rosita
9 months ago
C is the right answer - ISO/IEC 27005 is more of a sidekick in implementing ISO/IEC 27001.
upvoted 0 times
Omer
9 months ago
Yeah, he did a great job identifying and evaluating the risks.
upvoted 0 times
Truman
10 months ago
Henry definitely had his superhero moment during the risk assessment!
upvoted 0 times
Laurel
10 months ago
I agree with C. ISO/IEC 27005 is a risk management standard, not a direct implementation guide for ISO/IEC 27001. Bontton should have used both standards together to ensure effective implementation.
upvoted 0 times
Carry
10 months ago
I'm not sure about that. I think ISO/IEC 27005 does not contain direct guidance on implementing all ISO/IEC 27001 requirements.
upvoted 0 times
Salome
10 months ago
The correct answer is C. ISO/IEC 27005 provides guidance on risk management, but it does not directly cover the implementation of all ISO/IEC 27001 requirements. Bontton should have used ISO/IEC 27001 itself for that purpose.
upvoted 0 times
Merissa
10 months ago
Yes, ISO/IEC 27005 focuses on risk management, not the direct implementation of ISO/IEC 27001 requirements.
upvoted 0 times
Hayley
10 months ago
I think Bontton should have used ISO/IEC 27001 instead of ISO/IEC 27005 for implementing the requirements.
upvoted 0 times
Mary
10 months ago
I agree with Vincent. ISO/IEC 27005 offers methodologies for implementing requirements under the risk management framework.
upvoted 0 times
Vincent
11 months ago
I think using ISO/IEC 27005 is appropriate because it provides direct guidance on implementing ISO/IEC 27001 requirements.
upvoted 0 times