Practice Free ISO-IEC-27002-Foundation ISO/IEC 27002 Foundation Exam Exam Questions Answers With Explanation

The main purpose of Control 5.12, Classification of information, is to ensure that protection needs are identified and understood based on the importance of information. Classification gives information a defined sensitivity or value level, such as public, internal, confidential, or restricted, depending on the organization’s scheme. This classification then drives handling rules, access restrictions, labelling, retention, transfer methods, storage requirements, encryption decisions, and disposal practices. Option B describes the purpose of Control 5.13, Labelling of information, which communicates classification and can support automated information handling. Option C describes the general purpose of access control, especially Control 5.15 and related access rights controls. Classification is foundational because the organization cannot apply proportionate protection unless it understands the value, sensitivity, criticality, legal status, and business impact of the information. ISO/IEC 27002 expects classification to consider confidentiality, integrity, availability, and relevant interested-party requirements. Therefore, option A is the verified answer because it precisely matches the purpose of classifying information. References/Chapters: ISO/IEC 27002:2022, Control 5.12 Classification of information; Control 5.13 Labelling of information; Control 5.15 Access control.

A PII controller is the privacy stakeholder that determines the purposes and means of processing personally identifiable information. This means the controller decides why PII is processed, what PII is needed, how it is processed, how long it is retained, who receives it, and which controls are required. Option A describes the PII principal, which is the natural person to whom the PII relates. Option C describes a PII processor, which processes PII on behalf of and according to the instructions of the controller. ISO/IEC 27002 includes privacy and PII protection as part of its information security control guidance where privacy obligations apply. The distinction matters because controllers carry decision-making responsibility and accountability for lawful, secure, and appropriate processing. Processors must protect the information but do not independently determine the processing purpose. Relevant controls include privacy and protection of PII, access control, supplier relationships, information deletion, data masking, data leakage prevention, and cloud service controls. The verified answer is therefore option B. References/Chapters: ISO/IEC 27002:2022, Control 5.34 Privacy and protection of PII; Control 5.19 Information security in supplier relationships; Control 8.11 Data masking.

==========

Control 8.19, Installation of software on operational systems, aims to ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities. Software installed in production can introduce malware, insecure configurations, untested functionality, compatibility problems, unauthorized tools, or vulnerable components. ISO/IEC 27002 therefore expects installation on operational systems to be controlled, authorized, tested, and managed. This protects live systems from unauthorized or inappropriate software that could weaken security or disrupt operations. Control 8.15, Logging, records events and supports monitoring, investigation, accountability, and detection, but it does not primarily control software installation. Control 8.17, Clock synchronization, ensures consistent time settings across systems so logs, events, and transactions can be correlated accurately. It is important but not the control aimed at preventing exploitation through software installation weaknesses. The exam phrase “integrity of operational systems” is directly aligned with controlling what software is installed in production. Therefore, option A is verified. References/Chapters: ISO/IEC 27002:2022, Control 8.19 Installation of software on operational systems; Control 8.8 Management of technical vulnerabilities; Control 8.32 Change management.

==========

Control 8.31, Separation of development, testing and operational environments, aims to protect the production environment and production data from unauthorized or inappropriate change, exposure, or disruption. Development and testing activities often involve code changes, debugging, experimental configurations, test accounts, incomplete controls, and simulated transactions. If these activities occur directly in production, they can compromise confidentiality, integrity, and availability. Separation reduces the risk that untested software, test data, developer privileges, or debugging tools affect live systems and real business information. Control 5.13, Labelling of information, supports correct handling by communicating classification and protection needs, but it does not specifically protect production environments. Control 6.6, Confidentiality or non-disclosure agreements, supports legal and people-related confidentiality commitments, but it does not directly separate technical environments. The exam logic focuses on the control whose stated purpose is to protect production systems and data from risks introduced by development and testing. Therefore, option B is correct. References/Chapters: ISO/IEC 27002:2022, Control 8.31 Separation of development, testing and operational environments; Control 8.32 Change management; Control 8.29 Security testing in development and acceptance.

==========

A fire alarm is a detective and technical control. It is detective because it identifies or signals that a fire-related event may be occurring. The alarm does not normally stop the fire from starting, and it does not restore damaged assets after the event. Its purpose is to detect indicators such as smoke, heat, or fire and trigger response actions such as evacuation, suppression, emergency communication, or incident handling. It is technical because it operates through engineered or electronic mechanisms rather than through management approval, legal clauses, or purely administrative processes. ISO/IEC 27002:2022 classifies controls using attributes, including control type. Control types include preventive, detective, and corrective. Fire alarms align with the physical security control area because fire is a physical and environmental threat to information processing facilities, equipment, storage media, and supporting infrastructure. The value of the control is timely detection, reducing the chance that a physical event escalates unnoticed into major damage or service disruption. References/Chapters: ISO/IEC 27002:2022, Clause 4 control attributes; Control 7.4 Physical security monitoring; Control 7.5 Protecting against physical and environmental threats.

==========

Control 5.35, Independent review of information security, is the control intended to ensure that the organization’s approach to managing information security remains suitable, adequate, and effective. Independent reviews provide objective evaluation of whether policies, processes, controls, responsibilities, and implementation remain aligned with business needs, risks, legal requirements, and the organization’s security objectives. The review may consider governance, control design, control operation, risk treatment, compliance, incident trends, technology changes, supplier dependencies, and audit results. Control 5.4, Management responsibilities, is important because management must ensure personnel apply security according to policies and procedures, but it is not the control specifically focused on independent review. Control 5.24 concerns planning and preparation for incident management, which supports response capability but does not broadly assess the continuing suitability of the whole security approach. The phrase “suitable, adequate and effective” is a strong indicator of review and assurance. ISO/IEC 27002 uses independent review to challenge assumptions, detect weaknesses, and support continual improvement. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.4 Management responsibilities.

Control 7.9, Security of assets off-premises, belongs to the physical control group. ISO/IEC 27002:2022 organizes controls into four themes: organizational controls, people controls, physical controls, and technological controls. Controls in Clause 7 are physical controls, and Control 7.9 specifically addresses protection of organizational assets when they are outside the organization’s premises. This includes laptops, mobile devices, storage media, documents, portable equipment, and other assets used during travel, remote work, home working, customer visits, supplier sites, or field operations. Off-premises use increases physical risk because assets may be exposed to theft, loss, damage, unauthorized viewing, insecure storage, or uncontrolled environments. Although technological measures such as encryption and remote wipe may support this control, the control itself is placed in the physical theme because its focus is the secure handling and protection of assets outside controlled facilities. Option A is incorrect because organizational controls are in Clause 5. Option C is incorrect because technological controls are in Clause 8. References/Chapters: ISO/IEC 27002:2022, Clause 7 Physical controls; Control 7.9 Security of assets off-premises; Clause 4 Structure of the standard.

==========