PECB Lead Implementer (ISO/IEC 27001) — Question 66

Scenario 19: OperazeIT is a software development company that develops applications for various companies worldwide. Recently, the company conducted a risk assessment in response to the evolving digital landscape and emerging information security challenges. Through rigorous testing techniques like penetration testing and code review, the company identified issues in its IT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, OperazeIT implemented an information security management system (ISMS) based on ISO/IEC 27001.

In a collaborative effort involving the implementation team, OperazeIT thoroughly assessed its business requirements and internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties to establish the preliminary scope of the ISMS. Following this, the implementation team conducted a comprehensive review of the company’s functional units, opting to include most of the company departments within the ISMS scope. Additionally, the team decided to include internal and external physical locations, both external and internal issues referred to in clause 4.1, the requirements in clause 4.2, and the interfaces and dependencies between activities performed by the company. The IT manager had a pivotal role in approving the final scope, reflecting OperazeIT’s commitment to information security.

OperazeIT’s information security team created a comprehensive information security policy that aligned with the company’s strategic direction and legal requirements, informed by risk assessment findings and business strategies. This policy, alongside specific policies detailing security issues and assigning roles and responsibilities, were communicated internally and shared with external parties. The drafting, review, and approval of these policies involved active participation from top management, ensuring a robust framework for safeguarding information across all interested parties.

As OperazeIT moved forward, the company entered the policy implementation phase, with a detailed plan encompassing security definition, role assignments, and training sessions. Lastly, the policy monitoring and maintenance phase was conducted, where monitoring mechanisms were established to ensure the company’s information security policy is enforced and all employees comply with its requirements.

To further strengthen its information security framework. OperazeIT initiated a comprehensive gap analysis as part of the ISMS implementation process. Rather than relying solely on internal assessments, OperazeIT decided to involve the services of external consultants to assess the state of its ISMS. The company collaborated with external consultants, which brought a fresh perspective and valuable insights to the gap analysis process, enabling OperazeIT to identify vulnerabilities and areas for improvement with a higher degree of objectivity. Lastly, OperazeIT created a committee whose mission includes ensuring the proper operation of the ISMS, overseeing the company’s risk assessment process, managing information security-related issues, recommending solutions to nonconformities, and monitoring the implementation of corrections and corrective actions.

Based on the scenario above, answer the following question:

Which phase of information security policy development at OperazeIT did NOT encompass all the necessary components?

Answer options

Correct answer: A

Explanation

The correct answer is A, as the risk assessment phase primarily focused on identifying vulnerabilities and did not involve the comprehensive development of the policy itself. In contrast, policy construction and implementation phases included the necessary components such as drafting, reviewing, and executing the policies, ensuring that all aspects of information security were addressed.