PECB ISO/IEC 27002 Foundation Exam ISO-IEC-27002-Foundation Exam Dumps: Updated Questions & Answers (June 2026)

Control 8.28, Secure coding, is the correct control because the question focuses on software being written securely and reducing potential vulnerabilities in the code. Secure coding addresses the practices, rules, and techniques developers should use to avoid common software weaknesses. This can include input validation, output encoding, error handling, authentication handling, secure session management, memory safety, protection against injection, secure API use, cryptographic correctness, dependency management, and code review. Control 8.29, Security testing in development and acceptance, verifies whether security requirements and controls are effective, but testing occurs after or during development and does not itself define how code should be written. Control 8.26, Application security requirements, defines security requirements for applications, but secure coding is the specific implementation practice that reduces vulnerabilities during software construction. ISO/IEC 27002 treats secure development as a lifecycle discipline: requirements define what is needed, secure coding implements it safely, and testing validates it. The direct match to the exam wording is Control 8.28. References/Chapters: ISO/IEC 27002:2022, Control 8.28 Secure coding; Control 8.26 Application security requirements; Control 8.29 Security testing in development and acceptance.

==========

A digital customer identity is the best example of an organizational asset in cyberspace because it exists, functions, and is protected within digital systems, networks, applications, and online services. ISO/IEC 27002 treats identities, authentication information, access rights, and digital accounts as critical security subjects because compromise of identity can enable unauthorized access, fraud, impersonation, privacy breaches, and loss of accountability. A digital customer identity can include usernames, identifiers, credentials, account attributes, authentication factors, access permissions, profile data, and linked personal information. Medical data and intellectual property are also important information assets, but the phrase “asset in cyberspace” points most directly to a digitally represented identity used for electronic interaction. ISO/IEC 27002 contains several controls that protect this asset type, including identity management, authentication information, access rights, secure authentication, and access restriction. These controls ensure that identities are created, maintained, verified, modified, disabled, and removed in a controlled manner. The exam logic therefore favors option B because cyberspace emphasizes digital identity and online representation. References/Chapters: ISO/IEC 27002:2022, Control 5.16 Identity management; Control 5.17 Authentication information; Control 5.18 Access rights; Control 8.5 Secure authentication.

==========

Under Control 5.1, information security policies should include statements that define direction, responsibilities, and policy expectations, including how exemptions and exceptions are handled. Exception handling is important because policies cannot be treated casually or bypassed informally. When an exception is necessary, it should be justified, approved, documented, time-bound where appropriate, risk-assessed, and reviewed. This preserves governance and ensures deviations do not become uncontrolled weaknesses. Option A, recovery from a data breach, is important but belongs more naturally to incident management, business continuity, and response planning rather than the general information security policy statement. Option C, procedures for using automated information systems, may be addressed in acceptable use or operational procedures, but it is not the best match for Control 5.1’s policy content. The information security policy establishes the authority and framework for topic-specific policies and procedures. It should include high-level statements on objectives, principles, responsibilities, compliance expectations, and exception management. Therefore, option B is verified. References/Chapters: ISO/IEC 27002:2022, Control 5.1 Policies for information security; Control 5.36 Compliance with policies, rules and standards for information security; Control 5.37 Documented operating procedures.

==========

Control 5.37, Documented operating procedures, aims to ensure the correct and secure operation of information processing facilities. Operating procedures translate security and operational requirements into repeatable instructions for administrators, operators, support teams, and users. They can cover system startup and shutdown, backup, restoration, logging, error handling, media handling, job scheduling, maintenance, incident escalation, access administration, and secure processing steps. Without documented procedures, operations become inconsistent and dependent on individual memory or informal practice, increasing the likelihood of mistakes, outages, unauthorized changes, or insecure handling. Control 7.2, Physical entry, protects secure physical areas by controlling access to facilities, but it does not define operational procedures. Control 5.35, Independent review of information security, assesses whether the information security approach remains suitable, adequate, and effective, but it does not provide the day-to-day operating instructions. ISO/IEC 27002 places documented procedures in the organizational control group because reliable operation requires governance, clarity, and repeatability. Therefore, option B is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.37 Documented operating procedures; Control 7.2 Physical entry; Control 5.35 Independent review of information security.

==========

The “Act” phase is the phase in which an organization maintains and improves the information security management system. In the PDCA logic, “Plan” establishes objectives, policies, processes, risk treatment plans, and controls. “Do” implements and operates the planned processes and controls. “Check” monitors, measures, audits, and reviews performance. “Act” uses the results of checking to correct weaknesses, improve effectiveness, and adapt the ISMS to changing conditions. ISO/IEC 27002 is not itself the PDCA requirements standard, but its controls support the management system lifecycle used by ISO/IEC 27001. Examples include independent review of information security, compliance review, learning from incidents, management of vulnerabilities, and change management. These controls generate findings and lessons that feed improvement actions. “Do” is not the best answer because it focuses on implementation. “Check” is not the best answer because it evaluates performance but does not itself complete improvement. The phase that maintains and improves the ISMS is “Act.” References/Chapters: ISO/IEC 27002:2022, Control 5.35 Independent review of information security; Control 5.27 Learning from information security incidents; ISO/IEC 27001 PDCA-based management system model.

==========

When an employee leaves the organization or changes roles, their information security responsibilities should be identified and transferred appropriately. ISO/IEC 27002 emphasizes that responsibilities must remain clear throughout the employment lifecycle, including changes and termination. Security duties cannot simply disappear when a person leaves a role. Examples include ownership of assets, approval duties, incident response responsibilities, privileged access administration, supplier contact responsibilities, classification decisions, or operational security tasks. The organization should determine which responsibilities the employee holds, remove responsibilities that no longer apply, revoke or adjust access rights, and assign continuing responsibilities to another competent person. Option B is too limited because documenting responsibilities in a termination policy does not ensure that active duties are transferred. Option C is incorrect because outsourcing is not required and may introduce additional supplier risk. The central ISO/IEC 27002 principle is continuity of accountability: responsibilities must be maintained even when personnel move, leave, or change duties. This also supports least privilege because access and responsibilities should match the current role. References/Chapters: ISO/IEC 27002:2022, Control 6.5 Responsibilities after termination or change of employment; Control 5.2 Information security roles and responsibilities; Control 5.18 Access rights.

==========

A PII controller is the privacy stakeholder that determines the purposes and means of processing personally identifiable information. This means the controller decides why PII is processed, what PII is needed, how it is processed, how long it is retained, who receives it, and which controls are required. Option A describes the PII principal, which is the natural person to whom the PII relates. Option C describes a PII processor, which processes PII on behalf of and according to the instructions of the controller. ISO/IEC 27002 includes privacy and PII protection as part of its information security control guidance where privacy obligations apply. The distinction matters because controllers carry decision-making responsibility and accountability for lawful, secure, and appropriate processing. Processors must protect the information but do not independently determine the processing purpose. Relevant controls include privacy and protection of PII, access control, supplier relationships, information deletion, data masking, data leakage prevention, and cloud service controls. The verified answer is therefore option B. References/Chapters: ISO/IEC 27002:2022, Control 5.34 Privacy and protection of PII; Control 5.19 Information security in supplier relationships; Control 8.11 Data masking.

==========

Accidental changes compromise integrity. Integrity is the property that information remains accurate, complete, and protected against unauthorized or improper modification. Even when a change is accidental rather than malicious, the effect is the same from an integrity perspective: the information may no longer be trustworthy. ISO/IEC 27002 supports integrity through many controls, including access control, change management, configuration management, backup, logging, secure coding, malware protection, segregation of duties, and separation of development, test, and production environments. Availability would be affected if information or systems were not accessible or usable when required. Confidentiality would be affected if information were disclosed or made available to unauthorized parties. The question specifically mentions accidental changes, not unavailability or disclosure, so integrity is the correct principle. This distinction is central to information security because different principles require different controls. For example, preventing accidental changes may require access restrictions, validation, change approval, version control, monitoring, and recovery procedures. References/Chapters: ISO/IEC 27002:2022, Clause 4 control attributes; Control 8.32 Change management; Control 8.9 Configuration management; Control 8.13 Information backup.

==========

Control 7.9, Security of assets off-premises, belongs to the physical control group. ISO/IEC 27002:2022 organizes controls into four themes: organizational controls, people controls, physical controls, and technological controls. Controls in Clause 7 are physical controls, and Control 7.9 specifically addresses protection of organizational assets when they are outside the organization’s premises. This includes laptops, mobile devices, storage media, documents, portable equipment, and other assets used during travel, remote work, home working, customer visits, supplier sites, or field operations. Off-premises use increases physical risk because assets may be exposed to theft, loss, damage, unauthorized viewing, insecure storage, or uncontrolled environments. Although technological measures such as encryption and remote wipe may support this control, the control itself is placed in the physical theme because its focus is the secure handling and protection of assets outside controlled facilities. Option A is incorrect because organizational controls are in Clause 5. Option C is incorrect because technological controls are in Clause 8. References/Chapters: ISO/IEC 27002:2022, Clause 7 Physical controls; Control 7.9 Security of assets off-premises; Clause 4 Structure of the standard.

==========

Organizations can manage the security of large networks by dividing them into separate network domains and separating them from the public network where appropriate. This reflects the principle of network segregation, which reduces the ability of an attacker, malware, or unauthorized user to move freely across the environment. Separate domains can be based on trust level, business function, system criticality, data sensitivity, user group, supplier access, development environment, or regulatory requirement. ISO/IEC 27002 supports this through network security, network segregation, access control, and secure architecture practices. Option B is incorrect because including internal domains into the public network would increase exposure and weaken boundaries. Option C is not realistic or aligned with modern enterprise architecture; organizations often need integrated services, users, and systems, but they must integrate them securely. Segmentation allows controlled communication through firewalls, gateways, routing rules, access controls, monitoring, and filtering. The goal is not isolation for its own sake, but risk-based separation and controlled connectivity. Therefore, option A is verified. References/Chapters: ISO/IEC 27002:2022, Control 8.20 Network security; Control 8.22 Segregation of networks; Control 5.15 Access control.

==========