PECB PECB Certified ISO/IEC 27035 Lead Incident Manager ISO-IEC-27035-Lead-Incident-Manager Exam Dumps: Updated Questions & Answers (September 2025)

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-2:2016 Clause 7.4.3 emphasizes the role of lessons learned reviews as key evaluation activities for assessing the performance of incident response teams. This activity involves post-incident debriefs to evaluate what went right or wrong and how response processes or team functions could improve.

While options A and C are related to broader security or deployment procedures, Option B directly reflects a formal evaluation mechanism used to gauge incident team effectiveness.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035 strongly encourages information sharing among trusted parties to enhance collective incident response capabilities and reduce the broader impact of cyber threats. Clause 6.5.6 in ISO/IEC 27035-1 highlights the importance of cooperation and communication with external parties, including industry-specific information-sharing forums, CERTs/CSIRTs, and trusted partners.

The practice of proactive information exchange allows organizations to:

Detect coordinated or widespread attacks

Accelerate response through shared indicators of compromise (IOCs)

Benefit from collective intelligence and incident analysis

Build sector-wide resilience

However, such exchanges must occur within well-defined protocols that preserve confidentiality, legal compliance, and operational integrity.

Option B and C reflect overly cautious or siloed approaches that may delay response or reduce the effectiveness of collaborative efforts.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.5.6: “Incident management should consider the importance of trusted collaboration, sharing of incident information, and threat intelligence between relevant entities.”

ENISA and FIRST.org also support this collaborative approach in their best practices.

Correct answer: A

—

Comprehensive and Detailed Explanation From Exact Extract:

Improving controls in incident management is a proactive activity focused on directly adjusting and strengthening existing defenses. As per ISO/IEC 27035-2:2016, Clause 7.4, this process typically involves identifying deficiencies, updating or implementing new technical or procedural controls, and revising policies.

While risk assessments inform control decisions, simply documenting their results does not constitute direct improvement of controls. Hence, Option A is not part of the control improvement process itself.

Comprehensive and Detailed Explanation:

According to ISO/IEC 27035-1:2016 and ISO/IEC 27001:2022, when defining the scope of an information security incident management system, organizations must consider all forms of information—whether digital or physical—that are relevant to the business. Incidents can affect hardcopy (e.g., paper-based records) and electronic data (e.g., emails, files), so both must be included in the scope assessment.

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016, an information security incident is any event that compromises the confidentiality, integrity, or availability of information. In this scenario, RoLawyers experienced an attack where their online database was overloaded with excessive traffic, resulting in a system crash. This incident made it impossible for employees to access the database for several hours.

This type of event is characteristic of a Denial-of-Service (DoS) attack. ISO/IEC 27035-1 Annex B provides examples of typical incidents, and one example includes “network-based attacks, including denial-of-service attacks.” A DoS attack typically aims to make a service or resource unavailable to its intended users by overwhelming it with traffic.

There is no indication in the scenario that the attackers were intercepting communications (as would be seen in a Man-in-the-Middle attack) or installing malware to damage or steal data. The nature of the attack—excess traffic causing a crash—clearly aligns with the definition of a DoS attack.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause B.2.1 (Examples of incident types): “Denial-of-service (DoS) attacks cause disruption or degradation of services.”

ISO/IEC 27035-1:2016, Clause 4.1: “An incident can result from deliberate attacks such as DoS, malicious code, or unauthorized access.”

Therefore, the incident faced by RoLawyers was a Denial-of-Service attack.

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-2:2016 is titled “Information security incident management — Part 2: Guidelines to plan and prepare for incident response.” This document provides detailed guidance on establishing an incident response capability, planning for incident response, and implementing effective response actions. It also emphasizes the importance of post-incident analysis and lessons learned to improve future incident handling.

Key activities covered in ISO/IEC 27035-2 include:

* Planning and preparing for incident handling (e.g., policy development, roles and responsibilities)

* Establishing and training the incident response team (IRT)

* Developing communication strategies and escalation procedures

* Conducting root cause analysis and collecting lessons learned

* Applying improvements to prevent recurrence

By contrast:

* ISO/IEC 27035-1 provides high-level principles of incident management (Part 1: Principles).

* ISO/IEC 27037 relates to the handling of digital evidence and is focused more on forensic practices than incident response preparation.

Reference Extracts:

* ISO/IEC 27035-2:2016, Introduction: “This part provides guidance on the planning and preparation necessary for effective incident response and for learning lessons from incidents.”

* ISO/IEC 27035-2:2016, Clause 6.5: “Lessons learned and reporting can help improve future incident response and provide input to risk assessments and control improvements.”

Comprehensive and Detailed Explanation From Exact Extract:

In an Incident Response Team (IRT), analysts and researchers are responsible for threat intelligence, data analysis, malware investigation, and providing in-depth technical insights. Their work directly supports the lead investigator by identifying root causes, attack vectors, indicators of compromise (IOCs), and evaluating threat actor tactics.

According to ISO/IEC 27035-2:2016, these roles are part of the broader support functions within an IRT and are crucial for technical depth and timely resolution of incidents.

Option A (IT support staff) may provide infrastructure-level assistance but typically lacks threat analysis capabilities. Option C (team leader) oversees coordination and communication but is not the primary intelligence resource.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.2.3: “Support roles may include malware analysts, forensic experts, and threat intelligence researchers.”

ENISA CSIRT Training Guide: “Analysts contribute to ongoing investigations by identifying attack patterns and supporting mitigation decisions.”

Correct answer: B

—

Comprehensive and Detailed Explanation From Exact Extract:

Indicators of Compromise (IOCs) are critical elements in incident management. They are forensic artifacts—such as file hashes, IP addresses, registry changes, or specific malware behavior—that help security analysts detect the presence of malicious activity. According to ISO/IEC 27035-2:2016 and supported by ISO/IEC 27043:2015, IOCs are used in the detection, containment, and analysis phases of incident handling.

Their primary role is to uncover evidence of malicious activity by:

Matching known patterns to suspected compromise

Supporting threat hunting and detection rules

Enabling faster identification of affected systems

While IOCs can support forensic analysis (Option A), their main purpose is to identify malicious behavior. Option B (assessing isolation measures) may be influenced by IOCs but is not their primary function.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 clearly states that documentation is essential for all information security incidents, regardless of severity. While prioritization is necessary, the standard recommends that events meeting the threshold of an information security incident (based on classification and assessment) must be recorded, along with the corresponding actions taken.

The practice described—documenting only high-severity incidents—may result in overlooking patterns in lower-priority events that could lead to significant issues if repeated or correlated.

Clause 6.4.5 of ISO/IEC 27035-1:2016 emphasizes that documentation should be thorough and begin from the detection phase through to response and lessons learned.

Option A is incorrect, as the standard does not permit selective documentation only for severe incidents. Option C misrepresents the intent of documentation, which must be concurrent with or shortly after incident handling—not only post-event.

Comprehensive and Detailed Explanation From Exact Extract:

During the response phase, one of the most critical activities—according to ISO/IEC 27035-1 and 27035-2—is the documentation of actions, decisions, and results. Clause 6.4.6 of ISO/IEC 27035-1 emphasizes that all activities must be logged to support post-incident analysis, audit trails, and lessons learned. This ensures that:

Accountability is maintained

Decisions can be reviewed

Investigations are legally sound (especially in regulated environments)

While restoring systems (Option C) typically occurs in the recovery phase, logging activities and outcomes is essential during the actual response. Change control processes (Option B) are supporting functions but are not core to the immediate response phase.