Free ISO-IEC-27001-Lead-Implementer Exam Braindumps

HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients’ data and medical history, and communicate with all the involved parties, including parents, other physicians, and the medical laboratory staff.
Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software. Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.
The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic’s patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients’ privacy.

HealthGenic is a Swedish pharmaceutical company that specializes in developing human therapeutics. The development process of human therapeutics requires analyzing the medical history of many patients. As the company handles sensitive information of millions of patients, an information security management system (ISMS) was critical to ensure the protection of their assets and improve their information security.
HealthGenic has had an ISMS in place for the past two years. Once the ISMS was implemented, HealthGenic changed its approach from correcting to preventing information security incidents. Since no issues were faced during the last two years, the top management of HealthGenic decided not to conduct a management review, nor did they appoint a team to perform the internal audits as planned. In addition, the IT team totally neglected the regular monitoring and measurement and performance evaluation processes.
Just before the recertification audit, the company asked most of their staff to compile the written individual reports of the past two years. This left the production sector with less than the optimum workforce, which decreased the company's stock.
Emma, HealthGenic's information security officer, was assigned by the top management to conduct the internal audit. As an employee of the company, Emma had access to all offices and documentation of HealthGenic. With hundreds of report pages written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever. Emma concluded that HealthGenic must have a better plan on monitoring the progress of their ISMS. In addition, she concluded that monitoring and measurement, performance evaluation, and management reviews should be conducted at planned intervals. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations.

Texas H&H Inc. is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. The company decided to utilize cloud storage services which best suited its needs, due to the large amount of data that the company processes daily. Recently, Texas H&H Inc. learned that the cloud storage provider that it uses has been publicly compromised.
Being aware of the high risk of data exposure, the security administrators of Texas H&H Inc. decided to undertake actions that could prevent a potential attack. In the absence of an information security incident management policy, their response was based on their knowledge gained from previous incidents. They tested their systems for any malicious activity or violation and checked if the cloud-based email settings were changed. By quickly responding to the exploited vulnerability that was found, the team was able to prevent the attack.
Once they made sure that the attackers do not have access in their system, the security administrators decided to proceed with the forensic analysis. They concluded that their access security system was not designed for threat detection, including the detection of malicious files which could be the cause of possible future attacks
Based on these findings, Texas H&H Inc. decided to modify its access security system to avoid future incidents and integrate an incident management policy in their information security policy that could serve as guidance for employees on how to respond to similar incidents.

TradeB is a consulting company headquartered in California. With years of expertise in creating business strategies, TradeB enables organizations to grow and build a competitive advantage through management consulting, technology, and design solutions. Since the company provides consultancy for many organizations performing in different sectors, it has established different teams with experts from various fields, including data scientists, designers, engineers, architects, linguists, which help organizations transform their business and achieve better results.
Due to the confidential nature of the information it handles, TradeB is obliged to ensure information security. To improve their information security, TradeB implemented an ISMS based on ISO/IEC 27001.
During the implementation process, TradeB was committed in ensuring that all staff members understand the importance of information security within the company. The information security training program was designed to ensure that employees of the company will consider the security aspects of their actions in their daily work.
Knowing that security threats are perpetual, TradeB decided to conduct weekly security awareness sessions at the beginning of the ISMS implementation process. Those awareness sessions were held by Alex, one of the information security experts contracted by TradeB. The training program was available for every employee of the company; however, its focus was to train employees outside the information security sector. Therefore, employees of the Finance Department were the first to be trained.
The training program covered threats faced by TradeB as well as best practices to be followed to mitigate those threats. Employees were trained to come up with and use strong passwords. In addition, by simulating realistic scenarios, employees were trained to recognize phishing or social engineering attacks. That way, they were able to put their skills into practice. The awareness sessions were also used to communicate information security processes and procedures within the company taking into account the confidentiality of the company's information.
However, the awareness sessions did not result successful as expected. Most of the employees of the Finance Department lacked information security expertise, so they found it challenging to understand some of the concepts and terminology used. They claimed that some of the issues being discussed were too technical and as such, they did not understand the sessions fully. Moreover, they claimed that their questions were not answered appropriately from the trainer, Alex.

Socket Inc. is a telecommunications company offering mainly wireless products and services. As it promote openness and sharing of data, it is quite challenging to protect the information resources that support its operations. For this reason, it uses a defined risk assessment process to ensure that the information security controls in place comply with the requirements of ISO/IEC 27001. The top management decided that all risks should be categorized based on the likelihood and impact, and risks categorized as "medium” and "high" are unacceptable and should be treated. In addition, they required to conduct a risk assessment prior to the development of new computer systems, the improvement of security features for any of their systems, and the use of third-party services.
Socket Inc. decided to use a cloud-based storage to store the customers’ personal data, but before starting the migration process they conducted a risk assessment. An excerpt of this risk assessment is presented in the table below:
Upon the risk assessment outcomes, Socket Inc. decided to:
• Require the use of passwords with at least 12 characters containing uppercase and lowercase letters, symbols, and numbers
• Require the change of passwords at least once every 60 days
• Keep backup copies of files on IT-provided network drives
• Assign users to a separate network when they have access to cloud storage files storing customers' personal data

Solena is an online retailer that offers technological products, such as desktops, laptops, and smartphones. Last year, Solena launched a new payment application which has improved the customer experience through the usage of machine learning algorithms which help the company to automatically charge customers.
Last month, attackers managed to breach the database and exposed the information of thousands Solena customers, including their names, addresses, and encrypted passwords.
Following the incident, the company received an increasingly high number of complaints. One of them involved Lucas, a loyal customer. He complained about not being able to access the website with his credentials and was continually asked to change his password. He would encounter the same problem every week and filed seven complaints toward Solena.
To address the complaints, Solena decided to deliver a press release, in which the representatives of Solena denied the attack. They claimed that the problem was technical and they were working toward a solution. The company asked for understanding from their customers and advised them to change their passwords every week until further notice. In the meantime, the attacker still had access to the data. After Solena investigated the incident, it was understood that the attackers used the credentials of the data-entry personnel to make the breach.

Antiques is the biggest online antique shop in Scotland. Their products include jewelry, clothing, furniture, and technology. They decided to build their own custom platform in-house and outsource the payment process to PayPal, a company operating online payment systems that supports online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information, employees of Antiques had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e-commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gained access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Antiques conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.

NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a combined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit. The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS. However, the company requested from the certification body that the documentation could not be carried off-site.
However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement. The company asserted that the same audit team leader issued a recommendation for certification to its mam competitor, which, for the company’s top management, was a potential conflict of interest. The request was not accepted by the certification body.

OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers. During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures. He identified and evaluated several system vulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed. After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan. The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department.
The approved action plan was implemented and all actions described in the plan were documented.

SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on ISO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly.
Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company’s stock.
Tessa was SunDee’s internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever. Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee’s negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management.

InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future.
Emma, Bob, and Anna were hired as the new members of InfoSec’s information security team, which consists of a security architecture team, an incident response team (IRT) and a forensics team. Emma’s job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively. Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.
Bob, a network expert, will deploy a screened subnet network architecture. This architecture will isolate the demilitarized zone (DMZ) to which hosted public services are attached and InfoSec’s publicly accessible resources from their private network. Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company’s network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect.
Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company’s information security incident management policy beforehand.
Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.

Skyver offers worldwide shipping of electronic products, including gaming consoles, flat-screen TVs, computers, and printers. In order to ensure information security, the company has decided to implement an information security management system (ISMS) based on the requirements of ISO/IEC 27001.
Colin, the company’s best information security expert, decided to hold a training and awareness session for the personnel of the company regarding the information security challenges and other information security-related controls. The session included topics such as Skyver’s information security approaches and techniques for mitigating phishing and malware.
One of the participants in the session is Lisa, who works in the HR Department. Although Colin explains the existing Skyver’s information security policies and procedures in an honest and fair manner, she finds some of the issues being discussed too technical and does not fully understand the session. Therefore, in a lot of cases, she requests additional help from the trainer and her colleagues.

Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration testing and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security. Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties. In addition, the top management of Operaze decided to include most of the company’s departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties. In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled. However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company. Operaze’s top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze’s top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.

TradeB, a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001. Having no experience of a management system implementation, TradeB’s top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives. Based on this analysis, they drafted the Statement of Applicability Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high-risk category. They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity.
Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted.

Socket Inc. is a telecommunications company offering mainly wireless products and services. It uses MongoDB, a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately, Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access. The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.

Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers’ information. Beauty’s employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e-commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gained access to their files and exposed customers’ information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.

InVid Electric is an American company that specializes in manufacturing, developing, and selling network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a combined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, InVid Electric prepared the employees for the audit. The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS. However, the company requested from the certification body that the documentation could not be carried off-site.
Nonetheless, the audit was not performed within the scheduled time frame because InVid Electric rejected the assigned audit team leader and requested their replacement. According to the top management reasoning, the audit team leader represented a potential conflict of interest as the same audit team leader issued a recommendation for certification to InVid Electric’s main competitor.

TroNicon SPEC provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers. Due to the confidential nature of the information it handles, the company is obliged to ensure information security through globally recognized compliance frameworks; hence the decision to seek ISO/IEC 27001 certification.
TroNicon SPEC adopted a new approach to the privacy and security of information with a focus on preventing information security incidents, which before the ISMS implementation was based on informal information security practices.
The ISMS implementation helped TroNicon SPEC to reduce information security risks and formalize the company's operations. Even though the company remained confident that its ISO/IEC 27001 certification will be granted, some minor nonconformities were reported after a third-party audit was conducted and TroNicon SPEC was required to submit an action plan for each minor nonconformity within a period of three months.
One of the nonconformities related to control 8.13 Information backup was analyzed and after using a cause-and-effect diagram, TroNicon SPEC concluded that the backup was not performed on a daily basis as required by their backup procedure, because of improper formatting of the information backup medium. To resolve this nonconformity, TroNicon SPEC submitted the following action plan: “The backup procedure will be updated to ensure that information backup is effectively managed by the Information and Communication Technology (ICT) Department (time frame: three weeks).”
On the other hand, after analyzing the implementation costs of corrective actions related to a nonconformity to control 5.17 Authentication information, the top management decided to accept the risk; hence drafting an action plan was unnecessary. They informed the internal auditor about this decision.