ISO/IEC 27032 Lead Cybersecurity Manager Exam

Example questions

Page 1 of 16
GENERAL INFORMATION TO THE CANDIDATE

1. This exam is an essay-type "open book" exam.

2. The number of questions is 12

3. Minimum passing score is 70%

4. The exam will last 3 hours. Non-native speakers receive an additional half an hour.

5. You are only authorized to use the following reference materials:

 - A copy of the standard in paper copy.
 - Course notes from the Participant Handout.
 - Any personal notes made by the student during the course.
 - A hard copy dictionary.

6. All electronic devices shall be turned off, including cellular phones.

7. You are allowed to keep and consume non-alcoholic drinks during the exam

8. Please inform the invigilator when you need to use the restroom (more than one person cannot leave the room at the same time).

9. If you finish early, stay in your seat and raise your hand.

Question 1 (5 points): Please explain why risk management needs to be performed
in cybersecurity management.

Question 2 (5 points): For each of the following ISO/IEC 27001:2013 controls,
indicate if the control is an application level control, a server protection control, an
end-user control, control against social engineering attacks or a cybersecurity
readiness control:

1. A.9.4.2 - Secure log-on procedures

2. A.10.1.2 - Key management

3. A.12.2.1 - Controls against malware

4. A.9.1.1 - Access control policy

5. A.13.2.3 - Electronic messaging

Question 3 (5 points): Please explain why customers are considered stakeholders and how you can gain their commitment.

Question 4 (10 points): ISO/IEC 27032 requires risk assessment based on assets.
Other methodologies require risk assessment based on processes. Is there an
added-value to perform asset-based risk assessment for cybersecurity? Wouldn’t
process-based risk assessment be better adapted for cybersecurity? Please justify.

Question 5 (5 points): How can you educate end-users on how they can contribute
to cybersecurity? Please elaborate some of the measures that you would implement
to ensure this.

Question 6 (10 points): For each of the following clauses/controls of the ISO/IEC
27032 standard, please provide an action plan with at least two concrete actions that
would be acceptable to ensure conformity to the clause and fulfill control objectives.

1. 12.2.c - Secure input validation and handling to prevent common attacks such
as SQL-Injection

2. 12.3.g - Perform regular vulnerability assessments and security testing for the
online sites and applications to ensure that their security is adequately maintained

3. 12.4.b - Use of the latest supported software applications, with the most
updated patches installed.

4. 12.4.g - Use other available web browser security features.

5. 12.5.3.2.d - When to report or escalate a suspected event or malicious application to the appropriate authorities or response agency, and information on these contacts available.

Question 7 (5 points):
Contrary to ISO/IEC 27001, ISO/IEC 27032 doesn't have strong requirements regarding management commitment. Why do you think this is so? Isn't management commitment important for cybersecurity?

Question 8 (5 points):

ISO/IEC 27032 makes a differentiation between threats and threat agents. Is this
differentiation useful? Why would cybersecurity need such a differentiation?

Question 9 (5 points): The benefits of a cybersecurity management program
include compliance, marketing edge, decreased costs and optimization of business
processes. Please describe another benefit of implementing a cybersecurity
management program.

Question 10 (10 points): For each of the following controls of the ISO/IEC 27032
standard, please provide two examples of metrics that would be acceptable to
measure the conformity to the control.

1. 12.2.a - Display of short notices

2. 12.3.c - Monitor the security performance of the server through regular reviews of the audit trails

3. 12.4.b - Use of the latest supported software applications

4. 12.5.2 - Administrative policies promoting awareness and understanding of
Cybersecurity risks

5. 12.5.3.3.a - Test servers and contents are all within the control and command of the testing team

Question 11 (5 points): Clauses 11.2 and 13.6 of the ISO/IEC 27032 standard state
that the organization needs to create cybersecurity objectives. What would be
examples of such cybersecurity objectives and how would you measure them?

Question 12 (5 points): ISO/IEC 27032 requires that vulnerabilities be considered
when performing a risk assessment (9.3). However, ISO 31000, the risk
management standard, doesn’t even mention vulnerabilities. Should a cybersecurity
risk professional take vulnerabilities into consideration and why?
