PECB Certified ISO/IEC 27005 Risk Manager


EXAM PREPARATION GUIDE

PECB Certified ISO/IEC 27005 Risk Manager

PECB-820-7- ISO/IEC 27005 RM Exam Preparation Guide

The objective of the “Certified ISO/IEC 27005 Risk Manager” examination is to ensure that the candidate has the knowledge and the skills to master the basic risk management elements related to all assets of relevance for information security using the ISO/IEC 27005:2011 standard as a reference framework.

The target population for this examination is:

- Risk managers
- Persons responsible for information security or conformity within an organization
- Members of the information security team
- IT consultants
- Staff implementing or seeking to comply with ISO/IEC 27001 or involved in a risk management program

The exam content covers the following domains:

- Domain 1: Fundamental Concepts, Approaches, Methods and Techniques of Information Security Risk Management
- Domain 2: Implementation of an Information Security Risk Management Program
- Domain 3: Information Security Risk Assessment Based on ISO/IEC 27005

Page 2 of 10

The content of the exam is divided as follows:

Domain 1: Fundamental Concepts, Approaches, Methods and Techniques of Information Security Risk Management

Main objective: To ensure that the ISO/IEC 27005 Risk Manager candidate can understand, interpret and illustrate the main risk management guidelines and concepts related to risk management frameworks based on ISO/IEC 27005.

Competencies

1. Understand and explain the operations of the ISO organization and the development of risk management standards.
2. Ability to identify, analyze and evaluate the guidance coming from risk management frameworks for an organization.
3. Ability to explain and illustrate the main concepts in information security and information security risk management.
4. Ability to distinguish and explain the difference between information asset, data and record.
5. Understand, interpret and illustrate the relationship between the concepts of asset, vulnerability, threat, impact and controls.
6. Ability to distinguish the relationship between ISO/IEC 27005, ISO/IEC 27001, ISO/IEC 27002 and ISO 31000.

Knowledge statements

1. Knowledge of the application of the eight ISO management principles to information security risk management.
2. Knowledge of the main standards in risk management.
3. Knowledge of the different sources of risk management frameworks for an organization: laws, regulations, international and industry standards, contracts, market practices, internal policies.
4. Knowledge of the main information security concepts and terminology as described in ISO 27000.
5. Knowledge of the concept of risk and its application in information security.
6. Knowledge of the relationship between the concepts of asset, vulnerability, threat, impact and controls.
7. Knowledge of the difference between preventive, detective and corrective controls and their characteristics.
8. Knowledge of the relationship and differences between ISO/IEC 27005, ISO/IEC 27001, ISO/IEC 27002 and ISO 31000.

Domain 2: Implementation of an Information Security Risk Management Program

Main objective: To ensure that the ISO/IEC 27005 Risk Manager candidate can implement the processes of a risk management reference framework based on ISO/IEC 27005.

Competencies

1. Ability to understand, analyze needs and provide guidance on the attribution of roles and responsibilities in the context of the implementation and management of a risk management framework.
2. Ability to define the document and record management processes needed to support the implementation and the operations of a risk management framework.
3. Ability to define and design controls & processes and document them.
4. Ability to define and write policies and procedures.
5. Ability to implement the required processes of a risk management framework.
6. Ability to define and implement appropriate risk management training, awareness and communication plans.
7. Ability to define and implement an incident management process based on best practices.
8. Ability to transfer a project to operations and manage the change management process.

Knowledge statements

1. Knowledge of the roles and responsibilities of the key actors during the implementation of a risk management framework and in its operation after the end of the implementation project.
2. Knowledge of the main organizational structures applicable for an organization to manage its risk.
3. Knowledge of the best practices on document and record management processes and the document management life cycle.
4. Knowledge of the characteristics and the differences between the different documents related to policy, procedure, guideline, standard, baseline, worksheet, etc.
5. Knowledge of model-building controls and processes techniques and best practices.
6. Knowledge of controls and processes deployment techniques and best practices.
7. Knowledge of techniques and best practices to write policies, procedures and other types of documents.
8. Knowledge of the characteristics and the best practices to implement risk management training, awareness and communication plans.
9. Knowledge of the characteristics and main processes of an information security risk management incident management process based on best practices.
10. Knowledge of change management techniques and best practices.

Domain 3: Information security risk assessment based on ISO/IEC 27005 and ISO

Main objective: To ensure that the ISO/IEC 27005 Risk Manager candidate can perform risk assessment in the context of an ISO/IEC 27005.

Competencies

1. Ability to understand and interpret Information Security Risk Management processes according to ISO/IEC 27005.
2. Ability to know and describe several recognized risk assessment methodologies.
3. Ability to identify, review and select a Risk Assessment Approach appropriate for a specific organization.
4. Ability to plan activities for Risk Assessment and integrate risk assessment into the information security risk management framework and ISMS.
5. Ability to lead assessment projects and manage a multidisciplinary team.

Knowledge statements

1. Knowledge of the guidelines and processes from information security risk management guidelines and frameworks based on ISO/IEC 27005.
2. General knowledge of the main risk assessment methodologies, including EBIOS and MEHARI.
3. Knowledge on planning risk assessment projects and activities by ensuring the participation and support of stakeholders throughout the risk assessment process.
4. Knowledge of the guidelines and best practices to integrate risk assessment into the information security risk management framework and ISMS.
5. Knowledge of the best practices on how to perform validation of the project plan.
6. Knowledge on risk assessment projects of a more global and more complex nature that rely on a multidisciplinary team.

Based on these three domains and their relevance, five questions are included on the exam, as summarized in the following table:

[Table: competency domains (Fundamental concepts, approaches, methods and techniques of information security risk management; Implementation of an information security risk management program; Information security risk assessment based on ISO 27005; Total points) against the columns: points per question, number of questions per competency domain, % of test devoted to each competency domain, points per competency domain, number of questions that measure comprehension, application and analysis, and number of questions that measure synthesis and evaluation. Number of questions per level of understanding: 3 and 2; % of test devoted to each level of understanding (cognitive/taxonomy): 60.00 and 40.00.]

The passing score is established at 70%.

After successfully passing the exam, candidates will be able to apply for the credentials of Certified ISO/IEC 27005 Risk Manager, depending on their level of experience.

TAKE A CERTIFICATION EXAM

Candidates will be required to arrive at least thirty (30) minutes before the beginning of the certification exam. Candidates arriving late will not be given additional time to compensate for the late arrival and may be denied entry to the exam room (if they arrive more than 5 minutes after the beginning of the exam scheduled time).

All candidates will need to present a valid identity card with a picture, such as a driver’s license or a government ID, to the proctor, together with the exam confirmation letter.

The exam duration is two (2) hours.

The questions are essay type questions. This type of format was chosen because the intent is to determine whether an examinee can write a clear, coherent answer/argument and to assess problem solving techniques. Because of this particularity, the exam is set to be “open book” and does not measure the recall of data or information. The examination evaluates, instead, comprehension, application, analysis, synthesis and evaluation, which means that even if the answer is in the course material, candidates will have to justify and give explanations to show they really understood the concepts. At the end of this document, you will find sample exam questions and their possible answers.

As the exams are “open book”, candidates are authorized to use the following reference materials:

- A copy of the ISO/IEC 27005:2011 standard
- Course notes from the Participant Handout
- Any personal notes made by the student during the course
- A hard copy dictionary

The use of electronic devices, such as laptops, cell phones, etc., is not allowed.

All attempts to copy, collude or otherwise cheat during the exam will automatically lead to the exam’s failure.

PECB exams are available in English. For availability of the exam in a language other than English, please contact examination@pecb.com.

RECEIVE YOUR EXAM RESULTS

Results will be communicated by email in a period of 6 to 8 weeks after taking the exam. The results will not include the exact grade of the candidate, only a mention of pass or fail.

Candidates who successfully complete the examination will be able to apply for a certified scheme.

In the case of a failure, the results will be accompanied with the list of domains in which the candidate had a low grade, to provide guidance for exam retake preparation.

Candidates who disagree with the exam results may file a complaint. For more information, please refer to www.pecb.com

EXAM RETAKE POLICY

There is no limitation on how many times a candidate can retake the same exam. However, there are some limitations in terms of the allowed time-frame between exams.

When candidates fail the examination, they are only allowed to retake the examination once within 12 months after the first attempt. If the second examination is unsuccessful, candidates will be allowed to retake the exam only after 1 year (12 months). A retake fee applies.

Only candidates who have completed a full PECB training but fail the written exam are eligible to retake the exam for free, under one condition:

“A candidate can only retake the exam once and this retake must occur within 12 months from the initial exam’s date.”

When candidates fail the same examination for the second time, their file is automatically closed for 1 year.

CLOSING FILES

Closing a file is equivalent to rejecting a candidate’s application. As a result, when candidates request that their file be reopened, PECB will no longer be bound by the conditions, standards, policies, candidate handbook or exam preparation guide that were in effect before their file was closed.

Candidates who want to request that their file be reopened must do so in writing, and pay the required fees.

EXAMINATION SECURITY

A significant component of a successful and respected professional certification credential is maintaining the security and confidentiality of the examination. PECB relies upon the ethical behaviour of certificate holders and applicants to maintain the security and confidentiality of PECB examinations. When someone who holds PECB credentials reveals information about PECB examination content, they violate the PECB Code of Ethics. PECB will take action against individuals who violate PECB Policies and the Code of Ethics. Actions taken may include permanently barring individuals from pursuing PECB credentials and revoking certifications from those who have been awarded the credential. PECB will also pursue legal action against individuals or organizations who infringe upon its copyrights, proprietary rights, and intellectual property.

SAMPLE EXAM QUESTIONS AND POSSIBLE ANSWERS

1. Identification of assets

Explain why these are the assets with the highest value to the organization. Please also identify whether the following are primary or supporting assets:

Possible answers:

Asset 1: website (primary asset)
Justification of the value: The website of the company is the main marketing tool and supports the selling process.

Asset 2: The two owners (supporting asset)
Justification of the value: They are the ones creating original and innovative products.

2. Identification of risk associated with information security

Identify threats, vulnerabilities and impacts associated with the incident scenarios below and indicate if it is possible that the impacts affect the availability, integrity and/or the confidentiality of the information. Complete the risk matrix.

Possible answers:

| Statements | Vulnerabilities | Threats | C | I | A | Potential Impacts |
| 1. The webmaster who designed the corporate Website takes care of the updates and the uploading of the site | Absence of segregation of duties. | Treatment errors; Malicious act | | X | | Website containing erroneous information: loss of credibility |
| | Only one person is available for this function | Webmaster leaves the company or becomes sick | | | X | Unavailable website: loss in revenues |
