Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035 and ISO/IEC 27001 emphasize that information security awareness and training must extend to all personnel, not just those in technical roles. Clause 7.3.2 of ISO/IEC 27035-2 specifically states that “training should be made available to all staff,” including non-technical users, third-party service providers, contractors, and any personnel with access to organizational assets or systems.

The rationale is that every user is a potential entry point for cyber threats. Whether through phishing, social engineering, or misconfiguration, untrained staff can unintentionally compromise the organization’s security posture. Therefore, organizations must ensure that everyone—especially new hires, contractors, and third-party partners—is trained on incident reporting procedures, security responsibilities, and escalation paths.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.2: “Training and awareness activities should be targeted at all users of the organization ' s systems and services.”

ISO/IEC 27001:2022, Control 6.3: “Ensure that personnel are aware of their information security responsibilities.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

The ‘detect and report’ phase, as defined in ISO/IEC 27035-1:2016 (Clause 6.2), includes the identification, classification, and initial reporting of information security events. If events meet certain thresholds—such as multiple failed login attempts from unknown IP addresses or matching threat indicators—they can and should be classified as potential incidents.

It is also appropriate to begin collecting supporting information during this phase. Gathering threat intelligence and performing basic vulnerability assessments help in confirming the scope and nature of the threat, allowing faster escalation and response.

Option B is incorrect because while deep forensic collection occurs later, preliminary data collection should begin during detection. Option C is incorrect as incident classification is explicitly allowed and encouraged in this phase.

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 encourages organizations to define the scope of incident management based on their own risk environment, business model, and available resources. This scope should be tailored to focus on the systems, services, and personnel that are most critical and relevant to the organization ' s operations.

In this scenario, Leona appropriately aligned the scope with L & K Associates ' specific IT infrastructure and business processes, deliberately including relevant IT systems and associated personnel while excluding unrelated sources. This customization is consistent with best practices and ensures that the incident management process remains focused, efficient, and manageable.

ISO/IEC 27035-2, Clause 4.2, emphasizes that “the scope of incident management should be defined in a way that it supports the organization’s objectives and risk environment.”

Therefore, the correct answer is A: Yes, the incident management scope is customized to align with the organization’s unique needs.

—

Comprehensive and Detailed Explanation From Exact Extract:

Internal exercises, such as simulations, tabletop exercises, and mock drills, are designed primarily to assess the readiness, coordination, and performance of the internal incident response team (IRT). According to ISO/IEC 27035-2:2016, these exercises aim to validate that the IRT understands their roles, follows documented procedures, and can act effectively under pressure.

While external collaboration (Options A and B) may be tested during joint exercises or industry-wide scenarios, the focus of internal exercises is on internal capabilities. These exercises help identify gaps in training, procedures, communication, and escalation pathways.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 7.3.3: “Exercises and simulations should be conducted to test the readiness of the incident response capability.”

NIST SP 800-84: “Regular exercises increase response efficiency and allow staff to develop incident handling confidence.”

Correct answer: C

—

Comprehensive and Detailed Explanation From Exact Extract:

ISO/IEC 27035-1:2016 is titled “Information security incident management — Part 1: Principles of incident management” . This standard provides a comprehensive framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving incident management within an organization.

The scope of ISO/IEC 27035-1 is explicitly broad and designed to be applicable to all organizations, regardless of their size, type, or nature , as stated in the standard’s introduction and scope sections. The principles laid out in the document are intended to be flexible and scalable so that organizations from any sector can adopt and implement incident management processes suitable to their specific context.

The document clearly emphasizes that information security incidents can impact any organization that processes, stores, or transmits information digitally — including law firms like RoLawyers. The guidance addresses the creation of an incident response capability to detect, respond, and recover from information security incidents effectively.

Furthermore, the standard stresses that incident management is a vital part of maintaining information security resilience, minimizing damage, and protecting the confidentiality, integrity, and availability of information assets, which is crucial for organizations handling sensitive data, such as legal firms.

Hence, ISO/IEC 27035-1 is not limited to IT or information security service providers alone; instead, it supports any organization’s need to manage information security incidents systematically. RoLawyers, given its reliance on digital data and the critical nature of its information, can and should apply the standard’s principles to safeguard its assets and clients.

Reference Extracts from ISO/IEC 27035-1:2016:

Scope (Section 1): “The principles provided in this document are intended to be applicable to all organizations, irrespective of type, size or nature.”

Introduction (Section 0.1): “Effective incident management helps organizations to reduce the consequences of incidents and limit the damage caused to information and information systems.”

General (Section 4): “This document provides guidance for establishing, implementing, operating, monitoring, reviewing, maintaining and improving incident management processes within an organization.”

Thus, based on ISO/IEC 27035-1, the guidance is fully applicable to RoLawyers, aligning with their objective to improve information security and incident management practices.

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27005:2018 (which supports ISO/IEC 27035 in risk management and threat assessment processes), vulnerabilities that are not currently associated with known threats do not necessarily need immediate remediation or technical control measures. However, they cannot be ignored entirely either.

Such vulnerabilities may not pose an active risk at the present time, but that can change quickly if a new threat emerges that can exploit them. Therefore, these vulnerabilities should be documented, assessed in context, and monitored over time. This process ensures that if the threat landscape evolves, the organization can respond proactively.

The standard emphasizes a risk-based approach, which includes:

* Analyzing vulnerabilities in relation to assets and threat likelihood

* Monitoring the environment for changes that may introduce new threats

* Avoiding unnecessary or unjustified resource expenditure on low-risk issues

Option A is incorrect because it suggests addressing all vulnerabilities without considering risk context. Option B is risky and contradicts ISO best practices, which emphasize continuous risk monitoring.

Reference Extracts:

* ISO/IEC 27005:2018, Clause 8.2.2: “Vulnerabilities without known threats may not require treatment immediately but should be monitored regularly.”

* ISO/IEC 27001:2022, Annex A, Control A.8.8 – “Management of technical vulnerabilities should be risk-based and responsive to changes.”

Therefore, the correct answer is C: They may not require controls but should be analyzed and monitored for changes.

—

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1 and 27035-2, the incident management plan is activated upon the detection or reporting of a security event, particularly when a vulnerability, threat, or compromise has been identified. The plan ensures structured response and accountability from the very first signs of a potential incident.

Clause 6.4.2 in ISO/IEC 27035-2 explains that incident response activities—including logging, categorization, assessment, and escalation—should begin as soon as a security incident or vulnerability is reported. This proactive trigger allows early containment and mitigation.

Security audits and policy drafts (Options A and B) are part of preventive or governance mechanisms, not operational triggers for activating the plan.

Reference Extracts:

ISO/IEC 27035-2:2016, Clause 6.4.2: “The incident management plan should be activated once a security incident or significant vulnerability is identified and reported.”

Clause 5.1: “Detection and reporting are the initial steps in triggering the formal incident management lifecycle.”

Correct answer: C

Comprehensive and Detailed Explanation:

According to ISO/IEC 27035-2:2016, vulnerabilities identified during incident handling must be assessed and documented before remediation. Immediate patching without evaluating its impact could compromise incident evidence, interfere with ongoing investigations, or unintentionally trigger additional issues.

ISO/IEC 27035-2 recommends that the incident coordinator (or an equivalent role) be responsible for directing how such vulnerabilities are managed and coordinated across relevant teams. This maintains process integrity and avoids uncoordinated actions.

Comprehensive and Detailed Explanation From Exact Extract:

While technical expertise is essential, ISO/IEC 27035 emphasizes that structured incident management must be supported by the awareness and active participation of all personnel across the organization. Effective incident response is not confined to technical teams; human factors—such as early detection, proper escalation, and policy adherence—require engagement from users, management, and third-party stakeholders.

Clause 6.3 of ISO/IEC 27035-1:2016 specifically highlights that staff awareness is critical. Personnel should understand their role in reporting suspicious activity, following defined procedures, and participating in readiness exercises.

Outsourcing (Option C) may support capacity, but it is not a substitute for internal preparedness, awareness, and governance.

Reference Extracts:

ISO/IEC 27035-1:2016, Clause 6.3: “All staff should be aware of their responsibilities in reporting and managing information security incidents.”

ISO/IEC 27001:2022, Control 6.3 and A.6.3.1: “Information security responsibilities must be communicated to and accepted by all personnel.”

Correct answer: B

—

Comprehensive and Detailed Explanation From Exact Extract:

According to ISO/IEC 27035-1:2016 (Information Security Incident Management – Part 1: Principles of Incident Management), one of the core principles of effective communication in incident management is “appropriateness.” This refers to ensuring that the right information is shared with the right stakeholders using the appropriate channels, language, format, and timing. The objective is to guarantee that communication is both understandable and actionable by its recipients.

In the scenario, Alura Hospital recognized that they were not adequately informing stakeholders during security incidents. They identified a gap in providing relevant information using suitable formats, media, or language. This failure points directly to a lack of “appropriateness” in their communication strategy. According to ISO/IEC 27035-1, Section 6.4 (Communication), it is essential to tailor incident communication to stakeholder needs to ensure informed decision-making and engagement.

The other options—credibility and responsiveness—are not indicated as the failing areas. There is no mention that the information provided lacked credibility or that the hospital failed to respond to incidents or communicate in a timely manner. Rather, the issue lies with the medium, clarity, and stakeholder alignment—hallmarks of appropriateness.

Reference Extracts from ISO/IEC 27035-1:2016:

Clause 6.4: “Communication must be timely, relevant, accurate, and appropriate for the target audience.”

Clause 7.2.4: “Stakeholders should be informed using formats and channels that they can easily access and understand.”

Therefore, the principle not adhered to by Alura Hospital is clearly: Appropriateness (C).

—