Here are all the actual test exam dumps for IT exams. Most people prepare for the actual exams with our test dumps to pass their exams. So it's critical to choose and actual test pdf to succeed.

Exam ISO-IEC-27001-Lead-Auditor Topic 5 Question 181 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 181
Topic #: 5
Scenario:
Northstorm is an online retail shop offering unique vintage and modern accessories. It initially entered a small market but gradually grew thanks to the development of the overall e-commerce landscape. Northstorm works exclusively online and ensures efficient payment processing, inventory management, marketing tools, and shipment orders. It uses prioritized ordering to receive, restock, and ship its most popular products.
Northstorm has traditionally managed its IT operations by hosting its website and maintaining full control over its infrastructure, including hardware, software, and data administration. However, this approach hindered its growth due to the lack of responsive infrastructure. Seeking to enhance its e-commerce and payment systems, Northstorm opted to expand its in-house data centers, completing the expansion in two phases over three months. Initially, the company upgraded its core servers, point-of-sale, ordering, billing, database, and backup systems. The second phase involved improving mail, payment, and network functionalities. Additionally, during this phase, Northstorm adopted an international standard for personally identifiable information (PII) controllers and PII processors regarding PII processing to ensure its data handling practices were secure and compliant with global regulations.
Despite the expansion, Northstorm's upgraded data centers failed to meet its evolving business demands. This inadequacy led to several new challenges, including issues with order prioritization. Customers reported not receiving priority orders, and the company struggled with responsiveness. This was largely due to the main server's inability to process orders from YouDecide, an application designed to prioritize orders and simulate customer interactions. The application, reliant on advanced algorithms, was incompatible with the new operating system (OS) installed during the upgrade.
Faced with urgent compatibility issues, Northstorm quickly patched the application without proper validation, leading to the installation of a compromised version. This security lapse resulted in the main server being affected and the company's website going offline for a week. Recognizing the need for a more reliable solution, the company decided to outsource its website hosting to an e-commerce provider. The company signed a confidentiality agreement concerning product ownership and conducted a thorough review of user access rights to enhance security before transitioning.
Question:
Which of the following situations represents a vulnerability in Northstorm's systems?

Suggested Answer: C Vote an answer

Comprehensive and Detailed In-Depth Explanation:
A vulnerability in information security refers to a weakness in a system, process, or software that can be exploited, leading to security incidents. In this case, the most significant vulnerability in Northstorm's system was the installation of an illegitimate (compromised) version of the application, which directly impacted the main server and resulted in system downtime.
* A. The new version of the application directly affecting the main server is an outcome rather than the vulnerability itself. The reason it affected the server was due to its compromised nature.
* B. The need for a replacement version of the application is not a vulnerability but rather a necessity due to the incompatibility issue introduced by the OS upgrade.
* C. The new version of the application being illegitimate is the true vulnerability because it represents an unauthorized or unverified change that introduced malicious code or other security risks. This could have been mitigated by proper validation, secure software development practices, and adherence to change management policies outlined in ISO/IEC 27001:2022 Annex A controls:
* A.8.8 Management of Technical Vulnerabilities - Ensures that systems and applications are updated and maintained securely.
* A.8.9 Configuration Management - Covers proper software deployment and validation procedures.
* A.8.14 Redundancy of Information Processing Facilities - Ensures resilience to failures like server downtimes.
This incident underscores the importance of implementing rigorous change management processes and software validation measures to prevent the installation of unauthorized software, a key requirement under ISO
/IEC 27001:2022 Clause 8 (Operational Planning and Control).

by Hubery at Jul 02, 2026, 11:01 AM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.