Exam ISO-IEC-27001-Lead-Implementer Topic 3 Question 243 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Implementer exam
Question #: 243
Topic #: 3
During an internal audit, it was found that a junior developer had unrestricted write access to the production source code repository and development tools, with no formal access controls in place. What type of security control should have been implemented to manage this risk?

Suggested Answer: B Vote an answer

The correct and verified answer is B. Technological, because the identified risk-unrestricted write access to production source code and development tools-must be managed through technical enforcement mechanisms, not solely by people or organizational measures.
The scenario describes a failure to restrict access to critical production systems, allowing a junior developer to modify source code without authorization. This is a classic access control and privilege management issue that requires technological controls such as role-based access control (RBAC), privileged access management, repository permissions, and segregation of environments.
ISO/IEC 27001:2022 Annex A categorizes controls into organizational, people, physical, and technological groups. The controls relevant to this scenario fall squarely under technological controls, including:
* A.8.2 - Privileged access rightsRequires restriction and management of elevated access to prevent unauthorized or excessive privileges.
* A.8.3 - Information access restrictionEnsures access to information and systems is limited in accordance with business requirements.
* A.8.4 - Access to source codeExplicitly requires that access to source code is restricted, controlled, and monitored.
* A.8.32 - Change managementEnsures that changes to production systems are authorized, tested, and approved.
While people controls (such as training or awareness) and organizational controls (such as policies) are supportive, they are insufficient on their own. Without technical enforcement, policies cannot prevent unauthorized access in practice.
ISO/IEC 27001:2022 emphasizes defense-in-depth, where technological controls enforce rules automatically, reducing reliance on human behavior alone.

by Sandy at Jan 24, 2026, 03:16 PM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10