PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Question and Answers

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam

Last Update Feb 28, 2026
Total Questions : 418

We are offering FREE ISO-IEC-27001-Lead-Auditor PECB exam questions. All you do is to just go and sign up. Give your details, prepare ISO-IEC-27001-Lead-Auditor free exam questions and then go for complete pool of PECB Certified ISO/IEC 27001 2022 Lead Auditor exam test questions that will help you more.

ISO-IEC-27001-Lead-Auditor PDF

$36.75 ~~$104.99~~

Add to Cart

ISO-IEC-27001-Lead-Auditor Testing Engine

$43.75 ~~$124.99~~

Add to Cart

ISO-IEC-27001-Lead-Auditor PDF + Testing Engine

$57.75 ~~$164.99~~

Add to Cart

Questions 1

Scenario 2:

Clinic, founded in the 1990s, is a medical device company that specializes in treatments for heart-related conditions and complex surgical interventions. Based in Europe, it serves both patients and healthcare professionals. Clinic collects patient data to tailor treatments, monitor outcomes, and improve device functionality. To enhance data security and build trust, Clinic is implementing an information security management system (ISMS) based on ISO/IEC 27001. This initiative demonstrates Clinic's commitment to securely managing sensitive patient information and proprietary technologies.

Clinic established the scope of its ISMS by solely considering internal issues, interfaces, dependencies between internal and outsourced activities, and the expectations of interested parties. This scope was carefully documented and made accessible. In defining its ISMS, Clinic chose to focus specifically on key processes within critical departments such as Research and Development, Patient Data Management, and Customer Support.

Despite initial challenges, Clinic remained committed to its ISMS implementation, tailoring security controls to its unique needs. The project team excluded certain Annex A controls from ISO/IEC 27001 while incorporating additional sector-specific controls to enhance security. The team evaluated the applicability of these controls against internal and external factors, culminating in the development of a comprehensive Statement of Applicability (SoA) detailing the rationale behind control selection and implementation.

As preparations for certification progressed, Brian, appointed as the team leader, adopted a self-directed risk assessment methodology to identify and evaluate the company’s strategic issues and security practices. This proactive approach ensured that Clinic’s risk assessment aligned with its objectives and mission.

Question:

According to Scenario 2, was the scope of Clinic’s ISMS determined correctly?

Options:

No, Clinic should have also considered external issues

Yes, the scope of Clinic’s ISMS was determined correctly

No, Clinic should have also included exclusions along with justifications for them as part of its ISMS scope

Discussion 0

Questions 2

Which one of the following options describes the main purpose of a Stage 1 audit?

To determine readiness for Stage 2

Options:

To check for legal compliance by the organisation

To get to know the organisation

To compile the audit plan

Discussion 0

Questions 3

Question

An organization scheduled an internal audit to evaluate the ISMS effectiveness. However, it did not define the audit scope and clear audit objectives. As a result, the internal auditor overlooked critical departments handling sensitive information.

What risk associated with the audit program was present in this scenario?

Options:

Planning risk

Communication risk

Resource risk

Discussion 0

Questions 4

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.

The next step in your audit plan is to verify the information security on ABC's healthcare mobile app

development, support, and lifecycle process. During the audit, you learned the organization outsourced the

mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC

20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified. The IT Manager presented the software

security management procedure and summarised the process as follows:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a

minimum. The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report - details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data

encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to

approve the test.

The IT Manager explains the test results should be approved by him according to the software

security management procedure. The reason why the encryption and pseudonymization functions

failed is that these functions heavily slowed down the system and service performance. An extra

150% of resources are needed to cover this. The Service Manager agreed that access control is

good enough and acceptable. That's why the Service Manager signed the approval.

You sample one of the medical staff's mobile and found that ABC's healthcare mobile app, version

1.01 is installed. You found that version 1.01 has no test record.

The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app

development company gave a free minor update on the tested software, performed an emergency

release of the updated software, and gave a verbal guarantee that there will be no impact on any

security functions. Based on his 20 years of information security experience, there is no need to re-

test.

You are preparing the audit findings Select two options that are correct.

Options:

There is a nonconformity (NC). The IT. Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control

8.30)

There is a nonconformity (NC). The organisation does not control planned changes and review the consequences of unintended changes. (Relevant to clause 8.1)

There is an opportunity for improvement (OI). The IT Manager should make the decision to continue the service based on appropriate testing. (Relevant to clause 8.1, control A.8.30)

There is an opportunity for improvement (OI). The organisation selects an external service provider based on the extent of free services it will provide. (Relevant to clause 8.1, control A.5.21)

There is NO nonconformity (NC). The IT Manager demonstrates good leadership. (Relevant to clause 5.1, control 5.4)

There is NO nonconformity (NC). The IT Manager demonstrates he is fully competent. (Relevant to clause 7.2)

Discussion 0

Questions 5

Question:

During which stage of the audit do auditors identify key processes to be audited and prioritize based on materiality?

Options:

Initial contact

Stage 1 audit

Stage 2 audit

Discussion 0

Questions 6

What is the standard definition of ISMS?

Options:

Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.

A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving

A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security

A systematic approach for establishing, implementing, operating,monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives.

Discussion 0

Questions 7

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

Should the auditor archive the copies of employee training records after the completion of the audit? Refer to scenario 7.

Options:

No, copies of files are not generally kept as audit records

Yes, copies of files are in the auditor's possession, as mentioned in the audit agreement

Yes, all the documented information generated during the audit should be kept as audit record

Discussion 0

Questions 8

Scenario 4

SendPay is a financial services company specializing in global money transfers through a network of agents and institutions. As a new company in the market, SendPay aims to deliver top-quality services with its fee-free digital platform, launched last year, enabling clients to send and receive money anytime via smartphones and laptops. At that time, SendPay outsourced software operations to an external team, which also managed the company's technology infrastructure.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year.

During the audit, the auditors focused on reviewing SendPay’s outsourced operations, specifically looking at the software development and technology infrastructure maintenance handled by the outsourced company. They followed a structured approach, which included reviewing and evaluating SendPay’s processes for monitoring the quality of these outsourced operations. This included verifying if the company met its contractual obligations, ensuring proper governance procedures for engaging outsourced entities, and assessing SendPay’s plans in case of expected or unexpected termination of outsourcing agreements.

However, the auditors subtly noted that SendPay’s protocols did not fully address contingencies for unanticipated cancellations of outsourcing agreements. Additionally, a technical expert appointed by SendPay assisted the auditors, providing specific knowledge and expertise related to the outsourced operations being audited.

The audit team calculated the number of training hours employees received on ISMS to ensure alignment with established objectives. They also computed the average resolution time of information security incidents based on a sample taken during the audit, which provided valuable insights into SendPay’s incident management practices. In addition, the auditors evaluated the reliability of the evidence collected during the audit. They considered several factors influencing the reliability of audit evidence. For example, evidence from surveillance cameras provided more objective proof compared to photos. Timing also played a crucial role in reliability, with mechanisms like transaction recording enhancing the credibility of the evidence.

SendPay uses cloud-based platforms to make its operations more efficient and scalable. However, during the audit, the auditors did not request SendPay to provide an inventory of their cloud activities due to resource limitations, relying instead on SendPay’s representations.

Question

What factor did the audit team primarily consider when evaluating the reliability of evidence during the audit process? Refer to Scenario 4.

Options:

Independence of the source

Objectivity of the evidence

Evidence collection techniques

Discussion 0

Questions 9

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

Based on this scenario, answer the following question:

Based on scenario 1, the chatbot was unable to properly answer customer queries. Which principle of information security has been affected in this

case?

Options:

Availability

Integrity

Confidentiality

Discussion 0

Questions 10

An organisation is looking for management system initial certification. Please identify the sequence of the activities to be undertaken by the organisation.

To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank section.

Options:

Discussion 0

Questions 11

Scenario 2:

Question:

Based on Scenario 2, Clinic initially defined its information security objectives and then conducted a risk assessment. Is this acceptable?

Options:

Yes, because objectives can be adjusted later to fit the risk assessment results

No, because the risk assessment should be conducted only once objectives are fully implemented

No, information security objectives must be established, taking into account risk assessment results, as per ISO/IEC 27001 requirements

Discussion 0

Questions 12

During a third-party certification audit you are presented with a list of issues by an auditee. Which four of the following constitute 'external' issues in the context of a management system to ISO/IEC 27001:2022?

Options:

A rise in interest rates in response to high inflation

A reduction in grants as a result of a change in government policy

Poor levels of staff competence as a result of cuts in training expenditure

Increased absenteeism as a result of poor management

Higher labour costs as a result of an aging population

Inability to source raw materials due to government sanctions

Poor morale as a result of staff holidays being reduced

Discussion 0

Answer:

A, B, E, F

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.1 requires an organization to determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS2. External issues are those that originate from outside the organization, such as legal, regulatory, cultural, social, political, economic, natural and competitive factors2. Internal issues are those that originate from within the organization, such as governance, structure, roles and responsibilities, policies, objectives, culture, capabilities, resources and information systems2. Therefore, based on this definition, four examples of external issues in the context of a management system to ISO/IEC 27001:2022 are a rise in interest rates in response to high inflation (which affects the economic environment of the organization), a reduction in grants as a result of a change in government policy (which affects the political and legal environment of the organization), higher labour costs as a result of an aging population (which affects the social and demographic environment of the organization), and inability to source raw materials due to government sanctions (which affects the trade and supply environment of the organization)2. The other options are examples of internal issues, as they originate from within the organization or its activities. For example, poor levels of staff competence as a result of cuts in training expenditure (which affects the capabilities and resources of the organization), increased absenteeism as a result of poor management (which affects the culture and performance of the organization), poor morale as a result of staff holidays being reduced (which affects the motivation and satisfaction of the organization’s personnel), and a fall in productivity linked to outdated production equipment (which affects the efficiency and quality of the organization’s processes)2. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements

Questions 13

Which one of the following options is the definition of an interested party?

A third party can appeal to an organisation when it perceives itself to be affected by a decision or activity

Options:

A person or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity

A group or organisation that can interfere in or perceive itself to be interfered with by a management decision

An individual or organisation that can control, be controlled by, or perceive itself to be controlled by a decision or activity

Discussion 0

Questions 14

You have to carry out a third-party virtual audit. Which two of the following issues would you need to inform the auditee about before you start conducting the audit ?

You will ask to see the ID card of the person that is on the screen.

Options:

You will take photos of every person you interview.

You will ask those being interviewed to state their name and position beforehand.

You will ask for a 360-degree view of the room where the audit is being carried out.

You will not record any part of the audit, unless permitted.

You expect the auditee to have assessed all risks associated with online activities.

Discussion 0

Answer:

C, D

Explanation:

A third-party virtual audit is an external audit conducted by an independent certification body using remote technology such as video conferencing, screen sharing, and electronic document exchange. The purpose of a third-party virtual audit is to verify the conformity and effectiveness of the information security management system (ISMS) and to issue a certificate of compliance12

Before you start conducting the audit, you would need to inform the auditee about the following issues: 12

You will ask those being interviewed to state their name and position beforehand, i.e., to confirm their identity and role in the ISMS. This is to ensure that you are interviewing the relevant personnel and that they are authorized to provide information and evidence for the audit.

You will ask for a 360-degree view of the room where the audit is being carried out, i.e., to verify the physical and environmental security of the audit location. This is to ensure that there are no unauthorized persons or devices in the vicinity that could compromise the confidentiality, integrity, or availability of the information being audited.

The other issues are not relevant or appropriate for a third-party virtual audit, because:

You will ask to see the ID card of the person that is on the screen, i.e., to verify their identity. This is not necessary if you have already asked them to state their name and position beforehand, and if you have access to the auditee’s organizational chart or staff directory. Asking to see the ID card could also be seen as intrusive or disrespectful by the auditee.

You will take photos of every person you interview, i.e., to document the audit process. This is not advisable as it could violate the privacy or consent of the auditee and the interviewees. Taking photos could also be seen as unprofessional or suspicious by the auditee. You should rely on the audit records and evidence provided by the auditee and the audit tool instead.

You will not record any part of the audit, unless permitted, i.e., to respect the auditee’s preferences and rights. This is not a valid issue to inform the auditee about, as you should always record the audit for quality assurance and verification purposes. Recording the audit is also a requirement of the ISO/IEC 27001 standard and the certification body. You should inform the auditee that you will record the audit and obtain their consent before the audit begins.

You expect the auditee to have assessed all risks associated with online activities, i.e., to ensure the security of the audit process. This is not an issue to inform the auditee about, as it is part of the auditee’s responsibility and obligation to have a risk assessment and treatment process for their ISMS. You should assess the auditee’s risk management practices and controls during the audit, not before it.

[References:, 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2, , , ]

Questions 15

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.

While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

What type of audit evidence has Jack collected when he identified the first nonconformity regarding the software? Refer to scenario 3.

Options:

Analytical evidence

Verbal evidence

Mathematical evidence

Discussion 0

Questions 16

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

Based on scenario 6, during stage 1 audit, the auditor found out that some documents regarding the ISMS had different format. What should the auditor do in this case?

Options:

Verify if the documented information has the appropriate format and is in accordance with the company's documentation procedure since this is a requirement of the standard

Verify only if the information required by the standard is documented without taking into account the format since this is not a requirement of the standard

Document this observation as an issue that should be verified during stage 2 audit

Discussion 0

Questions 17

Scenario 6: Cyber ACrypt is a cybersecurity company that provides endpoint protection by offering anti-malware and device security, asset life cycle management, and device encryption. To validate its ISMS against ISO/IEC 27001 and demonstrate its commitment to cybersecurity excellence, the company underwent a meticulous audit process led by John, the appointed audit team leader.

Upon accepting the audit mandate, John promptly organized a meeting to outline the audit plan and team roles This phase was crucial for aligning the team with the audit's objectives and scope However, the initial presentation to Cyber ACrypt’s staff revealed a significant gap in understanding the audit's scope and objectives, indicating potential readiness challenges within the company

As the stage 1 audit commenced, the team prepared for on-site activities. They reviewed Cyber ACrypt's documented information, including the information security policy and operational procedures ensuring each piece conformed to and was standardized in format with author identification, production date, version number, and approval date Additionally, the audit team ensured that each document contained the information required by the respective clause of the standard This phase revealed that a detailed audit of the documentation describing task execution was unnecessary, streamlining the process and focusing the team's efforts on critical areas During the phase of conducting on-site activities, the team evaluated management responsibility for the Cyber Acrypt's policies This thorough examination aimed to ascertain continual improvement and adherence to ISMS requirements Subsequently, in the document, the stage 1 audit outputs phase, the audit team meticulously documented their findings, underscoring their conclusions regarding the fulfillment of the stage 1 objectives. This documentation was vital for the audit team and Cyber ACrypt to understand the preliminary audit outcomes and areas requiring attention.

The audit team also decided to conduct interviews with key interested parties. This decision was motivated by the objective of collecting robust audit evidence to validate the management system’s compliance with ISO/IEC 27001 requirements. Engaging with interested parties across various levels of Cyber ACrypt provided the audit team with invaluable perspectives and an understanding of the ISMS's implementation and effectiveness.

The stage 1 audit report unveiled critical areas of concern. The Statement of Applicability (SoA) and the ISMS policy were found to be lacking in several respects, including insufficient risk assessment, inadequate access controls, and lack of regular policy reviews. This prompted Cyber ACrypt to take immediate action to address these shortcomings. Their prompt response and modifications to the strategic documents reflected a strong commitment to achieving compliance.

The technical expertise introduced to bridge the audit team's cybersecurity knowledge gap played a pivotal role in identifying shortcomings in the risk assessment methodology and reviewing network architecture. This included evaluating firewalls, intrusion detection and prevention systems, and other network security measures, as well as assessing how Cyber ACrypt detects, responds to, and recovers from external and internal threats. Under John's supervision, the technical expert communicated the audit findings to the representatives of Cyber ACrypt. However, the audit team observed that the expert s objectivity might have been compromised due to receiving consultancy fees from the auditee. Considering the behavior of the technical expert during the audit, the audit team leader decided to discuss this concern with the certification body.

Based on the scenario above, answer the following question:

Question:

Based on Scenario 6, was the objective of the interviews during the Stage 1 audit accordingly set by the audit team?

Options:

Yes, the objective of the interviews is to collect audit evidence to validate the management system’s compliance with ISO/IEC 27001 requirements

No, the objective of the interviews was not aligned with the management system’s key performance indicators (KPIs), reducing the audit’s effectiveness

No, the objective of the interviews is to ensure an adequate understanding of the challenges the auditee faces

Discussion 0

Questions 18

You are an experienced audit team leader conducting a third-party surveillance audit of an organisation that designs websites for its clients. You are currently reviewing the organisation's Statement of Applicability.

Based on the requirements of ISO/IEC 27001, which two of the following observations about the Statement of Applicability are true?

Options:

Justification for both the inclusion and exclusion of Annex A controls in the Statement of Applicability is required

The Statement of Applicability is owned and amended by the organisation's top management

The Statement of Applicability must be reviewed at least annually

A Statement of Applicability must be produced by organisations seeking ISO/IEC 27001 conformity

Justification is only required for any controls that the organisations choses to exclude

The Statement of Applicability must be reviewed at Management Review

Discussion 0

Questions 19

You are performing an ISMS audit at a residential nursing home railed ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process. During the audit, you learned most of the residents' family members (90%) receive WeCare medical device promotional advertisements through email and SMS once a week via ABC's healthcare mobile app. All of them do not agree on the use of the collected personal data (or marketing or any other purposes than nursing and medical care on the signed service agreement with ABC. They have very strong reason to believe that ABC is leaking residents' and family members' personal information to a non-relevant third party and they have filed complaints.

The Service Manager says that all these complaints have been treated as nonconformities, and the corrective actions have been planned and implemented according to the Nonconformity and Corrective management procedure. The corrective action involved stopping working with WeCare the medical device manufacturer immediately and asking them to delete all personal data received as well as sending an apology email to all residents and their family members.

You are preparing the audit findings. Select one option of the correct finding.

Options:

Nonconformity: ABC does not follow the signed healthcare service agreement with residents' family members

No nonconformity: I would like to collect more evidence on how the organisation defines the management system scope and see if they covered WeCare medical device manufacture

No nonconformity: The Service Manager implemented the corrective actions and the Customer Service Representative evaluates the effectiveness of implemented corrective actions

Nonconformity: The management review does not take the feedback from residents' family members into consideration

Discussion 0

Questions 20

Question:

An organization is evaluating the materiality of different processes within its ISMS. It is assessing the direct expenses involved with personnel, third-party services, and general fees. Which factor of materiality is the company primarily considering?

Options:

Cost of operations

Cost of the process

Potential cost of errors or nonconformities

Discussion 0

Questions 21

Please match the roles to the following descriptions:

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable test from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Options:

Discussion 0

Questions 22

Scenario 6

Sinvestment is an insurance provider that offers a wide range of coverage options, including home, commercial, and life insurance. Originally established in North California, the company has expanded its operations to other locations, including Europe and Africa. In addition to its growth, Sinvestment is committed to complying with laws and regulations applicable to its industry and preventing any information security incident. They have implemented an information security management system (ISMS) based on ISO/IEC 27001 and have applied for certification.

A team of auditors was assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment, they started the audit activities. For the activities of the stage 1 audit, it was decided that they would be performed on site, except the review of documented information, which took place remotely, as requested by Sinvestment.

The audit team started the stage 1 audit by reviewing the documentation required, including the declaration of the ISMS scope, information security policies, and internal audit reports. The evaluation of the documented information was based on the content and procedure for managing the documented information.

In addition, the auditors found out that the documentation related to information security training and awareness programs was incomplete and lacked essential details. When asked, Sinvestment’s top management stated that the company has provided information security training sessions to all employees.

The stage 2 audit was conducted three weeks after the stage 1 audit. The audit team observed that the marketing department (not included in the audit scope) had no procedures to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the company's information security policy, the issue was included in the audit report.

Question

Based on Scenario 6, when evaluating documented information, what action should the auditor have taken during the stage 1 audit?

Options:

Validate whether the documented information conforms to the appropriate format and aligns with the company's documentation procedure

Disregard the formatting issue and only verify whether the required information is present, since formatting is not required by the standard

Ensure that there is a procedure for managing the documented information

Discussion 0

Questions 23

The scope of an organization certified against ISO/IEC 27001 states that they provide editing and web hosting services. However, due to some changes in the organization, the technical support related to the web hosting services has been outsourced. Should a change in the scope be initiated in this case?

Options:

Yes, because any change in the external environment initiates a change in the scope

No, because the change does not require implementation of new security controls

No, because the organization is already certified for its editing and web hosting services

Discussion 0

Questions 24

Which option below is NOT a role of the audit team leader?

Options:

Preventing and solving conflict during the audit

Setting up an ethics committee

Preparing and explaining the audit conclusions

Discussion 0

Questions 25

Costs related to nonconformities and failures to comply with legal and contractual requirements are assessed when defining:

Options:

Materiality

Audit risks

Reasonable assurance

Discussion 0

Questions 26

Scenario 6

Question

According to Scenario 6, was it appropriate for the audit team to include in the audit report the observed deficiency in the marketing department's access rights control procedures?

Options:

Yes, it is a requirement to include in the audit report any findings.

No, it should have been only communicated to the representatives of the auditee.

No, because the marketing department's activities do not pose a potential risk to the ISMS.

Discussion 0

Questions 27

Scenario 4

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year.

Question

Based on Scenario 4, is the involvement of all the parties acceptable during the auditing of the outsourced operations?

Options:

Yes, the involvement of all the parties is considered acceptable.

No, the involvement of the technical expert is not acceptable.

No, they should have involved only an observer.

Discussion 0

Questions 28

Question:

What type of sampling was used when the auditor used probability-based sampling for event log reviews?

Options:

Statistical sampling

Judgment-based sampling

Multi-site sampling

Discussion 0

Questions 29

An organisation has ISO/IEC 27001 Information Security Management System (ISMS) certification from a third-party certification body. Which one of the following represents an advantage of having accredited certification?

Options:

An increase in the marketing price of the organisation's products

An increase in the number of clients

Clarity of the audit report

Recognition of the credibility of the certification process.

Discussion 0

Questions 30

You are an experienced ISMS audit team leader. You are currently conducting a third-party surveillance audit of an

international haulage organisation. You have sampled four internal audit reports which state:

Report 1 - Auditor: Mr James.

Over the year the organisation has failed to meet its promised delivery dates on 23 occasions out of 100. This is against a target of '95% of deliveries on time'.

Grading - Minor

Corrective Action due: Within 9 months.

Report 2 - Auditor: Mr James.

Between January and March, it was noted 125 complaints were received about the Service Desk Team. Clients

accused them of being rude and unresponsive.

Grading - Minor

Corrective Action due: Within 12 months.

Report 3 - Auditor: Mr James.

Of the 40 customer orders received last month, 38 were correctly processed. Of the remaining 2, one was missing a

signature and one was missing a date.

Grading -

Corrections due: Within 3 weeks

Report 4 - Auditor: Mr Rogers.

Of the 30 personnel records examined, 26 were found to be fully completed whilst the remaining 4 were all missing

the individual's start date.

Grading – Major

Corrections due: Within 1 week

Which four of the options demonstrate the concerns you would have about these reports?

Options:

I would be concerned as to whether criteria for grading nonconformities are in existence in this organisation

I would be concerned as to whether the auditors understand the difference between corrections and corrective actions

I would be concerned because action taken to address a major nonconformity should always be completed sooner than action taken to address minor nonconformities

I would be concerned that no grading is recorded for Report 3. This could indicate that the auditor did not complete the report correctly or that they failed to make a determination as to severity

I would be concerned that the auditors focussed only on information security processes

I would be concerned that timing for addressing the nonconformities is significantly different in the four reports

I would have a concern that no nonconformity review was conducted

Discussion 0

Questions 31

You see a blue color sticker on certain physical assets. What does this signify?

Options:

The asset is very high critical and its failure affects the entire organization

The asset with blue stickers should be kept air conditioned at all times

The asset is high critical and its failure will affect a group/s/project's work in the organization

The asset is critical and the impact is restricted to an employee only

Discussion 0

Questions 32

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

What would prevent the misunderstanding between the certification body and the Data Grid Inc.?

Refer to scenario 5.

Options:

Validating the audit offer

Signing the certification agreement

Defining the audit schedule

Discussion 0

Questions 33

Scenario 5: Cobt. an insurance company in London, offers various commercial, industrial, and life insurance solutions. In recent years, the number of Cobt's clients has increased enormously. Having a huge amount of data to process, the company decided that certifying against ISO/IEC 27001 would bring many benefits to securing information and show its commitment to continual improvement. While the company was well-versed in conducting regular risk assessments, implementing an ISMS brought major changes to its daily operations. During the risk assessment process, a risk was identified where significant defects occurred without being detected or prevented by the organizations internal control mechanisms.

The company followed a methodology to implement the ISMS and had an operational ISMS in place after only a few months After successfully implementing the ISMS, Cobt applied for ISO/IEC 27001 certification Sarah, an experienced auditor, was assigned to the audit Upon thoroughly analyzing the audit offer, Sarah accepted her responsibilities as an audit team leader and immediately started to obtain general information about Cobt She established the audit criteria and objective, planned the audit, and assigned the audit team members' responsibilities.

Sarah acknowledged that although Cobt has expanded significantly by offering diverse commercial and insurance solutions, it still relies on some manual processes Therefore, her initial focus was to gather information on how the company manages its information security risks Sarah contacted Cobt's representatives to request access to information related to risk management for the off-site review, as initially agreed upon for part of the audit However, Cobt later refused, claiming that such information is too sensitive to be accessed outside of the company This refusal raised concerns about the audit's feasibility, particularly regarding the availability and cooperation of the auditee and access to evidence Moreover, Cobt raised concerns about the audit schedule, stating that it does not properly reflect the recent changes the company made It pointed out that the actions to be performed during the audit apply only to the initial scope and do not encompass the latest changes made in the audit scope

Sarah also evaluated the materiality of the situation, considering the significance of the information denied for the audit objectives. In this case, the refusal by Cobt raised questions about the completeness of the audit and its ability to provide reasonable assurance. Following these situations, Sarah decided to withdraw from the audit before a certification agreement was signed and communicated her decision to Cobt and the certification body. This decision was made to ensure adherence to audit principles and maintain transparency, highlighting her commitment to consistently upholding these principles.

Based on the scenario above, answer the following question:

Question:

Based on Scenario 5, Sarah decided to withdraw from the audit before a certification agreement was signed. Is this acceptable?

Options:

Yes, Sarah can withdraw from the audit but only if the certification body approves her withdrawal

Yes, there is no relation between Sarah’s withdrawal from the audit and the certification agreement

No, the certification agreement is directly tied to the auditor’s presence

Discussion 0

Questions 34

Select two of the following options that are the responsibility of a legal technical expert on the audit team during a certification audit.

Evaluating the auditee's legal knowledge

Options:

Criticising the organisation's legal compliance issues

Debating complex legal points with the auditee

Advising on legal checkpoints for the audit team

Verifying the legal status of the organisation

Meeting the organisation's legal representative

Discussion 0

Questions 35

You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's risk management process.

He is attempting to update the current documentation to make it easier for other managers to understand, however, it is clear from your discussion he is confusing several key terms.

You ask him to match each of the descriptions with the appropriate risk term. What should the correct answers be?

Options:

Discussion 0

Questions 36

Question

To verify conformity to control 8.15 Logging of ISO/IEC 27001 Annex A, the audit team studied a sample of server logs to determine if they could be edited or deleted. Which audit procedure did the audit team use?

Options:

Analysis

Technical verification

Observation

Discussion 0

Questions 37

Scenario 8: Tessa. Malik, and Michael are an audit team of independent and qualified experts in the field of security, compliance, and business planning and strategies. They are assigned to conduct a certification audit in Clastus, a large web design company. They have previously shown excellent work ethics, including impartiality and objectiveness, while conducting audits. This time, Clastus is positive that they will be one step ahead if they get certified against ISO/IEC 27001.

Tessa, the audit team leader, has expertise in auditing and a very successful background in IT-related issues, compliance, and governance. Malik has an organizational planning and risk management background. His expertise relies on the level of synthesis and analysis of an organization's security controls and its risk tolerance in accurately characterizing the risk level within an organization On the other hand, Michael is an expert in the practical security of controls assessment by following rigorous standardized programs.

After performing the required auditing activities, Tessa initiated an audit team meeting They analyzed one of Michael s findings to decide on the issue objectively and accurately. The issue Michael had encountered was a minor nonconformity in the organization's daily operations, which he believed was caused by one of the organization's IT technicians As such, Tessa met with the top management and told them who was responsible for the nonconformity after they inquired about the names of the persons responsible

To facilitate clarity and understanding, Tessa conducted the closing meeting on the last day of the audit. During this meeting, she presented the identified nonconformities to the Clastus management. However, Tessa received advice to avoid providing unnecessary evidence in the audit report for the Clastus certification audit, ensuring that the report remains concise and focused on the critical findings.

Based on the evidence examined, the audit team drafted the audit conclusions and decided that two areas of the organization must be audited before the certification can be granted. These decisions were later presented to the auditee, who did not accept the findings and proposed to provide additional information. Despite the auditee's comments, the auditors, having already decided on the certification recommendation, did not accept the additional information. The auditee's top management insisted that the audit conclusions did not represent reality, but the audit team remained firm in their decision.

Based on the scenario above, answer the following question:

Question:

The audit team did not accept Clastus's additional information because they had already made the certification recommendation. Is this acceptable?

Options:

Yes, once the audit team decides on a certification recommendation, they cannot accept any additional information

No, the auditee can provide additional information if they disagree with the certification recommendation

No, the auditor should not consider revisions that resulted from discussions with the auditee in the certification recommendation decision

Discussion 0

Questions 38

You are performing an ISMS audit at a European-based residential nursing home called ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process.

During the audit, you learned most of the residents' family members (90%) receive WeCare medical devices promotion advertisements through email and SMS once a week via ABC's healthcare mobile app. All of them do not agree on the use of the collected personal data for marketing or any other purposes than nursing and medical care on the signed service agreement with ABC. They have very strong reason to believe that ABC is leaking residents' and family members' personal information to a non-relevant third party and they have filed complaints.

The Service Manager says that, after investigation, all these complaints have been treated as nonconformities. The corrective actions have been planned and implemented according to the nonconformity and corrective management procedure (Document reference ID: ISMS_L2_10.1, version 1).

You write a nonconformity which you will follow up on later. Select the words that best complete the sentence:

Options:

Discussion 0

Questions 39

You are carrying out a third-party surveillance audit of a client's ISMS. You are currently in the secure storage area of the data centre where the organisation's customers are able to temporarily locate equipment coming into or going out of the site. The equipment is contained within locked cabinets and each cabinet is allocated to a single, specific client.

Out of the corner of your eye you spot movement near the external door of the storage area. This is followed by a loud noise. You ask the guide what is going on. They tell you that recent high rainfall has raised local river levels and caused an infestation of rats. The noise was a specialist pest control stunning device being triggered. You check the device in the corner and find there is a large immobile rat contained within it.

What three actions would be appropriate to take next?

Options:

Take no further action. This is an ISMS audit, not an environmental management system audit

Investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied

Determine whether the high levels of rainfall have had other impacts on data centre operations e.g. damage to infrastructure, access issues for clients, invocation of business continuity arrangements

Raise a nonconformity against control 7.4 Physical Security monitoring

Raise a nonconformity against control 7.2 Physical Entry

Check with the guide that they intend to initiate the organisation's information security incident process

Inspect the client cabinets for signs of rodent ingress and record your findings as audit evidence

Discussion 0

Questions 40

You are the person responsible for managing the audit programme and deciding the size and composition of the audit team for a specific audit. Select the two factors that should be considered.

The audit scope and criteria

Options:

Customer relationships

The overall competence of the audit team needed to achieve audit objectives

Seniority of the audit team leader

The cost of the audit

The duration preferred by the auditee

Discussion 0

Answer:

A, C

Explanation:

The overall competence of the12:

The audit scope and criteria: The audit scope defines the extent and boundaries of the audit, such as the locations, processes, functions, and time period to be audited. The audit criteria are the set of policies, procedures, standards, or requirements used as a reference against which the audit evidence is compared. The audit scope and criteria determine the complexity and extent of the audit, and thus influence the number and expertise of the auditors needed to cover all the relevant aspects of the audit.

The overall competence of the audit team needed to achieve audit objectives: The audit team should have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results. The audit team competence should include the following elements12:

Generic competence: The ability to apply the principles and methods of auditing, such as planning, conducting, reporting, and following up the audit, as well as the personal behaviour and attributes of the auditors, such as ethical conduct, fair presentation, professional care, independence, and impartiality.

Discipline and sector-specific competence: The ability to understand and apply the audit criteria and the relevant technical or industry aspects of the audited organization, such as the information security management system (ISMS) requirements, the information security risks and controls, the legal and regulatory obligations, the organizational context and culture, the processes and activities, the products and services, etc.

Audit team leader competence: The ability to manage the audit team and the audit process, such as coordinating the audit activities, communicating with the audit programme manager and the auditee, resolving any audit-related problems, ensuring the quality and consistency of the audit work and the audit report, etc.

The person responsible for managing the audit programme should not consider the following factors when deciding the size and composition of the audit team for a specific audit, as they are either irrelevant or inappropriate for the audit process12:

Customer relationships: The audit team should not be influenced by any personal or professional relationships with the auditee or other interested parties, as this may compromise the objectivity and impartiality of the audit. The audit team should avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.

Seniority of the audit team leader: The audit team leader should be selected based on their competence and experience, not on their seniority or rank within the organization or the audit programme. The audit team leader should have the authority and responsibility to manage the audit team and the audit process, regardless of their seniority or position.

The cost of the audit: The cost of the audit should not be the primary factor for determining the size and composition of the audit team, as this may compromise the quality and effectiveness of the audit. The audit team should have sufficient resources and time to conduct the audit in accordance with the audit objectives, scope, and criteria, and to provide accurate and reliable audit results and recommendations.

The duration preferred by the auditee: The duration of the audit should be based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee, not on the preference or convenience of the auditee. The audit team should have enough time to conduct the audit in a thorough and systematic manner, and to collect and evaluate sufficient and relevant audit evidence.

[References:, ISO 19011:2018 - Guidelines for auditing management systems, PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-20, , , ]

Questions 41

Which one of the following options best describes the main purpose of a Stage 2 third-party audit?

Options:

To determine readiness for certification

To check for legal compliance by the organisation

To identify nonconformances against a standard

To get to know the organisation's management system

Discussion 0

Questions 42

The auditor should consider (1)-------when determining the (2)--------

Options:

(1) Standard requirements. (2) audit criteria

(1) Audit risks, (2) audit objectives

(1) Penalties related to legal noncompliance, (2) materiality

Discussion 0

Questions 43

An auditor of organisation A performs an audit of supplier B. Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?

Options:

Shares the findings with other relevant managers in A

Shares the findings with B's Information Security Manager

Shares the findings with A's supplier evaluation team

Shares the findings with B's other customers

Shares the findings with B's certification body

Shares the findings with other relevant managers in B

Discussion 0

Questions 44

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

UpNet announced that the ISMS certification scope encompasses the whole company once ensuring that the new department also complies with the ISO/IEC 27001 requirements. How would you classify this situation illustrated in scenario 9?

Options:

Unacceptable, the internal auditor should have approved the extension audit, not the top management

Unacceptable, UpNet should have requested and granted an extension audit prior to making the announcement

Acceptable, the internal audit confirmed the effectiveness and efficiency of the existing and new processes and controls

Discussion 0

Questions 45

ISMS (1)---------------helps determine (2)--------------,

Options:

(1) Continual improvement, (2) the effectiveness of corrective actions

Q (1) Management review, (2) opportunities for continual improvement

(1) Internal audit, (2) the ISMS scope

Discussion 0

Questions 46

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

Options:

5.11 Return of assets

8.12 Data leakage protection

5.3 Segregation of duties

6.3 Information security awareness, education, and training

7.10 Storage media

8.3 Information access restriction

5.6 Contact with special interest groups

Discussion 0

Answer:

B, D, E, F, I, J

Explanation:

B. 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers12.

D. 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms13.

E. 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks14. Storage media controls could include physical locks, encryption, backup, disposal, or destruction14.

F. 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets15.

I. 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts16.

J. 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes1 . Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse1 .

References :=

ISO/IEC 27002:2022 Information technology — Security techniques — Code of practice for information security controls

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27003:2022 Information technology — Security techniques — Information security management systems — Guidance

ISO/IEC 27004:2022 Information technology — Security techniques — Information security management systems — Monitoring measurement analysis and evaluation

ISO/IEC 27005:2022 Information technology — Security techniques — Information security risk management

ISO/IEC 27006:2022 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems

[ISO/IEC 27007:2022 Information technology — Security techniques — Guidelines for information security management systems auditing]

Questions 47

Scenario 9

CloudFort, a small networking company, provides network security, cloud computing, and virtualization solutions. The company has recently been certified in an information security management system (ISMS) based on the ISO/IEC 27001 standard, which has resulted in a spike in its recognition, confirming the maturity of CloudFort’s operation.

CloudFort continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. Due to its size and desire for greater objectivity, the top management decided to outsource the internal audit function to ensure the internal audit is independent of the audited activities and holds an advisory role in the continual improvement of the ISMS.

After the initial certification audit, the company created a new department specializing in data storage solutions. It offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. Because of the new department, CloudFort initiated a risk assessment process and an internal audit. Following the internal audit results, the company confirmed the effectiveness and efficiency of the new processes and controls.

After determining that the new department fully complies with ISO/IEC 27001 requirements, top management decided to include it in the certification scope. They submitted a request to the certification body for an extension of the certification scope to ensure that the department’s processes and security measures fully align with the overall ISMS.

One year after the initial certification audit, the certification body conducted another audit of CloudFort's ISMS. This audit aimed to determine CloudFort’s ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS fulfills the standard requirements. Nonetheless, the new department introduced changes that significantly affected how the overall management system was governed, requiring updates to existing processes and controls.

Moreover, although CloudFort requested an extension of the certification scope, they failed to provide timely updates on the impact of the new department on the ISMS to the certification body. Thus, CloudFort’s certification was suspended.

Question

CloudFort requested an extension of the certification scope to include the new department. How would you classify this situation? Refer to Scenario 9.

Options:

Unacceptable, because the extension should have been included in the initial certification scope and cannot be added afterward unless a major recertification process is undertaken.

Acceptable, many auditees can define a reduced scope for the first certification and then request for an extension during the following years.

Unacceptable, as expanding the scope requires a complete audit of the organization again.

Discussion 0

Questions 48

Scenario 3

NightCore, a multinational technology enterprise headquartered in the United States, specializes in e-commerce, cloud computing, digital streaming, and artificial intelligence (AI). After having an information security management system (ISMS) implemented for over a year, NightCore contracted a certification body to perform an audit for ISO/IEC 27001 certification.

The certification body formed a team of five auditors, with Jack as a team leader. Jack is renowned for his extensive auditing experience in risk management, information security controls, and incident management. His skill set aligns well with the requirements of auditing principles and processes, enabling him to effectively comprehend the audit scope and apply relevant criteria effectively. Jack also demonstrates a solid understanding of NightCore’s organizational structure, purpose, and management practices and the statutory and regulatory requirements applicable to its activities.

The audit carried out by the audit team followed a rational method to reach reliable and reproducible conclusions systematically. The audit team recognized that only information capable of being verified to some extent should be considered valid evidence. In some rare instances during the audit where the verification of certain information posed challenges and where its degree of verifiability was low, the auditors exercised their professional judgment to assess the reliability and determine the level of reliance that could be placed on such evidence.

During the audit, the auditors documented their observations and inspection notes regarding the operational planning and control of NightCore’s ISMS operations. They also recorded observations of NightCore’s inventory of information and associated assets. Additionally, the auditors reviewed the configuration of firewalls implemented to secure connections to network services.

As the audit approached its final stages, NightCore’s commitment to upholding the highest levels of information security became evident. With ISO/IEC 27001 certification within reach, NightCore is well-positioned to achieve ISO/IEC 27001 certification, enhancing its reputation in the technology sector.

Question

During the audit at NightCore, the auditors focused on key areas of ISMS operations, including operational planning, asset inventory, and firewall configurations. What type of evidence did the auditors collect during the audit conducted at NightCore?

Options:

Analytical and documentary evidence

Physical and technical evidence

Mathematical evidence

Discussion 0

Questions 49

Scenario 4

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year.

Question

Which type of evidence did the auditors utilize to validate various aspects of SendPay’s ISMS during the audit process? Refer to Scenario 4.

Options:

Analytical evidence

Mathematical evidence

Technical evidence

Discussion 0

Questions 50

You receive the following mail from the IT support team: Dear User,Starting next week, we will be deleting all inactive email accounts in order to create spaceshare the below details in order to continue using your account. In case of no response,

Name:

Email ID:

Password:

DOB:

Kindly contact the webmail team for any further support. Thanks for your attention.

Which of the following is the best response?

Options:

Ignore the email

Respond it by saying that one should not share the password with anyone

One should not respond to these mails and report such email to your supervisor

Discussion 0

Questions 51

During an opening meeting of a Stage 2 audit, the Managing Director of the client organisation invites the audit team to view a new organisation video lasting 45 minutes.

Which two of the following responses should the audit team leader make?

Options:

State that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team

Advise the Managing Director that the audit team agrees to his request

Advise the Managing Director that the audit team has to keep to the planned schedule

Invite the Managing Director to the auditors' hotel for a viewing that evening.

Suggest that the last five minutes of the video could be viewed to provide a flavour of its content

Suggest that the video could be viewed during a refreshment break

Discussion 0

Answer:

C, F

Explanation:

From Exact Extract:

Explanation for C (Correct Response):

The audit team leader's primary responsibility is to manage the audit process effectively and efficiently according to the agreed-upon audit plan and schedule. A Stage 2 audit schedule is typically tightly managed to ensure all required elements of the management system are sampled within the allocated time. A 45-minute video presentation is a significant time commitment that would disrupt the planned audit activities. Politely but firmly stating the need to adhere to the schedule is professional and critical for maintaining audit integrity and achieving the audit objectives.

[Reference:, ISO/IEC 17021-1:2015, Clause 9.1.5 "Establishing the audit plan": This clause emphasizes that "The audit plan shall be designed to achieve the objectives of the audit... and effectively use the available audit time." Deviating for a 45-minute video directly contradicts effective time use., ISO 19011:2018, Clause 6.4.2 "Conducting the opening meeting": While the opening meeting covers introductions and confirming the audit plan, it does not include extensive presentations unrelated to the audit. The audit team leader is expected to manage the meeting effectively., General Auditing Principle of Time Management: Auditors are bound by the agreed-upon audit duration. Unplanned lengthy activities compromise the ability to complete the audit scope., Explanation for F (Correct Response - as a polite alternative/compromise):, While watching the full 45-minute video is not feasible, suggesting it be viewed during a refreshment break is a diplomatic way of indicating that audit time cannot be used for this purpose. Refreshment breaks are informal and typically short; this suggestion subtly implies that only a very brief, informal viewing might be possible (or that the video's length makes it unsuitable even for a break), reinforcing that core audit activities take precedence. It's a polite refusal of the main request while showing a slight willingness to accommodate if feasible, without compromising the audit schedule., , Reference:, ISO 19011:2018, Clause 6.4.8 "Conducting audit activities": This clause emphasizes that audit activities should be focused on collecting objective evidence relevant to the audit criteria. Viewing a general organizational video is generally not an audit activity., Professional Conduct: An audit team leader should be professional and polite, seeking to maintain good client relations while ensuring audit objectives are met. This option balances politeness with adherence to audit principles., Explanation for A (Incorrect Response):, It is not appropriate for the audit team leader to stay behind after the meeting to view the video. This implies the video is a necessary part of the audit, which it isn't. More importantly, it uses the auditor's time inefficiently and could impact subsequent audit activities or the auditor's personal time. The entire team does not need to view general promotional material., Explanation for B (Incorrect Response):, Agreeing to watch a 45-minute video would significantly disrupt the pre-planned Stage 2 audit schedule. This would be a failure in audit planning and time management, potentially preventing the team from completing the necessary audit activities and gathering sufficient evidence for certification., , Reference:, ISO/IEC 17021-1:2015, Clause 9.1.5 "Establishing the audit plan": Directly contradicts the principle of effective time use., Explanation for D (Incorrect Response):, Inviting the Managing Director to the auditors' hotel is highly unprofessional and inappropriate. Auditor-client interactions should remain professional and generally occur on the client's premises during business hours related to the audit. This blurs professional boundaries and is outside the scope of acceptable auditor conduct., , Reference:, ISO 19011:2018, Clause 5 "Principles of auditing" (Ethical Conduct): Maintaining professionalism and appropriate boundaries is a core ethical principle for auditors., Explanation for E (Incorrect Response - less ideal than C or F):, While this might seem like a compromise, suggesting to watch only the last five minutes still consumes audit time (even if brief) and can set an expectation for other non-audit-related requests. It's generally better to politely decline outright due to schedule constraints (as in C) or offer a less formal, non-audit-time option (as in F). It still risks implying that this type of material is relevant to the audit., , , , ]

Questions 52

Scenario 8

Trustingo has been providing banking and financial services in Estonia since 2010. The company has a network of 30 branches with over 100 ATMs nationwide. To meet strict data security and privacy regulations, Trustingo implemented an information security management system (ISMS) based on ISO/IEC 27001, ensuring better security, improved risk management, and compliance with legal requirements.

Nine months after the successful implementation of the ISMS, Trustingo decided to pursue certification for their ISMS based on ISO/IEC 27001 by an independent certification body. The certification audit included Trustingo's systems, processes, and technologies.

The audit team conducted the Stage 1 and Stage 2 audits jointly, and several nonconformities were detected. The first nonconformity was related to Trustingo's labeling of information. The company had an information classification scheme but no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently.

The nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information can be stored in removable media, whereas storing sensitive information is strictly prohibited.

The audit team drafted the nonconformity report and discussed the audit conclusions with Trustingo's representatives, who agreed to submit an action plan for the detected nonconformities within two months. Since the certification recommendation is conditional upon filing corrective actions, Trustingo must submit corrective action plans to show how they will address and resolve these nonconformities. Trustingo accepted the audit team leader's proposed solution and addressed the nonconformities by drafting an information labeling procedure and updating the removable media procedure.

Two weeks after the audit completion, Trustingo submitted a general action plan. Although the plan addressed the detected nonconformities and corrective actions taken, it lacked detailed action steps for each nonconformity and did not include specific details on the impacted systems, controls, or operations. The audit team evaluated the action plan. Nevertheless, Trustingo received an unfavorable recommendation for certification.

Question

Which option justifies the unfavorable recommendation for certification? Refer to Scenario 8.

Options:

The major nonconformity related to storing sensitive information in removable media

The minor nonconformity related to the lack of information labeling procedure

The company's decision to submit the action plan in two weeks despite having a different timeline available

Discussion 0

Questions 53

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the ORGANISATIONAL controls listed in the Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

Options:

Access to and from the loading bay

Confidentiality and nondisclosure agreements

How information security has been addressed within supplier agreements

How power and data cables enter the building

Rules for transferring information within the organisation and to other organisations

The development and maintenance of an information asset inventory

The operation of the site CCTV and door control systems

Discussion 0

Questions 54

Question

What should the auditors consider for judgement-based sampling?

Options:

The results of monitoring activities from the period prior to the ISMS implementation

Previous audit experience within the audit scope

The auditee's experience with implementing management systems

Discussion 0

Questions 55

A property of Information that has the ability to prove occurrence of a claimed event.

Options:

Electronic chain letters

Integrity

Availability

Accessibility

Discussion 0

Questions 56

During an audit, the audit team leader reached timely conclusions based on logical reasoning and analysis. What professional behaviour was displayed by the audit team leader?

Options:

Decisive

Open minded

Ethical

Perceptive

Discussion 0

Questions 57

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank’s labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

By drafting a procedure for information labeling, EsBank has:

Options:

Submitted an action plan to resolve the nonconformity

Created an information classification scheme

Eliminated the root cause of the nonconformity

Discussion 0

Questions 58

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

Which three of the following options represent valid audit trails?

Options:

I will review the organisation's threat intelligence process and will ensure that this is fully documented

I will speak to top management to make sure all staff are aware of the importance of reporting threats

I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

I will ensure that the organisation's risk assessment process begins with effective threat intelligence

I will determine whether internal and external sources of information are used in the production of threat intelligence

I will review how information relating to information security threats is collected and evaluated to produce threat intelligence

Discussion 0

Answer:

A, D, F

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control 5.7 requires an organization to establish and maintain a threat intelligence process to identify and evaluate information security threats that are relevant to its ISMS scope and objectives1. The organization should use internal and external sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that can be used to support risk assessment and treatment, as well as other information security activities1. Therefore, when auditing the organization’s application of control 5.7, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Three options that represent valid audit trails for verifying control 5.7 are:

I will review the organisation’s threat intelligence process and will ensure that this is fully documented: This option is valid because it can provide evidence of how the organization has established and maintained a threat intelligence process that is consistent with its ISMS scope and objectives. It can also verify that the process is documented according to clause 7.5 of ISO/IEC 27001:20221.

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation’s information assets: This option is valid because it can provide evidence of how the organization has used threat intelligence to support its risk assessment and treatment, as well as other information security activities, such as incident response, awareness, or monitoring. It can also verify that the organization has achieved its information security objectives according to clause 6.2 of ISO/IEC 27001:20221.

I will determine whether internal and external sources of information are used in the production of threat intelligence: This option is valid because it can provide evidence of how the organization has used various sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that is relevant and reliable. It can also verify that the organization has complied with the requirement of control 5.7 of ISO/IEC 27001:20221.

The other options are not valid audit trails for verifying control 5.7, as they are not related to the control or its requirements. For example:

I will speak to top management to make sure all staff are aware of the importance of reporting threats: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding information security awareness or communication, but not specifically to control 5.7.

I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also contradict the requirement for auditor independence and objectivity, as recommended by ISO 19011:20182, which provides guidelines for auditing management systems.

I will ensure that the organisation’s risk assessment process begins with effective threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also imply a prescriptive approach to risk assessment that is not consistent with ISO/IEC 27005:20183, which provides guidelines for information security risk management.

I will review how information relating to information security threats is collected and evaluated to produce threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also be too vague or broad to be an effective audit trail, as it does not specify what criteria or methods are used for collecting and evaluating information.

I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding management review or performance evaluation, but not specifically to control 5.7.

[References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements, ISO 19011:2018 - Guidelines for auditing management systems, ISO/IEC 27005:2018 - Information technology – Security techniques – Information security risk management, , , ]

Questions 59

During an opening meeting of a Stage 2 audit, the Managing Director of the client organisation invites the audit team to view a new company video lasting 45 minutes. Which two of the following responses should the audit team leader make?

Options:

Advise the Managing Director that the audit team has to keep to the planned schedule

State that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team

Invite the Managing Director to the auditors' hotel for a viewing that evening.

Suggest that the video could be viewed during a refreshment break

State that the audit team will make a decision on the viewing at a later time

Advise the Managing Director that the audit team agrees to his request

Discussion 0

Answer:

A, D

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, an opening meeting is a formal communication between the audit team and the auditee at the start of an audit1. The purpose of the opening meeting is to confirm the audit objectives, scope and criteria, introduce the audit team and their roles, confirm the audit plan and logistics, explain the audit methods and procedures, and establish the communication channels1. Therefore, if the Managing Director of the client organization invites the audit team to view a new company video lasting 45 minutes during the opening meeting of a Stage 2 audit, the audit team leader should respond in a way that does not compromise the effectiveness and efficiency of the audit or create any misunderstanding or conflict with the auditee. Two possible ways to respond are to advise the Managing Director that the audit team has to keep to the planned schedule, as there may be limited time and resources available for the audit; or to suggest that the video could be viewed during a refreshment break, if it is relevant and useful for the audit and does not interfere with other audit activities1. The other options are not appropriate responses for the audit team leader to make in this situation. For example, stating that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team may imply that the video is not important or relevant for the rest of the audit team; inviting the Managing Director to the auditors’ hotel for a viewing that evening may create an impression of bias or favouritism; stating that the audit team will make a decision on the viewing at a later time may be vague or indecisive; and advising the Managing Director that the audit team agrees to his request may result in wasting valuable audit time or losing focus on the audit objectives1. References: ISO 19011:2018 - Guidelines for auditing management systems

Questions 60

Question:

According to ISO/IEC 27001, Clause 5.1 (Leadership and Commitment), which of the following is NOT a responsibility of top management?

Options:

Ensuring the availability of resources for the ISMS and promoting continual improvement

Conducting regular internal audits to assess the effectiveness of the ISMS

Directing and supporting persons to contribute to the effectiveness of the ISMS

Discussion 0

Questions 61

In the context of a management system audit, please identify the sequence of a typical process of collecting and verifying information. The first one has been done for you.

Options:

Discussion 0

Questions 62

Audit methods can be either with or without interaction with individuals representing the auditee. Which two of the following methods are with interaction?

Options:

Sampling (e.g. products)

Observing work performed via live video streaming

Reviewing checklists with auditee

Checking legal compliance with local authorities

Conducting interviews

Analysing documents provided in advance of the audit

Discussion 0

Questions 63

Which statement below best describes the relationship between information security aspects?

Options:

Threats exploit vulnerabilities to damage or destroy assets

Controls protect assets by reducing threats

Risk is a function of vulnerabilities that harm assets

Discussion 0

Questions 64

After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.

Considering this information, what action would you expect the audit team leader to take?

Options:

Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform

Increase the length of the Stage 2 audit to include the extra sites

Inform the auditee that the audit team leader accepts the request

Obtain information about the additional sites to inform the individual(s) managing the audit programme

Discussion 0

Questions 65

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Regarding the third situation observed, auditors themselves tested the configuration of firewalls implemented in SendPay's network. How do you describe this situation? Refer to scenario 4.

Options:

Acceptable, technical evidence is required to validate the operation of technical processes

Unacceptable, the auditors should only observe the testing of system or equipment configurations and not test the system themselves

Unacceptable, firewall configurations should not be tested during an audit since this can have an impact systems' operation

Discussion 0

Questions 66

You are an experienced ISMS audit team leader, assisting an auditor in training to write their first audit report.

You want to check the auditor in training's understanding of terminology relating to the contents of an audit report and chose to do this by presenting the following examples.

For each example, you ask the auditor in training what the correct term is that describes the activity

Match the activity to the description.

Options:

Discussion 0

Questions 67

Scenario:

Northstorm is an online retail shop offering unique vintage and modern accessories. It initially entered a small market but gradually grew thanks to the development of the overall e-commerce landscape. Northstorm works exclusively online and ensures efficient payment processing, inventory management, marketing tools, and shipment orders. It uses prioritized ordering to receive, restock, and ship its most popular products.

Northstorm has traditionally managed its IT operations by hosting its website and maintaining full control over its infrastructure, including hardware, software, and data administration. However, this approach hindered its growth due to the lack of responsive infrastructure. Seeking to enhance its e-commerce and payment systems, Northstorm opted to expand its in-house data centers, completing the expansion in two phases over three months. Initially, the company upgraded its core servers, point-of-sale, ordering, billing, database, and backup systems. The second phase involved improving mail, payment, and network functionalities. Additionally, during this phase, Northstorm adopted an international standard for personally identifiable information (PII) controllers and PII processors regarding PII processing to ensure its data handling practices were secure and compliant with global regulations.

Despite the expansion, Northstorm's upgraded data centers failed to meet its evolving business demands. This inadequacy led to several new challenges, including issues with order prioritization. Customers reported not receiving priority orders, and the company struggled with responsiveness. This was largely due to the main server's inability to process orders from YouDecide, an application designed to prioritize orders and simulate customer interactions. The application, reliant on advanced algorithms, was incompatible with the new operating system (OS) installed during the upgrade.

Faced with urgent compatibility issues, Northstorm quickly patched the application without proper validation, leading to the installation of a compromised version. This security lapse resulted in the main server being affected and the company's website going offline for a week. Recognizing the need for a more reliable solution, the company decided to outsource its website hosting to an e-commerce provider. The company signed a confidentiality agreement concerning product ownership and conducted a thorough review of user access rights to enhance security before transitioning.

Question:

Based on Scenario 1, which international standard did Northstorm adopt during the second phase of expansion?

Options:

ISO/IEC 27701

ISO/IEC 27009

ISO/IEC 27003

Discussion 0

Questions 68

Scenario 9: Techmanic is a Belgian company founded in 1995 and currently operating in Brussels. It provides IT consultancy, software design, and hardware/software services, including deployment and maintenance. The company serves sectors like public services, finance, telecom, energy, healthcare, and education. As a customer-centered company, it prioritizes strong client relationships and leading security practices.

Techmanic has been ISO/IEC 27001 certified for a year and regards this certification with pride. During the certification audit, the auditor found some inconsistencies in its ISMS implementation. Since the observed situations did not affect the capability of its ISMS to achieve the intended results, Techmanic was certified after auditors followed up on the root cause analysis and corrective actions remotely During that year, the company added hosting to its list of services and requested to expand its certification scope to include that area The auditor in charge approved the request and notified Techmanic that the extension audit would be conducted during the surveillance audit

Techmanic underwent a surveillance audit to verify its iSMS's continued effectiveness and compliance with ISO/IEC 27001. The surveillance audit aimed to ensure that Techmanic’s security practices, including the recent addition of hosting services, aligned seamlessly with the rigorous requirements of the certification

The auditor strategically utilized the findings from previous surveillance audit reports in the recertification activity with the purpose of replacing the need for additional recertification audits, specifically in the IT consultancy sector. Recognizing the value of continual improvement and learning from past assessments. Techmanic implemented a practice of reviewing previous surveillance audit reports. This proactive approach not only facilitated identifying and resolving potential nonconformities but also aimed to streamline the recertification process in the IT consultancy sector.

During the surveillance audit, several nonconformities were found. The ISMS continued to fulfill the ISO/IEC 27001*s requirements, but Techmanic failed to resolve the nonconformities related to the hosting services, as reported by its internal auditor. In addition, the internal audit report had several inconsistencies, which questioned the independence of the internal auditor during the audit of hosting services. Based on this, the extension certification was not granted. As a result. Techmanic requested a transfer to another certification body. In the meantime, the company released a statement to its clients stating that the ISO/IEC 27001 certification covers the IT services, as well as the hosting services.

Based on the scenario above, answer the following question:

Question:

Is the internal auditor responsible for following up on action plans resulting from external audits?

Options:

No, the internal auditor should follow up on action plans submitted in response to nonconformities resulting only from internal audits

Yes, only if minor nonconformities have been detected during the external audit

Yes, the internal auditor should follow up on action plans submitted during internal and external audits

Discussion 0

Questions 69

Integrity of data means

Options:

Accuracy and completeness of the data

Data should be viewable at all times

Data should be accessed by only the right people

Discussion 0

Questions 70

Question

Which statement best describes how internal audits and external audits complement each other in an organization?

Options:

Internal audits regularly review the organization’s processes to identify issues and improvements, providing input that supports preparation for external audits

Internal audits mainly monitor external auditors' reports and action plans without conducting their own assessments

External audits focus on ongoing internal improvements while internal audits verify certification readiness

Discussion 0

Questions 71

Question:

Which of the following can be considered a minor nonconformity?

Options:

Employees lack training to recognize phishing attempts, increasing malware risks

Lack of multi-factor authentication leaves accounts vulnerable to unauthorized access

The information security policy lacks reference to continual ISMS improvement

Discussion 0

Questions 72

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

Based on the scenario above, answer the following question:

Which option justifies the unfavorable recommendation for certification? Refer to scenario 8.

Options:

The major nonconformity related to storing sensitive information in removable media

The minor nonconformity related to the lack of information labeling procedure

The unrealistic date of the submitted action plan (two weeks)

Discussion 0

Questions 73

You are an experienced ISMS audit team leader conducting a third-party surveillance visit.

You notice that although the auditee is claiming conformity with ISO/IEC 27001:2022 they are still referring to Improvement as clause 10.2 (as it was in the 2013 edition) when this is now clause 10.1 in

the 2022 edition. You have confirmed they are meeting all of the 2022 requirements set out in the standard.

Select one option of the action you should take.

Options:

Note the issue in the audit report

Raise a nonconformity against clause 7.5.3 - Control of documented information

Raise it as an opportunity for improvement

Bring the matter up at the closing meeting

Discussion 0

Questions 74

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

Does ISO/IEC 27001 require organizations to comply with national laws and regulations?

Options:

Yes, but relevant legal and contractual requirements do not need to be explicitly identified

No, there is no clear indication in the standard as to whether the organization should comply with the national laws and regulations

Yes, complying with the applicable legislation is a requirement of ISO/IEC 27001

Discussion 0

Questions 75

Please match the following situations to the type of audit required.

Options:

Discussion 0

Questions 76

You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.

Match each of the descriptions provided to one of the following risk management processes.

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Options:

Discussion 0

Answer:

Explanation:

Risk analysis is the process by which the nature of the risk is determined along with its probability and impact. Risk analysis involves estimating the likelihood and consequences of potential events or situations that could affect the organization’s information security objectives or requirements12. Risk analysis could use qualitative or quantitative methods, or a combination of both12.

Risk management is the process by which a risk is controlled at all stages of its life cycle by means of the application of organisational policies, procedures and practices. Risk management involves establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing the risks that could affect the organization’s information security performance or compliance12. Risk management aims to ensure that risks are identified and treated in a timely and effective manner, and that opportunities for improvement are exploited12.

Risk identification is the process by which a risk is recognised and described. Risk identification involves identifying and documenting the sources, causes, events, scenarios, and potential impacts of risks that could affect the organization’s information security objectives or requirements12. Risk identification could use various techniques, such as brainstorming, interviews, checklists, surveys, or historical data12.

Risk evaluation is the process by which the impact and/or probability of a risk is compared against risk criteria to determine if it is tolerable. Risk evaluation involves comparing the results of risk analysis with predefined criteria that reflect the organization’s risk appetite, tolerance, or acceptance12. Risk evaluation could use various methods, such as ranking, scoring, or matrix12. Risk evaluation helps to prioritize and decide on the appropriate risk treatment options12.

Risk mitigation is the process by which the impact and/or probability of a risk is reduced by means of the application of controls. Risk mitigation involves selecting and implementing measures that are designed to prevent, reduce, transfer, or accept risks that could affect the organization’s information security objectives or requirements12. Risk mitigation could include various types of controls, such as technical, organizational, legal, or physical12. Risk mitigation should be based on a cost-benefit analysis and a residual risk assessment12.

Risk transfer is the process by which a risk is passed to a third party, for example through obtaining appropriate insurance. Risk transfer involves sharing or shifting some or all of the responsibility or liability for a risk to another party that has more capacity or capability to manage it12. Risk transfer could include various methods, such as contracts, agreements, partnerships, outsourcing, or insurance12. Risk transfer should not be used as a substitute for effective risk management within the organization12.

References :=

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27005:2022 Information technology — Security techniques — Information security risk management

Questions 77

Why should materiality be considered during the initial contact?

Options:

To determine the audit duration

To obtain reasonable assurance that the audit can be successfully completed

To define processes for minimizing detection risks

Discussion 0

Questions 78

Scenario 9

CloudFort continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. Due to its size and desire for greater objectivity, top management decided to outsource the internal audit function to ensure the internal audit is independent of the audited activities and holds an advisory role in the continual improvement of the ISMS.

One year after the initial certification audit, the certification body conducted another audit of CloudFort's ISMS. This audit aimed to determine CloudFort’s ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure continual improvement. The audit team confirmed that the certified ISMS fulfills the standard requirements. Nonetheless, the new department introduced changes that significantly affected how the overall management system was governed, requiring updates to existing processes and controls.

Question

Based on Scenario 9, why was CloudFort’s certification suspended?

Options:

Because it applied the certification beyond its approved scope, despite submitting a request for scope extension

Because it outsourced the internal audit function

Because its ISMS does not fulfill the requirements of the standard

Discussion 0

Questions 79

Scenario 7: Webvue. headquartered in Japan, is a technology company specializing in the development, support, and maintenance of computer software. Webvue provides solutions across various technology fields and business sectors. Its flagship service is CloudWebvue, a comprehensive cloud computing platform offering storage, networking, and virtual computing services. Designed for both businesses and individual users. CloudWebvue is known for its flexibility, scalability, and reliability.

Webvue has decided to only include CloudWebvue in its ISO/IEC 27001 certification scope. Thus, the stage 1 and 2 audits were performed simultaneously Webvue takes pride in its strictness regarding asset confidentiality They protect the information stored in CloudWebvue by using appropriate cryptographic controls. Every piece of information of any classification level, whether for internal use. restricted, or confidential, is first encrypted with a unique corresponding hash and then stored in the cloud

The audit team comprised five persons Keith. Sean. Layla, Sam. and Tina. Keith, the most experienced auditor on the IT and information security auditing team, was the audit team leader. His responsibilities included planning the audit and managing the audit team. Sean and Layla were experienced in project planning, business analysis, and IT systems (hardware and application) Their tasks included audit planning according to Webvue’s internal systems and processes Sam and Tina, on the other hand, who had recently completed their education, were responsible for completing the day-to-day tasks while developing their audit skills

While verifying conformity to control 8.24 Use of cryptography of ISO/IEC 27001 Annex A through interviews with the relevant staff, the audit team found out that the cryptographic keys have been initially generated based on random bit generator (RBG) and other best practices for the generation of the cryptographic keys. After checking Webvue's cryptography policy, they concluded that the information obtained by the interviews was true. However, the cryptographic keys are still in use because the policy does not address the use and lifetime of cryptographic keys.

As later agreed upon between Webvue and the certification body, the audit team opted to conduct a virtual audit specifically focused on verifying conformity to control 8.11 Data Masking of ISO/IEC 27001 within Webvue, aligning with the certification scope and audit objectives. They examined the processes involved in protecting data within CloudWebvue. focusing on how the company adhered to its policies and regulatory standards. As part of this process. Keith, the audit team leader, took screenshot copies of relevant documents and cryptographic key management procedures to document and analyze the effectiveness of Webvue's practices.

Webvue uses generated test data for testing purposes. However, as determined by both the interview with the manager of the QA Department and the procedures used by this department, sometimes live system data are used. In such scenarios, large amounts of data are generated while producing more accurate results. The test data is protected and controlled, as verified by the simulation of the encryption process performed by Webvue's personnel during the audit

While interviewing the manager of the QA Department, Keith observed that employees in the Security Training Department were not following proper procedures, even though this department fell outside the audit scope. Despite the exclusion in the audit scope, the non conformity in the Security Training Department has potential implications for the processes within the audit scope, specifically impacting data security and cryptographic practices in CloudWebvue. Therefore, Keith incorporated this finding into the audit report and accordingly informed the auditee.

Based on the scenario above, answer the following question:

Question:

Based on Scenario 7, the audit team checked Webvue’s cryptography policy to obtain reasonable assurance of the information obtained during interviews. Which type of audit procedure has been used?

Options:

Observation

Corroboration

Evaluation

Discussion 0

Questions 80

Scenario 4

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year.

Question

Did the audit at SendPay include all the necessary steps for auditing outsourced operations?

Options:

Yes, the audit examined all aspects of outsourced operations.

No, the audit overlooked crucial steps, such as reviewing termination plans.

No, as the audit team only focused on the steps related to monitoring the quality of outsourced operations.

Discussion 0

Questions 81

You are an experienced audit team leader guiding an auditor in training.

the Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

Options:

Confidentiality and nondisclosure agreements

How access to source code and development tools are managed

How power and data cables enter the building

How protection against malware is implemented

How the organisation evaluates its exposure to technical vulnerabilities

Information security awareness, education and training

The organisation's arrangements for information deletion

Discussion 0

Answer:

B, D, E, G

Explanation:

The four controls from the list that the auditor in training should review are:

•B. How access to source code and development tools are managed: This control requires the organisation to restrict and monitor the access to the source code and development tools that are used to create, modify, or maintain the software applications and systems that process or store the data of external clients. This is important for ensuring the integrity, confidentiality, and availability of the software and the data, as well as for preventing unauthorized changes, errors, or malicious code injection.

•D. How protection against malware is implemented: This control requires the organisation to implement appropriate measures to detect, prevent, and remove malware from the IT systems and devices that process or store the data of external clients. This includes using antivirus software, firewalls, email filtering, web filtering, and other tools to protect against viruses, worms, ransomware, spyware, and other malicious software. This is essential for safeguarding the data and the systems from corruption, theft, or damage caused by malware.

•E. How the organisation evaluates its exposure to technical vulnerabilities: This control requires the organisation to identify and assess the technical vulnerabilities that may affect the IT systems and devices that process or store the data of external clients. This includes using vulnerability scanning tools, penetration testing tools, threat intelligence sources, and other methods to discover and evaluate the weaknesses and gaps in the security of the systems and the devices. This is necessary for prioritizing and implementing the appropriate corrective actions and controls to mitigate the risks posed by the vulnerabilities.

•G. The organisation’s arrangements for information deletion: This control requires the organisation to establish and implement policies and procedures for deleting the data of external clients from the IT systems and devices when it is no longer needed or required. This includes defining the criteria and methods for data deletion, such as secure erasure, encryption, or physical destruction. This is important for complying with the contractual obligations and the legal and regulatory requirements regarding the retention and disposal of the data, as well as for protecting the confidentiality and integrity of the data.

[References: = ISO/IEC 27001:2022, Annex A, clauses A.8.9, A.8.10, A.8.11, and A.8.28; Understanding ISO 27001:2022: People, process, and technology, pages 6-7; What are the 11 new security controls in ISO 27001:2022? - Advisera., , , ]

Questions 82

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

Based on the scenario above, answer the following question:

The audit team photocopied the examined employee training records to support their conclusion. Should the audit team obtain an approval from Lawsy before taking this action? Refer to scenario 7.

Options:

Yes. the audit team should obtain the approval of the auditee when verifying the existence of a process in all cases, including when taking notes and photocopying documents

Yes, the audit team can photocopy documents observed during the audit if the auditee agrees to it

No, the audit team has the authority to photocopy documents in order to verify the conformity of a certain document to the audit criteria

Discussion 0

Questions 83