New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

PECB ISO-IEC-27001-Lead-Auditor PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Exam Practice Test

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$37.5  $124.99

PDF Study Guide

  • Product Type: PDF Study Guide
$33  $109.99
Question 1

Auditor competence is a combination of knowledge and skills. Which two of the following activities are predominately related to "knowledge"?

Options:

A.

Understanding how to identify findings

B.

Designing a checklist

C.

Follow an audit trail deviating from the prepared checklist

D.

Communicate with the auditee

E.

Determining how to seek evidence from the auditee

F.

Determining what evidence to gather

Question 2

Objectives, criteria, and scope are critical features of a third-party ISMS audit. Which two issues are audit objectives?

Options:

A.

Evaluate customer processes and functions

B.

Assess conformity with ISO/IEC 27001 requirements

C.

Fulfil the audit plan

D.

Confirm sites operating the ISMS

E.

Determine the scope of the ISMS

F.

Review organisation efficiency

Question 3

During a third-party certification audit you are presented with a list of issues by an auditee. Which four of the following constitute 'external' issues in the context of a management system to ISO/IEC 27001:2022?

Options:

A.

A rise in interest rates in response to high inflation

B.

A reduction in grants as a result of a change in government policy

C.

Poor levels of staff competence as a result of cuts in training expenditure

D.

Increased absenteeism as a result of poor management

E.

Higher labour costs as a result of an aging population

F.

Inability to source raw materials due to government sanctions

G.

Poor morale as a result of staff holidays being reduced

Question 4

CMM stands for?

Options:

A.

Capability Maturity Matrix

B.

Capacity Maturity Matrix

C.

Capability Maturity Model

D.

Capable Mature Model

Question 5

You are an experienced ISMS audit team leader, talking to an Auditor in training who has been assigned to your audit team. You want to ensure that they understand the importance of the Check stage of the Plan-Do-Check-Act cycle in respect of the operation of the information security management system.

You do this by asking him to select the words that best complete the sentence:

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Options:

Question 6

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

Which three of the following options represent valid audit trails?

Options:

A.

I will review the organisation's threat intelligence process and will ensure that this is fully documented

B.

I will speak to top management to make sure all staff are aware of the importance of reporting threats

C.

I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team

D.

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

E.

I will ensure that the organisation's risk assessment process begins with effective threat intelligence

F.

I will determine whether internal and external sources of information are used in the production of threat intelligence

G.

I will review how information relating to information security threats is collected and evaluated to produce threat intelligence

Question 7

Which two of the following statements are true?

Options:

A.

The benefits of implementing an ISMS primarily result from a reduction in information security risks

B.

The benefit of certifying an ISMS is to obtain contracts from governmental institutions

C.

The purpose of an ISMS is to apply a risk management process for preserving information security

D.

The purpose of an ISMS is to demonstrate compliance with regulatory requirements

Question 8

You are an experienced ISMS audit team leader providing instruction to a class of auditors in training. The subject of today's lesson is the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022.

You provide the class with a series of activities. You then ask the class to sort these activities into the order in which they appear in the standard.

What is the correct sequence they should report back to you?

Options:

Question 9

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

According to scenario 1, the chatbot sent random files to users when it received invalid inputs. What impact might that lead to?

Options:

A.

Inability to provide service

B.

Loss of reputation

C.

Leak of confidential information

Question 10

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

What type of audit is illustrated in the last paragraph of scenario 9?

Options:

A.

Surveillance audit

B.

Internal audit

C.

Recertification audit

Question 11

You are performing an ISMS audit at a European-based residential

nursing home called ABC that provides healthcare services. You find all

nursing home residents wear an electronic wristband for monitoring

their location, heartbeat, and blood pressure always. You learned that

the electronic wristband automatically uploads all data to the artificial

intelligence (AI) cloud server for healthcare monitoring and analysis by

healthcare staff.

The next step in your audit plan is to verify that the information security

policy and objectives have been established by top management.

During the audit, you found the following audit evidence.

Match the audit evidence to the corresponding requirement in ISO/IEC 27001:2022.

Options:

Question 12

You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.

The Service Manager says that the complaints were investigated as an information security incident which found that they were justified.

Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.

You write a nonconformity "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents' and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members."

Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity.

Options:

A.

ABC asks an ISMS consultant to test the ABC Healthcare mobile app for protection against cyber-crime.

B.

ABC cancels the service agreement with WeCare.

C.

ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA).

D.

ABC discontinues the use of the ABC Healthcare mobile app.

E.

ABC introduces background checks on information security performance for all suppliers.

F.

ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.

G.

ABC takes legal action against WeCare for breach of contract.

Question 13

Your organisation is currently seeking ISO/IEC27001:2022 certification. You have just qualified as an Internal ISMS auditor and the ICT Manager wants to use your newly acquired knowledge to assist him with the design of an information security incident management process.

He identifies the following stages in his planned process and asks you to confirm which order they should appear in.

Options:

Question 14

An auditor of organisation A performs an audit of supplier B. Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?

Options:

A.

Shares the findings with other relevant managers in A

B.

Shares the findings with B's Information Security Manager

C.

Shares the findings with A's supplier evaluation team

D.

Shares the findings with B's other customers

E.

Shares the findings with B's certification body

F.

Shares the findings with other relevant managers in B

Question 15

CEO sends a  mail giving his views on the status of the company and the company’s future strategy and the CEO's vision and the employee's part in it. The mail should be classified as

Options:

A.

Internal Mail

B.

Public Mail

C.

Confidential Mail

D.

Restricted Mail

Question 16

Which one of the following options describes the main purpose of a Stage 1 audit?

Options:

A.

To determine readiness for Stage 2

B.

To check for legal compliance by the organisation

C.

To get to know the organisation

D.

To compile the audit plan

Question 17

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.

While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

Based on audit principles, should Jack contact the certification body regarding the second nonconformity? Refer to scenario 3.

Options:

A.

Yes, auditors should contact the ethics committee members of the certification body to obtain advice on such situation

B.

Yes, auditors should communicate such situations to the certification body; however, the top management should not be informed

C.

No, situations that may indicate financial crime are not the focus of an ISMS audit

Question 18

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PHYSICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

Options:

A.

Access to and from the loading bay

B.

How power and data cables enter the building

C.

Information security awareness, education, and training

D.

The conducting of verification checks on personnel

E.

The development and maintenance of an information asset inventory

F.

The operation of the site CCTV and door control systems

G.

The organisation's arrangements for maintaining equipment

Question 19

Select two options that describe an advantage of using a checklist.

Options:

A.

Using the same checklist for every audit without review

B.

Restricting interviews to nominated parties

C.

Ensuring relevant audit trails are followed

D.

Ensuring the audit plan is implemented

E.

Reducing audit duration

F.

Not varying from the checklist when necessary

Question 20

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit

plan is to verify the information security of the business continuity management process. During the audit, you learned that

the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the

recent pandemic. You ask the Service Manager to explain how the organization manages information security during the

business continuity management process.

The Service Manager presented the nursing service continuity plan for a pandemic and summarised the process as follows:

Stop the admission of any NEW residents.

70% of administration staff and 30% of medical staff will work from home.

Regular staff self-testing, including submitting a negative test report 1 day BEFORE they come to the office.

Install ABC's healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking on the spot.

You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents' personal data when staff work from home. The Service Manager cannot answer and suggests the IT Security Manager should help with that.

You would like to further investigate other areas to collect more audit evidence. Select three options that will not be in your audit trail.

Options:

A.

Collect more evidence on how information security protocols are maintained during disruption (relevant to control A.5.29)

B.

Collect more evidence that staff only use IT equipment protected from malware when working from home (relevant to control A.8.7)

C.

Collect more evidence by interviewing additional staff to ensure they are aware of the need to sometimes work from home (Relevant to clause 7.3)

D.

Collect more evidence on how and when the Business Continuity Plan has been tested. (Relevant to control A.5.29)

E.

Collect more evidence on how the organisation makes sure all staff periodically conduct a positive Covid test (Relevant to control A.7.2)

F.

Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)

G.

Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6)

Question 21

Select the words that best complete the sentence:

"The purpose of maintaining regulatory compliance in a management system is to

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red,

and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Options:

Question 22

Which two of the following standards are used as ISMS third-party certification audit criteria?

Options:

A.

ISO/IEC 27002

B.

ISO/IEC 20000-1

C.

ISO 19011

D.

ISO/IEC 27001

E.

Relavent legal, statutory, and regulatory requirements

F.

ISO/IEC 17021-1

Question 23

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

Which three of the following options represent valid audit trails?

Options:

A.

I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team

B.

I will ensure that the organisation's risk assessment process begins with effective threat intelligence

C.

I will speak to top management to make sure all staff are aware of the importance of reporting threats

D.

I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements

E.

I will check that the organisation has a fully documented threat intelligence process

F.

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

G.

I will review how information relating to information security threats is collected and evaluated to produce threat intelligence

Question 24

You are an experienced ISMS audit team leader guiding an auditor in training. You are testing her understanding of follow-up audits by asking her a series of questions to which the answer is either "true* or 'false'. Which four of the following questions should the answer be true"'

Options:

A.

A follow-up audit may be carried out where nonconformities are major

B.

A follow-up audit may be carried out where nonconformities are minor

C.

The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified

D.

The outcome of a follow-up audit could lower a major nonconformity to minor status

E.

The outcome of a follow-up audit could be a recommendabon to suspend the client's certification

F.

The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client

G.

A follow-up audit is required in all instances where nonconformities have been identified

Question 25

Which four of the following statements about audit reports are true?

Options:

A.

Audit reports should be produced by the audit team leader with input from the audit team

B.

Audit reports should include or refer to the audit plan

C.

Audit reports should be sent to the organisation's top management first because their contents could be embarrassing

D.

Audit reports should be assumed suitable for general circulation unless they are specifically marked confidential

E.

Audit reports should only evidence nonconformity

F.

Audit reports should be produced within an agreed timescale

G.

Audit reports that are no longer required can be destroyed as part of the organisation's general waste

Question 26

Which two of the following are examples of audit methods that 'do not' involve human interaction?

Options:

A.

Conducting an interview using a teleconferencing platform

B.

Performing a review of auditees procedures in preparation for an audit

C.

Reviewing the auditee's response to an audit finding

D.

Analysing data by remotely accessing the auditee's server

E.

Observing work performed by remote surveillance

F.

Confirming the date and time of the audit

Question 27

Which one of the following options best describes the main purpose of a Stage 2 third-party audit?

Options:

A.

To determine readiness for certification

B.

To check for legal compliance by the organisation

C.

To identify nonconformances against a standard

D.

To get to know the organisation's management system

Question 28

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

Data Grid Inc. is responsible for all the actions below, EXCEPT:

Options:

A.

Specifying the audit criteria

B.

Appointing the audit team

C.

Defining the audit scope

Question 29

You are an ISMS audit team leader tasked with conducting a follow-up audit at a client's data centre. Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding.

Select four options for the actions you could take.

Options:

A.

Book another follow-up audit on-site to review the one outstanding minor nonconformity once it has been cleared

B.

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit

C.

Advise the auditee that you will arrange an online audit to deal with the outstanding nonconformity

D.

Note the progress made but hold the audit open until all corrective action has been cleared

E.

Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified

F.

Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity

G.

Recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale

Question 30

The data centre at which you work is currently seeking ISO/IEC27001:2022 certification. In preparation for your initial certification visit, several internal audits have been carried out by a colleague working at another data centre within your Group. They secured their own ISO/IEC 27001:2022 certificate earlier in the year.

You have just qualified as an Internal ISMS auditor and your manager has asked you to review the audit process and audit findings as a final check before the external Certification Body arrives.

Which four of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements?

Options:

A.

Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date.

B.

Audit reports are not held in hardcopy (i.e. on paper). They are only stored as *. PDF documents on the organisation's intranet.

C.

The audit process states the results of audits will be made available to 'relevant' managers, not top management.

D.

The audit programme does not reference audit methods or audit responsibilities.

E.

The audit programme does not take into account the relative importance of information security processes.

F.

The audit programme does not take into account the results of previous audits.

G.

The audit programme has not been signed as 'approved by Top Management.

Question 31

A decent visitor is roaming around without visitor's ID. As an employee you should do the following, except:

Options:

A.

Say "hi" and offer coffee

B.

Call the receptionist and inform about the visitor

C.

Greet and ask him what is his business

D.

Escort him to his destination

Question 32

An audit team leader is planning a follow-up audit after the completion of a third-party surveillance audit earlier in the year. They have decided they will verify the nonconformities that require corrections before they move on to consider corrective actions.

Based on the descriptions below, which four of the following are corrections for nonconformities identified at the surveillance?

Options:

A.

A signature missing from a client's contract for the supply of data services was added

B.

A software installation guide which had not been sent to the client along with their new system was posted out

C.

An incorrectly dated purchase order for a new network switch was rectified

D.

Data centre staff not carrying out backups in accordance with specified procedures were retrained

E.

Hard drive HD302 which had been colour-coded green (available for use) instead of red (to be destroyed) was removed from the system

F.

Scheduled management reviews, having been missed, were prioritised by the General Manager for holding on a specific date twice each following year

G.

The documented process for product shipment, which did not reflect how this activity was conducted by the despatch team, was re-written and the team trained accordingly

Question 33

After analyzing the audit conclusions, Company X decided to accept the risk related to one of the detected nonconformities. They claimed that no corrective action was necessary; however, their decision was not documented. Is this acceptable?

Options:

A.

Yes, the auditee's management can decide to accept the risk instead of implementing corrective actions and documenting such decision is not necessary

B.

No, the decision of the auditee to accept the risk instead of implementing corrective actions should be justified and documented

C.

No, the auditee must implement corrective actions for all the observations documented during the audit

Question 34

You are carrying out your first third-party ISMS surveillance audit as an audit team leader. You are presently in the auditee's data centre with another member of your audit team and the organisation's guide.

You request access to a locked room protected by a combination lock and iris scanner. The room contains several rows of uninterruptable power supplies along with several data cabinets containing client-supplied

equipment, predominantly servers, and switches.

You note that there is a gas-based fire extinguishing system in place. A label indicates that the system requires testing every 6 months however the most recent test recorded on the label was carried out by the

manufacturer 12 months ago.

Based on the scenario above which two of the following actions would you now take?

Options:

A.

Determine if requirements for recording fire extinguisher checks have been revised within the last year. If so, suggest these are referenced on the existing labels as an opportunity for improvement

B.

Make a note to ask the site maintenance manager for evidence that a fire extinguishing system test was carried out 6 months ago

C.

Providing water-based extinguishers are accessible in the room, take no further action as these provide an alternative means to put out a fire

D.

Raise a nonconformity against control A.5.7 'threat intelligence' as the organisation has not identified the need to take action against the threat of fire

E.

Raise a nonconformity against control A.7.11 'supporting utilities' as information processing facilities are not adequately protected against possible disruption

F.

Require the guide to initiate the organisation's information security incident process

Question 35

As the ISMS audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.

Complete the sentence with the best word(s), dick on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Options:

Question 36

Which one of the following statements best describes the purpose of conducting a document review?

Options:

A.

To reveal whether the documented management system is nonconforming with audit criteria and to gather evidence to support the audit report

B.

To decide about the conformity of the documented management system with audit standards and to gather findings to support the audit process

C.

To determine the conformity of the management system, as far as documented, with audit criteria and to gather information to support the on-site audit activities

D.

To detect any nonconformity of the management system, if documented, with audit criteria and to identify information to support the audit plan

Question 37

Costs related to nonconformities and failures to comply with legal and contractual requirements are assessed when defining:

Options:

A.

Materiality

B.

Audit risks

C.

Reasonable assurance

Question 38

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.

The IT Manager presented the software security management procedure and summarised the process as following:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security

functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report, details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorised to approve the test.

The IT Manager explains the test results should be approved by him according to the software security management procedure.

The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You are preparing the audit findings. Select the correct option.

Options:

A.

There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

B.

There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)

C.

There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)

D.

There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

Question 39

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify that the Statement of Applicability (SoA) contains the necessary controls. You review the latest SoA (version 5) document, sampling the access control to the source code (A.8.4), and want to know how the organisation secures ABC's healthcare mobile app source code received from an outsourced software developer.

The IT Security Manager explains the received source code will be checked into the SCM system to make sure of its integrity and security. Only authorised users will be able to check out the software to update it. Both check-in and check-out activities will be logged by the system automatically. The version control is managed by the system automatically.

You found a total of 10 user accounts on the SCM. All of them are from the IT department. You further check with the Human Resource manager and confirm that one of the users, Scott, resigned 9 months ago. The SCM System Administrator confirmed Scott's last check-out of the source code was found 1 month ago. He was using one of the authorised desktops from the local network in a secure area.

You check the user de-registration procedure which states "Managers have to make sure of deregistration of the user account and authorisation immediately from the relevant ICT system and/or equipment after resignation approval." There was no deregistration record for user Scott.

The IT Security Manager explains that Scott is a very good software engineer, an ex-colleague, and a friend. He still comes back to the office every month after he resigned to provide support on source code maintenance. That's why his account on SCM still exists. "We know Scott well and he passed all our background checks when he joined us. As such we didn't feel it necessary to agree any further information security requirements with him just because he is now an external provider".

You prepare the audit findings. Select the three correct options.

Options:

A.

There is a nonconformity (NC). Scott should have been advised of applicable information security requirements relevant to his new relationship (external provider) with the nursing home. The IT security manager has however confirmed that this did not take place. This does not conform with control A.5.20.

B.

There is a nonconformity (NC). The organisation's access control arrangements are not operating effectively as an individual who is no longer employed by the organisation is being permitted to access the nursing home's ICT systems. This does not conform with control A.5.15.

C.

There is a nonconformity (NC). The IT Security manager did not make sure the user account for Scott was removed from the SCM and did not complete the user deregistration process after the resignation. This does not conform with clause 9.1 and control A.5.15.

D.

There is a nonconformity (NC). The operating procedures are not well documented. This prevented the SCM System Administrator from being able to remove a user account immediately. This does not conform with clause 9.1 and control A.5.37.

E.

There is a nonconformity (NC). The organisation does not have a documented procedure setting out the use of systematic tools to provide access and version control of the source code. This does not conform with clause 9.1 and control A.8.4.

F.

There is a nonconformity (NC). The organisation has failed to identify the security risks associated with leaving Scott's account open when he was only re-engaged for a short period monthly. This does not conform with clause 8.2.

G.

There is a nonconformity (NC). The SCM is open-source system software. It is not secured and cannot be used for access and version control of the source code. This does not conform with clause 9.1 and control A.8.4.

Question 40

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

Based on scenario 6, during stage 1 audit, the auditor found out that some documents regarding the ISMS had different format. What should the auditor do in this case?

Options:

A.

Verify if the documented information has the appropriate format and is in accordance with the company's documentation procedure since this is a requirement of the standard

B.

Verify only if the information required by the standard is documented without taking into account the format since this is not a requirement of the standard

C.

Document this observation as an issue that should be verified during stage 2 audit

Question 41

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in

the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric

combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and

combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card was

swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their

cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

Options:

A.

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times

B.

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

C.

Raise a nonconformity against control A.7.1 'security perimiters' as a secure area is not adequately protected

D.

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined

E.

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier

F.

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities

Question 42

You are a certification body auditor, conducting a surveillance audit to ISO/IEC 27001:2022 of a data centre operated by a client who provides hosting services for ICT facilities.

You and your guide are currently in one of the private suites that the client rents out to customers. Access to each suite is controlled using a combination lock. CCTV is also installed in every suite.

Within each suite are three data cabinets in which the client can locate mission-critical servers and other items of networking equipment such as switches and routers.

You notice that whilst two of the cabinets in your suite are locked, the third is unlocked. You ask the guide why. They reply "This is because the client is currently swapping out a hard drive unit. Their technician is currently on a lunch break".

What three actions should you undertake next?

Options:

A.

Do nothing, the room appears adequately protected so it is unlikely that a security incident has taken place.

B.

Raise a nonconformity against control 5.16 'identity management' as it may not be possible to identify who left the cabinet unlocked.

C.

Raise a nonconformity against control 7.2 'physical entry' as the area where the client's equipment is located is not protected.

D.

Raise a nonconformity against control 7.4 'physical security monitoring' as the private suite is not being continuously monitored for unauthorised physical access.

E.

Raise an opportunity for improvement suggesting cabinet doors are locked whenever clients leave their suites, even if they intend to return within a short time.

F.

Review the CCTV records to ensure that only the client has accessed the cabinet since it was last confirmed as locked.

G.

When the technician returns from lunch, reprimand them for leaving the cabinet open.

Question 43

Which three of the following phrases are objectives' in relation to an audit?

Options:

A.

International Standard

B.

Identify opportunities for improvement

C.

Confirm the scope of the management system

D.

Management policy

E.

Complete audit on time

F.

Regulatory requirements

Question 44

All are prohibited in acceptable use of information assets, except:

Options:

A.

Electronic chain letters

B.

E-mail copies to non-essential readers

C.

Company-wide e-mails with supervisor/TL permission.

D.

Messages with very large attachments or to a large number ofrecipients.

Question 45

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

Based on scenario 9, why was UpNefs certification suspended?

Options:

A.

Because UpNet used and applied the certification out of its scope

B.

Because UpNet outsourced the internal audit function

C.

Because UpNefs ISMS does not fulfill the requirements of the standard

Question 46

Which two of the following phrases would apply to "act" in relation to the Plan-Do-Check-Act cycle for a business process?

Options:

A.

Auditing processes

B.

Planning changes

C.

Measuring objectives

D.

Resetting objectives

E.

Achieving improvements

F.

Verifying training

Question 47

Which two of the following options for information are not required for audit planning of a certification audit?

Options:

A.

A sampling plan

B.

A document review

C.

The working experience of the management system representative

D.

An audit checklist

E.

An organisation's financial statement

F.

An audit plan

Question 48

Audit methods can be either with or without interaction with individuals representing the auditee. Which two of the following methods are with interaction?

Options:

A.

Sampling (e.g. products)

B.

Observing work performed via live video streaming

C.

Reviewing checklists with auditee

D.

Checking legal compliance with local authorities

E.

Conducting interviews

F.

Analysing documents provided in advance of the audit

Question 49

A property of Information that has the ability to prove occurrence of a claimed event.

Options:

A.

Electronic chain letters 

B.

Integrity

C.

Availability

D.

Accessibility

Question 50

You are an ISMS audit team leader who has been assigned by your certification body to carry out a follow-up audit of a client. You are preparing your audit plan for this audit.

Which two of the following statements are true?

Options:

A.

Verification should focus on whether any action undertaken taken has been undertaken efficiently

B.

Corrections should be verified first, followed by corrective actions and finally opportunities for improvement

C.

Verification should focus on whether any action undertaken is complete

D.

Opportunities for improvement should be verified first, followed by corrections and finally corrective actions

E.

Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement

F.

Verification should focus on whether any action undertaken has been undertaken effectively

Question 51

You are an ISMS auditor conducting a third-party surveillance audit of a telecom's provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming.

You ask the Chief Tester why and she says, 'It's a result of the recent ISMS upgrade'. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients' configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made'.

Based solely on the information above, which clause of ISO/IEC 27001:2022 would be the most appropriate to raise a nonconformity against? Select one.

Options:

A.

Clause 10.2 - Nonconformity and corrective action

B.

Clause 7.2 - Competence

C.

Clause 7.5 - Documented information

D.

Clause 8.1 - Operational planning and control

Question 52

Select the words that best complete the sentence below to describe audit resources:

Options:

Question 53

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".

You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.

You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.

Options:

A.

Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

B.

Collect more evidence on what the service requirements of healthcare monitoring are. (Relevant to clause 4.2)

C.

Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26)

D.

Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27)

E.

Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26)

F.

Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8)

G.

Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

Question 54

What is the standard definition of ISMS? 

Options:

A.

Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.

B.

A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving

C.

A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security

D.

A systematic approach for establishing, implementing, operating,monitoring, reviewing,  maintaining and improving an organization’s information security to achieve business objectives.

Question 55

Match the correct responsibility with each participant of a second-party audit:

Options:

Question 56

Select the words that best complete the sentence:

Options:

Question 57

Select the option which best describes how Information Security Management System audits should be conducted:

Options:

A.

Audit criteria should be used to assess circumstantial evidence in order to generate audit outcomes. Then, the audit report should be created and presented to the audit team at the audit team meeting.

B.

Audit criteria should be used to assess objective evidence in order to generate audit outcomes. Then, the audit report should be created and presented to the audit team leader at the closing meeting.

C.

Audit methods should be used to assess audit evidence in order to generate audit recommendations. Then, the audit recommendations should be created and presented to the auditee at the closing meeting.

D.

Audit methods should be used to assess objective evidence in order to generate audit findings. Then, the audit conclusion should be created and presented to the auditee at the closing meeting.

E.

Audit objectives should be used to assess audit evidence in order to generate audit conclusions. Then, the audit findings should be created and presented to the audit client at the closing meeting.

F.

Audit objectives should be used to assess objective evidence in order to generate audit conclusions. Then, the audit recommendations should be created and presented to top management at management review.

Question 58

You are an ISMS audit team leader assigned by your certification body to carry out a follow-up audit of a Data Centre client.

According to ISO 19011:2018, the purpose of a follow-up audit is to verify which one of the following?

Options:

A.

The effectiveness of the management system

B.

Implementation of ISMS objectives

C.

Implementation of risk treatment plans

D.

Completion and effectiveness of corrective actions

Question 59

Which six of the following actions are the individual(s) managing the audit programme responsible for?

Options:

A.

Selecting the audit team

B.

Retaining documented information of the audit results

C.

Defining the objectives, scope and criteria for an individual audit

D.

Defining the plan of an individual audit

E.

Establishing the extent of the audit programme

F.

Establishing the audit programme

G.

Determining the resources necessary for the audit programme

Question 60

An organisation has ISO/IEC 27001 Information Security Management System (ISMS) certification from a third-party certification body. Which one of the following represents an advantage of having accredited certification?

Options:

A.

An increase in the marketing price of the organisation's products

B.

An increase in the number of clients

C.

Clarity of the audit report

D.

Recognition of the credibility of the certification process.

Question 61

You are an experienced ISMS audit team leader conducting a third-party surveillance visit.

You notice that although the auditee is claiming conformity with ISO/IEC 27001:2022 they are still referring to Improvement as clause 10.2 (as it was in the 2013 edition) when this is now clause 10.1 in

the 2022 edition. You have confirmed they are meeting all of the 2022 requirements set out in the standard.

Select one option of the action you should take.

Options:

A.

Note the issue in the audit report

B.

Raise a nonconformity against clause 7.5.3 - Control of documented information

C.

Raise it as an opportunity for improvement

D.

Bring the matter up at the closing meeting

Question 62

Select a word from the following options that best completes the sentence:

To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Options:

Question 63

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

FTP uses clear text passwords for authentication. This is an FTP:

Options:

A.

Vulnerability

B.

Risk

C.

Threat

Question 64

Which is not a requirement of HR prior to hiring?

Options:

A.

Undergo background verification

B.

Applicant must complete pre-employment documentation requirements

C.

Must undergo Awareness training on information security.

D.

Must successfully pass Background Investigation

Question 65

You are an ISMS audit team leader preparing to chair a closing meeting following a third-party surveillance audit. You are drafting a closing meeting agenda setting out the topics you wish to discuss with your auditee.

Which one of the following would be appropriate for inclusion?

Options:

A.

A detailed explanation of the certification body's complaints process

B.

An explanation of the audit plan and its purpose

C.

A disclaimer that the result of the audit is based on the sampling of evidence

D.

Names of auditees associated with nonconformities

Question 66

ISMS (1)---------------helps determine (2)--------------,

Options:

A.

(1) Continual improvement, (2) the effectiveness of corrective actions

B.

Q (1) Management review, (2) opportunities for continual improvement

C.

(1) Internal audit, (2) the ISMS scope

Question 67

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank’s labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

Which action illustrated in scenario 8 is unacceptable in an external audit?

Options:

A.

The audit team leader suggested a specific solution on resolving the nonconformities

B.

Stage 1 audit and stage 2 audits were performed at the same time

C.

The lack of an information labeling procedure existed was marked as a minor nonconformity

Question 68

The following are purposes of Information Security, except:

Options:

A.

Ensure Business Continuity

B.

Minimize Business Risk

C.

Increase Business Assets

D.

Maximize Return on Investment

Question 69

After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.

Considering this information, what action would you expect the audit team leader to take?

Options:

A.

Increase the length of the Stage 2 audit to include the extra sites

B.

Obtain information about the additional sites to inform the certification body

C.

Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform

D.

Inform the auditee that the request can be accepted but a full Stage 1 audit must be repeated

Question 70

In the context of a third-party certification audit, it is very important to have effective communication. Select an option that contains the correct answer about communication in an audit context.

Options:

A.

During the audit, each auditor should periodically communicate any concerns to the auditee and audit client

B.

During the audit, the responibility for communication rests with the audit team leader

C.

The formal communication channels between the audit team and the auditee can be established during the opening meeting

D.

There is no need to establish a formal communication arrangement because an auditee can communicate with the auditor at any time during the audit

Question 71

Information or data that are classified as ______ do not require labeling.

Options:

A.

Public

B.

Internal

C.

Confidential

D.

Highly Confidential

Question 72

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

Options:

A.

5.11 Return of assets

B.

8.12 Data leakage protection

C.

5.3 Segregation of duties

D.

6.3 Information security awareness, education, and training

E.

7.10 Storage media

F.

8.3 Information access restriction

G.

5.6 Contact with special interest groups

Question 73

The responsibilities of a------------ include facilitating audit activities, maintaining logistics, ensuring that health and safety policies are observed, and witnessing

the audit process on behalf of the auditee.

Options:

A.

Internal auditor

B.

Observer

C.

Guide

Question 74

You are an experienced ISMS internal auditor.

You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's Statement of Applicability.

The IT Manager is attempting to update the ISO/IEC 27001:2013 based Statement of Applicability to a Statement aligned to the 4 control themes present in ISO/IEC 27001:2022 (Organizational controls, People Controls, Physical Controls, Technical Controls).

The IT Manager is happy with their reassignment of controls, with the following exceptions. He asks you which of the four control categories each of the following should appear under.

Options:

Question 75

You are carrying out your first third-party ISMS surveillance audit as an audit team leader. You are presently in the auditee's data centre with another member of your audit team and the organisation's guide.

You request access to a locked room protected by a combination lock and iris scanner. In the corner of the room is a collection of hard drives piled on a desk. You ask the guide what the status of

the drives is. He tells you the drives are redundant and awaiting disposal. They should have been picked up last week, but the organisation's external provider of secure destruction services was

unable to source a driver due to staff sickness. He says this has recently become more common though he does not know why. He then presents you with a job ticket that confirms the pickup has

been rescheduled for tomorrow.

Based on the scenario above which three of the following actions would you now take?

Options:

A.

Record a nonconformity against control A.5.13 'labelling of information' as the disk drives' status was unclear

B.

Raise a nonconformity against control A.7.7, 'clear desk and clear screen' because the drives have been left unprotected on the desktop.

C.

Record an opportunity for improvement in respect of the external provider's inventory management arrangements.

D.

Ensure that the organisation's arrangements for the secure disposal and reuse of equipment have been adhered to.

E.

Record the finding but note no further action is required as the pickup has now been rescheduled.

F.

Raise a nonconformity against control A.7.5, 'protecting against physical and environmental threats' because the drives have been left exposed on the desktop.

G.

Ensure that the organisation's arrangements for the life cycle management of storage media have been adhered to.

Question 76

You are performing an ISMS initial certification audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to conduct the closing meeting. During the final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and 1 opportunity for improvement as below:

Select one option of the recommendation to the audit programme manager you are going to advise to the auditee at the closing meeting.

Options:

A.

Recommend certification immediately

B.

Recommend that a full scope re-audit is required within 6 months

C.

Recommend that an unannounced audit is carried out at a future date

D.

Recommend certification after your approval of the proposed corrective action plan Recommend that the findings can be closed out at a surveillance audit in 1 year

E.

Recommend that a partial audit is required within 3 months

Question 77

Which one of the following options best describes the main purpose of a Stage 1 third-party audit?

Options:

A.

To introduce the audit team to the client

B.

To learn about the organisation's procurement

C.

To determine redness for a stage 2 audit

D.

To check for legal compliance by the organisation

E.

To prepare an independent audit report

F.

To get to know the organisation's customers

Question 78

You are an ISMS audit team leader tasked with conducting a follow-up audit at a client's data centre. Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding.

Select four options for the actions you could take.

Options:

A.

Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified

B.

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit

C.

Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised

D.

Recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale

E.

Advise the auditee that you will arrange for the next audit to be an online audit to deal with the outstanding nonconformity

F.

Note the progress made but hold the audit open until all corrective action has been cleared

G.

Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity

Question 79

You are an experienced ISMS audit team leader guiding an auditor in training. Your team has just completed a third-party surveillance audit of a mobile telecom provider. The auditor in training asks you how you intend to prepare for the Closing meeting. Which four of the following are appropriate responses?

Options:

A.

I will advise the auditee that the purpose of the closing meeting is for the audit team to communicate our findings. It is not an opportunity for the auditee to challenge the findings

B.

I will instruct my audit team to wait outside the auditee's offices so we can leave as quickly as possible after the closing meeting. This saves our time and the client's time too

C.

It is not necessary to prepare for the closing meeting. Once you have carried out as many audits as I have you already know what needs to be discussed

D.

I will schedule a closing meeting with the auditee's representatives at which the audit conclusions will be presented

E.

I will contact head office to ensure our invoice has been paid, If not, I will cancel the closing meeting and temporarily withhold the audit report

F.

I will discuss any follow-up required with my audit team

G.

I will review and, as appropriate, approve my teams audit conclusions

Question 80

To verify conformity to control 8.15 Logging of ISO/IEC 27001 Annex A, the audit team verified a sample of server logs to determine if they can be edited or deleted. Which audit procedure was used?

Options:

A.

Analysis

B.

Sampling

C.

Observation

Question 81

You are performing an ISMS audit at a residential nursing home that provides healthcare services and are reviewing the Software Code Management (SCM) system. You found a total of 10 user accounts on the SCM. You confirm that one of the users, Scott, resigned 9-months

ago. The SCM System Administrator confirmed Scott's last check-out of the source code was found 1 month ago. He was using one of the uthorized desktops from the local network in a secure area.

You check with the user de-registration procedure which states "Managers have to make sure of deregistration of the user account and authorisation immediately from the relevant ICT system and/or equipment after resignation approval." There was no deregistration record for user Scott.

The IT Security Manager explains that Scott still comes back to the office every month after he resigned to provide support on source code maintenance. That's why his account on SCM still exists.

You would like to investigate other areas further to collect more audit evidence. Select three options that would not be valid audit trails.

Options:

A.

Collect more evidence on how access controls are periodically reviewed to maintain security (Relevant to control A.5.35)

B.

Collect more evidence on how the transition of Scott from full-time to part-time employment was managed (relevant to control A.6.5)

C.

Collect more evidence from Scott's background verification checks performed by the human resource department under the new employment relationship. (Relevant to control A.6.1)

D.

Collect more evidence of why Scott resigned and whether his re-engagement represents a conflict of interest. (relevant to control A.5.3)

E.

Collect more evidence on how Scott can access the employee's desktop and local network. (Relevant to control A.5.15)

F.

Collect more evidence on how Scott can access the secure area. (Relevant to control A.8.4)

G.

Collect more evidence on how the organization pays for Scott's source code maintenance support service. (Relevant to control A.6.2)

Question 82

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

Based on scenario 5, the audit team disagreed with the proposed audit duration by Data Grid Inc. for the ISMS audit. How do you describe such a situation?

Options:

A.

Acceptable, auditors have the right to object, even refuse the audit mandate, if they deem that the audit duration is not sufficient

B.

Unacceptable, the audit duration is defined by the auditee and cannot be changed by the auditors

C.

Unacceptable, once the audit mandate is accepted, the audit duration cannot be changed