PECB ISO-27001-LA Online Practice Questions and Exam Preparation

PECB ISO-27001-LA Online Questions & Answers

• Question 1:

  DRAG DROP

  Please match the following situations to the type of audit required.

  Select and Place:

  

  

  Explanation:

  Top management requests auditors from the organisation's compliance department to audit the production process in order to ensure the final product meets quality requirements = First-party audit Auditors from the buyer's organisation audit their raw material supplier to ensure the supply fulfils the order and contract = Second-party audit Auditors from an independent certification body conduct an audit of the organisation to verify conformity with an ISO Standard for certification purposes = Third-party audit The organisation has been audited against two management system standards in one audit = Combined audit According to the ISO/IEC 27001 standard, there are three main categories of audits: internal, external, and certification1. An internal audit, also known as a first-party audit, is an audit conducted by the organisation itself, or by an external party on its behalf, for management review and other internal purposes12. An external audit, also known as a second-party audit, is an audit conducted by a customer or other interested party on a supplier or contractor to verify compliance with contractual or other requirements. A certification audit, also known as a third-party audit, is an audit conducted by an independent certification body to verify conformity with an ISO standard for certification purposes. A combined audit is an audit where two or more management system standards are audited together.

  References:

  1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 19

  2: ISO 27001 Audit Types and How They are Conducted

  3: The Four ISO 27001 Audit Categories, Explained

• Question 2:

  DRAG DROP

  You are an experienced ISMS audit team leader, assisting an auditor in training to write their first audit report.

  You want to check the auditor in training's understanding of terminology relating to the contents of an audit report and chose to do this by presenting the following examples.

  For each example, you ask the auditor in training what the correct term is that describes the activity

  Match the activity to the description.

  Select and Place:

  

  

  Explanation:

  1. An auditor using a copy of ISO/IEC 27001:2022 to check that its requirements are met:

  Termed: Reviewing audit criteria.

  Justification: The auditor is comparing the auditee's information security management system (ISMS) against the established criteria outlined in the ISO/IEC 27001:2022 standard. This activity falls under the use of audit criteria to determine conformity or nonconformity.

  2. An auditor's note that the auditee is not adhering to its clear desk policy:

  Termed: Identifying an audit finding.

  Justification: The auditor has observed a deviation from the auditee's established policy on clear desks. This observation is documented as a potential nonconformity, which requires further investigation and evaluation.

  3. An auditor making a decision regarding the auditee's conformity or otherwise to criteria:

  Termed: Determining an audit conclusion.

  Justification: Based on the collected audit evidence and evaluation against the established criteria, the auditor forms an opinion about the overall compliance of the auditee's ISMS. This opinion is the audit conclusion and is a key element of the audit report.

  4. An auditor examining verifiable records relevant to the audit process:

  Termed: Collecting audit evidence.

  Justification: The auditor is gathering objective and verifiable information to support their findings and conclusions. This information comes from various sources, including documents, records, interviews, and observations.

• Question 3:

  DRAG DROP

  Select the word that best completes the sentence:

  Select and Place:

  

  

  Explanation:

  The word that best completes the sentence is "demonstrate". According to ISO/IEC 27001:2022, Clause 7.5, the organization shall retain documented information as evidence of the performance of the processes and the conformity of the products and services with the requirements. The purpose of retaining documented information is to demonstrate conformity with the requirements of the management system standard, not to maintain, audit, or certify it.

  References: 1: ISO/IEC 27001:2022, Information technology -- Security techniques -- Information security management systems -- Requirements, Clause 7.5

• Question 4:

  DRAG DROP Select the correct sequence for the information security risk assessment process in an ISMS. To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank

  Select and Place:

  

  

  Explanation:

  According to ISO 27001:2022, the standard for information security management systems (ISMS), the correct sequence for the information security risk assessment process is as follows:

  Establish information security criteria

  Identify the information security risks

  Analyse the information security risks

  Evaluate the information security risks

  The first step is to establish the information security criteria, which include the risk assessment methodology, the risk acceptance criteria, and the risk evaluation criteria. These criteria define how the organization will perform the risk assessment, what level of risk is acceptable, and how the risks will be compared and prioritized.

  The second step is to identify the information security risks, which involve identifying the assets, threats, vulnerabilities, and existing controls that are relevant to the ISMS. The organization should also identify the potential consequences and likelihood of each risk scenario.

  The third step is to analyse the information security risks, which involve estimating the level of risk for each risk scenario based on the criteria established in the first step. The organization should also consider the sources of uncertainty and the confidence level of the risk estimation.

  The fourth step is to evaluate the information security risks, which involve comparing the estimated risk levels with the risk acceptance criteria and determining whether the risks are acceptable or need treatment. The organization should also prioritize the risks based on the risk evaluation criteria and the objectives of the ISMS.

  References: ISO 27001:2022 Clause 6.1.2 Information security risk assessment, ISO 27001 Risk Assessment and Risk Treatment: The Complete Guide - Advisera, ISO 27001 Risk Assessment: 7 Step Guide - IT Governance UK Blog

• Question 5:

  DRAG DROP

  You are an experienced ISMS internal auditor.

  You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's Statement of Applicability.

  The IT Manager is attempting to update the ISO/IEC 27001:2013 based Statement of Applicability to a Statement aligned to the 4 control themes present in ISO/IEC 27001:2022 (Organizational controls, People Controls, Physical Controls, Technical Controls).

  The IT Manager is happy with their reassignment of controls, with the following exceptions. He asks you which of the four control categories each of the following should appear under.

  Select and Place:

  

  

  Explanation:

  8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected = Technological control 7.8 Equipment shall be sited securely and protected = Physical control 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation's needs = Organisational control 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's

  premises = People control

  According to the web search results from my predefined tool, ISO 27001:2022 has restructured and consolidated the Annex A controls into four categories: organisational, people, physical, and technological12. These categories reflect the different aspects and dimensions of information security, and are aligned with the cybersecurity concepts of identify, protect, detect, respond, and recover3. The controls in each category are as follows4:

  Organisational controls: These are controls that relate to the governance, management, and coordination of information security activities within the organisation. They include controls such as information security policies, roles and responsibilities, risk assessment and treatment, performance evaluation, and improvement.

  People controls: These are controls that relate to the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. They include controls such as human resource security, training and awareness, access control, incident management, and business continuity.

  Physical controls: These are controls that relate to the protection of physical assets and environments that store, process, or transmit information. They include controls such as physical security, environmental security, equipment security, and media security.

  Technological controls: These are controls that relate to the use of technology to implement, monitor, and maintain information security. They include controls such as cryptography, network security, system security, application security, and threat intelligence.

  Based on these categories, the controls listed in the question can be matched as follows:

  8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected: This is a technological control, as it involves the use of technology to protect information on devices such as laptops, smartphones, tablets, etc. It may include measures such as encryption, authentication, antivirus, firewall, etc.

  7.8 Equipment shall be sited securely and protected: This is a physical control, as it involves the protection of physical assets and environments that store, process, or transmit information. It may include measures such as locks, alarms, CCTV, fire suppression, etc.

  5.2

  Information security roles and responsibilities shall be defined and allocated according to the organisation's needs: This is an organisational control, as it involves the governance, management, and coordination of information security activities within the organisation. It may include measures such as defining the authority and accountability of information security personnel, establishing reporting lines and communication channels, assigning tasks and duties, etc.

  6.7

  Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's premises: This is a people control, as it involves the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. It may include measures such as providing guidance and training on remote working, enforcing policies and procedures, monitoring and auditing remote activities, etc.

  References:

  1: A Breakdown of ISO 27001:2022 Annex A Controls - BARR Advisory4

  2: ISO 27001:2022 Annex A Controls - What's New? | ISMS.Online1

  3: How many controls are there in ISO 27001:2022?

  Strike Graph: ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements, Annex A.

• Question 6:

  DRAG DROP

  An organisation is looking for management system initial certification. Please identify the sequence of the activities to be undertaken by the organisation.

  To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank section.

  Select and Place:

  

  

  Explanation:

  The correct sequence of activities is:

  Establish the management system

  Plan the audit programme

  Conduct internal audits

  Hold a Management Review

  Engage a Certification Body for stage 1 and stage 2 audits

  Complete any corrective actions

  Comprehensive but Short = According to the PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, the steps for achieving certification are as follows1:

  Establish the management system: This involves defining the scope, objectives, policies, procedures, and controls of the ISMS, as well as ensuring the availability of resources and top management commitment.

  Plan the audit programme: This involves defining the audit objectives, criteria, scope, frequency, methods, and responsibilities for conducting internal audits of the ISMS.

  Conduct internal audits: This involves verifying the conformity and effectiveness of the ISMS, as well as identifying any nonconformities or opportunities for improvement.

  Hold a Management Review: This involves reviewing the performance and suitability of the ISMS, as well as deciding on any changes or actions needed to improve it.

  Engage a Certification Body for stage 1 and stage 2 audits: This involves selecting a reputable and accredited certification body to conduct an external audit of the ISMS, consisting of two stages: a documentation review and an on-site assessment.

  Complete any corrective actions: This involves addressing any nonconformities or findings identified by the certification body, and providing evidence of their implementation and effectiveness.

  References: 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, pages 25-26.

• Question 7:

  DRAG DROP

  Select the words that best complete the sentence below to describe a third-party audit plan.

  To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

  Select and Place:

  

  

  Explanation:

  The words that best complete the sentence are assess and recommendation. The sentence would read as follows:

  "An audit plan is a statement of the intent of the audit team to assess all areas of the company with a view to determining a recommendation for certification approval."

  According to the web search results from my predefined tool, a third-party audit plan is a document that describes the scope, objectives, criteria, and methodology of an external audit conducted by an independent certification body to verify the conformity of an organization's ISMS with the ISO 27001 standard. The audit plan also includes the audit schedule, the audit team, the audit locations, and the audit deliverables. One of the main deliverables of a third-party audit is the audit report, which summarizes

  the audit findings, the audit conclusions, and the audit recommendation. The audit recommendation is the opinion of the audit team on whether the organization's ISMS meets the certification requirements and whether the certification should be granted, maintained, suspended, or withdrawn.

  Therefore, the purpose of the audit plan is to state the intention of the audit team to assess all areas of the company, meaning to evaluate the performance and effectiveness of the ISMS, and to determine a recommendation for certification approval, meaning to provide a judgment on the certification status of the ISMS. The other words in the options, such as verdict, permit, report, inspect, and question, do not accurately reflect the meaning of the audit plan. A verdict is a formal decision made by a judge or a

  jury, not by an audit team. A permit is a legal authorization to do something, not a certification of conformity. A report is a document that presents the audit results, not the audit intention. An inspection is a visual examination of something, not a comprehensive assessment of an ISMS. A question is a request for information, not a determination of a recommendation.

• Question 8:

  DRAG DROP

  You are an experienced ISMS audit team leader providing instruction to a class of auditors in training. The subject of today's lesson is the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022.

  You provide the class with a series of activities. You then ask the class to sort these activities into the order in which they appear in the standard.

  What is the correct sequence they should report back to you?

  Select and Place:

  

  

  Explanation:

  The correct sequence of activities for the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022 is as follows:

  1st: Create and maintain information security risk criteria 2nd: Identify the risks that need to be considered when planning for the information security management system 3rd: Assess the potential consequences that would arise if the risk were to materialise 4th: Select appropriate risk treatment options 5th: Carry out information security risk assessments at planned intervals 6th: Consider the results of risk assessment and the status of the risk treatment plan at management review

  This sequence is based on the information security risk management process described in ISO/IEC 27001:

  2022 clause 6.1, which includes the following activities:

  establishing and maintaining information security risk criteria;

  ensuring that repeated information security risk assessments produce consistent, valid and comparable results;

  identifying the information security risks;

  analyzing the information security risks;

  evaluating the information security risks

  treating the information security risks;

  accepting the information security risks and the residual information security risks;

  communicating and consulting with stakeholders throughout the process;

  monitoring and reviewing the information security risks and the risk treatment plan.

  References:

  ISO/IEC 27001:2022, clause 6.1

  [PECB Candidate Handbook ISO/IEC 27001 Lead Auditor], pages 14-15

  ISO 27001 Risk Management in Plain English

• Question 9:

  DRAG DROP

  Select the words that best complete the sentence:

  Select and Place:

  

  

  Explanation:

  "In a third-party audit an observation can indicate conformity at organisation is not required to take action."

  According to the PECB Candidate Handbook, an observation is "a statement of fact made during an audit and substantiated by objective evidence". An observation can indicate conformity or nonconformity, but it does not require any corrective action from the audited organisation. A recommendation, on the other hand, is "a suggestion for improvement based on an observation". A recommendation may or may not be accepted by the audited organisation.

  According to the Fundamentals Third parties, a third-party audit is "an audit conducted by an external organisation that has the legal right to audit an organisation's processes and procedures". A third-party audit can result in a finding, which is "a conclusion reached by the auditor based on the audit evidence collected". A finding can be positive or negative, depending on whether the audited organisation meets the audit criteria or not. A nonconformity is "a finding that indicates the non-fulfilment of a requirement". A nonconformity requires corrective action from the audited organisation to prevent recurrence.

• Question 10:

  DRAG DROP

  In the context of a management system audit, please identify the sequence of a typical process of collecting and verifying information. The first one has been done for you.

  Select and Place:

  

  

  Explanation:

  Identifying the source of information (already given)

  Gathering audit evidence: This involves collecting information from various sources such as documents, records, interviews, and observations.

  Sampling the available data: Due to the vast amount of information available, auditors typically use sampling techniques to select representative data for closer scrutiny.

  Verifying objective evidence: This involves checking the accuracy, completeness, and reliability of the collected evidence.

  Evaluating evidence against the audit criteria: Auditors compare the collected evidence to the established criteria (e.g., standards, policies, procedures) to assess compliance and effectiveness.

  Recording audit findings: This involves documenting the results of the evaluation, including observations, conclusions, and recommendations.

  Making audit conclusions: Based on the recorded findings, auditors formulate overall conclusions about the status of the management system.

  Therefore, the correct sequence is:

  1. Identifying the source of information

  2. Gathering audit evidence

  3. Sampling the available data

  4. Verifying objective evidence

  5. Evaluating evidence against the audit criteria

  6. Recording audit findings 7.Making audit conclusions