PECB ISO-27001-LA Online Practice Questions and Exam Preparation

PECB ISO-27001-LA Online Questions & Answers

• Question 91:

  Scenario: Branding is a marketing company that works with some of the most famous companies in the US. To reduce internal costs. Branding has outsourced the software development and IT helpdesk operations to Techvology for over two years. Techvology. equipped with the necessary expertise, manages Branding's software, network, and hardware needs. Branding has implemented an information security management system (ISMS) and is certified against ISO/IEC 27001, demonstrating its commitment to maintaining high standards of information security. It actively conducts audits on Techvology to ensure that the security of its outsourced operations complies with ISO/IEC 27001 certification requirements.

  During the last audit. Branding's audit team defined the processes to be audited and the audit schedule. They adopted an evidence based approach, particularly in light of two information security incidents reported by Techvology in the past year The focus was on evaluating how these incidents were addressed and ensuring compliance with the terms of the outsourcing agreement The audit began with a comprehensive review of Techvology's methods for monitoring the quality of outsourced operations, assessing whether the services provided met Branding's expectations and agreed-upon standards The auditors also verified whether Techvology complied with the contractual requirements established between the two entities This involved thoroughly examining the terms and conditions in the outsourcing agreement to guarantee that all aspects, including information security measures, are being adhered to.

  Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to manage its outsourced operations and other organizations. This step is crucial for Branding to verify that proper controls and oversight mechanisms are in place to mitigate potential risks associated with the outsourcing arrangement.

  The auditors conducted interviews with various levels of Techvology's personnel and analyzed the incident resolution records. In addition, Techvology provided the records that served as evidence that they conducted awareness sessions for the staff regarding incident management. Based on the information gathered, they predicted that both information security incidents were caused by incompetent personnel. Therefore, auditors requested to see the personnel files of the employees involved in the

  incidents to review evidence of their competence, such as relevant experience, certificates, and records of attended trainings.

  Branding's auditors performed a critical evaluation of the validity of the evidence obtained and remained alert for evidence that could contradict or question the reliability of the documented information received. During the audit at Techvology, the auditors upheld this approach by critically assessing the incident resolution records and conducting thorough interviews with employees at different levels and functions. They did not merely take the word of Techvology's representatives for facts; instead, they sought

  concrete evidence to support the representatives' claims about the incident management processes.

  Based on the scenario above, answer the following question:

  Question:

  According to ISO/IEC 27001 requirements , is Branding required to control the services offered by Techvology continually?

  A. Yes, Branding is responsible for controlling and monitoring the quality of Techvology's services
  B. Yes, only if this is a requirement specified in the contractual agreement between the two companies
  C. No, Branding is not responsible for controlling the services offered by Techvology, but is responsible for monitoring them
  A. Yes, Branding is responsible for controlling and monitoring the quality of Techvology's services

  ---

  A.

  Correct Answer:

  ISO/IEC 27001:2022 Annex A Control A.5.19 (Information Security in Supplier Relationships) requires organizations to monitor and control their suppliers to ensure compliance with security requirements.

  Branding must monitor, assess, and ensure Techvology maintains compliance with ISO/IEC 27001 and outsourcing agreements.

  B. Incorrect:

  Even if not explicitly stated in the contract ISO/IEC 27001 requires continual supplier , monitoring .

  C. Incorrect:

  Branding is responsible for both controlling and monitoring outsourced services, not just monitoring them.

  Relevant Standard Reference:

  ISO/IEC 27001:2022 Annex A Control A.5.19 (Supplier Security Compliance)

  ISO/IEC 27001:2022 Clause 8.2 (Outsourced Service Controls)

• Question 92:

  Which two of the following options for information are not required for audit planning of a certification audit?

  A. A sampling plan
  B. A document review
  C. The working experience of the management system representative
  D. An audit checklist
  E. An organisation's financial statement
  F. An audit plan
  C. The working experience of the management system representative
  E. An organisation's financial statement

  ---

  These two options are not required for audit planning of a certification audit, as they are not relevant to the audit objectives, scope, criteria, and methods. The working experience of the management system representative is not a requirement of ISO/IEC 27001, nor does it affect the conformity or effectiveness of the ISMS. The organisation's financial statement is not part of the ISMS documentation, nor does it provide evidence of the ISMS performance or improvement. The other options are required for audit planning, as they help to determine the audit activities, resources, schedule, and sampling strategy.

  References: PECB Candidate Handbook1, page 19-20; ISO 9001 Auditing Practices Group Guidance on2, page 1-2; ISO/IEC 27001:2022 (en)3, clause 9.2.

• Question 93:

  During a follow-up audit, you notice that a nonconformity identified for completion before the follow-up audit is still outstanding. Which four of the following actions should you take?

  A. Report the failure to address the corrective action for the outstanding nonconformity to the organisation's top management
  B. Immediately raise an nonconformity as the date for completion has been exceeded
  C. If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client
  D. Contact the individuals) managing the audit programme to seek their advice as to how to proceed
  E. Decide whether the delay in addressing the nonconformity is justified
  F. Cancel the follow-up audit and return when an assurance has been received that the nonconformity has been cleared
  G. Note the nonconformity is still outstanding and follow audit trails to determine why
  H. If the delay is unjustified advise the auditee /audit client and agree on remedial action
  A. Report the failure to address the corrective action for the outstanding nonconformity to the organisation's top management
  C. If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client
  E. Decide whether the delay in addressing the nonconformity is justified
  G. Note the nonconformity is still outstanding and follow audit trails to determine why

  ---

  According to the ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, the following actions should be taken when a nonconformity identified for completion before the follow-up audit is still outstanding:

  Report the failure to address the corrective action for the outstanding nonconformity to the organisation's top management. This is part of the auditor's responsibility to communicate the audit results and ensure that the audit objectives are met.

  If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client. This is part of the auditor's responsibility to verify the effectiveness of the corrective actions taken by the auditee and to close the nonconformity when the evidence is satisfactory. Decide whether the delay in addressing the nonconformity is justified. This is part of the auditor's responsibility to evaluate the evidence presented by the auditee and to use professional judgement and objectivity to determine

  the validity of the reasons for the delay.

  Note the nonconformity is still outstanding and follow audit trails to determine why. This is part of the auditor's responsibility to collect and verify audit evidence and to identify the root causes of the nonconformity.

  References:

  1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, CQI and IRCA Certified Training, 1

  2: ISO/IEC 27001 Lead Auditor Training Course, PECB, 2

• Question 94:

  Scenario:

  Cyber ACrypt is a cybersecurity company that provides endpoint protection by offering anti-malware and device security, asset life cycle management, and device encryption. To validate its ISMS against ISO/IEC 27001 and demonstrate its commitment to cybersecurity excellence, the company underwent a meticulous audit process led by John, the appointed audit team leader.

  Upon accepting the audit mandate, John promptly organized a meeting to outline the audit plan and team roles This phase was crucial for aligning the team with the audit's objectives and scope However, the initial presentation to Cyber ACrypt's staff revealed a significant gap in understanding the audit's scope and objectives, indicating potential readiness challenges within the company

  As the stage 1 audit commenced, the team prepared for on-site activities. They reviewed Cyber ACrypt' s documented information, including the information security policy and operational procedures ensuring each piece conformed to and was standardized in format with author identification, production date, version number, and approval date Additionally, the audit team ensured that each document contained the information required by the respective clause of the standard This phase revealed that a

  detailed audit of the documentation describing task execution was unnecessary, streamlining the process and focusing the team's efforts on critical areas During the phase of conducting on-site activities, the team evaluated management responsibility for the Cyber Acrypt's policies This thorough examination aimed to ascertain continual improvement and adherence to ISMS requirements Subsequently, in the document, the stage 1 audit outputs phase, the audit team meticulously documented their findings,

  underscoring their conclusions regarding the fulfillment of the stage 1 objectives. This documentation was vital for the audit team and Cyber ACrypt to understand the preliminary audit outcomes and areas requiring attention.

  The audit team also decided to conduct interviews with key interested parties. This decision was motivated by the objective of collecting robust audit evidence to validate the management system's compliance with ISO/IEC 27001 requirements. Engaging with interested parties across various levels of Cyber ACrypt provided the audit team with invaluable perspectives and an understanding of the ISMS' s implementation and effectiveness.

  The stage 1 audit report unveiled critical areas of concern. The Statement of Applicability (SoA) and the ISMS policy were found to be lacking in several respects, including insufficient risk assessment, inadequate access controls, and lack of regular policy reviews. This prompted Cyber ACrypt to take immediate action to address these shortcomings. Their prompt response and modifications to the strategic documents reflected a strong commitment to achieving compliance.

  The technical expertise introduced to bridge the audit team's cybersecurity knowledge gap played a pivotal role in identifying shortcomings in the risk assessment methodology and reviewing network architecture. This included evaluating firewalls, intrusion detection and prevention systems, and other network security measures, as well as assessing how Cyber ACrypt detects, responds to, and recovers from external and internal threats. Under John's supervision, the technical expert communicated the audit

  findings to the representatives of Cyber ACrypt. However, the audit team observed that the expert s objectivity might have been compromised due to receiving consultancy fees from the auditee. Considering the behavior of the technical expert during the audit, the audit team leader decided to discuss this concern with the certification body.

  Based on the scenario above, answer the following question:

  Question:

  According to Scenario, Cyber ACrypt modified the SoA and the ISMS policy after the Stage 1 audit report . How do you define this situation?

  A. Unacceptable, once the external audit passes Stage 1, the SoA and the ISMS policy cannot be modified
  B. Acceptable, situations that lead to major nonconformities during the Stage 2 audit should be corrected
  C. Acceptable, minor modifications to the SoA and ISMS policy can be made until the submission of the final audit report
  B. Acceptable, situations that lead to major nonconformities during the Stage 2 audit should be corrected

  ---

  B.

  Correct Answer:

  Stage 1 audits identify gaps and allow the organization to correct major nonconformities before Stage 2 certification . ISO/IEC 27006 requires organizations to address major nonconformities before proceeding to Stage 2.

  A. Incorrect:

  Organizations are allowed to correct nonconformities identified in Stage 1.

  C. Incorrect:

  Major changes must be addressed, not just minor modifications.

  Relevant Standard Reference:

  ISO/IEC 27006:2020 Clause 9.2.3 (Stage 1 and Stage 2 Audit Process)

• Question 95:

  You are an experienced ISMS Audit Team Leader, talking to an Auditor in training who has been assigned to your audit team. You want to ensure that they understand the importance of the Check stage of the Plan-

  Do-Check-Act cycle in respect of the operation of the information security management system.

  You do this by asking him to select the answer which best describes the purpose of the check activity 'management review.

  The purpose of the management review is to: Select 1

  A. Assess the information security management system at random intervals to ensure its continuing efficiency, adequacy and effectiveness.
  B. Consider the information security management system at regular intervals to ensure its continuing compliance, adequacy and effectiveness.
  C. Review the information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
  D. Update the information security management system at documented intervals to ensure its continuing conformity, adequacy and effectiveness.
  C. Review the information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

  ---

  The management review is a key component of the "Check" stage in the Plan-Do-Check-Act (PDCA) cycle. Its primary purpose is to evaluate the overall ISMS and make strategic decisions for improvement. Here's why the other options are less accurate:

  Random intervals: Reviews should be conducted at planned intervals for consistency and tracking progress.

  Compliance: While compliance is a consideration, the main focus is on the system's suitability for the organization's needs, its adequacy in managing risks, and its overall effectiveness in achieving information security objectives.

  Update: The management review might lead to updates, but its primary goal is evaluation, not immediate modification.

  References:

  ISO/IEC 27001:2022, Section 9.3 (Management Review): Outlines the purpose and requirement for conducting management reviews.

  PECB Candidate Handbook, ISO/IEC 27001 Lead Auditor: Emphasizes the management review's role in evaluating the ISMS's suitability, adequacy, and effectiveness, driving continuous improvement.

• Question 96:

  Scenario:

  Northstorm is an online retail shop offering unique vintage and modern accessories. It initially entered a small market but gradually grew thanks to the development of the overall e-commerce landscape. Northstorm works exclusively online and ensures efficient payment processing, inventory management, marketing tools, and shipment orders. It uses prioritized ordering to receive, restock, and ship its most popular products.

  Northstorm has traditionally managed its IT operations by hosting its website and maintaining full control over its infrastructure, including hardware, software, and data administration. However, this approach hindered its growth due to the lack of responsive infrastructure. Seeking to enhance its e-commerce and payment systems, Northstorm opted to expand its in-house data centers, completing the expansion in two phases over three months. Initially, the company upgraded its core servers, point-of-sale,

  ordering, billing, database, and backup systems. The second phase involved improving mail, payment, and network functionalities. Additionally, during this phase, Northstorm adopted an international standard for personally identifiable information (PII) controllers and PII processors regarding PII processing to ensure its data handling practices were secure and compliant with global regulations.

  Despite the expansion, Northstorm's upgraded data centers failed to meet its evolving business demands. This inadequacy led to several new challenges, including issues with order prioritization. Customers reported not receiving priority orders, and the company struggled with responsiveness. This was largely due to the main server's inability to process orders from YouDecide, an application designed to prioritize orders and simulate customer interactions. The application, reliant on advanced algorithms,

  was incompatible with the new operating system (OS) installed during the upgrade.

  Faced with urgent compatibility issues, Northstorm quickly patched the application without proper validation, leading to the installation of a compromised version. This security lapse resulted in the main server being affected and the company's website going offline for a week. Recognizing the need for a more reliable solution, the company decided to outsource its website hosting to an e-commerce provider. The company signed a confidentiality agreement concerning product ownership and conducted a

  thorough review of user access rights to enhance security before transitioning. Question: According to Scenario, Northstorm reviewed users' access rights. What is the type and function of this security control?

  A. Detective and administrative
  B. Corrective and managerial
  C. Legal and technical
  A. Detective and administrative

  ---

  Security controls can be classified by type (administrative, technical, physical) and function (preventive, detective, corrective).

  A. Detective and administrative?Correct Answer. Reviewing access rights is an administrative control because it involves procedural security measures (such as policy enforcement and auditing). It is also a detective control because it helps identify inappropriate or unauthorized access by auditing and verifying user permissions.

  B. Corrective and managerial?Incorrect because reviewing user access rights does not correct an issue but rather detects potential unauthorized access. It is also administrative , not managerial.

  C. Legal and technical?Incorrect because reviewing user access rights is an administrative policy- based action , not a legal or technical control.

  This aligns with ISO/IEC 27001:2022 Annex A Control A.5.18 (Access Rights) , which mandates regular review of user access to prevent unauthorized access and enforce security policies.

• Question 97:

  You are performing an ISMS initial certification audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to conduct the closing meeting. During the final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and 1 opportunity for improvement as below:

  

  During the closing meeting, the Management System Representative (MSR) updates you with the information that ABC is going to merge with WeCare medical devices manufacture within the next 3 months. ABC will be the organisation's name after the merger. He asks if it is possible to include WeCare medical devices manufacture location in the follow-up audit so that the certification will include it. He says that WeCare is certified to ISO/IEC 27001:2022. Select one option for the correct response to the request of the MSR.

  A. Advise that an initial audit would need to be carried out on WeCare but this could be combined with a follow-up audit of ABC
  B. Advise that any changes will impact the certified scope of the initial audit. The organisation has the responsibility to update the certification body within an agreed timeframe so that a decision can be taken about incorporating WeCare.
  C. Advise that there are no issues. The new business can be included within the certified scope immediately if WeCare can obtain the agreement of their certification body
  D. Suggest it would be better to postpone the certification process and wait until the business acquisitior is completed
  B. Advise that any changes will impact the certified scope of the initial audit. The organisation has the responsibility to update the certification body within an agreed timeframe so that a decision can be taken about incorporating WeCare.

  ---

  According to ISO/IEC 27001 guidelines, any significant changes to the scope of the ISMS, such as a merger, must be communicated to the certification body. This ensures that the certification remains valid and that all locations and processes are included in the scope. The certification body will then decide the appropriate actions to incorporate the new entity into the existing certification.

  References: ISO/IEC 27001 Lead Auditor Reference Materials PECB Candidate Handbook for ISO 27001 Lead Auditor

• Question 98:

  After drafting the audit conclusions, the work documents of the audit team leader were reviewed by another auditor selected by the certification body. Is this acceptable?

  A. Yes, the work documents of the audit team leader must be reviewed by another auditor after reaching audit conclusions
  B. No, the work of the audit team leader must be reviewed before reaching an audit conclusion
  C. No' it is only the audit team leader that reviews the work documents of each auditor
  A. Yes, the work documents of the audit team leader must be reviewed by another auditor after reaching audit conclusions

  ---

  Yes, it is acceptable for the work documents of the audit team leader to be reviewed by another auditor after reaching audit conclusions. This is part of the quality control and assurance processes within the audit to ensure the accuracy and reliability of the audit conclusions.

  References: ISO 19011:2018, Guidelines for auditing management systems

• Question 99:

  Scenario: GreenForge Manufacturing conducted an internal audit, but the internal auditors audited their own departments and signed off their own corrective actions. What is the best audit conclusion regarding internal audit requirements?

  A. Acceptable, because internal auditors are trained and know their departments best
  B. Acceptable, because independence is required only for certification audits
  C. Unacceptable, because internal audits must ensure objectivity and impartiality
  D. Unacceptable, because internal audits are not required by ISO/IEC 27001
  C. Unacceptable, because internal audits must ensure objectivity and impartiality

  ---

  C is correct. Clause 9.2 requires internal audits to be conducted in a way that ensures objectivity and impartiality. Auditing one's own work threatens independence and objectivity.

  A is incorrect because competence does not replace objectivity requirements.

  B is incorrect because internal audits also require impartiality.

  D is incorrect because internal audits are explicitly required by clause 9.2.

  References: ISO/IEC 27001:2022 clause 9.2

• Question 100:

  Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

  Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

  Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

  Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

  During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

  The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees' access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not

  record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

  During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

  According to ISO/IEC 27001 requirements, does the company need to provide evidence of implementation of the procedure regarding logs recording user activities? Refer to scenario 6.

  A. Yes, event logs recording user activities must be kept and regularly reviewed
  B. No, because the implementation of this procedure is not a requirement of the standard
  C. No, the company only recommended implementing this procedure
  A. Yes, event logs recording user activities must be kept and regularly reviewed

  ---

  According to ISO/IEC 27001, the company needs to provide evidence of the implementation of procedures regarding the logging of user activities. This requirement is essential to ensure that events are recorded and regularly reviewed, supporting the detection and prevention of security incidents.

  References: ISO/IEC 27001:2013, Clause A.12.4 (Logging and monitoring)