ISO-27001-LA Exam Details

  • Exam Code: ISO-27001-LA
  • Exam Name: ISO/IEC 27001:2022 Lead Auditor
  • Certification: PECB Certifications
  • Vendor: PECB
  • Total Questions: 394 Q&As
  • Last Updated: May 31, 2026

PECB ISO-27001-LA Online Questions & Answers

  • Question 101:

    Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is considered to be the ultimate media machine of 2021 which will give the best gaming experience to players.

    The console pack will include a VR headset, two games, and other gifts.

    Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market.

    Besides being a very customer-oriented company, Knight also gained wide recognition within the gaming industry because of its development quality. Their prices are a bit higher than the reasonable standards allow.

    Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

    Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

    Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze every part of the system and the details of the incident.

    The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

    FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

    Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone capturing the traffic can only see encrypted data.

    Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the company's risk acceptance levels.

    Based on this scenario, answer the following question:

    Based on scenario 2, the ISMS project manager approved the results of risk assessment. Is this acceptable?

    A. No, the risk remaining after the treatment of risk should be approved by the top management at any stage
    B. No, the risk remaining after the implementation of new controls for the ISMS should be approved by the ISMS team
    C. Yes, the risk remaining after the treatment of risk should be approved by the ISMS project manager

  • Question 102:

    The purpose of a management system audit is to? Select 1

    A. Evaluate the performance of an organisation's management system
    B. Improve the performance of an organisation's management system
    C. Manage the performance of an organisation's management system
    D. Research the performance of an organisation's management system

  • Question 103:

    What is the objective of penetration testing in the risk assessment process?

    A. To conduct thorough code reviews
    B. To identify potential failures in the ICT protection schemes
    C. To physically inspect hardware components

  • Question 104:

    Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

    The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNet's operations and its compliance with a widely recognized and accepted standard. But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

    Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

    Therefore, UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

    The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

    One year after the initial certification audit, the certification body conducted another audit of UpNet's ISMS. This audit aimed to determine UpNet's ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, UpNet's certification was suspended.

    Based on the scenario above, answer the following question:

    UpNet announced that the ISMS certification scope encompasses the whole company after ensuring that the new department also complies with the ISO/IEC 27001 requirements. How would you classify this situation illustrated in scenario 9?

    A. Unacceptable, the internal auditor should have approved the extension audit, not the top management
    B. Unacceptable, UpNet should have requested and granted an extension audit prior to making the announcement
    C. Acceptable, the internal audit confirmed the effectiveness and efficiency of the existing and new processes and controls

  • Question 105:

    An external auditor received an offer to conduct an ISMS audit at a research and development company. Before accepting it, they discussed the previous audit reports with the internal auditor of the auditee, who was their friend. Is this acceptable?

    A. No, the external auditor should discuss about the auditee's previous audit reports only with the certification body
    B. Yes, the auditor can review and discuss the previous audit reports before accepting an audit mandate
    C. No, the auditor should uphold objectivity even when deciding whether to accept the audit mandate or not

  • Question 106:

    Scenario 8: EsBank has provided banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

    Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

    Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001. The certification audit included all of EsBank's systems, processes, and technologies.

    The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank's labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

    Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

    They drafted the nonconformity report and discussed the audit conclusions with EsBank's representatives, who agreed to submit an action plan for the detected nonconformities within two months. EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

    Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

    Based on the scenario above, answer the following question:

    By drafting a procedure for information labeling, EsBank has:

    A. Submitted an action plan to resolve the nonconformity
    B. Created an information classification scheme
    C. Eliminated the root cause of the nonconformity

  • Question 107:

    DRAG DROP

    The audit lifecycle describes the ISO 19011 process for conducting an individual audit. Drag and drop the steps of the audit lifecycle into the correct sequence.

    Select and Place:

  • Question 108:

    You are an experienced ISMS audit team leader conducting a third-party surveillance visit.

    You notice that although the auditee is claiming conformity with ISO/IEC 27001:2022 they are still referring to Improvement as clause 10.2 (as it was in the 2013 edition) when this is now clause 10.1 in the 2022 edition. You have confirmed they are meeting all of the 2022 requirements set out in the standard.

    Select one option of the action you should take.

    A. Note the issue in the audit report
    B. Raise a nonconformity against clause 7.5.3 - Control of documented information
    C. Raise it as an opportunity for improvement
    D. Bring the matter up at the closing meeting

  • Question 109:

    Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires its clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction.

    Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

    Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

    Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

    During the audit, among others, the following situations were observed:

    1. The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence, but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

    2. There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed of any possible change that might occur.

    3. There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by these services. They used a packet analyzer to test the firewall policies, which enabled them to check the packets sent or received in real time.

    Based on this scenario, answer the following question:

    Regarding the third situation observed, auditors themselves tested the configuration of firewalls implemented in SendPay's network. How do you describe this situation? Refer to scenario 4.

    A. Acceptable, technical evidence is required to validate the operation of technical processes
    B. Unacceptable, the auditors should only observe the testing of system or equipment configurations and not test the system themselves
    C. Unacceptable, firewall configurations should not be tested during an audit since this can have an impact on systems' operation

  • Question 110:

    Which three of the following phrases are objectives in relation to an audit?

    A. International Standard
    B. Identify opportunities for improvement
    C. Confirm the scope of the management system
    D. Management policy
    E. Complete audit on time
    F. Regulatory requirements

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only PECB exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your ISO-27001-LA exam preparation and PECB certification application, do not hesitate to visit Vcedump.com to find your solutions here.