PECB ISO-27001-LA Online Practice Questions and Exam Preparation

PECB ISO-27001-LA Online Questions & Answers

• Question 121:

  Which two of the following actions are the individual(s) managing the audit programme responsible for?

  A. Determining the resources necessary for the audit programme
  B. Communicating with the auditee during the audit
  C. Determining the legal requirements applicable to each audit
  D. Keping informed the accreditation body on the progress of the audit programme
  E. Defining the objectives, scope and criteria for an individual audit
  F. Defining the plan of an individual audit
  A. Determining the resources necessary for the audit programme
  D. Keping informed the accreditation body on the progress of the audit programme

  ---

  Establishing the audit programme objectives, scope and criteria

  Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc.

  Selecting and appointing the audit team leaders and auditors

  Reviewing and approving the audit plans and arrangements

  Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc. Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities Monitoring and reviewing the performance and results of the audit programme and the audit teams Evaluating the feedback and satisfaction of the auditees and other

  interested parties

  Identifying and implementing the opportunities for improvement of the audit programme

  The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors:

  Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc. Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc. Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee Defining the plan of an individual audit, which includes the audit

  schedule, the audit activities, the audit methods, the audit documents, etc.

  References:

  ISO 19011:2018 - Guidelines for auditing management systems

  PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-20

• Question 122:

  Which type of audit requires that the auditee and audit team agree on remote access protocols before conducting the audit?

  A. Virtual
  B. Internal
  C. External
  A. Virtual

  ---

  A.

  Correct Answer:

  Virtual audits require predefined remote access protocols to ensure secure, authorized connections for data review.

  ISO 19011:2018 provides guidelines for virtual auditing security measures.

  B. Incorrect:

  Internal audits may use remote access, but agreement is not mandatory.

  C. Incorrect:

  External audits may involve remote access but do not require predefined agreements in all cases.

  Relevant Standard Reference:

  ISO 19011:2018 Clause 6.4.10 (Remote and Virtual Auditing Procedures)

• Question 123:

  Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e- commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

  The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

  Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top

  management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure. While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one

  of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

  When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

  Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

  Based on this scenario, answer the following question:

  What type of audit evidence has Jack collected when he identified the first nonconformity regarding the software? Refer to scenario 3.

  A. Analytical evidence
  B. Verbal evidence
  C. Mathematical evidence
  C. Mathematical evidence

  ---

  Jack collected mathematical evidence when he identified nonconformities by comparing the number of purchased invoices for software licenses with the software inventory. This type of evidence involves numerical, quantifiable data that highlights discrepancies and supports findings of compliance or non- compliance.

  References: ISO/IEC 27001:2013 Standard, general guidelines on auditing

• Question 124:

  Scenario: OceanGrid operates a data center. The SoA states that logging is applicable and implemented. The procedure says: "Event logs shall be retained for 90 days and reviewed weekly." During stage 2, no evidence exists of weekly reviews, and retention is only 14 days due to storage limits. Which option best reflects the correct audit conclusion?

  A. Conformity, because logging exists and retention is not mandated by ISO/IEC 27001
  B. Opportunity for improvement, because review frequency is an internal preference
  C. Nonconformity, because implemented practice does not meet the organization's defined requirements and SoA commitment
  D. Observation, because storage constraints justify deviation from procedure
  C. Nonconformity, because implemented practice does not meet the organization's defined requirements and SoA commitment

  ---

  C is correct. The organization defined and committed (via procedure and SoA) to specific retention and review practices, but implementation does not match. This is a failure to fulfil a requirement of the organization's ISMS controls and operational control (clause 8.1), and indicates that "implemented as stated" in the SoA is not supported by evidence.

  A is incorrect because even if the standard is flexible, the organization must meet its own ISMS requirements.

  B is incorrect because weekly review is not merely a preference once defined as a requirement.

  D is incorrect because constraints require change control and updated procedures/risk treatment, not silent deviation.

  References: ISO/IEC 27001:2022 clause 8.1; clause 7.5; clause 6.1.3 (SoA alignment)

• Question 125:

  You are an experienced ISMS audit team leader. You are currently conducting a third-party surveillance audit of an international haulage organisation. You have sampled four internal audit reports which state:

  Report 1 - Auditor: Mr James.

  Over the year the organisation has failed to meet its promised delivery dates on 23 occasions out of 100. This is against a target of '95% of deliveries on time'.

  Grading - Minor

  Corrective Action due: Within 9 months.

  Report 2 - Auditor: Mr James.

  Between January and March, it was noted 125 complaints were received about the Service Desk Team. Clients

  accused them of being rude and unresponsive.

  Grading - Minor

  Corrective Action due: Within 12 months.

  Report 3 - Auditor: Mr James.

  Of the 40 customer orders received last month, 38 were correctly processed. Of the remaining 2, one was missing a signature and one was missing a date.

  Grading Corrections due: Within 3 weeks

  Report 4 - Auditor: Mr Rogers.

  Of the 30 personnel records examined, 26 were found to be fully completed whilst the remaining 4 were all missing the individual's start date.

  Grading Major

  Corrections due: Within 1 week

  Which four of the options demonstrate the concerns you would have about these reports?

  A. I would be concerned as to whether criteria for grading nonconformities are in existence in this organisation
  B. I would be concerned as to whether the auditors understand the difference between corrections and corrective actions
  C. I would be concerned because action taken to address a major nonconformity should always be completed sooner than action taken to address minor nonconformities
  D. I would be concerned that no grading is recorded for Report 3. This could indicate that the auditor did not complete the report correctly or that they failed to make a determination as to severity
  E. I would be concerned that the auditors focussed only on information security processes
  F. I would be concerned that timing for addressing the nonconformities is significantly different in the four reports
  G. I would have a concern that no nonconformity review was conducted
  H. I would have a concern that one auditor appeared to be conducting most of the internal audits
  A. I would be concerned as to whether criteria for grading nonconformities are in existence in this organisation
  B. I would be concerned as to whether the auditors understand the difference between corrections and corrective actions
  D. I would be concerned that no grading is recorded for Report 3. This could indicate that the auditor did not complete the report correctly or that they failed to make a determination as to severity
  F. I would be concerned that timing for addressing the nonconformities is significantly different in the four reports

  ---

• Question 126:

  The following are definitions of Information, except:

  A. accurate and timely data
  B. specific and organized data for a purpose
  C. mature and measurable data
  D. can lead to understanding and decrease in uncertainty
  C. mature and measurable data

  ---

  The definition of information that is not correct is C: mature and measurable data. This is not a valid definition of information, as information does not have to be mature or measurable to be considered as such. Information can be any data that has meaning or value for someone or something in a certain context. Information can be subjective, qualitative, incomplete or uncertain, depending on how it is interpreted or used. Mature and measurable data are characteristics that may apply to some types of information, but not all. The other definitions of information are correct, as they describe different aspects of information, such as accuracy and timeliness (A), specificity and organization (B), and understanding and uncertainty reduction (D). ISO/IEC 27001:2022 defines information as "any data that has meaning" (see clause 3.25).

  References: CQI and IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements, What is Information?

• Question 127:

  You are an ISMS audit team leader tasked with conducting a follow-up audit at a client's data centre. Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding.

  Select four options for the actions you could take.

  A. Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified
  B. Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit
  C. Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised
  D. Recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale
  E. Advise the auditee that you will arrange for the next audit to be an online audit to deal with the outstanding nonconformity
  F. Note the progress made but hold the audit open until all corrective action has been cleared
  G. Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity
  H. Conduct an unannounced follow-up audit on-site to review the one outstanding minor nonconformity once it has been cleared
  A. Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified
  C. Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised
  F. Note the progress made but hold the audit open until all corrective action has been cleared
  G. Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity

  ---

  The four options for the actions you could take are A, C, F, and G. These options are consistent with the guidance and requirements of ISO 19011:2018, Clause 6.712. You could agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified (A), and document the agreement in the audit report1. You could close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised ? and report the outcome to the audit client and other relevant parties1. You could note the progress made but hold the audit open until all corrective action has been cleared (F), and determine the need for another follow-up audit or other actions1. You could also advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity (G), as they are responsible for the overall management and coordination of the audit programme3. The other options are either not appropriate or not necessary for the situation. You should not recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit (B), as this may compromise the audit objectives and the audit programme1. You should not recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale (D), as this is not within your role or authority as an ISMS auditor4. You should not advise the auditee that you will arrange for the next audit to be an online audit to deal with the outstanding nonconformity (E), as this may not be feasible or effective depending on the nature and complexity of the nonconformity1. You should not conduct an unannounced follow-up audit on-site to review the one outstanding minor nonconformity once it has been cleared (H), as this may not be in accordance with the audit agreement or the audit programme1.

  References: 1: ISO 19011:2018, Guidelines for auditing management systems, Clause 6.7 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 6: Closing an ISO/IEC 27001 audit \n3: ISO 19011:2018, Guidelines for auditing management systems, Clause 5.3 \n4: ISO/IEC 27006:2022, Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems, Clause 9.6

• Question 128:

  What is the standard definition of ISMS?

  A. Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.
  B. A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving
  C. A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security
  D. A systematic approach for establishing, implementing, operating,monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives.
  D. A systematic approach for establishing, implementing, operating,monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives.

  ---

  The standard definition of ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives. This definition is given in clause 3.17 of ISO/IEC 27001:2022, and it describes the main components and purpose of an ISMS. An ISMS is not a project-based approach, as it is an ongoing process that requires continual improvement. An ISMS is not a company wide business objective, as it is a management system that supports the organization's objectives. An ISMS is not an information security systematic approach, as it is a broader concept that encompasses the organization's context, risks, controls, and performance.

  References: CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 15. : ISO /IEC 27001:2022, clause 3.17.

• Question 129:

  DRAG DROP

  A key audit process is the way auditors gather information and determine the findings' characteristics. Put the actions listed in the correct order to complete this process. The last one has been done for you.

  Select and Place:

  

  

  Explanation:

  Determine source of information Collect by means of appropriate sampling Reviewing Audit evidence Evaluating against audit criteria Audit findings Audit conclusions

  The reviewing step involves checking the accuracy, completeness, and relevance of the collected information. The audit evidence step involves documenting the information in a verifiable and traceable manner. The evaluating against audit criteria step involves comparing the audit evidence with the requirements of the ISO 27001 standard and the organization's own policies and objectives. The audit findings step involves identifying any nonconformities, weaknesses, or opportunities for improvement in the ISMS. The audit conclusions step involves summarizing the audit results and providing recommendations for corrective actions or enhancements.

• Question 130:

  You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure (Document reference ID: ISMS_L2_16, version 4) and explains that the process is based on ISO/IEC 27035-1:2016.

  You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".

  The IT Security Manager explained that an online "information security handling" training seminar was conducted 6 months ago. All of the interviewed persons participated in and passed the reporting exercise and course assessment.

  You are preparing the audit findings. Select two options that are correct.

  A. There is a nonconformity (NC). The information security incident training has failed. This is not conforming with clause 7.2 and control A.6.3.
  B. There is a nonconformity (NC). The terminology of the the incident management reporting process is unclear as evidenced by staff misunderstanding of the meaning of "weakness, event and incident". This is not conforming with clause 9.1 and control A.5.24.
  C. There is an opportunity for improvement (OFI). The information security incident training effectiveness can be improved. This is relevant to clause 7.2 and control A.6.3.
  D. There is an opportunity for improvement (OFI). The information security weaknesses, events, and incidents are reported. This is relevant to clause 9.1 and control A.5.24.
  E. There is no nonconformance. The information security handling training has been effective. This conforms with clause 7.2 and control A.6.3.
  F. There is no nonconformance. The information security weaknesses, events, and incidents are reported. This conforms with clause 9.1 and control A.5.24.
  B. There is a nonconformity (NC). The terminology of the the incident management reporting process is unclear as evidenced by staff misunderstanding of the meaning of "weakness, event and incident". This is not conforming with clause 9.1 and control A.5.24.
  C. There is an opportunity for improvement (OFI). The information security incident training effectiveness can be improved. This is relevant to clause 7.2 and control A.6.3.

  ---

  According to ISO/IEC 27001:2022 clause 7.2, the organization must ensure that the persons doing work under its control are aware of the information security policy, their contribution to the effectiveness of the ISMS, the implications of not conforming to the ISMS requirements, and the benefits of improved information security performance. The organization must also provide information security awareness education and training to its personnel and relevant interested parties. According to control A.6.3, the

  organization must ensure that all employees and contractors are made aware of the information security incident management procedures and their expected roles and responsibilities. Therefore, an opportunity for improvement (OFI) can be identified if the information security incident training effectiveness can be improved, as evidenced by the differences in the understanding of the meaning of "weakness, event, and incident" among the staff.

  According to ISO/IEC 27001:2022 clause 9.1, the organization must monitor, measure, analyze and evaluate the information security performance and the effectiveness of the ISMS. The organization must also retain appropriate documented information as evidence of the monitoring and measurement results. According to control A.5.24, the organization must establish and maintain an information security incident management process that includes the following activities:

  Reporting information security events and weaknesses;

  Assessing and deciding on information security events;

  Responding to information security incidents;

  Learning from information security incidents;

  Collecting evidence and disclosing information.

  Therefore, a nonconformity (NC) can be identified if the terminology of the incident management reporting process is unclear, as evidenced by the staff misunderstanding of the meaning of "weakness, event, and incident". This could lead to inconsistent or inaccurate reporting, assessment, response, learning, and disclosure of information security incidents, which could affect the information security performance and the effectiveness of the ISMS.

  References:

  ISO/IEC 27001:2022, clauses 7.2, 9.1, and Annex A controls A.5.24 and A.6.3

  PECB Candidate Handbook ISO/IEC 27001 Lead Auditor], pages 15-16, 18-19, 22-23

  ISO/IEC 27035-1:2016, clauses 4, 5, 6, 7, and 8

  ISO 27001 ?Annex A.16: Information Security Incident Management

  ISO 27001:2022 Annex A Control 5.24 - What's New?