PECB ISO-27001-LA Online Practice Questions and Exam Preparation

ISO-27001-LA Exam Details
Exam Code: ISO-27001-LA
Exam Name: ISO/IEC 27001:2022 Lead Auditor
Certification: PECB Certifications
Vendor: PECB
Total Questions: 394 Q&As
Last Updated: May 31, 2026

PECB ISO-27001-LA Online Questions & Answers
Question 131:
You are the audit team leader conducting a third-party audit of an online insurance company. During Stage 1, you found that the organization took a very cautious risk approach and included all the information security controls in ISO/IEC 27001:2022 Appendix A in their Statement of Applicability.
During the Stage 2 audit, your audit team found that there was no evidence of a risk treatment plan for the implementation of the three controls (5.3 Segregation of duties, 6.1 Screening, 7.12 Cabling security). You raise a nonconformity against clause 6.1.3.e of ISO 27001:2022.
At the closing meeting, the Technical Director issues an extract from an amended Statement of Applicability (as shown) and asks for the nonconformity to be withdrawn.
Select the three options that are correct responses of an audit team leader to the Technical Director's request.
A. Advise management that the information provided will be reviewed when the auditors have more time.
B. Advise the Technical Director that his request will be included in the audit report.
C. Advise the Technical Director that once a nonconformity is raised it cannot be withdrawn.
D. Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.
E. Ask the auditor who raised the issue for their opinion on how you should respond to the request.
F. Inform the Technical Director that the nonconformity will be changed to an Opportunity for Improvement.
G. Review the documentation produced and withdraw the nonconformity.
H. State that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability.
B. Advise the Technical Director that his request will be included in the audit report.
D. Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.
H. State that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability.
B is correct because the audit team leader should record the Technical Director's request and include it in the audit report together with the audit findings and conclusions [1][2]. This keeps the audit process and its results transparent and traceable.
D is correct because the audit team leader should not withdraw the nonconformity on the strength of an amended Statement of Applicability alone. The nonconformity was raised against clause 6.1.3 e) of ISO/IEC 27001:2022, which requires the organisation to formulate an information security risk treatment plan covering the selected controls and how they will be implemented [3][4]. The Statement of Applicability is a separate output of clause 6.1.3 d): it records which controls are applicable and why, but it is not evidence that a treatment plan exists or that the three controls have been implemented. The nonconformity rests on the objective evidence obtained during the audit, not on a document produced at the closing meeting after the finding was raised [1][2].
H is correct because the audit team leader should state that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability. A follow up audit verifies the implementation and effectiveness of the corrective actions (and any opportunities for improvement) agreed as a result of a previous audit [5][6]. It should confirm that the nonconformity has been effectively addressed and that the ISMS remains conforming and effective, and it should take into account any new or changed risks or requirements that affect the ISMS.
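The check behind the nonconformity can be expressed as a reconciliation between the two outputs of clause 6.1.3: every control the Statement of Applicability marks applicable (6.1.3 d) should have a risk treatment plan entry (6.1.3 e). The script below is an added illustration, not part of the question or of any PECB material; the control numbers are Annex A identifiers, but the SoA rows, risk IDs, owners and dates are constructed sample data.

```python
"""Reconcile a Statement of Applicability (SoA) against a risk treatment plan.

Constructed illustration of the gap found in the audit above: every control
the SoA marks applicable (ISO/IEC 27001:2022 clause 6.1.3 d) should have a
risk treatment plan entry stating how and when it will be implemented
(clause 6.1.3 e). The control numbers are Annex A identifiers; the SoA and
plan rows are invented sample data, not the insurer's records.
"""
import csv
import io

# Constructed SoA extract: control, title, applicable (yes/no), justification.
SOA_CSV = """control,title,applicable,justification
5.3,Segregation of duties,yes,Risk R-07: fraud in claims handling
6.1,Screening,yes,Risk R-12: insider threat
7.12,Cabling security,yes,Risk R-21: tampering with network cabling
8.24,Use of cryptography,yes,Risk R-03: interception of customer data in transit
7.4,Physical security monitoring,no,Premises and monitoring are provided by the landlord
8.28,Secure coding,yes,
"""

# Constructed risk treatment plan extract: control, risk, status, owner, due date.
RTP_CSV = """control,risk,status,owner,due
8.24,R-03,implemented,CISO,2025-01-31
7.4,R-21,planned,Facilities,2025-06-30
"""


def load(csv_text):
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def control_key(control_id):
    """Sort Annex A identifiers numerically (5.3 < 5.10 < 7.12)."""
    return tuple(int(part) for part in control_id.split("."))


def reconcile(soa_rows, rtp_rows):
    """Cross-check the SoA against the plan and return the inconsistencies.

    missing_plan       applicable controls with no treatment plan entry
                       (the clause 6.1.3 e) nonconformity in the scenario)
    plan_for_excluded  plan entries for controls the SoA marks not applicable
    no_justification   SoA rows with no rationale recorded either way
    """
    applicable = {r["control"] for r in soa_rows
                  if r["applicable"].strip().lower() == "yes"}
    planned = {r["control"] for r in rtp_rows}
    unjustified = {r["control"] for r in soa_rows if not r["justification"].strip()}
    return {
        "missing_plan": sorted(applicable - planned, key=control_key),
        "plan_for_excluded": sorted(planned - applicable, key=control_key),
        "no_justification": sorted(unjustified, key=control_key),
    }


def findings_report(result):
    """Render the reconciliation as one audit-finding line per inconsistency."""
    lines = []
    for control in result["missing_plan"]:
        lines.append(f"NC 6.1.3 e): control {control} is applicable in the SoA "
                     f"but has no risk treatment plan entry")
    for control in result["plan_for_excluded"]:
        lines.append(f"Inconsistency: control {control} has a plan entry "
                     f"but is marked not applicable in the SoA")
    for control in result["no_justification"]:
        lines.append(f"NC 6.1.3 d): control {control} has no justification "
                     f"recorded in the SoA")
    return lines


if __name__ == "__main__":
    for line in findings_report(reconcile(load(SOA_CSV), load(RTP_CSV))):
        print(line)
```

Run against the sample data, `missing_plan` comes back as 5.3, 6.1, 7.12 and 8.28. Editing the SoA (rewording a justification, or adding one for 8.28) changes only `no_justification`; `missing_plan` clears only when a plan entry is added for the control, which is the point the audit team leader makes when refusing to withdraw the nonconformity on the basis of an amended SoA alone.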
References:
1: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 25
2: ISO 19011:2018 - Guidelines for auditing management systems, clause 6.7
3: ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements, clause 6.1.3 e)
4: ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection -- Guidance on managing information security risks, clause 8.3.2
5: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 25
6: ISO 19011:2018 - Guidelines for auditing management systems, clause 6.7
Question 132:
Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of its main services is transferring money worldwide. SendPay, as a new company, seeks to offer top-quality services to its clients. Since the company offers international transactions, it requires its clients to provide personal information, such as their identity, the reason for the transaction, and other details that might be needed to complete it. Therefore, SendPay has implemented security measures to protect its clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Its commitment to offering secure services was also reflected during the ISMS implementation, in which the company invested a lot of time and resources.
Last year, SendPay unveiled its digital platform, which allows money transactions through electronic devices such as smartphones or laptops without an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere at any time. The digital platform helped SendPay simplify its operations and further expand its business. At the time, SendPay was outsourcing its software operations, so the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining SendPay's technology infrastructure.
Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.
During the audit, among others, the following situations were observed:
1. The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to bring the services back in-house immediately and its operations were disrupted for five days. The auditors asked SendPay's representatives to provide evidence that they have a plan to follow in case of contract termination. The representatives did not provide any documentary evidence, but during an interview they told the auditors that SendPay's top management had identified two other software development companies that could provide services immediately if a similar situation happens again.
2. There was no evidence available regarding the monitoring of the activities outsourced to the software development company. Once again, SendPay's representatives told the auditors that they communicate regularly with the software development company and are appropriately informed of any possible change that might occur.
3. No nonconformity was found during the firewall testing. The auditors tested the firewall configuration to determine the level of security provided by these services, using a packet analyzer to check the firewall policies against the packets sent and received in real time.
Based on this scenario, answer the following question:
How do you evaluate the evidence obtained related to the monitoring process of outsourced operations? Refer to scenario 4.
A. Irrelevant, monitoring the outsourced operations is not a requirement of the standard
B. Not reliable. SendPay provided only verbal evidence regarding the monitoring of its outsourced operations
C. Appropriate and sufficient, verbal confirmation from SendPay's representatives indicates that they were aware that outsourced operations must be monitored
B. Not reliable. SendPay provided only verbal evidence regarding the monitoring of its outsourced operations
Verbal confirmation on its own is not reliable audit evidence. ISO 19011:2018 requires audit findings to rest on evidence that is verifiable, and ISO/IEC 27001:2022 clause 8.1 requires the organization to ensure that externally provided processes, products or services relevant to the ISMS are controlled, and to keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. A statement that "we communicate regularly" gives the auditor nothing to verify; records such as supplier review minutes, service reports or change notifications would. Option A is wrong because clause 8.1 does make control of outsourced processes a requirement, and option C is wrong because being aware of a requirement is not evidence that it is met.
Question 133:
Select two options that describe an advantage of using a checklist.
A. Using the same checklist for every audit without review
B. Restricting interviews to nominated parties
C. Ensuring relevant audit trails are followed
D. Ensuring the audit plan is implemented
E. Reducing audit duration
F. Not varying from the checklist when necessary
C. Ensuring relevant audit trails are followed
D. Ensuring the audit plan is implemented
A checklist is a tool that helps auditors to collect and verify information relevant to the audit objectives and scope. It can provide the following advantages:
Ensuring relevant audit trails are followed: A checklist can help auditors to identify and trace the sources of evidence that support the conformity or nonconformity of the audited criteria. It can also help auditors to avoid missing or overlooking any important aspects of the audit. Ensuring the audit plan is implemented: A checklist can help auditors to follow and fulfil the audit plan, which describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and
responsibilities. It can also help auditors to manage their time and resources effectively and efficiently.
The other options are not advantages of using a checklist, but rather:
Using the same checklist for every audit without review: This is a disadvantage of using a checklist, as it can lead to a rigid and ineffective audit approach. A checklist should be tailored and adapted to each specific audit, taking into account the context, risks, and changes of the auditee and the audit criteria. A checklist should also be reviewed and updated periodically to ensure its validity and relevance. Restricting interviews to nominated parties: This is a disadvantage of using a checklist, as it can limit the
scope and depth of the audit. A checklist should not prevent auditors from interviewing other relevant parties or sources of information that may provide valuable evidence or insights for the audit. A checklist should be used as a guide, not as a constraint.
Reducing audit duration: This is not necessarily an advantage of using a checklist, as it depends on various factors, such as the complexity, size, and maturity of the auditee's ISMS, the availability and quality of evidence, the competence and experience of the auditors, and the level of cooperation and communication between the auditors and the auditee. A checklist may help reduce audit duration by improving efficiency and organization, but it may also increase audit duration by requiring more evidence or
verification.
Not varying from the checklist when necessary: This is a disadvantage of using a checklist, as it can result in a superficial or incomplete audit. A checklist should not prevent auditors from exploring or investigating any issues or concerns that arise during the audit, even if they are not included in the checklist. A checklist should be used as a support, not as a substitute.
References:
ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course objectives and content, Quality.org and PECB
ISO 19011:2018, Guidelines for auditing management systems, clause 6.3.4 (Preparing documented information for audit)
Question 134:
Scenario: BrightLink is a SaaS provider offering HR payroll services to multiple clients. BrightLink defines its ISMS scope as "Payroll SaaS platform operations," but excludes the customer support process. Customer support agents can reset user passwords and access customer tickets containing PII. According to ISO/IEC 27001:2022, what is the most appropriate audit conclusion regarding scope?
A. Acceptable, because scope may exclude any department if documented
B. Acceptable, because customer support is not part of the payroll platform
C. Unacceptable, because scope determination must consider interfaces and dependencies relevant to information security
D. Unacceptable, because ISO/IEC 27001 requires all departments to be included in scope without exception
C. Unacceptable, because scope determination must consider interfaces and dependencies relevant to information security
C is correct. Clause 4.3 requires the organization to determine the scope considering issues, interested parties' requirements, and interfaces/dependencies with other processes. Customer support performs security-relevant activities (password resets, access to PII), so excluding it without justification indicates the scope may not cover activities relevant to information security.
A is incorrect because documentation alone does not make a scope appropriate; it must meet clause 4.3 considerations.
B is incorrect because customer support interacts directly with the ISMS-relevant information and access controls.
D is incorrect because ISO/IEC 27001 does not mandate that every department be included; however, activities relevant to information security must be appropriately covered.
References: ISO/IEC 27001:2022 clause 4.3
Question 135:
You are performing an ISMS audit at a residential nursing home that provides healthcare services and are reviewing the Software Code Management (SCM) system. You found a total of 10 user accounts on the SCM. You confirm that one of the users, Scott, resigned nine months ago. The SCM System Administrator confirmed that Scott's last check-out of the source code was one month ago, from one of the authorized desktops on the local network in a secure area.
You check the user de-registration procedure, which states: "Managers have to make sure of deregistration of the user account and authorisation immediately from the relevant ICT system and/or equipment after resignation approval." There was no deregistration record for user Scott.
The IT Security Manager explains that Scott still comes back to the office every month after he resigned to provide support on source code maintenance. That's why his account on SCM still exists.
You would like to investigate other areas further to collect more audit evidence. Select three options that would not be valid audit trails.
A. Collect more evidence on how access controls are periodically reviewed to maintain security (relevant to control A.5.35)
B. Collect more evidence on how the transition of Scott from full-time to part-time employment was managed (relevant to control A.6.5)
C. Collect more evidence from Scott's background verification checks performed by the human resource department under the new employment relationship (relevant to control A.6.1)
D. Collect more evidence of why Scott resigned and whether his re-engagement represents a conflict of interest (relevant to control A.5.3)
E. Collect more evidence on how Scott can access the employee's desktop and local network (relevant to control A.5.15)
F. Collect more evidence on how Scott can access the secure area (relevant to control A.8.4)
G. Collect more evidence on how the organization pays for Scott's source code maintenance support service (relevant to control A.6.2)
H. Collect more evidence on where Scott kept the source code that he checked out and how it was secured (relevant to control A.8.4)
B. Collect more evidence on how the transition of Scott from full-time to part-time employment was managed (relevant to control A.6.5)
D. Collect more evidence of why Scott resigned and whether his re-engagement represents a conflict of interest (relevant to control A.5.3)
G. Collect more evidence on how the organization pays for Scott's source code maintenance support service (relevant to control A.6.2)
Options B, D and G are not valid audit trails because they would not produce evidence against the audit criteria. The scenario says Scott resigned and now comes back as an outside support provider; it does not say he moved to part-time employment, so B investigates a change the evidence does not support. Why Scott resigned (D) and how the organization pays for his support (G) are human-resource and commercial matters that have no bearing on whether his access was de-registered and, if he was re-engaged, re-authorized as the procedure requires. The other options are valid audit trails because each follows the finding to a control the organization is expected to operate: the periodic review of access rights (A), the screening owed to someone re-engaged under a new relationship (C), how Scott authenticates to a desktop and the local network (E), how he enters the secure area (F), and where the checked-out source code is kept and how it is protected (H). Together these show whether the missing de-registration is an isolated lapse or a wider failure of the access control process.
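The objective evidence an auditor wants here is a record that each leaver's account was removed when the resignation was approved, and no SCM activity after that date. The script below is an added example for this scenario, not part of the question or of the nursing home's systems; it reconciles HR leaver dates, the SCM account list, the de-registration log and check-out events, all of which are constructed sample data with placeholder user names and hostnames.

```python
"""Leaver reconciliation for a source-code management (SCM) system.

Added example for the audit scenario above. All records are constructed:
the leaver dates, account statuses, de-registration entries and check-out
log lines below are invented, and the user names and hostnames are
placeholders. The checks mirror the de-registration procedure quoted in the
scenario: the account must be removed "immediately" after resignation
approval, so a missing record, a late removal, an account that is still
enabled, or activity after the leaving date are each a finding.
"""
from datetime import date, timedelta

# Constructed HR records: user -> date the resignation was approved.
LEAVERS = {
    "scott": date(2024, 3, 1),
    "maria": date(2023, 11, 15),
    "omar": date(2024, 5, 10),
}

# Constructed SCM account list: user -> account status.
SCM_ACCOUNTS = {
    "scott": "active",
    "maria": "disabled",
    "omar": "disabled",
    "jane": "active",
}

# Constructed de-registration records: user -> date the account was removed.
DEREGISTERED = {
    "maria": date(2023, 11, 16),
    "omar": date(2024, 6, 20),
}

# Constructed SCM check-out log: "<ISO timestamp> <user> <action> <host>".
CHECKOUT_LOG = """\
2024-11-02T09:14:00 scott checkout WS-17
2024-10-30T08:00:00 jane checkout WS-04
2023-11-10T17:30:00 maria checkout WS-09
2024-05-09T11:05:00 omar checkout WS-02
""".splitlines()


def parse_log(lines):
    """Parse check-out log lines into (date, user, action, host) tuples."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        stamp, user, action, host = line.split()
        events.append((date.fromisoformat(stamp[:10]), user, action, host))
    return events


def review_leavers(leavers, accounts, deregistered, events, grace_days=1):
    """Return one finding dict per control failure for each leaver.

    no_deregistration_record    no evidence the account was ever removed
    late_deregistration         removal later than the procedure's "immediately"
    account_still_active        the account remains enabled on the SCM
    activity_after_resignation  the leaver used the SCM after leaving
    """
    findings = []
    for user, left_on in leavers.items():
        deadline = left_on + timedelta(days=grace_days)
        removed_on = deregistered.get(user)
        status = accounts.get(user, "absent")
        if removed_on is None:
            findings.append({"user": user, "issue": "no_deregistration_record",
                             "detail": f"resigned {left_on}, account {status}"})
        elif removed_on > deadline:
            findings.append({"user": user, "issue": "late_deregistration",
                             "detail": f"{(removed_on - left_on).days} days after resignation"})
        if status == "active":
            findings.append({"user": user, "issue": "account_still_active",
                             "detail": f"resigned {left_on}"})
        last_use = max((d for d, u, _action, _host in events if u == user), default=None)
        if last_use is not None and last_use > deadline:
            findings.append({"user": user, "issue": "activity_after_resignation",
                             "detail": f"last check-out {last_use}"})
    return findings


if __name__ == "__main__":
    for f in review_leavers(LEAVERS, SCM_ACCOUNTS, DEREGISTERED, parse_log(CHECKOUT_LOG)):
        print(f"{f['user']:<8} {f['issue']:<28} {f['detail']}")
```

On the sample data "scott" produces three findings (no record, account active, check-out eight months after leaving) and "omar" one (removed 41 days late), while "maria" produces none. The IT Security Manager's explanation that Scott still comes in monthly does not clear any of these: the procedure ties removal to resignation approval, so continued access needs a fresh authorization under the new relationship, and that authorization is exactly what audit trails A, C, E and F go looking for.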
Question 136:
Scenario 2: Clinic, founded in the 1990s, is a medical device company that specializes in treatments for heart-related conditions and complex surgical interventions. Based in Europe, it serves both patients and healthcare professionals. Clinic collects patient data to tailor treatments, monitor outcomes, and improve device functionality. To enhance data security and build trust, Clinic is implementing an information security management system (ISMS) based on ISO/IEC 27001. This initiative demonstrates Clinic's commitment to securely managing sensitive patient information and proprietary technologies.
Clinic established the scope of its ISMS by solely considering internal issues, interfaces, dependencies between internal and outsourced activities, and the expectations of interested parties. This scope was carefully documented and made accessible. In defining its ISMS, Clinic chose to focus specifically on key processes within critical departments such as Research and Development, Patient Data Management, and Customer Support.
Despite initial challenges, Clinic remained committed to its ISMS implementation, tailoring security controls to its unique needs. The project team excluded certain Annex A controls from ISO/IEC 27001 while incorporating additional sector-specific controls to enhance security. The team evaluated the applicability of these controls against internal and external factors, culminating in the development of a comprehensive Statement of Applicability (SoA) detailing the rationale behind control selection and implementation.
As preparations for certification progressed, Brian, appointed as the team leader, adopted a self-directed risk assessment methodology to identify and evaluate the company's strategic issues and security practices. This proactive approach ensured that Clinic's risk assessment aligned with its objectives and mission.
Question:
Based on Scenario, Clinic initially defined its information security objectives and then conducted a risk assessment. Is this acceptable?
A. Yes, because objectives can be adjusted later to fit the risk assessment results
B. No, because the risk assessment should be conducted only once objectives are fully implemented
C. No, information security objectives must be established taking into account risk assessment results, as per ISO/IEC 27001 requirements
C. No, information security objectives must be established taking into account risk assessment results, as per ISO/IEC 27001 requirements
Correct answer: C. ISO/IEC 27001:2022 clause 6.2 (Information security objectives and planning to achieve them) requires the objectives to take into account the applicable information security requirements and the results of risk assessment and risk treatment. Establishing the objectives before the risk assessment inverts that sequence.
A. Incorrect: objectives can be revised later, but they must be established on the basis of the risk assessment in the first place; adjusting them afterwards does not make the initial sequence acceptable.
B. Incorrect: the objectives depend on the risk assessment results, not on their own full implementation; delaying the risk assessment until the objectives are implemented has no basis in the standard.
Question 137:
Scenario:
Techmanic is a Belgian company founded in 1995 and currently operating in Brussels. It provides IT consultancy, software design, and hardware/software services, including deployment and maintenance. The company serves sectors like public services, finance, telecom, energy, healthcare, and education. As a customer-centered company, it prioritizes strong client relationships and leading security practices.
Techmanic has been ISO/IEC 27001 certified for a year and regards this certification with pride. During the certification audit, the auditor found some inconsistencies in its ISMS implementation. Since the observed situations did not affect the capability of its ISMS to achieve the intended results, Techmanic was certified after the auditors followed up on the root cause analysis and corrective actions remotely. During that year, the company added hosting to its list of services and requested to expand its certification scope to include that area. The auditor in charge approved the request and notified Techmanic that the extension audit would be conducted during the surveillance audit.
Techmanic underwent a surveillance audit to verify its ISMS's continued effectiveness and compliance with ISO/IEC 27001. The surveillance audit aimed to ensure that Techmanic's security practices, including the recent addition of hosting services, aligned with the requirements of the certification.
The auditor used the findings from previous surveillance audit reports in the recertification activity with the purpose of replacing the need for additional recertification audits, specifically in the IT consultancy sector. Recognizing the value of continual improvement and learning from past assessments, Techmanic implemented a practice of reviewing previous surveillance audit reports. This proactive approach not only facilitated identifying and resolving potential nonconformities but also aimed to streamline the recertification process in the IT consultancy sector.
During the surveillance audit, several nonconformities were found. The ISMS continued to fulfill the requirements of ISO/IEC 27001, but Techmanic failed to resolve the nonconformities related to the hosting services, as reported by its internal auditor. In addition, the internal audit report had several inconsistencies, which called into question the independence of the internal auditor during the audit of hosting services. Based on this, the extension of certification was not granted. As a result, Techmanic requested a transfer to another certification body. In the meantime, the company released a statement to its clients stating that the ISO/IEC 27001 certification covers the IT services as well as the hosting services.
Based on the scenario above, answer the following question:
Question:
Which of the options below does an internal audit program NOT allow?
A. Verification of the effectiveness of corrective actions
B. The reduction of manual audit tasks
C. The prevention of nonconformities
C. The prevention of nonconformities
Correct answer: C. An internal audit detects nonconformities and verifies whether the ISMS conforms to the organization's own requirements and to ISO/IEC 27001; it does not itself prevent nonconformities from occurring. Prevention is the job of the controls, the corrective action process and management review, which act on what the audit reports.
A. Incorrect: verifying that corrective actions have been implemented and are effective is a normal purpose of an internal audit.
B. Incorrect: technology, such as automated evidence collection, can reduce manual tasks in internal audits.
Relevant standard references: ISO/IEC 27001:2022 clause 9.2 (Internal audit); ISO 19011:2018 clause 5 (Managing an audit programme).
Question 138:
Which of the following can be considered a minor nonconformity?
A. Employees lack training to recognize phishing attempts, increasing malware risks
B. Lack of multi-factor authentication leaves accounts vulnerable to unauthorized access
C. The information security policy lacks reference to continual ISMS improvement
C. The information security policy lacks reference to continual ISMS improvement
Correct answer: C. ISO/IEC 27001:2022 clause 5.2 requires the information security policy to include a commitment to continual improvement of the ISMS, so the omission is a nonconformity; but it is a documentation gap that creates no immediate security exposure and does not indicate a systemic failure of the ISMS, which makes it minor.
A. Incorrect: employees who cannot recognize phishing leave the organization directly exposed to malware and credential theft, a failure of the awareness control with immediate security consequences (major nonconformity).
B. Incorrect: operating without multi-factor authentication leaves accounts open to unauthorized access, a direct control failure with immediate security consequences (major nonconformity).
Question 139:
Scenario 2 (Clinic): the same scenario as given for the previous Clinic question above.
Question:
Based on Scenario 2, the Clinic decided that the ISMS would cover only key processes and departments. Is this acceptable?
A. Yes, but the decision to exclude other processes and departments must be justified
B. Yes, organizations may limit the scope of the ISMS, but they cannot request a certification audit if the ISMS scope does not include all processes and departments
C. No, Clinic must include all processes and departments in the scope, regardless of their importance or relevance to the ISMS
A. Yes, but the decision to exclude other processes and departments must be justified
Correct answer: A. ISO/IEC 27001:2022 clause 4.3 (Determining the scope of the information security management system) lets the organization define the boundaries and applicability of the ISMS, provided the scope is determined with regard to the internal and external issues, the requirements of interested parties, and the interfaces and dependencies between the organization's activities and those performed by other organizations. A scope limited to key processes is acceptable when the exclusions are justified on that basis and do not leave security-relevant interfaces uncovered.
B. Incorrect: an organization can be certified against a limited scope, as long as the scope is justified and available as documented information.
C. Incorrect: ISO/IEC 27001 does not mandate that all departments be included in the ISMS; Clinic's decision is acceptable only if the exclusions are justified.
Question 140:
Which one of the following conclusions in the audit report is not required by the certification body when deciding to grant certification?
A. The corrections taken by the organisation related to major nonconformities have been accepted.
B. The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.
C. The plans to address corrective actions related to minor nonconformities have been accepted.
D. The scope of certification has been fulfilled.
B. The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.
The conclusion not required is that the organisation fully complies with all legal and other requirements applicable to the ISMS. Certification against ISO/IEC 27001 does not attest to legal compliance. The certification body evaluates the conformity of the ISMS with the standard, which includes checking that the organisation identifies, documents and keeps up to date the legal, statutory, regulatory and contractual requirements relevant to information security (ISO/IEC 27001:2022 clause 4.2 and Annex A control 5.31) and has an approach to meeting them. Responsibility for actually complying with those requirements stays with the organisation, which provides evidence of compliance to the certification body if requested. By contrast, before deciding to grant certification the certification body does need the audit report to conclude that the scope of certification has been fulfilled, that the corrections and corrective actions for major nonconformities have been accepted and their implementation verified, and that the plans for addressing minor nonconformities have been accepted.
References: ISO/IEC 27001:2022, clause 4.2 and Annex A control 5.31; ISO/IEC 27006:2022, clause 9.2.2.4; PECB Candidate Handbook ISO 27001 Lead Auditor, page 29.