PECB ISO-27001-LA Online Practice Questions and Exam Preparation

ISO-27001-LA Exam Details
Exam Code: ISO-27001-LA
Exam Name: ISO/IEC 27001:2022 Lead Auditor
Certification: PECB Certifications
Vendor: PECB
Total Questions: 394 Q&As
Last Updated: May 31, 2026

PECB ISO-27001-LA Online Questions & Answers
Question 151:
You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee's knowledge of ISO/IEC 27001's risk management requirements. You ask her a series of questions to which the answer is either 'that is true' or 'that is false'. Which four of the following should she answer 'that is true'?
A. The results of risk assessments must be maintained
B. Risk identification is used to determine the severity of an information security risk
C. ISO/IEC 27001 provides an outline approach for the management of risk
D. The organisation must produce a risk treatment plan for every business risk identified
E. The organisation must operate a risk treatment process to eliminate its information security risks
F. The initial phase in an organisation's risk management process should be information security risk assessment
G. Risk assessments should be undertaken at monthly intervals
H. Risk assessments should be undertaken following significant changes
Correct Answer:
A. The results of risk assessments must be maintained
C. ISO/IEC 27001 provides an outline approach for the management of risk
D. The organisation must produce a risk treatment plan for every business risk identified
H. Risk assessments should be undertaken following significant changes
The following four statements are true according to ISO/IEC 27001's risk management requirements:
The results of risk assessments must be maintained. This is true because clause 8.2.3 of ISO/IEC 27001:2022 requires the organisation to retain documented information on the information security risk assessment process and its results.
ISO/IEC 27001 provides an outline approach for the management of risk. This is true because clause 6.1.2 of ISO/IEC 27001:2022 specifies the general steps of the information security risk management process: establishing the risk criteria, assessing the risks, treating the risks, and monitoring and reviewing the risks.
The organisation must produce a risk treatment plan for every business risk identified. This is true because clause 6.1.3 of ISO/IEC 27001:2022 requires the organisation to produce a risk treatment plan that defines the actions to be taken to address the unacceptable risks, the responsibilities, the expected dates, and the resources required.
Risk assessments should be undertaken following significant changes. This is true because clause 8.2.4 of ISO/IEC 27001:2022 requires the organisation to review and update the risk assessment at planned intervals or when significant changes occur.
The following four statements are false according to ISO/IEC 27001's risk management requirements:
Risk identification is used to determine the severity of an information security risk. This is false because risk identification is used to identify the assets, threats, vulnerabilities, and existing controls that are relevant to the information security risk management process. The severity of an information security risk is determined by the risk analysis, which evaluates the likelihood and impact of the risk scenarios.
The organisation must operate a risk treatment process to eliminate its information security risks. This is false because the organisation can choose from four options to treat its information security risks: avoid, transfer, mitigate, or accept. The organisation does not have to eliminate all its information security risks, only those that are unacceptable according to its risk criteria.
The initial phase in an organisation's risk management process should be information security risk assessment. This is false because the initial phase should be establishing the risk management framework, which includes defining the risk management policy, objectives, scope, roles, responsibilities, and criteria. The information security risk assessment is the second phase of the risk management process.
Risk assessments should be undertaken at monthly intervals. This is false because ISO/IEC 27001 prescribes no fixed frequency for conducting risk assessments. The organisation should determine the appropriate intervals for reviewing and updating the risk assessment based on its risk appetite, risk profile, and operational context.
References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training
2: ISO/IEC 27001 Lead Auditor Training Course by PECB
Question 152:
An organization has completed an ISO/IEC 27001:2022 internal audit and identified two minor nonconformities. The ISMS manager wants to close them by updating the risk assessment results only, without addressing root cause or evaluating effectiveness of actions. Which option below best describes this approach?
A. Acceptable, because updating risk assessment results is sufficient to demonstrate continual improvement
B. Unacceptable, because ISO/IEC 27001 requires only corrections, not corrective actions
C. Unacceptable, because ISO/IEC 27001 requires cause analysis and evaluation of corrective action effectiveness
D. Acceptable, because minor nonconformities do not require evaluation of effectiveness
Correct Answer:
C. Unacceptable, because ISO/IEC 27001 requires cause analysis and evaluation of corrective action effectiveness
C is correct. ISO/IEC 27001:2022 clause 10.1 requires the organization to react to nonconformities (including corrections), determine their causes, evaluate the need for action to prevent recurrence, implement the actions, and evaluate the effectiveness of the corrective actions taken. Updating risk assessment results alone satisfies neither the cause analysis nor the effectiveness evaluation.
A is incorrect because updating risk assessment results may be part of risk management, but it does not address corrective action requirements.
B is incorrect because corrective action activities are explicitly required by clause 10.1.
D is incorrect because the standard does not exempt minor nonconformities from the corrective action process; the depth may vary, but effectiveness evaluation remains required.
References: ISO/IEC 27001:2022 clause 10.1
Question 153:
Which two of the following statements are true?
A. The benefits of implementing an ISMS primarily result from a reduction in information security risks
B. The benefit of certifying an ISMS is to obtain contracts from governmental institutions
C. The purpose of an ISMS is to apply a risk management process for preserving information security
D. The purpose of an ISMS is to demonstrate compliance with regulatory requirements
Correct Answer:
A. The benefits of implementing an ISMS primarily result from a reduction in information security risks
C. The purpose of an ISMS is to apply a risk management process for preserving information security
The benefits of implementing an ISMS are not limited to a reduction in information security risks, but also include improved business performance, customer satisfaction, legal compliance, and stakeholder confidence. The benefit of certifying an ISMS is not only to obtain contracts from governmental institutions, but also to demonstrate the organisation's commitment to information security to other potential customers, partners, and regulators. The purpose of an ISMS is to apply a risk management process for preserving information security, which means identifying, analysing, evaluating, treating, monitoring, and reviewing the information security risks that the organisation faces. The purpose of an ISMS is not to demonstrate compliance with regulatory requirements, but rather to ensure that the organisation meets its own information security objectives and obligations.
References:
ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements [Section 0.1] and [Section 1]
Question 154:
Scenario:
Northstorm is an online retail shop offering unique vintage and modern accessories. It initially entered a small market but gradually grew thanks to the development of the overall e-commerce landscape. Northstorm works exclusively online and ensures efficient payment processing, inventory management, marketing tools, and shipment orders. It uses prioritized ordering to receive, restock, and ship its most popular products.
Northstorm has traditionally managed its IT operations by hosting its website and maintaining full control over its infrastructure, including hardware, software, and data administration. However, this approach hindered its growth due to the lack of responsive infrastructure. Seeking to enhance its e-commerce and payment systems, Northstorm opted to expand its in-house data centers, completing the expansion in two phases over three months. Initially, the company upgraded its core servers, point-of-sale, ordering, billing, database, and backup systems. The second phase involved improving mail, payment, and network functionalities. Additionally, during this phase, Northstorm adopted an international standard for personally identifiable information (PII) controllers and PII processors regarding PII processing to ensure its data handling practices were secure and compliant with global regulations.
Despite the expansion, Northstorm's upgraded data centers failed to meet its evolving business demands. This inadequacy led to several new challenges, including issues with order prioritization. Customers reported not receiving priority orders, and the company struggled with responsiveness. This was largely due to the main server's inability to process orders from YouDecide, an application designed to prioritize orders and simulate customer interactions. The application, reliant on advanced algorithms, was incompatible with the new operating system (OS) installed during the upgrade.
Faced with urgent compatibility issues, Northstorm quickly patched the application without proper validation, leading to the installation of a compromised version. This security lapse resulted in the main server being affected and the company's website going offline for a week. Recognizing the need for a more reliable solution, the company decided to outsource its website hosting to an e-commerce provider. The company signed a confidentiality agreement concerning product ownership and conducted a thorough review of user access rights to enhance security before transitioning.
Question:
Which of the following is a preventive control based on the scenario?
A. Using an application that prioritized orders based on its prior knowledge
B. Signing a confidentiality agreement
C. Expanding the capacity of the in-house data center
Correct Answer:
B. Signing a confidentiality agreement
A preventive control is a security measure implemented to prevent security incidents or risks from occurring. It proactively protects information systems and mitigates potential threats.
A. Using an application that prioritized orders based on its prior knowledge: This is an operational enhancement but not a security control. It improves efficiency but does not directly prevent security breaches or risks.
B. Signing a confidentiality agreement: This is a preventive control because it ensures that sensitive business information remains protected from unauthorized disclosure before transitioning to an outsourced service provider. It mitigates the risk of intellectual property theft or data misuse by legally binding the parties to confidentiality.
C. Expanding the capacity of the in-house data center: This is a corrective or operational control, as it addresses the issue of insufficient infrastructure but does not prevent security-related threats.
This aligns with ISO/IEC 27001:2022 Annex A Control A.5.6 (Contact with Special Interest Groups), which includes legal agreements and confidentiality measures to protect sensitive information.
Question 155:
DRAG DROP
In the context of a management system audit, please identify the sequence of a typical process of collecting and verifying information. The first one has been done for you.
Select and Place:
Explanation:
1. Identifying the source of information (already given)
2. Gathering audit evidence: This involves collecting information from various sources such as documents, records, interviews, and observations.
3. Sampling the available data: Due to the vast amount of information available, auditors typically use sampling techniques to select representative data for closer scrutiny.
4. Verifying objective evidence: This involves checking the accuracy, completeness, and reliability of the collected evidence.
5. Evaluating evidence against the audit criteria: Auditors compare the collected evidence to the established criteria (e.g., standards, policies, procedures) to assess compliance and effectiveness.
6. Recording audit findings: This involves documenting the results of the evaluation, including observations, conclusions, and recommendations.
7. Making audit conclusions: Based on the recorded findings, auditors formulate overall conclusions about the status of the management system.
Scenario:
Branding is a marketing company that works with some of the most famous companies in the US. To reduce internal costs, Branding has outsourced its software development and IT helpdesk operations to Techvology for over two years. Techvology, equipped with the necessary expertise, manages Branding's software, network, and hardware needs. Branding has implemented an information security management system (ISMS) and is certified against ISO/IEC 27001, demonstrating its commitment to maintaining high standards of information security. It actively conducts audits on Techvology to ensure that the security of its outsourced operations complies with ISO/IEC 27001 certification requirements.
During the last audit, Branding's audit team defined the processes to be audited and the audit schedule. They adopted an evidence-based approach, particularly in light of two information security incidents reported by Techvology in the past year. The focus was on evaluating how these incidents were addressed and ensuring compliance with the terms of the outsourcing agreement.
The audit began with a comprehensive review of Techvology's methods for monitoring the quality of outsourced operations, assessing whether the services provided met Branding's expectations and agreed-upon standards. The auditors also verified whether Techvology complied with the contractual requirements established between the two entities. This involved thoroughly examining the terms and conditions in the outsourcing agreement to guarantee that all aspects, including information security measures, are being adhered to.
Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to manage its outsourced operations and other organizations. This step is crucial for Branding to verify that proper controls and oversight mechanisms are in place to mitigate potential risks associated with the outsourcing arrangement.
The auditors conducted interviews with various levels of Techvology's personnel and analyzed the incident resolution records. In addition, Techvology provided the records that served as evidence that they conducted awareness sessions for the staff regarding incident management. Based on the information gathered, they predicted that both information security incidents were caused by incompetent personnel. Therefore, the auditors requested to see the personnel files of the employees involved in the incidents to review evidence of their competence, such as relevant experience, certificates, and records of attended trainings.
Branding's auditors performed a critical evaluation of the validity of the evidence obtained and remained alert for evidence that could contradict or question the reliability of the documented information received. During the audit at Techvology, the auditors upheld this approach by critically assessing the incident resolution records and conducting thorough interviews with employees at different levels and functions. They did not merely take the word of Techvology's representatives for facts; instead, they sought concrete evidence to support the representatives' claims about the incident management processes.
Based on the scenario above, answer the following question:
Question:
Were the auditors diligent in adhering to the auditing process for outsourced operations?
A. Yes, they demonstrated diligence and judgment in their auditing practices
B. No, the auditors did not request a sample of employment contracts until the end of the audit
C. No, the auditors did not interview any of Techvology's top management during the audit
Correct Answer:
A. Yes, they demonstrated diligence and judgment in their auditing practices
A. Correct:
ISO 19011:2018 (Guidelines for Auditing Management Systems) outlines diligent audit practices, including evidence-based assessment and professional skepticism.
The auditors critically reviewed records, interviewed staff, and validated incident response effectiveness.
They did not rely solely on verbal statements but sought concrete evidence, demonstrating due diligence and judgment.
B. Incorrect:
Employment contracts are not primary audit evidence for competence; training and certification records hold greater significance.
C. Incorrect:
The scenario does not mention that top management was excluded from interviews. However, their involvement is not mandatory for evaluating incident handling.
Relevant Standard Reference:
ISO 19011:2018 Clause 6.4 (Conducting Audit Activities)
Question 157:
Scenario:
Webvue, headquartered in Japan, is a technology company specializing in the development, support, and maintenance of computer software. Webvue provides solutions across various technology fields and business sectors. Its flagship service is CloudWebvue, a comprehensive cloud computing platform offering storage, networking, and virtual computing services. Designed for both businesses and individual users, CloudWebvue is known for its flexibility, scalability, and reliability.
Webvue has decided to include only CloudWebvue in its ISO/IEC 27001 certification scope. Thus, the stage 1 and stage 2 audits were performed simultaneously. Webvue takes pride in its strictness regarding asset confidentiality. They protect the information stored in CloudWebvue by using appropriate cryptographic controls. Every piece of information of any classification level, whether for internal use, restricted, or confidential, is first encrypted with a unique corresponding hash and then stored in the cloud.
The audit team comprised five persons: Keith, Sean, Layla, Sam, and Tina. Keith, the most experienced auditor on the IT and information security auditing team, was the audit team leader. His responsibilities included planning the audit and managing the audit team. Sean and Layla were experienced in project planning, business analysis, and IT systems (hardware and application). Their tasks included audit planning according to Webvue's internal systems and processes. Sam and Tina, on the other hand, who had recently completed their education, were responsible for completing the day-to-day tasks while developing their audit skills.
While verifying conformity to control 8.24 Use of cryptography of ISO/IEC 27001 Annex A through interviews with the relevant staff, the audit team found out that the cryptographic keys had initially been generated based on a random bit generator (RBG) and other best practices for the generation of cryptographic keys. After checking Webvue's cryptography policy, they concluded that the information obtained in the interviews was true. However, the cryptographic keys are still in use because the policy does not address the use and lifetime of cryptographic keys.
As later agreed upon between Webvue and the certification body, the audit team opted to conduct a virtual audit specifically focused on verifying conformity to control 8.11 Data masking of ISO/IEC 27001 within Webvue, aligning with the certification scope and audit objectives. They examined the processes involved in protecting data within CloudWebvue, focusing on how the company adhered to its policies and regulatory standards. As part of this process, Keith, the audit team leader, took screenshot copies of relevant documents and cryptographic key management procedures to document and analyze the effectiveness of Webvue's practices.
Webvue uses generated test data for testing purposes. However, as determined by both the interview with the manager of the QA Department and the procedures used by this department, sometimes live system data are used. In such scenarios, large amounts of data are generated while producing more accurate results. The test data is protected and controlled, as verified by the simulation of the encryption process performed by Webvue's personnel during the audit.
While interviewing the manager of the QA Department, Keith observed that employees in the Security Training Department were not following proper procedures, even though this department fell outside the audit scope. Despite the exclusion from the audit scope, the nonconformity in the Security Training Department has potential implications for the processes within the audit scope, specifically impacting data security and cryptographic practices in CloudWebvue. Therefore, Keith incorporated this finding into the audit report and accordingly informed the auditee.
Based on the scenario above, answer the following question:
Question:
Based on the scenario, the audit team checked Webvue's cryptography policy to obtain reasonable assurance of the information obtained during interviews. Which type of audit procedure has been used?
A. Observation
B. Corroboration
C. Evaluation
Correct Answer:
B. Corroboration
B. Correct:
Corroboration is the process of validating verbal statements with documented evidence.
ISO 19011:2018 emphasizes cross-verification of audit evidence to ensure accuracy.
A. Incorrect:
Observation involves witnessing real-time processes, but here the audit team compared interview data with documentation.
C. Incorrect:
Evaluation assesses compliance with criteria, but corroboration focuses on evidence validation.
Relevant Standard Reference:
ISO 19011:2018 Clause 6.4.7 (Corroboration of Audit Evidence)
Question 158:
Scenario: During stage 2, you discover that the organization has not performed management review at planned intervals, but has performed frequent informal leadership meetings without documented outputs. What is the most appropriate audit finding?
A. Conformity, because informal meetings satisfy leadership involvement
B. Opportunity for improvement, because management review is optional if leadership meets often
C. Nonconformity, because management review requires planned intervals and retained documented information
D. Observation, because this is a documentation-only issue without impact
Correct Answer:
C. Nonconformity, because management review requires planned intervals and retained documented information
C is correct. Clause 9.3 requires management reviews at planned intervals and requires retaining documented information as evidence of results. Informal meetings without evidence do not demonstrate fulfilment of the management review requirements.
A and B are incorrect because management review is mandatory, not optional, and requires evidence of outputs.
D is incorrect because lack of management review evidence is a requirement failure, not merely a documentation preference.
References: ISO/IEC 27001:2022 clause 9.3
Question 159:
During which stage of the audit do auditors identify key processes to be audited and prioritize based on materiality?
A. Initial contact
B. Stage 1 audit
C. Stage 2 audit
Correct Answer:
B. Stage 1 audit
B. Correct:
The Stage 1 audit (preliminary assessment) focuses on understanding the organization and its processes, identifying key areas for in-depth auditing in Stage 2.
Materiality-based prioritization occurs in Stage 1 to ensure the Stage 2 audit focuses on critical areas.
A. Incorrect:
Initial contact is only for scheduling and preliminary discussions.
C. Incorrect:
By Stage 2, the key areas should already be identified and the focus is on detailed auditing.
Relevant Standard Reference:
ISO/IEC 27006:2020 Clause 9.2.2 (Stage 1 Audit and Planning for Stage 2 Audit)
Question 160:
You are an ISMS audit team leader who has been assigned by your certification body to carry out a follow-up audit of a client. You are preparing your audit plan for this audit. Which two of the following statements are true?
A. Verification should focus on whether any action undertaken has been undertaken efficiently
B. Corrections should be verified first, followed by corrective actions and finally opportunities for improvement
C. Verification should focus on whether any action undertaken is complete
D. Opportunities for improvement should be verified first, followed by corrections and finally corrective actions
E. Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement
F. Verification should focus on whether any action undertaken has been undertaken effectively
Correct Answer:
C. Verification should focus on whether any action undertaken is complete
F. Verification should focus on whether any action undertaken has been undertaken effectively
According to ISO 27001:2022 clause 9.1.2, the organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the organisation's own requirements and the requirements of ISO 27001:2022, and is effectively implemented and maintained.
According to ISO 27001:2022 clause 10.1, the organisation shall react to nonconformities and take action, as applicable, to control and correct them and deal with the consequences. The organisation shall also evaluate the need for action to eliminate the causes of nonconformities, in order to prevent recurrence or occurrence. The organisation shall implement any action needed, review the effectiveness of any corrective action taken, and make changes to the information security management system if necessary.
A follow-up audit is a type of internal audit conducted after a previous audit to verify whether the nonconformities and corrective actions have been addressed and resolved, and whether the information security management system has been improved.
Therefore, the following statements are true for preparing a follow-up audit plan:
Verification should focus on whether any action undertaken is complete. This means that the auditor should check whether the organisation has implemented all the planned actions to correct and prevent the nonconformities, and whether the actions have been documented and communicated as required.
Verification should focus on whether any action undertaken has been undertaken effectively. This means that the auditor should check whether the organisation has achieved the intended results and objectives of the actions, and whether the actions have eliminated or reduced the nonconformities and their causes and consequences.
The following statements are false for preparing a follow-up audit plan:
Verification should focus on whether any action undertaken has been undertaken efficiently. This is false because efficiency is not a criterion for verifying the actions taken to address the nonconformities and corrective actions. Efficiency refers to the optimal use of resources to achieve the desired outcomes, but it is not a requirement of ISO 27001:2022. The auditor should focus on the effectiveness and completeness of the actions, not on their efficiency.
Corrections should be verified first, followed by corrective actions and finally opportunities for improvement. This is false because there is no prescribed order for verifying corrections, corrective actions, and opportunities for improvement. The auditor should verify all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to verify the actions based on their relevance, significance, or impact, but this is not a mandatory requirement.
Opportunities for improvement should be verified first, followed by corrections and finally corrective actions. This is false for the same reason: there is no prescribed order for verifying opportunities for improvement, corrections, and corrective actions.
Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement. This is false for the same reason: there is no prescribed order for reviewing corrective actions, corrections, and opportunities for improvement.
References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training
2: ISO/IEC 27001 Lead Auditor Training Course by PECB