PECB ISO-27001-LA Online Practice Questions and Exam Preparation
ISO-27001-LA Exam Details
Exam Code: ISO-27001-LA
Exam Name: ISO/IEC 27001:2022 Lead Auditor
Certification: PECB Certifications
Vendor: PECB
Total Questions: 394 Q&As
Last Updated: May 31, 2026
PECB ISO-27001-LA Online Questions & Answers
Question 171:
You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data.
ABC has received many complaints from residents and their family members.
The Service Manager says that the complaints were investigated as an information security incident which found that they were justified.
Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.
You write a nonconformity: "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members."
Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity.
A. ABC asks an ISMS consultant to test the ABC Healthcare mobile app for protection against cyber-crime.
B. ABC cancels the service agreement with WeCare.
C. ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA).
D. ABC discontinues the use of the ABC Healthcare mobile app.
E. ABC introduces background checks on information security performance for all suppliers.
F. ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.
G. ABC takes legal action against WeCare for breach of contract.
H. ABC trains all staff on the importance of maintaining information security protocols.
Answer:
B. ABC cancels the service agreement with WeCare.
E. ABC introduces background checks on information security performance for all suppliers.
F. ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.
The three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity are:
ABC cancels the service agreement with WeCare.
ABC introduces background checks on information security performance for all suppliers.
ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.
Cancelling the service agreement with WeCare is a possible correction and corrective action that ABC could take to address the nonconformity. A correction is the action taken to eliminate a detected nonconformity, while a corrective action is the action taken to eliminate the cause of a nonconformity and to prevent its recurrence. By cancelling the service agreement with WeCare, ABC could stop the unauthorized use of residents' personal data and protect their privacy and rights. This could also prevent further complaints and legal issues from the residents and their family members. However, this option may also have some drawbacks, such as the loss of a service provider, the need to find an alternative solution, and the potential impact on the residents' well-being.
Introducing background checks on information security performance for all suppliers is a possible corrective action that ABC could take to address the nonconformity. By doing so, ABC could ensure that it selects and works with reliable and trustworthy partners who respect the confidentiality, integrity, and availability of the information they handle. This could also help ABC to comply with information security control A.15.1.1 (Information security policy for supplier relationships), which requires the organisation to agree and document information security requirements for mitigating the risks associated with supplier access to the organisation's assets.
Periodically monitoring compliance with all applicable legislation and contractual requirements involving third parties is a possible corrective action that ABC could take to address the nonconformity. By doing so, ABC could verify that the suppliers are fulfilling their obligations and responsibilities regarding information security. This could also help ABC to comply with information security control A.18.1.1 (Identification of applicable legislation and contractual requirements), which requires the organisation to identify, document, and keep up to date the relevant legislative, regulatory, contractual, and other requirements to which the organisation is subject.
Question 172:
According to ISO/IEC 27001, Clause 5.1 (Leadership and Commitment), which of the following is NOT a responsibility of top management?
A. Ensuring the availability of resources for the ISMS and promoting continual improvement
B. Conducting regular internal audits to assess the effectiveness of the ISMS
C. Directing and supporting persons to contribute to the effectiveness of the ISMS
Answer:
B. Conducting regular internal audits to assess the effectiveness of the ISMS
ISO/IEC 27001 Clause 5.1 (Leadership and Commitment) defines top management's role in ensuring the effectiveness of the Information Security Management System (ISMS). It requires top management to:
Ensure the availability of resources for the ISMS (correct responsibility).
Promote continual improvement of the ISMS (correct responsibility).
Direct and support employees to contribute to ISMS effectiveness (correct responsibility).
B. Conducting regular internal audits (incorrect responsibility):
Internal audits are not a direct responsibility of top management. Instead, Clause 9.2 (Internal Audit) requires audits to be conducted independently of management.
Top management is responsible for ensuring audits are conducted but does not need to conduct them personally.
Thus, top management is responsible for oversight and support but not for conducting internal audits themselves.
Relevant Standard Reference:
ISO/IEC 27001:2022 Clause 5.1 (Leadership and Commitment)
ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)
Question 173:
Scenario 8: EsBank has provided banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.
Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.
Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001. The certification audit included all of EsBank's systems, processes, and technologies.
The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank's labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).
Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.
The audit team drafted the nonconformity report and discussed the audit conclusions with EsBank's representatives, who agreed to submit an action plan for the detected nonconformities within two months.
EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.
Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.
Based on the scenario above, answer the following question:
Which action illustrated in scenario 8 is unacceptable in an external audit?
A. The audit team leader suggested a specific solution for resolving the nonconformities
B. Stage 1 and stage 2 audits were performed at the same time
C. The lack of an information labeling procedure was marked as a minor nonconformity
Answer:
A. The audit team leader suggested a specific solution for resolving the nonconformities
The audit team leader suggesting a specific solution for resolving the nonconformities is unacceptable in an external audit. This could compromise the impartiality of the audit process by appearing to assist the auditee with corrective actions, which should originate independently from the auditee to ensure the integrity and effectiveness of the ISMS.
Question 174:
The CEO sends a mail giving his views on the status of the company, the company's future strategy, the CEO's vision, and the employees' part in it. The mail should be classified as
A. Internal Mail
B. Public Mail
C. Confidential Mail
D. Restricted Mail
Answer:
A. Internal Mail
The mail sent by the CEO giving his views on the status of the company, the company's future strategy, the CEO's vision, and the employees' part in it should be classified as internal mail. Internal mail is a classification indicating that the information is intended for internal use only and should not be disclosed to external parties without authorization. The mail sent by the CEO contains information that is relevant and important for the employees of the company, but may not be suitable for public disclosure, as it may contain sensitive or confidential information about the company's performance, goals, or plans.
References:
CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 34.
CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 37.
[ISO/IEC 27001 LEAD AUDITOR - PECB], page 14.
Question 175:
DRAG DROP
An organisation is seeking initial certification of its management system. Please identify the sequence of the activities to be undertaken by the organisation.
To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank section.
Explanation:
The correct sequence of activities is:
Establish the management system
Plan the audit programme
Conduct internal audits
Hold a Management Review
Engage a Certification Body for stage 1 and stage 2 audits
Complete any corrective actions
According to the PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, the steps for achieving certification are as follows:
Establish the management system: This involves defining the scope, objectives, policies, procedures, and controls of the ISMS, as well as ensuring the availability of resources and top management commitment.
Plan the audit programme: This involves defining the audit objectives, criteria, scope, frequency, methods, and responsibilities for conducting internal audits of the ISMS.
Conduct internal audits: This involves verifying the conformity and effectiveness of the ISMS, as well as identifying any nonconformities or opportunities for improvement.
Hold a Management Review: This involves reviewing the performance and suitability of the ISMS, as well as deciding on any changes or actions needed to improve it.
Engage a Certification Body for stage 1 and stage 2 audits: This involves selecting a reputable and accredited certification body to conduct an external audit of the ISMS, consisting of two stages: a documentation review and an on-site assessment.
Complete any corrective actions: This involves addressing any nonconformities or findings identified by the certification body, and providing evidence of their implementation and effectiveness.
Question 176:
You are an experienced audit team leader guiding an auditor in training. Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that you would expect the auditor in training to review.
A. The development and maintenance of an information asset inventory
B. Rules for transferring information within the organisation and to other organisations
C. Confidentiality and nondisclosure agreements
D. How protection against malware is implemented
E. Access to and from the loading bay
F. The conducting of verification checks on personnel
G. Remote working arrangements
H. How information security has been addressed within supplier agreements
I. How the organisation evaluates its exposure to technical vulnerabilities
J. The organisation's business continuity arrangements
K. The organisation's arrangements for information deletion
L. Information security awareness, education and training
M. How access to source code and development tools are managed
N. The operation of the site CCTV and door control systems
O. The organisation's arrangements for maintaining equipment
P. How power and data cables enter the building
Answer:
D. How protection against malware is implemented
I. How the organisation evaluates its exposure to technical vulnerabilities
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), an organization should select and implement appropriate controls to achieve its information security objectives. The controls should be derived from the results of risk assessment and risk treatment, and should be consistent with the Statement of Applicability (SoA), which is a document that identifies the controls that are applicable and necessary for the ISMS. The controls can be selected from various sources, such as ISO/IEC 27002:2013, which provides a code of practice for information security controls. Therefore, if an auditor in training has been tasked with reviewing the technological controls listed in the SoA and implemented at the site of an organization that stores data on behalf of external clients, the four controls the auditor would be expected to review are:
How protection against malware is implemented: This is a technological control that aims to prevent, detect and remove malicious software (such as viruses, worms, ransomware, etc.) that could compromise the confidentiality, integrity or availability of information or information systems. This control is related to control A.12.2.1 of ISO/IEC 27002:2013.
How the organisation evaluates its exposure to technical vulnerabilities: This is a technological control that aims to identify and assess the potential weaknesses or flaws in information systems or networks that could be exploited by malicious actors or cause accidental failures. This control is related to control A.12.6.1 of ISO/IEC 27002:2013.
How access to source code and development tools are managed: This is a technological control that aims to protect the intellectual property rights and integrity of software applications or systems that are developed or maintained by the organization or its external providers. This control is related to control A.14.2.5 of ISO/IEC 27002:2013.
The operation of the site CCTV and door control systems: This is a technological control that aims to monitor and restrict physical access to the premises or facilities where information or information systems are stored or processed. This control is related to control A.11.1.4 of ISO/IEC 27002:2013.
The other options are not examples of technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training's task. For example: the development and maintenance of an information asset inventory (related to control A.8.1.1), rules for transferring information within the organization and to other organizations (related to control A.13.2.1), confidentiality and nondisclosure agreements (related to control A.13.2.4), verification checks on personnel (related to control A.7.1.2), remote working arrangements (related to control A.6.2.1), information security within supplier agreements (related to control A.15.1.1), business continuity arrangements (related to control A.17), information deletion (related to control A.8.3), information security awareness, education and training (related to control A.7.2), equipment maintenance (related to control A.11.2), and how power and data cables enter the building (related to control A.11).
References:
ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements
ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls
Question 177:
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses on the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?
A. 5.11 Return of assets
B. 8.12 Data leakage protection
C. 5.3 Segregation of duties
D. 6.3 Information security awareness, education, and training
E. 7.10 Storage media
F. 8.3 Information access restriction
G. 5.6 Contact with special interest groups
H. 6.4 Disciplinary process
I. 7.4 Physical security monitoring
J. 5.13 Labelling of information
K. 5.32 Intellectual property rights
Answer:
B. 8.12 Data leakage protection
D. 6.3 Information security awareness, education, and training
E. 7.10 Storage media
F. 8.3 Information access restriction
I. 7.4 Physical security monitoring
J. 5.13 Labelling of information
K. 5.32 Intellectual property rights
B. 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers.
D. 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms.
E. 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks. Storage media controls could include physical locks, encryption, backup, disposal, or destruction.
F. 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets.
I. 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts.
J. 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes. Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse.
References:
ISO/IEC 27002:2022 Information technology - Security techniques - Code of practice for information security controls
ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements
ISO/IEC 27003:2022 Information technology - Security techniques - Information security management systems - Guidance
ISO/IEC 27004:2022 Information technology - Security techniques - Information security management systems - Monitoring, measurement, analysis and evaluation
ISO/IEC 27005:2022 Information technology - Security techniques - Information security risk management
ISO/IEC 27006:2022 Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27007:2022 Information technology - Security techniques - Guidelines for information security management systems auditing
Question 178:
Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers its decision-making and operating process on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be used to assist in improving customer service.
This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.
After the successful integration of the chatbot, the company immediately released it to their customers for use.
The chatbot, however, appeared to have some issues.
Due to insufficient testing and the lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the query patterns, the chatbot failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries, and the traditional customer support was overwhelmed with chat queries and thus was unable to help customers with their requests.
Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo black box testing prior to its implementation on operational systems.
Based on this scenario, answer the following question:
Based on scenario 1, the chatbot was unable to properly answer customer queries. Which principle of information security has been affected in this case?
A. Availability
B. Integrity
C. Confidentiality
Answer:
B. Integrity
The integrity principle of information security has been affected in this case. The chatbot's inability to provide accurate answers and its unintended behavior (sending random files) due to insufficient testing and lack of proper training samples compromised the integrity of the system.
Question 179:
You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.
The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned that the organisation outsourced the mobile app development to a professional software development organisation certified to CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001).
The IT Manager presents the software security management procedure and summarises the process as follows:
The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:
Access control.
Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key length: 256 bits.
Personal data pseudonymization.
Vulnerability checks performed and no security backdoor.
You sample the latest Mobile App Test report - Reference ID: 0098, details as follows:
You would like to investigate other areas further to collect more audit evidence. Select three options that will not be in your audit trail.
A. Collect more evidence on how much residents' family members pay to install ABC's healthcare mobile app. (Relevant to clause 4.2)
B. Collect more evidence by downloading and testing the mobile app on your phone. (Relevant to control 8.1)
C. Collect more evidence to determine the number of users of ABC's healthcare mobile app. (Relevant to clause 4.2)
D. Collect more evidence on how the organisation performs testing of personal data handling. (Relevant to control A.5.34)
E. Collect more evidence on the organisation's business continuity policy. (Relevant to control A.5.30)
F. Collect more evidence on how the organisation manages information security in the selection of an external service provider. (Relevant to control A.5.19)
G. Collect more evidence on how the developer trains its product support personnel. (Relevant to clause 7.2)
H. Collect more evidence to verify the developer's CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certification. (Relevant to control A.5.21)
Answer:
A. Collect more evidence on how much residents' family members pay to install ABC's healthcare mobile app. (Relevant to clause 4.2)
C. Collect more evidence to determine the number of users of ABC's healthcare mobile app. (Relevant to clause 4.2)
H. Collect more evidence to verify the developer's CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certification. (Relevant to control A.5.21)
The three options that will not be in your audit trail are A, C, and H. These options are either not relevant to the information security of ABC's healthcare mobile app development, support, and lifecycle process, or not within the scope of your audit. The amount of money that residents' family members pay to install the app (A) and the number of users of the app (C) are not related to the information security aspects or objectives of the ISMS1. The verification of the developer's certifications (H) is not your responsibility as an ISMS auditor, as you should rely on the competence and impartiality of the certification bodies that issued them2. The other options are relevant and within the scope of your audit, as they relate to the security functions, testing, policies, and procedures of the mobile app development, support, and lifecycle process.
References:
1: ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, Clause 4.2
2: ISO/IEC 27006:2022, Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems, Clause 4.1
3: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 5: Conducting an ISO/IEC 27001 audit
Question 180:
DRAG DROP
Select the words that best complete the sentence:
"The purpose of maintaining regulatory compliance in a management system is to ________."
To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.
Explanation:
According to ISO 27001:2013, clause 5.2, the top management of an organization must establish, implement and maintain an information security policy that is appropriate to the purpose of the organization and provides a framework for setting information security objectives. The information security policy must also include a commitment to comply with the applicable legal, regulatory and contractual requirements, as well as any other requirements that the organization subscribes to. Therefore, maintaining regulatory compliance is part of fulfilling the management system policy and ensuring its effectiveness and suitability.
References:
ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, clause 5.2
PECB Candidate Handbook ISO 27001 Lead Auditor, page 10
ISO 27001 Policy: How to write it according to ISO 27001