PECB ISO-27001-LA Online Practice Questions and Exam Preparation

PECB ISO-27001-LA Online Questions & Answers

• Question 221:

  DRAG DROP

  You are an experienced ISMS audit team leader, assisting an auditor in training to write their first audit report.

  You want to check the auditor in training's understanding of terminology relating to the contents of an audit report and chose to do this by presenting the following examples.

  For each example, you ask the auditor in training what the correct term is that describes the activity

  Match the activity to the description.

  Select and Place:

  

  

  Explanation:

  1. An auditor using a copy of ISO/IEC 27001:2022 to check that its requirements are met:

  Termed: Reviewing audit criteria.

  Justification: The auditor is comparing the auditee's information security management system (ISMS) against the established criteria outlined in the ISO/IEC 27001:2022 standard. This activity falls under the use of audit criteria to determine conformity or nonconformity.

  2. An auditor's note that the auditee is not adhering to its clear desk policy:

  Termed: Identifying an audit finding.

  Justification: The auditor has observed a deviation from the auditee's established policy on clear desks. This observation is documented as a potential nonconformity, which requires further investigation and evaluation.

  3. An auditor making a decision regarding the auditee's conformity or otherwise to criteria:

  Termed: Determining an audit conclusion.

  Justification: Based on the collected audit evidence and evaluation against the established criteria, the auditor forms an opinion about the overall compliance of the auditee's ISMS. This opinion is the audit conclusion and is a key element of the audit report.

  4. An auditor examining verifiable records relevant to the audit process:

  Termed: Collecting audit evidence.

  Justification: The auditor is gathering objective and verifiable information to support their findings and conclusions. This information comes from various sources, including documents, records, interviews, and observations.

• Question 222:

  A property of Information that has the ability to prove occurrence of a claimed event.

  A. Electronic chain letters
  B. Integrity
  C. Availability
  D. Accessibility
  B. Integrity

  ---

  A property of information that has the ability to prove occurrence of a claimed event is integrity. Integrity is one of the three main objectives of information security, along with confidentiality and availability. Integrity ensures that information and systems are not corrupted, modified, or deleted by unauthorized actions or events. Integrity also implies that information and systems can be verified and validated as authentic and accurate. Electronic chain letters are not a property of information, but a type of spam or hoax message that may contain malicious or misleading content. Availability means that service should be accessible at the required time and usable only by the authorized entity. Accessibility is not a property of information, but a characteristic of usability that refers to how easy it is for users to access and interact with information and systems.

  References: CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24. : [ISO/IEC 27001 Brochures | PECB], page 4. : [ISO/IEC 27001 LEAD AUDITOR

  -PECB], page 13.

• Question 223:

  You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.

  You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".

  You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.

  

  You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.

  A. Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)
  B. Collect more evidence on what the service requirements of healthcare monitoring are. (Relevant to clause 4.2)
  C. Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26)
  D. Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27)
  E. Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26)
  F. Collect more evidence by interviewing more staff about their understanding of the reporting process.(Relevant to control A.6.8)
  G. Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)
  B. Collect more evidence on what the service requirements of healthcare monitoring are. (Relevant to clause 4.2)
  G. Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

  ---

  According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.2 requires an organization to determine the needs and expectations of interested parties that are relevant to its ISMS. This includes identifying the legal, regulatory, contractual and other requirements that apply to its information security activities. Therefore, collecting more evidence on what the service requirements of healthcare monitoring are may not be relevant to verifying the information security incident management process, as it is not directly related to the audit objective or criteria. This option will not be in the audit trail.

• Question 224:

  You are an experienced audit team leader guiding an auditor in training.

  Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the Statement of Applicability (SoA) and mplemented at the site.

  Select four controls from the following that would you expect the auditor in training to review.

  A. Confidentiality and nondisclosure agreements
  B. How protection against malware is implemented
  C. Information security awareness, education and training
  D. Remote working arrangements
  E. The conducting of verification checks on personnel
  F. The operation of the site CCTV and door control systems
  G. The organisation's arrangements for information deletion
  H. The organisation's business continuity arrangements
  A. Confidentiality and nondisclosure agreements
  C. Information security awareness, education and training
  D. Remote working arrangements
  E. The conducting of verification checks on personnel

  ---

  The PEOPLE controls are related to the human aspects of information security, such as roles and responsibilities, awareness and training, screening and contracts, and remote working. The auditor in training should review the following controls:

  Confidentiality and nondisclosure agreements (A): These are contractual obligations that bind the employees and contractors of the organisation to protect the confidentiality of the information they handle, especially the data of external clients. The auditor should check if these agreements are signed, updated, and enforced by the organisation. This control is related to clause A.7.2.1 of ISO/IEC 27001:2022.

  Information security awareness, education and training. These are activities that aim to enhance the knowledge, skills, and behaviour of the employees and contractors regarding information security. The auditor should check if these activities are planned, implemented, evaluated, and improved by the organisation. This control is related to clause A.7.2.2 of ISO/IEC 27001:2022.

  Remote working arrangements (D): These are policies and procedures that govern the information security aspects of working from locations other than the organisation's premises, such as home or public places. The auditor should check if these arrangements are defined, approved, and monitored by the organisation. This control is related to clause A.6.2.1 of ISO/IEC 27001:2022.

  The conducting of verification checks on personnel (E): These are background checks that verify the identity, qualifications, and suitability of the employees and contractors who have access to sensitive information or systems. The auditor should check if these checks are conducted, documented, and reviewed by the organisation. This control is related to clause A.7.1.1 of ISO/IEC 27001:2022.

  References: ISO/IEC 27001:2022, Information technology -- Security techniques -- Information security management systems -- Requirements PECB Candidate Handbook ISO/IEC 27001 Lead Auditor, 1 ISO 27001:2022 Lead Auditor - IECB, 2 ISO 27001:2022 certified ISMS lead auditor - Jisc, 3 ISO/IEC 27001:2022 Lead Auditor Transition Training Course, 4 ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy, 5

• Question 225:

  Three auditors were assigned to conduct a certification audit in Company X . Before the audit commenced, the certification body provided the auditors' names and background information to Company X. Company X requested the replacement of one of the auditors because they are a former employee. Is this acceptable?

  A. A situation of conflict of interest is a valid reason to request the replacement of the auditor
  B. No, the auditee can request the replacement of the auditor only if a valid reason is presented such as unprofessional conduct or situations with real conflict of interest
  C. No, the auditee cannot request the replacement of auditors
  B. No, the auditee can request the replacement of the auditor only if a valid reason is presented such as unprofessional conduct or situations with real conflict of interest

  ---

  B.

  Correct Answer:

  ISO/IEC 17021-1 (Conformity assessment?Requirements for bodies providing audit and certification of management systems) states that the auditee may request a replacement of an auditor only for valid reasons .

  A former employee of the company serving as an auditor presents a potential conflict of interest (real or perceived).

  Therefore, Company X's request is valid .

  A. Incorrect:

  While a conflict of interest is a valid reason , the replacement must be based on an objective, justified claim , and not just personal preference.

  C. Incorrect:

  Auditees can request an auditor's replacement, but only under justified circumstances .

  Relevant Standard Reference:

  ISO/IEC 17021-1:2015 Clause 9.1.3 (Impartiality and Objectivity of Auditors)

• Question 226:

  Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

  Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

  During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

  Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

  The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

  Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

  Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

  During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

  Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

  Based on the scenario above, answer the following question:

  Lawsy lacks a procedure regarding the use of laptops outside the workplace and it relies on employees' common knowledge to protect the confidentiality of information stored in the laptops. This presents:

  A. An anomaly
  B. A nonconformity
  C. A conformity
  B. A nonconformity

  ---

  Lawsy's lack of specific procedures for the use of laptops outside the workplace, despite allowing such use, represents a nonconformity. ISO/IEC 27001 requires that security controls and management processes be clearly defined, documented, and implemented. Relying solely on employees' common knowledge does not fulfill the standard's requirements for managing information security risks associated with mobile and teleworking.

  References: ISO/IEC 27001:2013, Clause A.6.2 (Mobile device and teleworking management)

• Question 227:

  You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security of the business continuity management process. During the audit, you learned that the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the recent pandemic. You ask Service Manager to explain how the organisation manages information security during the business continuity

  management process.

  The Service Manager presents the nursing service continuity plan for a pandemic and summarises the process as follows:

  Stop the admission of any NEW residents.

  70% of administration staff and 30% of medical staff will work from home.

  Regular staff self-testing including submitting a negative test report 1 day BEFORE they come to the office.

  Install ABC's healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking on the spot.

  You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents' personal data when staff work from home. The Service Manager cannot answer and suggests the n" Security Manager should help with that. You would like to further investigate other areas to collect more audit evidence Select three options that will be in your audit trail.

  A. Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)
  B. Collect more evidence by interviewing more staff about their feeling about working from home.(Relevant to clause 4.2)
  C. Collect more evidence on what resources the organisation provides to support the staff working from home. (Relevant to clause 7.1)
  D. Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6)
  E. Collect more evidence on how and when the Business Continuity Wan has been tested. (Relevant to control A.5.29)
  F. Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2)
  A. Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)
  E. Collect more evidence on how and when the Business Continuity Wan has been tested. (Relevant to control A.5.29)
  F. Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2)

  ---

  According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.5.29 requires an organization to establish and maintain a business continuity management process to ensure the continued availability of information and information systems at the required level following disruptive incidents1. The organization should identify and prioritize critical information assets and

  processes, assess the risks and impacts of disruptive incidents, develop and implement business continuity plans (BCPs), test and review the BCPs, and ensure that relevant parties are aware of their roles and responsibilities1. Therefore, when verifying the information security of the business continuity management process, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

  Three options that will be in the audit trail for verifying control A.5.29 are:

  Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to protect the confidentiality, integrity and availability of information and information systems when staff work from home using mobile devices, such as laptops, tablets or smartphones. This is related to control A.6.7, which requires an

  organization to establish a policy and procedures for teleworking and use of mobile devices.

  Collect more evidence on how and when the Business Continuity Plan has been tested (Relevant to control A.5.29): This option is relevant because it can provide evidence of how the organization has tested and reviewed the BCPs to ensure their effectiveness and suitability for different scenarios, such as a pandemic. This is related to control A.5.29, which requires an organization to test and review the BCPs at planned intervals or when significant changes occur.

  Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to prevent or reduce the risk of infection or transmission of diseases among staff or residents, such as requiring regular staff self-testing and using a health status app. This is related to control A.7.2, which requires an organization to ensure

  that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect.

  The other options are not relevant to verifying control A.5.29, as they are not related to the control or its requirements. For example:

  Collect more evidence by interviewing more staff about their feeling about working from home (Relevant to clause 4.2): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 4.2, which requires an organization to understand the needs and expectations of interested

  parties, but not specifically to control A.5.29.

  Collect more evidence on what resources the organisation provides to support the staff working from home (Relevant to clause 7.1): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 7.1, which requires an organization to determine and provide the resources

  needed for its ISMS, but not specifically to control A.5.29.

  Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home (Relevant to clause 6): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 6, which requires

  an organization to plan actions to address risks and opportunities for its ISMS, but not specifically to control A.5.29.

  References: ISO/IEC 27001:2022 - Information technology ?Security techniques ?Information security management systems ?Requirements

• Question 228:

  Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

  Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

  Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank's systems, processes, and technologies.

  The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank's labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

  Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

  They drafted the nonconformity report and discussed the audit conclusions with EsBank's representatives, who agreed to submit an action plan for the detected nonconformities within two months.

  EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

  Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

  Based on the scenario above, answer the following question:

  Which option justifies the unfavorable recommendation for certification? Refer to scenario 8.

  A. The major nonconformity related to storing sensitive information in removable media
  B. The minor nonconformity related to the lack of information labeling procedure
  C. The unrealistic date of the submitted action plan (two weeks)
  A. The major nonconformity related to storing sensitive information in removable media

  ---

  The major nonconformity related to storing sensitive information in removable media justifies the unfavorable recommendation for certification. This issue directly contradicts the information classification scheme's stipulations, indicating a significant oversight in enforcing the ISMS policies.

• Question 229:

  Finnco, a subsidiary of a certification body, provided ISMS consultancy services to an organization. Considering this scenario, when can the certification body certify the organization?

  A. There is no time constraint in such a situation
  B. At no time, since it presents a conflict of interest
  C. If a minimum period of two years has passed since the last consulting activities
  B. At no time, since it presents a conflict of interest

  ---

  A certification body cannot certify an organization if it has provided consultancy services to that organization. This situation presents a conflict of interest, as the certification body is required to maintain impartiality and objectivity. The ISO/IEC 17021-1 standard, which sets out requirements for bodies providing audit and certification of management systems, specifies that providing both services to the same client is incompatible.

  References: ISO/IEC 17021-1:2015 Conformity assessment -- Requirements for bodies providing audit and certification of management systems

• Question 230:

  Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company needed a

  large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be used to assist in improving customer service.

  This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

  After the successful integration of the chatbot, the company immediately released it to their customers for use.

  The chatbot, however, appeared to have some issues.

  Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with chat queries and

  thus was unable to help customers with their requests.

  Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a black box testing prior to its implementation on operational systems.

  Based on this scenario, answer the following question:

  The chatbot was supposed "to learn" the queries pattern to address user queries and provide the right answers.

  What type of technology enables this?

  A. Artificial intelligence
  B. Cloud computing
  C. Machine learning
  C. Machine learning

  ---

  Machine learning is a subset of artificial intelligence that involves the use of algorithms and statistical models to enable systems to improve their performance on a specific task over time with experience or data, without being explicitly programmed. In the context of the scenario, machine learning would be the technology that allows the chatbot to learn from patterns in queries to provide the right answers.