PECB ISO-27001-LA Online Practice Questions and Exam Preparation

PECB ISO-27001-LA Online Questions & Answers

• Question 231:

  Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore,

  SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

  Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software

  development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

  Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

  During the audit, among others, the following situations were observed:

  1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of

  SendPay had identified two other software development companies that could provide services immediately if similar situations happen again. 2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur. 3.There was

  no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

  Based on this scenario, answer the following question:

  SendPay's representatives stated that the company did not have a plan to follow in case of a contract termination with the company that they outsource activities to. Instead, the top management had identified two other software development companies that could provide the same services. How do you describe this situation?

  A. Unacceptable, SendPay evidence and criteria for identifying alternative software development companies is insufficient
  B. Acceptable, SendPay can decide whether to develop a plan for similar contract terminations or not, hence there is no need for additional evidence
  C. Unacceptable, SendPay must always have a recovery plan in place that states what steps should the company follow
  C. Unacceptable, SendPay must always have a recovery plan in place that states what steps should the company follow

  ---

  ISO/IEC 27001 emphasizes the need for organizations to have a comprehensive incident management and recovery plan for various situations, including the termination of contracts with key service providers. In the case of SendPay, having a specific, documented recovery plan that outlines steps and protocols in case of sudden termination is necessary to ensure business continuity and compliance with the standard.

  References: ISO/IEC 27001:2013 Standard, Clauses 6.1.3, A.16 (Information security incident management)

• Question 232:

  When preparing for an audit, which of the following statements is false?

  A. Each auditor creates their own audit checklist for use during the audit
  B. The audit checklists are shared and agreed with the auditee in advance of the audit
  C. The audit plan is shared with the auditee in advance of the audit
  D. The audit plan may be changed during the audit
  B. The audit checklists are shared and agreed with the auditee in advance of the audit

  ---

• Question 233:

  What is the main difference between qualitative and quantitative evidence?

  A. Qualitative evidence originates from the analysis of a sample related to determining the audit criteria, while quantitative evidence originates from the analysis of unquantifiable information
  B. Qualitative evidence focuses on evaluating if a process or control complies with the audit criteria, while quantitative evidence aims to determine if a process in operation is functional and effective
  C. Qualitative evidence is used to make estimations about the whole population, while quantitative evidence focuses on evaluating if a process complies with standard requirements
  B. Qualitative evidence focuses on evaluating if a process or control complies with the audit criteria, while quantitative evidence aims to determine if a process in operation is functional and effective

  ---

  B.

  Correct Answer:

  Qualitative evidence assesses whether processes comply with audit criteria based on descriptive, observational, and interview-based data .

  Quantitative evidence uses numerical data (e.g., metrics, statistics, or performance indicators) to assess if a process is functional and effective .

  A. Incorrect:

  Qualitative evidence is not limited to sampling and quantitative evidence is based on measurable data .

  C. Incorrect:

  Qualitative evidence does not estimate populations; it is subjective and descriptive .

  Relevant Standard Reference:

  ISO 19011:2018 Clause 6.4.7 (Types of Audit Evidence: Qualitative vs. Quantitative)

• Question 234:

  After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.

  Considering this information, what action would you expect the audit team leader to take?

  A. Increase the length of the Stage 2 audit to include the extra sites
  B. Obtain information about the additional sites to inform the certification body
  C. Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform
  D. Inform the auditee that the request can be accepted but a full Stage 1 audit must be repeated
  B. Obtain information about the additional sites to inform the certification body

  ---

  According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, a certification body should establish criteria for determining audit time and audit team composition based on factors such as the scope of certification, size and complexity of the organization, risks associated with its activities, etc2. Therefore, if an auditee requests to extend the audit scope to include two additional sites after completing Stage 1 of an initial certification audit, the audit team leader should obtain information about the additional sites to inform the certification body, so that they can review and approve the change in scope and adjust the audit time and audit team accordingly2. The other options are not appropriate actions for the audit team leader to take in this situation. For example, increasing the length of the Stage 2 audit to include the extra sites without informing the certification body may violate their procedures and policies; arranging to complete a remote Stage 1 audit of the two sites using a video conferencing platform may not be feasible or effective depending on the nature and location of the sites; and informing the auditee that the request can be accepted but a full Stage 1 audit must be repeated may not be necessary or reasonable if there are no significant changes in the auditee's ISMS since Stage 12.

  References: ISO/IEC 17021-1:2015 - Conformity assessment ? Requirements for bodies providing audit and certification of management systems ?Part 1: Requirements

• Question 235:

  Which of the options below presents a minor nonconformity?

  A. The risk assessment methodology prevents evaluation of information security risks
  B. The contract of the company with its supplier does not have the appropriate document version control
  C. The backup of data is performed once a month, while the company's procedure requires daily backups
  C. The backup of data is performed once a month, while the company's procedure requires daily backups

  ---

  This is a minor nonconformity. The backup frequency not adhering to the company's procedure of daily backups but occurring once a month represents a deviation from established processes, yet it might not immediately impact the effectiveness of the information security management system.

  References: ISO/IEC 27001:2013, Clause A.12.3 (Backup)

• Question 236:

  You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

  They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

  Which three of the following options represent valid audit trails?

  A. I will review the organisation's threat intelligence process and will ensure that this is fully documented
  B. I will speak to top management to make sure all staff are aware of the importance of reporting threats
  C. I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team
  D. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
  E. I will ensure that the organisation's risk assessment process begins with effective threat intelligence
  F. I will determine whether internal and external sources of information are used in the production of threat intelligence
  G. I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
  H. I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements
  A. I will review the organisation's threat intelligence process and will ensure that this is fully documented
  D. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
  F. I will determine whether internal and external sources of information are used in the production of threat intelligence

  ---

  According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control 5.7 requires an organization to establish and maintain a threat intelligence process to identify and evaluate information security threats that are relevant to its ISMS scope and objectives. The organization should use internal and external sources of information, such as vulnerability databases, threat feeds,

  industry reports, etc., to produce threat intelligence that can be used to support risk assessment and treatment, as well as other information security activities1. Therefore, when auditing the organization's application of control 5.7, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

  Three options that represent valid audit trails for verifying control 5.7 are:

  I will review the organisation's threat intelligence process and will ensure that this is fully documented:

  This option is valid because it can provide evidence of how the organization has established and maintained a threat intelligence process that is consistent with its ISMS scope and objectives. It can also verify that the process is documented according to clause 7.5 of ISO/IEC 27001:20221. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets: This option is valid because it can provide evidence of how the organization

  has used threat intelligence to support its risk assessment and treatment, as well as other information security activities, such as incident response, awareness, or monitoring. It can also verify that the organization has achieved its information security objectives according to clause 6.2 of ISO/IEC 27001:20221.

  I will determine whether internal and external sources of information are used in the production of threat intelligence: This option is valid because it can provide evidence of how the organization has used various sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that is relevant and reliable. It can also verify that the organization has complied with the requirement of control 5.7 of ISO/IEC 27001:20221. The other options are not valid audit

  trails for verifying control 5.7, as they are not related to the control or its requirements. For example:

  I will speak to top management to make sure all staff are aware of the importance of reporting threats:

  This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding information security awareness or communication, but not specifically to control 5.7. I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team: This option is not valid because it does not provide

  evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also contradict the requirement for auditor independence and objectivity, as recommended by ISO 19011:20182, which provides guidelines for auditing management systems.

  I will ensure that the organisation's risk assessment process begins with effective threat intelligence:

  This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also imply a prescriptive approach to risk assessment that is not consistent with ISO/IEC 27005:

  20183, which provides guidelines for information security risk management.

  I will review how information relating to information security threats is collected and evaluated to produce threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also be too vague or broad to be an effective audit trail, as it does not specify what criteria or methods are used for collecting and evaluating information. I will ensure that

  appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding management review or performance evaluation, but not specifically to control 5.7.

  References: ISO/IEC 27001:2022 - Information technology -Security techniques -Information security management systems

  Requirements, ISO 19011:2018 - Guidelines for auditing management systems, ISO /IEC 27005:2018 - Information technology -Security techniques -Information security risk management

• Question 237:

  Which is an example of a qualitative evidence?

  A. The documented results of an intrusion-detection test from an information security expert from an external organization
  B. A defined sample analysis of nonconformity reports drafted by the audited organization from the time their ISMS was implemented
  C. An interview with the information security personnel to validate if the information security process complies with the standard requirements
  C. An interview with the information security personnel to validate if the information security process complies with the standard requirements

  ---

  Qualitative evidence in an audit typically involves observations, interviews, and reviews that provide insights into the processes and compliance through subjective but informed assessments. An interview with information security personnel to validate compliance with the standard requirements is an example of qualitative evidence, where the quality and effectiveness of processes are assessed based on expert judgments rather than measurable metrics.

  References: PECB ISO/IEC 27001 Lead Auditor Course Material

• Question 238:

  To verify conformity to control 8.15 Logging of ISO/IEC 27001 Annex A, the audit team verified a sample of server logs to determine if they can be edited or deleted. Which audit procedure was used?

  A. Analysis
  B. Sampling
  C. Observation
  A. Analysis

  ---

  The audit procedure used here is "analysis." The audit team analyzed server logs to verify if they can be edited or deleted, focusing on evaluating the logs' properties and the controls over their manipulation to ensure they comply with ISO/IEC 27001 requirements.

  References: ISO 19011:2018, Guidelines for auditing management systems

• Question 239:

  Scenario:

  Webvue. headquartered in Japan, is a technology company specializing in the development, support, and maintenance of computer software. Webvue provides solutions across various technology fields and business sectors. Its flagship service is CloudWebvue, a comprehensive cloud computing platform offering storage, networking, and virtual computing services. Designed for both businesses and individual users. CloudWebvue is known for its flexibility, scalability, and reliability.

  Webvue has decided to only include CloudWebvue in its ISO/IEC 27001 certification scope. Thus, the stage 1 and 2 audits were performed simultaneously Webvue takes pride in its strictness regarding asset confidentiality They protect the information stored in CloudWebvue by using appropriate cryptographic controls. Every piece of information of any classification level, whether for internal use. restricted, or confidential, is first encrypted with a unique corresponding hash and then stored in the cloud

  The audit team comprised five persons Keith. Sean. Layla, Sam. and Tina. Keith, the most experienced auditor on the IT and information security auditing team, was the audit team leader. His responsibilities included planning the audit and managing the audit team. Sean and Layla were experienced in project planning, business analysis, and IT systems (hardware and application) Their tasks included audit planning according to Webvue's internal systems and processes Sam and Tina, on the other hand,

  who had recently completed their education, were responsible for completing the day- to-day tasks while developing their audit skills

  While verifying conformity to control 8.24 Use of cryptography of ISO/IEC 27001 Annex A through interviews with the relevant staff, the audit team found out that the cryptographic keys have been initially generated based on random bit generator (RBG) and other best practices for the generation of the cryptographic keys. After checking Webvue's cryptography policy, they concluded that the information obtained by the interviews was true. However, the cryptographic keys are still in use because the policy

  does not address the use and lifetime of cryptographic keys.

  As later agreed upon between Webvue and the certification body, the audit team opted to conduct a virtual audit specifically focused on verifying conformity to control 8.11 Data Masking of ISO/IEC 27001 within Webvue, aligning with the certification scope and audit objectives. They examined the processes involved in protecting data within CloudWebvue. focusing on how the company adhered to its policies and regulatory standards. As part of this process. Keith, the audit team leader, took screenshot

  copies of relevant documents and cryptographic key management procedures to document and analyze the effectiveness of Webvue's practices.

  Webvue uses generated test data for testing purposes. However, as determined by both the interview with the manager of the QA Department and the procedures used by this department, sometimes live system data are used. In such scenarios, large amounts of data are generated while producing more accurate results. The test data is protected and controlled, as verified by the simulation of the encryption process performed by Webvue's personnel during the audit

  While interviewing the manager of the QA Department, Keith observed that employees in the Security Training Department were not following proper procedures, even though this department fell outside the audit scope. Despite the exclusion in the audit scope, the non conformity in the Security Training Department has potential implications for the processes within the audit scope, specifically impacting data security and cryptographic practices in CloudWebvue. Therefore, Keith incorporated this finding into

  the audit report and accordingly informed the auditee.

  Based on the scenario above, answer the following question:

  Question:

  Based on Scenario, was Keith's choice regarding the incorporation of the Security Training Department in the audit report appropriate?

  A. Yes, he should have incorporated the Security Training Department in the audit report
  B. No, he should have included it without informing the auditee about the observed situation
  C. No, he should not have included it and only informed the auditee about the observed situation
  A. Yes, he should have incorporated the Security Training Department in the audit report

  ---

  A.

  Correct Answer:

  ISO 19011:2018 allows auditors to report significant issues that impact the audit scope, even if they arise outside the predefined scope.

  Security Training Department nonconformities directly affected CloudWebvue's ISMS, justifying its inclusion in the audit report.

  B. Incorrect:

  Transparency is crucial in audits, and Keith correctly informed the auditee before reporting.

  C. Incorrect:

  Issues affecting ISMS implementation must be reported, as they pose risks to the certification scope .

  Relevant Standard Reference:

  ISO 19011:2018 Clause 6.6.1 (Audit Reporting on Nonconformities Outside Scope but with Impact)

• Question 240:

  Which two of the following phrases are 'objectives' in relation to a first-party audit?

  A. Apply international standards
  B. Prepare the audit report for the certification body
  C. Confirm the scope of the management system is accurate
  D. Complete the audit on time
  E. Apply Regulatory requirements
  F. Update the management policy
  C. Confirm the scope of the management system is accurate
  F. Update the management policy

  ---

  A first-party audit is an internal audit conducted by the organization itself or by an external party on its behalf. The objectives of a first-party audit are to:

  Confirm the scope of the management system is accurate, i.e., it covers all the processes, activities, locations, and functions that are relevant to the information security objectives and requirements of the organization.

  Update the management policy, i.e., review and revise the policy statement, roles and responsibilities, and objectives and targets of the information security management system (ISMS) based on the audit findings and feedback.

  The other phrases are not objectives of a first-party audit, but rather:

  Apply international standards: This is a requirement for the ISMS, not an objective of the audit. The ISMS must conform to the ISO/IEC 27001 standard and any other applicable standards or regulations

  Prepare the audit report for the certification body: This is an activity of a third-party audit, not a first- party audit. A third-party audit is an external audit conducted by an independent certification body to verify the conformity and effectiveness of the ISMS and to issue a certificate of compliance12

  Complete the audit on time: This is a performance indicator, not an objective of the audit. The audit should be completed within the planned time frame and budget, but this is not the primary purpose of the audit

  Apply regulatory requirements: This is also a requirement for the ISMS, not an objective of the audit. The ISMS must comply with the legal and contractual obligations of the organization regarding information security

  References:

  1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training

  2: ISO/IEC 27001 Lead Auditor Training Course by PECB