ISO-27001-LA Exam Details

  • Exam Code: ISO-27001-LA
  • Exam Name: ISO/IEC 27001:2022 Lead Auditor
  • Certification: PECB Certifications
  • Vendor: PECB
  • Total Questions: 394 Q&As
  • Last Updated: May 31, 2026

PECB ISO-27001-LA Online Questions & Answers

  • Question 241:

    Scenario:

    Rebuildy is a construction company located in Bangkok, Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.

    The ISMS implementation outcomes are presented below:

    - Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.
    - Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.
    - All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.
    - The information security policy is part of a security manual drafted based on best security practices. Therefore, it is not a stand-alone document.
    - Information security roles and responsibilities have been clearly stated in every employee's job description.
    - Management reviews of the ISMS are conducted at planned intervals.

    Rebuildy applied for certification after two midterm management reviews and one annual internal audit. Before the certification audit, one of Rebuildy's former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member. Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.

    At the beginning of the audit, the audit team interviewed the company's top management. They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy's conformity to several clauses of ISO/IEC 27001.

    The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:

    - An instance of improper user access control settings was detected within the company's financial reporting system.
    - A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.

    After receiving these documents from the audit team, the team leader met Rebuildy's top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.

    Based on the scenario above, answer the following question:

    Question:

    Did the audit team adhere to audit best practices regarding the situation with the financial reporting system?

    A. Yes, as it is beyond the scope of the audit
    B. No, the audit team should have contacted the certification body and reported the situation
    C. No, the audit team should have withdrawn from the audit due to the illegal nature of the act

  • Question 242:

    When multiple offices of a certification body are involved, what must be ensured?

    A. Each office has a separate legally enforceable agreement with the client
    B. A legally enforceable agreement that covers all sites within the certification scope
    C. Only the main office has a legally enforceable agreement with the client

  • Question 243:

    Which of the following statements regarding documented information in an organization's ISMS is incorrect?

    A. The purpose of documented information is to guide the ISMS operation and provide evidence of process effectiveness
    B. The collection of documented information should be a target in itself
    C. Documented information should not be detailed and complex to ensure thoroughness

  • Question 244:

    Audit methods can be either with or without interaction with individuals representing the auditee. Which two of the following methods are with interaction?

    A. Sampling (e.g. products)
    B. Observing work performed via live video streaming
    C. Reviewing checklists with auditee
    D. Checking legal compliance with local authorities
    E. Conducting interviews
    F. Analysing documents provided in advance of the audit

  • Question 245:

    OrgXY is an ISO/IEC 27001-certified software development company. A year after being certified, OrgXY's top management informed the certification body that the company was not ready for conducting the surveillance audit. What happens in this case?

    A. The certification is suspended
    B. The current certification is used until the next surveillance audit
    C. OrgXY transfers its registration to another certification body

  • Question 246:

    Scenario:

    Tessa, Malik, and Michael are an audit team of independent and qualified experts in the field of security, compliance, and business planning and strategies. They are assigned to conduct a certification audit in Clastus, a large web design company. They have previously shown excellent work ethics, including impartiality and objectiveness, while conducting audits. This time, Clastus is positive that they will be one step ahead if they get certified against ISO/IEC 27001.

    Tessa, the audit team leader, has expertise in auditing and a very successful background in IT-related issues, compliance, and governance. Malik has an organizational planning and risk management background. His expertise relies on the level of synthesis and analysis of an organization's security controls and its risk tolerance in accurately characterizing the risk level within an organization. On the other hand, Michael is an expert in the practical security of controls assessment by following rigorous standardized programs.

    After performing the required auditing activities, Tessa initiated an audit team meeting. They analyzed one of Michael's findings to decide on the issue objectively and accurately. The issue Michael had encountered was a minor nonconformity in the organization's daily operations, which he believed was caused by one of the organization's IT technicians. As such, Tessa met with the top management and told them who was responsible for the nonconformity after they inquired about the names of the persons responsible.

    To facilitate clarity and understanding, Tessa conducted the closing meeting on the last day of the audit. During this meeting, she presented the identified nonconformities to the Clastus management. However, Tessa received advice to avoid providing unnecessary evidence in the audit report for the Clastus certification audit, ensuring that the report remains concise and focused on the critical findings.

    Based on the evidence examined, the audit team drafted the audit conclusions and decided that two areas of the organization must be audited before the certification can be granted. These decisions were later presented to the auditee, who did not accept the findings and proposed to provide additional information. Despite the auditee's comments, the auditors, having already decided on the certification recommendation, did not accept the additional information. The auditee's top management insisted that the audit conclusions did not represent reality, but the audit team remained firm in their decision.

    Based on the scenario above, answer the following question:

    Question:

    Tessa was advised to avoid providing unnecessary evidence in the audit report for Clastus's certification audit. Is this recommended?

    A. Yes, to avoid including information that may compromise the audit's confidentiality
    B. Yes, to simplify the report for a better understanding
    C. No, to ensure that all relevant evidence is considered and addressed

  • Question 247:

    You are an experienced ISMS audit team leader. You are providing an introduction to ISO/IEC 27001:2022 to a class of Quality Management System Auditors who are seeking to retrain to enable them to carry out information security management system audits.

    You ask them which of the following characteristics of information does an information security management system seek to preserve?

    Which three answers should they provide?

    A. Clarity
    B. Accessibility
    C. Completeness
    D. Importance
    E. Availability
    F. Confidentiality
    G. Integrity
    H. Efficiency

  • Question 248:

    Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

    Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

    During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

    Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

    The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing the governance framework (i.e., the information security policy) and the procedures.

    Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

    Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

    During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

    Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

    Based on the scenario above, answer the following question:

    Should the auditor archive the copies of employee training records after the completion of the audit? Refer to scenario 7.

    A. No, copies of files are not generally kept as audit records
    B. Yes, copies of files are in the auditor's possession, as mentioned in the audit agreement
    C. Yes, all the documented information generated during the audit should be kept as audit record

  • Question 249:

    In the context of a third-party certification audit, confidentiality is an issue in an audit programme. Select two options which correctly state the function of confidentiality in an audit.

    A. Auditors are forced by regulatory requirements to maintain confidentiality in an audit
    B. Observers in an audit team cannot access any confidential information
    C. Confidentiality is one of the principles of audit conduct
    D. Auditors should obtain the auditee's permission before using a camera or recording equipment
    E. Audit information can be used for improving personal competence by the auditor
    F. As an auditor is always accompanied by a guide, there is no risk to the auditee's sensitive information

  • Question 250:

    You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

    They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

    Which three of the following options represent valid audit trails?

    A. I will determine whether internal and external sources of information are used in the production of threat intelligence
    B. I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team
    C. I will ensure that the organisation's risk assessment process begins with effective threat intelligence
    D. I will check that the organisation has a fully documented threat intelligence process
    E. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
    F. I will speak to top management to make sure all staff are aware of the importance of reporting threats
    G. I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements
    H. I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
