PECB ISO-27001-LA Online Practice Questions and Exam Preparation

PECB ISO-27001-LA Online Questions & Answers

• Question 261:

  Which one of the following statements best describes the purpose of conducting a document review?

  A. To reveal whether the documented management system is nonconforming with audit criteria and to gather evidence to support the audit report
  B. To decide about the conformity of the documented management system with audit standards and to gather findings to support the audit process
  C. To determine the conformity of the management system, as far as documented, with audit criteria and to gather information to support the on-site audit activities
  D. To detect any nonconformity of the management system, if documented, with audit criteria and to identify information to support the audit plan
  C. To determine the conformity of the management system, as far as documented, with audit criteria and to gather information to support the on-site audit activities

  ---

  A document review is a process of examining the documented information related to the management system before the on-site audit activities. The purpose of a document review is to:

  Determine the conformity of the management system, as far as documented, with audit criteria, i.e., to check whether the documents are consistent, complete, and compliant with the requirements of ISO /IEC 27001 and any other applicable standards or regulations.

  Gather information to support the on-site audit activities, i.e., to identify the scope, objectives, processes, controls, risks, and opportunities of the management system, and to plan the audit methods, techniques, and resources accordingly.

  The other statements are not accurate, because: A document review does not reveal or decide about the conformity or nonconformity of the management system as a whole, but only of the documented information. The conformity or nonconformity of the management system is determined by the on-site audit activities, which include interviews, observations, and tests A document review does not gather evidence or findings to support the audit report or process, but information to support the on-site audit activities. The evidence or findings are collected during the on- site audit activities, which are then documented and reported A document review does not detect any nonconformity of the management system, if documented, but determines the conformity of the documented information. The nonconformity of the management system is detected by the on-site audit activities, which evaluate the performance and effectiveness of the management system A document review does not identify information to support the audit plan, but gathers information to support the on-site audit activities. The audit plan is prepared before the document review, based on the audit scope, objectives, criteria, and program. The document review is part of the audit plan implementation

  References:

  1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1

  2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

• Question 262:

  You are an experienced audit team leader guiding an auditor in training.

  Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.

  Select four controls from the following that would you expect the auditor in training to review.

  A. Confidentiality and nondisclosure agreements
  B. How access to source code and development tools are managed
  C. How power and data cables enter the building
  D. How protection against malware is implemented
  E. How the organisation evaluates its exposure to technical vulnerabilities
  F. Information security awareness, education and training
  G. The organisation's arrangements for information deletion
  H. The organisation's business continuity arrangements
  B. How access to source code and development tools are managed
  D. How protection against malware is implemented
  E. How the organisation evaluates its exposure to technical vulnerabilities
  G. The organisation's arrangements for information deletion

  ---

  The four controls from the list that the auditor in training should review are:

  How access to source code and development tools are managed: This control requires the organisation to restrict and monitor the access to the source code and development tools that are used to create, modify, or maintain the software applications and systems that process or store the data of external clients. This is important for ensuring the integrity, confidentiality, and availability of the software and the data, as well as for preventing unauthorized changes, errors, or malicious code injection. How protection against malware is implemented: This control requires the organisation to implement appropriate measures to detect, prevent, and remove malware from the IT systems and devices that process or store the data of external clients. This includes using antivirus software, firewalls, email filtering, web filtering, and other tools to protect against viruses, worms, ransomware, spyware, and other malicious software. This is essential for safeguarding the data and the systems from corruption, theft, or damage caused by malware. How the organisation evaluates its exposure to technical vulnerabilities: This control requires the organisation to identify and assess the technical vulnerabilities that may affect the IT systems and devices that process or store the data of external clients. This includes using vulnerability scanning tools, penetration testing tools, threat intelligence sources, and other methods to discover and evaluate the weaknesses and gaps in the security of the systems and the devices. This is necessary for prioritizing and implementing the appropriate corrective actions and controls to mitigate the risks posed by the vulnerabilities. The organisation's arrangements for information deletion: This control requires the organisation to establish and implement policies and procedures for deleting the data of external clients from the IT systems and devices when it is no longer needed or required. This includes defining the criteria and methods for data deletion, such as secure erasure, encryption, or physical destruction. This is important for complying with the contractual obligations and the legal and regulatory requirements regarding the retention and disposal of the data, as well as for protecting the confidentiality and integrity of the data.

  References: ISO/IEC 27001:2022, Annex A, clauses A.8.9, A.8.10, A.8.11, and A.8.28; Understanding ISO 27001:2022: People, process, and technology, pages 6-7; What are the 11 new security controls in ISO 27001:2022 - Advisera.

• Question 263:

  Which option below about the ISMS scope is correct?

  A. ISMS scope should be available as documented information
  B. ISMS scope should ensure continual improvement
  C. ISMS scope should be compatible with the strategic orientation of the organization
  A. ISMS scope should be available as documented information

  ---

  According to ISO/IEC 27001, the scope of an ISMS must be defined and documented. This documentation should include the boundaries and applicability of the information security management system, which helps in defining what information, locations, and assets are covered under the ISMS.

  References: ISO/IEC 27001:2013 Standard, Clause 4.3 (Determining the scope of the information security management system)

• Question 264:

  You are performing an ISMS initial certification audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to conduct the closing meeting. During the final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and 1 opportunity for improvement as below: Select one option of the recommendation to the audit programme manager you are going to advise to the auditee at the closing meeting.

  

  A. Recommend certification after your approval of the proposed corrective action plan
  B. Recommend that a full scope re-audit is required within 6 months
  C. Recommend that a partial audit is required within 3 months
  D. Recommend that the findings can be closed out at a surveillance audit in 1 year
  C. Recommend that a partial audit is required within 3 months

  ---

  Minor Nonconformities: The identified nonconformities are minor, meaning they don't pose a significant risk to the information security management system (ISMS). They are likely to be easily rectified with focused corrective actions. Opportunity for Improvement: This is not a nonconformity but a suggestion for enhancing the ISMS. It doesn't require immediate corrective action but should be addressed in the organization's continual improvement efforts. Initial Certification: As this is an initial certification audit,

  the organization is expected to demonstrate its commitment to addressing any gaps identified. A partial audit allows for a focused follow-up on the specific areas of nonconformity, ensuring they have been adequately addressed.

  Why other options are not suitable:

  Recommend certification after your approval of the proposed corrective action plan: While certification is the goal, it's premature to recommend it before verifying the effectiveness of the corrective actions. Recommend that a full scope re-audit is required within 6 months: This is too extensive for minor nonconformities. A full re-audit is usually reserved for major nonconformities or systemic issues. Recommend that the findings can be closed out at a surveillance audit in 1 year: This is too long a timeframe for

  addressing the nonconformities. Prompt corrective action is necessary to demonstrate commitment to the ISMS.

  In summary, recommending a partial audit within 3 months strikes the right balance between allowing the organization time to implement corrective actions and ensuring timely verification of their effectiveness. This approach aligns with the principles of ISO 27001 and supports the organization's journey towards certification.

• Question 265:

  Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers its decision-making and operating process based on previous cases.

  They gather customer data, classify them depending on the case, and analyze them. The company needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be used to assist in improving customer service.

  This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

  After the successful integration of the chatbot, the company immediately released it to their customers for use.

  The chatbot, however, appeared to have some issues.

  Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with chat queries and

  thus was unable to help customers with their requests.

  Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a black box testing prior to its implementation on operational systems.

  According to scenario 1, the chatbot sent random files to users when it received invalid inputs. What impact might that lead to?

  A. Inability to provide service
  B. Loss of reputation
  C. Leak of confidential information
  B. Loss of reputation

  ---

• Question 266:

  Scenario:

  Cobt. an insurance company in London, offers various commercial, industrial, and life insurance solutions. In recent years, the number of Cobt's clients has increased enormously. Having a huge amount of data to process, the company decided that certifying against ISO/IEC 27001 would bring many benefits to securing information and show its commitment to continual improvement. While the company was well-versed in conducting regular risk assessments, implementing an ISMS brought major changes to

  its daily operations. During the risk assessment process, a risk was identified where significant defects occurred without being detected or prevented by the organizations internal control mechanisms.

  The company followed a methodology to implement the ISMS and had an operational ISMS in place after only a few months After successfully implementing the ISMS, Cobt applied for ISO/IEC 27001 certification Sarah, an experienced auditor, was assigned to the audit Upon thoroughly analyzing the audit offer, Sarah accepted her responsibilities as an audit team leader and immediately started to obtain general information about Cobt She established the audit criteria and objective, planned the audit, and

  assigned the audit team members' responsibilities.

  Sarah acknowledged that although Cobt has expanded significantly by offering diverse commercial and insurance solutions, it still relies on some manual processes Therefore, her initial focus was to gather information on how the company manages its information security risks Sarah contacted Cobt's representatives to request access to information related to risk management for the off-site review, as initially agreed upon for part of the audit However, Cobt later refused, claiming that such information is too

  sensitive to be accessed outside of the company This refusal raised concerns about the audit's feasibility, particularly regarding the availability and cooperation of the auditee and access to evidence Moreover, Cobt raised concerns about the audit schedule, stating that it does not properly reflect the recent changes the company made It pointed out that the actions to be performed during the audit apply only to the initial scope and do not encompass the latest changes made in the audit scope

  Sarah also evaluated the materiality of the situation, considering the significance of the information denied for the audit objectives. In this case, the refusal by Cobt raised questions about the completeness of the audit and its ability to provide reasonable assurance. Following these situations, Sarah decided to withdraw from the audit before a certification agreement was signed and communicated her decision to Cobt and the certification body. This decision was made to ensure adherence to audit principles

  and maintain transparency, highlighting her commitment to consistently upholding these principles.

  Based on the scenario above, answer the following question:

  Question:

  Based on Scenario, Cobt stated that the audit schedule did not properly reflect the recent changes they made in the audit scope. What should Sarah do in this case?

  A. Change the audit schedule as requested by Cobt as the scope should reflect the status and importance of the activities to be audited
  B. Continue the audit with the initial scope since Cobt can request a change in the audit scope only if there are recent changes in technologies in place
  C. Change the audit schedule only if Cobt, Sarah, and the certification body agree on the changes in the audit scope
  C. Change the audit schedule only if Cobt, Sarah, and the certification body agree on the changes in the audit scope

  ---

  C.

  Correct Answer: Changes to the audit scope must be approved by the auditee, the auditor, and the certification body . This ensures fairness and maintains compliance with ISO 19011 guidelines on audit planning .

  A. Incorrect: The audit schedule cannot be changed solely at Cobt's request --approval is required.

  B. Incorrect: Audit scope is not limited to technological changes but includes organizational and procedural changes as well .

  Relevant Standard Reference:

  ISO 19011:2018 Clause 5.5.2 (Determining the Audit Scope and Schedule)

• Question 267:

  In a joint audit involving multiple audit teams, how many audit team leaders are typically designated per audit?

  A. One audit team leader per audit, regardless of the number of audit teams involved
  B. Each audit team appoints its own audit team leader
  C. There are no designated audit team leaders in joint audits
  A. One audit team leader per audit, regardless of the number of audit teams involved

  ---

  A.

  Correct Answer:

  Joint audits involve multiple teams but require only one designated audit team leader to ensure:

  Consistent audit methodology

  Coordination among teams

  Unified reporting structure

  B. Incorrect:

  While each team may have a coordinator , there is only one main leader responsible for the audit .

  C. Incorrect:

  ISO 19011 mandates the presence of a designated audit team leader in all audits .

  Relevant Standard Reference:

  ISO 19011:2018 Clause 5.5.5 (Assigning Responsibility to the Audit Team Leader)

• Question 268:

  DRAG DROP

  You are an experienced ISMS internal auditor.

  You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's Statement of Applicability.

  The IT Manager is attempting to update the ISO/IEC 27001:2013 based Statement of Applicability to a Statement aligned to the 4 control themes present in ISO/IEC 27001:2022 (Organizational controls, People Controls, Physical Controls, Technical Controls).

  The IT Manager is happy with their reassignment of controls, with the following exceptions. He asks you which of the four control categories each of the following should appear under.

  Select and Place:

  

  

  Explanation:

  8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected = Technological control 7.8 Equipment shall be sited securely and protected = Physical control 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation's needs = Organisational control 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's

  premises = People control

  According to the web search results from my predefined tool, ISO 27001:2022 has restructured and consolidated the Annex A controls into four categories: organisational, people, physical, and technological12. These categories reflect the different aspects and dimensions of information security, and are aligned with the cybersecurity concepts of identify, protect, detect, respond, and recover3. The controls in each category are as follows4:

  Organisational controls: These are controls that relate to the governance, management, and coordination of information security activities within the organisation. They include controls such as information security policies, roles and responsibilities, risk assessment and treatment, performance evaluation, and improvement.

  People controls: These are controls that relate to the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. They include controls such as human resource security, training and awareness, access control, incident management, and business continuity.

  Physical controls: These are controls that relate to the protection of physical assets and environments that store, process, or transmit information. They include controls such as physical security, environmental security, equipment security, and media security.

  Technological controls: These are controls that relate to the use of technology to implement, monitor, and maintain information security. They include controls such as cryptography, network security, system security, application security, and threat intelligence.

  Based on these categories, the controls listed in the question can be matched as follows:

  8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected: This is a technological control, as it involves the use of technology to protect information on devices such as laptops, smartphones, tablets, etc. It may include measures such as encryption, authentication, antivirus, firewall, etc.

  7.8 Equipment shall be sited securely and protected: This is a physical control, as it involves the protection of physical assets and environments that store, process, or transmit information. It may include measures such as locks, alarms, CCTV, fire suppression, etc.

  5.2

  Information security roles and responsibilities shall be defined and allocated according to the organisation's needs: This is an organisational control, as it involves the governance, management, and coordination of information security activities within the organisation. It may include measures such as defining the authority and accountability of information security personnel, establishing reporting lines and communication channels, assigning tasks and duties, etc.

  6.7

  Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's premises: This is a people control, as it involves the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. It may include measures such as providing guidance and training on remote working, enforcing policies and procedures, monitoring and auditing remote activities, etc.

  References:

  1: A Breakdown of ISO 27001:2022 Annex A Controls - BARR Advisory4

  2: ISO 27001:2022 Annex A Controls - What's New? | ISMS.Online1

  3: How many controls are there in ISO 27001:2022?

  Strike Graph: ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements, Annex A.

• Question 269:

  You are an experienced ISMS auditor conducting a third-party surveillance audit at an organisation which offers ICT reclamation services. ICT equipment which companies no longer require is processed by the organisation. It Is either recommissioned and reused or is securely destroyed. You notice two servers on a bench in the corner of the room. Both have stickers on item with the server's name, IP address and admin password. You ask the ICT Manager about them, and he tells you they were part of a shipment received yesterday from a regular customer.

  Which one action should you take?

  A. Ask the ICT Manager to record an information security incident and initiate the information security incident management process
  B. Note the audit finding and check the process for dealing with incoming shipments relating to customer IT security
  C. Record what you have seen in your audit findings, but take no further action
  D. Raise a nonconformity against control 5.31 Legal, staturary, regulatory and contractual requirements'
  E. Raise a nonconformity against control 8.20 'network security' (networks and network devices shall be secured, managed and controlled to protect information in systems and applications)
  F. Ask the auditee to remove the labels, then carry on with the audit
  B. Note the audit finding and check the process for dealing with incoming shipments relating to customer IT security

  ---

  According to ISO 27001:2022 clause 8.1.4, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes implementing appropriate contractual requirements related to information security with external providers, such as customers who send ICT equipment for reclamation

  In this case, the organisation offers ICT reclamation services, which involves processing customer ICT equipment that may contain sensitive or confidential information. The organisation should have a process in place to ensure that the customer ICT equipment is handled securely and in accordance with the customer's information security requirements. The process should include steps such as verifying the customer's identity and authorisation, checking the inventory and condition of the equipment, removing or destroying any labels or stickers that contain information about the equipment or the customer, wiping or erasing any data stored on the equipment, and documenting the actions taken and the results achieved The fact that the auditor noticed two servers on a bench with stickers that reveal the server's name, IP address and admin password indicates that the process for dealing with incoming shipments relating to customer IT security is not effective or not followed. This could pose a risk of unauthorised access, disclosure, or modification of the customer's information or systems. Therefore, the auditor should note the audit finding and check the process for dealing with incoming shipments relating to customer IT

  security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022 The other actions are not appropriate for the following reasons:

  A. Asking the ICT Manager to record an information security incident and initiate the information security incident management process is not appropriate because this is not an information security incident that affects the organisation's own information or systems. An information security incident is defined as a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security12 In this case, the information security event affects the customer's information or systems, not the organisation's. Therefore, the organisation should follow the process for dealing with incoming shipments relating to customer IT security, not the process for information security incident management. C. Recording what the auditor has seen in the audit findings, but taking no further action is not appropriate because this would not address the root cause or the impact of the issue. The auditor has a responsibility to verify the effectiveness and compliance of the organisation's information security management system, and to report any nonconformities or opportunities for improvement Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.

  D. Raising a nonconformity against control 5.31 Legal, statutory, regulatory and contractual requirements is not appropriate because this control is not relevant to the issue. Control 5.31 requires the organisation to identify and comply with the legal, statutory, regulatory and contractual requirements that are applicable to the information security management system In this case, the issue is not about the organisation's compliance with the legal, statutory, regulatory and contractual requirements, but about the organisation's control of the externally provided processes, products or services that are relevant to the information security management system. Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022. E. Raising a nonconformity against control 8.20 'network security' (networks and network devices shall be secured, managed and controlled to protect information in systems and applications) is not appropriate because this control is not relevant to the issue. Control 8.20 requires the organisation to secure, manage and control its own networks and network devices to protect the information in its systems and applications In this case, the issue is not about the organisation's network security, but about the organisation's control of the externally provided processes, products or services that are relevant to the information security management system. Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022. F. Asking the auditee to remove the labels, then carry on with the audit is not appropriate because this would not address the root cause or the impact of the issue. The auditor should not interfere with the auditee's operations or suggest corrective actions during the audit, as this would compromise the auditor's objectivity and impartiality The auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.

  References:

  1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1

  2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

• Question 270:

  You are an experienced ISMS audit team leader providing guidance to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the following activities. They have asked you to review their checklist to confirm that the actions they are proposing are appropriate.

  The audit they have been invited to participate in is a third-party surveillance audit of a data centre . The data centre agent is part of a wider telecommunication group. Each data centre within the group operates its own ISMS and holds its own certificate.

  Select three options that relate to ISO/IEC 27001:2022's requirements regarding external providers.

  A. I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group
  B. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services
  C. I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information
  D. I will limit my audit activity to externally provided processes as there is no need to audit externally provided products of services
  E. I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance
  F. I will ensure the organization is has determined the need to communicate with external providers regarding the ISMS
  G. I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes
  H. I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest
  A. I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group
  B. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services
  E. I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance

  ---

  A. I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. Externally provided processes, products or services are those that are provided by any external party, regardless of the degree of its relationship with the organisation. Therefore, the other data centres within the same telecommunication group should be treated as external providers and subject to the same controls as any other external provide

  B. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to implement appropriate contractual requirements related to information security with external providers. One of the contractual requirements could be the obligation of the external provider to notify the organisation of any risks arising from the use of its products or services, such as security incidents, vulnerabilities, or changes that could affect the information security of the organisation. The external provider should have a documented process in place to ensure that such notification is timely, accurate, and complete

  E. I will ensure the organisation is regularly monitoring, reviewing and evaluating external provider performance. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to monitor, review and evaluate the performance and effectiveness of the externally provided processes, products or services. The organisation should have a process in place to measure and verify the conformity and suitability of the external provider's deliverables and activities, and to provide feedback and improvement actions as necessary. The organisation should also maintain records of the monitoring, review and evaluation results F. I will ensure the organisation has determined the need to communicate with external providers regarding the ISMS. This is appropriate because clause 7.4.2 of ISO 27001:2022 requires the organisation to determine the need for internal and external communications relevant to the information security management system, including the communication with external providers. The organisation should define the purpose, content, frequency, methods, and responsibilities for such communication, and ensure that it is consistent with the information security policy and objectives. The organisation should also retain documented information of the communication as evidence of its implementation The following activities are not appropriate for the assessment of external providers according to ISO 27001:2022:

  C. I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information. This is not appropriate because ISO 27001:2022 does not require the organisation to have a reserve external provider for each critical process. The organisation may choose to have a contingency plan or a backup solution in case of failure or disruption of the external provider, but this is not a mandatory requirement. The organisation should assess the risks and opportunities associated with the external provider and determine the appropriate treatment options, which may or may not include having a reserve external provider D. I will limit my audit activity to externally provided processes as there is no need to audit externally provided products or services. This is not appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to control the externally provided processes, products or services that are relevant to the information security management system. Externally provided products or services may include software, hardware, data, or cloud services that could affect the information security of the organisation. Therefore, the audit activity should cover both externally provided processes and products or services, as applicable G. I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes. This is not appropriate because clause 5.3 of ISO 27001:2022 requires the top management to assign the roles and responsibilities for the information security management system within the organisation, not for the external providers. The external providers are responsible for assigning their own roles and responsibilities for the processes, products or services they provide to the organisation. The organisation should ensure that the external providers have adequate competence and awareness for their roles and responsibilities, and that they are contractually bound to comply with the information security requirements of the organisation

  H. I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest. This is not appropriate because ISO 27001:2022 does not require the organisation to rank its external providers or to allocate its work based on such ranking. The organisation may choose to evaluate and compare the performance and effectiveness of its external providers, but this is not a mandatory requirement. The organisation should select and use its external providers based on the information security criteria and objectives that are relevant to the organisation

  References:

  1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1

  2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2