PECB ISO-27001-LA Online Practice Questions and Exam Preparation

PECB ISO-27001-LA Online Questions & Answers

• Question 271:

  During a certification audit, an auditor photocopies employee training attendance records containing personal identifiers and takes the copies off-site without the auditee's authorization. Which auditing principle is most directly at risk?

  A. Integrity
  B. Confidentiality
  C. Fair presentation
  D. Due professional care
  B. Confidentiality

  ---

  B is correct. Handling copies of sensitive records without authorization risks violating confidentiality obligations and agreed audit arrangements. Auditors must protect information obtained during audits and comply with confidentiality requirements.

  A is incorrect because integrity relates to honest and responsible conduct, but the direct risk described is unauthorized disclosure/handling of confidential information.

  C is incorrect because fair presentation concerns truthful and accurate reporting, not primarily information protection.

  D is incorrect because due professional care is relevant, but confidentiality is the most directly impacted principle in this scenario.

  References: ISO 19011:2018 auditing principles (Confidentiality)

• Question 272:

  Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better

  secure its internal and customer assets and gain competitive advantage.

  Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the

  audit within the defined duration. The audit team followed a risk-based auditing approach.

  To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a

  whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

  How are responsibilities for IT and IT controls defined and assigned?

  How does Data Grid Inc. assess whether the controls have achieved the desired results?

  What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

  Are firewall-related controls implemented?

  Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

  The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

  Based on this scenario, answer the following question:

  Data Grid Inc. is responsible for all the actions below, EXCEPT:

  A. Specifying the audit criteria
  B. Appointing the audit team
  C. Defining the audit scope
  B. Appointing the audit team

  ---

  In the context of ISO/IEC 27001 audits, the audit team is appointed by the certification body, not by the organization being audited. Data Grid Inc. is responsible for specifying the audit criteria and defining the audit scope, but not for appointing the audit team.

  References: ISO 19011:2018, Guidelines for auditing management systems

• Question 273:

  Scenario:

  Techmanic is a Belgian company founded in 1995 and currently operating in Brussels. It provides IT consultancy, software design, and hardware/software services, including deployment and maintenance. The company serves sectors like public services, finance, telecom, energy, healthcare, and education. As a customer-centered company, it prioritizes strong client relationships and leading security practices.

  Techmanic has been ISO/IEC 27001 certified for a year and regards this certification with pride. During the certification audit, the auditor found some inconsistencies in its ISMS implementation. Since the observed situations did not affect the capability of its ISMS to achieve the intended results, Techmanic was certified after auditors followed up on the root cause analysis and corrective actions remotely During that year, the company added hosting to its list of services and requested to expand its certification

  scope to include that area The auditor in charge approved the request and notified Techmanic that the extension audit would be conducted during the surveillance audit

  Techmanic underwent a surveillance audit to verify its iSMS's continued effectiveness and compliance with ISO/IEC 27001. The surveillance audit aimed to ensure that Techmanic's security practices, including the recent addition of hosting services, aligned seamlessly with the rigorous requirements of the certification

  The auditor strategically utilized the findings from previous surveillance audit reports in the recertification activity with the purpose of replacing the need for additional recertification audits, specifically in the IT consultancy sector. Recognizing the value of continual improvement and learning from past assessments. Techmanic implemented a practice of reviewing previous surveillance audit reports. This proactive approach not only facilitated identifying and resolving potential nonconformities but also aimed to

  streamline the recertification process in the IT consultancy sector.

  During the surveillance audit, several nonconformities were found. The ISMS continued to fulfill the ISO/IEC 27001*s requirements, but Techmanic failed to resolve the nonconformities related to the hosting services, as reported by its internal auditor. In addition, the internal audit report had several inconsistencies, which questioned the independence of the internal auditor during the audit of hosting services. Based on this, the extension certification was not granted. As a result. Techmanic requested a

  transfer to another certification body. In the meantime, the company released a statement to its clients stating that the ISO/IEC 27001 certification covers the IT services, as well as the hosting services.

  Based on the scenario above, answer the following question:

  Question:

  Auditors recommended Techmanic for certification after following up on corrective actions remotely . Is this acceptable?

  A. Yes, auditors may follow up on action plans remotely since minor nonconformities were detected
  B. No, an audit follow-up must be performed since the audit report contained nonconformities
  C. No, an audit follow-up must be performed on-site since an extension was requested
  A. Yes, auditors may follow up on action plans remotely since minor nonconformities were detected

  ---

  A.

  Correct Answer:

  Remote follow-ups are acceptable for minor nonconformities, as long as auditors can verify corrective actions.

  ISO/IEC 17021-1:2015 allows remote follow-ups when the effectiveness of corrective actions can be demonstrated.

  B. Incorrect:

  Follow-ups are required, but remote verification is acceptable for minor issues .

  C. Incorrect:

  An on-site follow-up is not mandatory unless major nonconformities are present.

  Relevant Standard Reference:

  ISO/IEC 17021-1:2015 Clause 9.6.8 (Remote Audit Follow-Ups)

• Question 274:

  DRAG DROP

  You are performing an ISMS audit at a European-based residential nursing home called ABC that provides healthcare services. You find all nursing home residents wear an electronic wristband for monitoring their location, heartbeat, and blood pressure always. You learned that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.

  The next step in your audit plan is to verify that the information security policy and objectives have been established by top management.

  During the audit, you found the following audit evidence.

  Match the audit evidence to the corresponding requirement in ISO/IEC 27001:2022.

  Select and Place:

  

  

  Explanation:

• Question 275:

  Scenario: SunPort Logistics uses removable drives to transfer shipping manifests. The procedure states "Sensitive manifests shall not be stored on removable media." During the audit, you find 2 out of 80 removable drives contain sensitive manifests due to mislabeling. Which two Annex A controls are most directly implicated?

  A. 5.13 Labelling of information
  B. 6.3 Information security awareness, education and training
  C. 7.10 Storage media
  D. 8.15 Logging
  A. 5.13 Labelling of information
  C. 7.10 Storage media

  ---

  A is correct because mislabeling caused incorrect handling decisions.

  C is correct because the issue involves control over storage media usage and restrictions.

  B may be a contributing factor, but the finding directly concerns labeling and storage media handling.

  D is not directly implicated because the issue is not primarily about event logging.

  References: ISO/IEC 27001:2022 Annex A controls 5.13 and 7.10

• Question 276:

  DRAG DROP

  In regard to generating an audit finding, select the words that best complete the following sentence.

  To complete the sentence with the best word(s), click on the blank section you want to complete so that it Is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

  Select and Place:

  

  

  Explanation:

  Audit evidence is the information obtained by the auditors during the audit process that is used as a basis for forming an audit opinion or conclusion12. Audit evidence could include records, documents, statements, observations, interviews, or test results.

  Audit criteria are the set of policies, procedures, standards, regulations, or requirements that are used as a reference against which audit evidence is compared12. Audit criteria could be derived from internal or external sources, such as ISO standards, industry best practices, or legal obligations. Audit findings are the results of a process that evaluates audit evidence and compares it against audit criteria. Audit findings can show that audit criteria are being met (conformity) or that they are not being met

  (nonconformity). They can also identify best practices or improvement opportunities.

  References:

  ISO 19011:2022 Guidelines for auditing management systems ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements

  Components of Audit Findings - The Institute of Internal Auditors

• Question 277:

  You are an experienced ISMS audit team leader guiding an auditor in training. You are testing her understanding of follow-up audits by asking her a series of questions to which the answer is either "true* or 'false'. Which four of the following questions should the answer be true"'

  A. A follow-up audit may be carried out where nonconformities are major
  B. A follow-up audit may be carried out where nonconformities are minor
  C. The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified
  D. The outcome of a follow-up audit could lower a major nonconformity to minor status
  E. The outcome of a follow-up audit could be a recommendabon to suspend the client's certification
  F. The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client
  G. A follow-up audit is required in all instances where nonconformities have been identified
  H. A follow-up audit is required only in instances where a major nonconformity has been identified
  A. A follow-up audit may be carried out where nonconformities are major
  B. A follow-up audit may be carried out where nonconformities are minor
  C. The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified
  F. The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client

  ---

  A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization's management system to achieve its intended results, and therefore requires immediate corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system.

  A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system.

  The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because the top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee13.

  The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee.

  References: ISO 19011:2022 Guidelines for auditing management systems ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements ISO/IEC 17021-1:2022 Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 1: Requirements

• Question 278:

  DRAG DROP

  You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's risk management process.

  He is attempting to update the current documentation to make it easier for other managers to understand, however, it is clear from your discussion he is confusing several key terms.

  You ask him to match each of the descriptions with the appropriate risk term. What should the correct answers be?

  Select and Place:

  

  

  Explanation:

  The strategy chosen to respond to a specific information security risk: This is a definition of information security risk treatment. According to ISO/IEC 27000:2022, information security risk treatment is "the process of selecting and implementing measures to modify the information security risk" Section 3.33. The effect of uncertainty on information security objectives: This is a definition of information security risk. According to ISO/IEC 27000:2022, information security risk is "the effect of uncertainty on information security objectives" Section 3.32. The requirements against which information security risks are evaluated: This is a definition of information security risk criteria. According to ISO/IEC 27000:2022, information security risk criteria are "the terms of reference by which the significance of information security risks is assessed" Section 3.31. A definition of the overall level of information security risk that is considered to be tolerable: This is a definition of information security risk acceptance criteria. According to ISO/IEC 27000:2022, information security risk acceptance criteria are "the level of information security risk that is acceptable" Section 3.30.

• Question 279:

  DRAG DROP

  You are performing an ISMS audit at a European-based residential nursing home called ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process.

  During the audit, you learned most of the residents' family members (90%) receive WeCare medical devices promotion advertisements through email and SMS once a week via ABC's healthcare mobile app. All of them do not agree on the use of the collected personal data for marketing or any other purposes than nursing and medical care on the signed service agreement with ABC. They have very strong reason to believe that ABC is leaking residents' and family members' personal information to a non-relevant third party and they have filed complaints.

  The Service Manager says that, after investigation, all these complaints have been treated as nonconformities. The corrective actions have been planned and implemented according to the nonconformity and corrective management procedure (Document reference ID: ISMS_L2_10.1, version 1).

  You write a nonconformity which you will follow up on later. Select the words that best complete the sentence:

  Select and Place:

  

  

  Explanation:

  "When reviewing the effectiveness of action taken in response to a nonconformity, an auditor seeks evidence of change that will prevent recurrence of the issue."

  According to ISO/IEC 27001:2022, clause 10.1, the organization shall continually improve the suitability, adequacy, and effectiveness of the ISMS by evaluating the performance and the effectiveness of the ISMS, ensuring that the policy and objectives are aligned with the strategic direction of the organization, and taking actions to achieve the intended outcomes of the ISMS. One of the ways to achieve continual improvement is to identify and correct nonconformities and take actions to eliminate their causes and prevent their recurrence. Therefore, when reviewing the effectiveness of the corrective actions, an auditor should look for evidence that the organization has analyzed the root cause of the nonconformity, implemented appropriate changes to the ISMS, and verified that the changes have resulted in the desired improvement and prevented the recurrence of the issue.

  References: = ISO/IEC 27001:2022, clause 10.1, Nonconformity and corrective action ISO/IEC 27001:2022, clause 10.2, Continual improvement PECB Candidate Handbook ISO 27001 Lead Auditor, page 19, Audit Process PECB Candidate Handbook ISO 27001 Lead Auditor, page 21, Audit Findings

• Question 280:

  Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

  Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

  Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank's systems, processes, and technologies.

  The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank's labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

  Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

  They drafted the nonconformity report and discussed the audit conclusions with EsBank's representatives, who agreed to submit an action plan for the detected nonconformities within two months.

  EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

  Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

  Based on the scenario above, answer the following question:

  Based on scenario 8, EsBank submitted a general action plan. Is this acceptable?

  A. Yes, nonconformities with the same root cause should have a general action plan
  B. No, an action plan should only address one nonconformity
  C. No, a general action plan does not enable the correction of nonconformities
  C. No, a general action plan does not enable the correction of nonconformities

  ---

  No, a general action plan is not acceptable in this context because it lacks specific details on systems, controls, or operations impacted by the nonconformities. An effective action plan should detail the specific corrective actions for each nonconformity to ensure comprehensive resolution and prevent recurrence.