ISO-27001-LA Exam Details

  • Exam Code: ISO-27001-LA
  • Exam Name: ISO/IEC 27001:2022 Lead Auditor
  • Certification: PECB Certifications
  • Vendor: PECB
  • Total Questions: 394 Q&As
  • Last Updated: May 31, 2026

PECB ISO-27001-LA Online Questions & Answers

  • Question 321:

    Which two of the following best describe the purpose of a stage 1 audit in an initial certification audit?

    A. To confirm readiness for stage 2 by reviewing documented information and site-specific conditions
    B. To test operational effectiveness of Annex A controls through extensive technical testing
    C. To evaluate internal audit and management review performance for planning stage 2
    D. To issue the certification decision

  • Question 322:

    Scenario 2: Knight is an electronics company from Northern California, US, that develops video game consoles. Knight has more than 300 employees worldwide. On the fifth anniversary of its establishment, it decided to deliver the G-Console, a new-generation video game console aimed at worldwide markets. The G-Console is considered the ultimate media machine of 2021 and is expected to give players the best gaming experience.

    The console pack will include a VR headset, two games, and other gifts.

    Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market.

    Besides being a very customer-oriented company, Knight has also gained wide recognition within the gaming industry for the quality of its development. Its prices are somewhat higher than the market norm.

    Nonetheless, that is not considered an issue by most of Knight's loyal customers, as the quality is top-notch.

    Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

    Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze every part of the system and the details of the incident.

    The IRT's first suspicion was that Knight's employees used weak passwords that were easily cracked by hackers, who then gained unauthorized access to their accounts. However, after carefully investigating the incident, the IRT determined that the hackers had gained access to the accounts by capturing file transfer protocol (FTP) traffic.

    FTP is a network protocol for transferring files between hosts. It sends the username and password in clear text during authentication, so anyone who can capture the traffic can read them.

    Following the impact of this information security incident, and on the IRT's suggestion, Knight decided to replace FTP with the Secure Shell (SSH) protocol (in practice, an SSH-based transfer such as SFTP), so that anyone capturing the traffic sees only encrypted data.

    Following these changes, Knight conducted a risk assessment to verify that the implemented controls had reduced the risk of similar incidents. The results were approved by the ISMS project manager, who stated that the level of risk after implementing the new controls was within the company's risk acceptance levels.

    Based on this scenario, answer the following question:

    Based on Scenario 2, Knight decided to replace FTP with the Secure Shell (SSH) protocol. Should the Statement of Applicability (SoA) be updated in this case?

    A. No, the usage of the SSH protocol is not an ISO/IEC 27001 requirement and, therefore, does not need to be included in the SoA
    B. No, because the SoA should be updated only when new controls are added, not when old ones are canceled
    C. Yes, the implementation of the new control should be justified and included in the SoA
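
The scenario's point about FTP, shown in code: the C program below is an added example, not part of the exam material or PECB's content. It scans a constructed FTP control-channel capture (fictional host, username and password) the way a passive sniffer reassembling the session would, and pulls the USER and PASS arguments straight out of the text. Run against a constructed SSH capture, the same scan recovers nothing, because only the version banner is in the clear and everything after it is ciphertext.

```c
/* Added example, not part of the exam material: what a passive capture of
 * FTP's control channel hands an attacker. Hostname, user and password are
 * constructed for this example. */
#include <stdio.h>
#include <string.h>

/* Constructed FTP control-channel capture: the USER and PASS commands are
 * sent as plain text lines (RFC 959), so they are readable on the wire. */
static const char ftp_capture[] =
    "220 files.example.test FTP server ready\r\n"
    "USER alice\r\n"
    "331 Password required for alice\r\n"
    "PASS Winter2021!\r\n"
    "230 User alice logged in\r\n"
    "RETR gconsole_specs.pdf\r\n";

/* Constructed capture of an SSH session: after the version banner the
 * bytes are ciphertext, so there is no USER/PASS line to recover. */
static const char ssh_capture[] =
    "SSH-2.0-OpenSSH_9.3\r\n"
    "\x14\x01\x21\x5e\x7b\x11\x3a\x40\x77\x05\x6d\x62";

/* If `line` starts with `cmd` (e.g. "USER "), copy its argument into out,
 * stopping at CR/LF and writing at most outlen-1 bytes plus the NUL.
 * Returns 1 when the prefix matched. */
static int take_arg(const char *line, const char *cmd,
                    char *out, size_t outlen)
{
    size_t clen = strlen(cmd);
    size_t n = 0;

    if (outlen == 0 || strncmp(line, cmd, clen) != 0)
        return 0;
    line += clen;
    while (line[n] != '\0' && line[n] != '\r' && line[n] != '\n'
           && n + 1 < outlen) {
        out[n] = line[n];
        n++;
    }
    out[n] = '\0';
    return 1;
}

/* Walk the capture line by line and record the first USER and PASS
 * arguments seen. Returns 1 if both were found (credentials recovered). */
int extract_ftp_credentials(const char *capture,
                            char *user, size_t ulen,
                            char *pass, size_t plen)
{
    int have_user = 0, have_pass = 0;
    const char *line = capture;
    const char *nl;

    while (*line != '\0') {
        if (!have_user && take_arg(line, "USER ", user, ulen))
            have_user = 1;
        else if (!have_pass && take_arg(line, "PASS ", pass, plen))
            have_pass = 1;
        nl = strchr(line, '\n');
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return have_user && have_pass;
}

/* Result buffers for the FTP capture above. */
static char leaked_user[64];
static char leaked_pass[64];

/* 1 if the FTP capture yields a username and password. */
int ftp_capture_leaks_credentials(void)
{
    return extract_ftp_credentials(ftp_capture,
                                   leaked_user, sizeof leaked_user,
                                   leaked_pass, sizeof leaked_pass);
}

const char *ftp_leaked_user(void) { ftp_capture_leaks_credentials(); return leaked_user; }
const char *ftp_leaked_pass(void) { ftp_capture_leaks_credentials(); return leaked_pass; }

/* 0 for the SSH capture: nothing after the banner parses as a login line. */
int ssh_capture_leaks_credentials(void)
{
    char u[64], p[64];
    return extract_ftp_credentials(ssh_capture, u, sizeof u, p, sizeof p);
}

int main(void)
{
    if (ftp_capture_leaks_credentials())
        printf("FTP capture: user=%s pass=%s\n", ftp_leaked_user(), ftp_leaked_pass());
    printf("SSH capture: credentials recovered = %d\n", ssh_capture_leaks_credentials());
    return 0;
}
```

The scanner needs no cryptanalysis and no cracking of password hashes, which is the reason the IRT's weak-password theory was beside the point: with FTP, the password itself is on the wire. Moving the transfer onto SSH removes the readable USER/PASS lines rather than merely making them harder to guess.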

  • Question 323:

    A data processing tool crashed when a user placed more data in a buffer than its storage capacity allows. The incident was caused by the tool's failure to bounds-check arrays. What kind of vulnerability is this?

    A. Intrinsic vulnerability, because the inability to bounds-check arrays is a characteristic of the data processing tool
    B. Extrinsic vulnerability, because the inability to bounds-check arrays is related to external factors
    C. None, the tool's inability to bounds-check arrays is not a vulnerability but a threat
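
The defect in this question, shown in code: the C below is an added example, not from the exam material. append_record_unchecked is the buffer copy with no bounds check, which writes past a RECORD_CAP-byte array whenever the input is longer (the crash described above); append_record_checked is the bounded form, which refuses input that does not fit and leaves the buffer untouched. RECORD_CAP and the sample inputs are chosen for the example.

```c
/* Added example, not from the exam material: the unchecked copy behind the
 * crash described in the question, beside a bounded version. RECORD_CAP
 * and the inputs are chosen for this example. */
#include <stdio.h>
#include <string.h>

#define RECORD_CAP 16   /* fixed-size record buffer, including the NUL */

/* Vulnerable: copies src until its terminator with no check against the
 * capacity of dst. Any input of RECORD_CAP or more bytes writes past the
 * end of the array (the "more data than the buffer allows" case). Shown for
 * contrast only; nothing in this file calls it. */
void append_record_unchecked(char dst[RECORD_CAP], const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {    /* no comparison with RECORD_CAP */
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Hardened: measures src only up to the capacity, refuses anything that
 * does not fit together with its terminator, and leaves dst untouched on
 * refusal. Returns 0 on success and -1 when src would overflow dst. */
int append_record_checked(char dst[RECORD_CAP], const char *src)
{
    size_t len = 0;
    while (len < RECORD_CAP && src[len] != '\0')
        len++;
    if (len == RECORD_CAP)      /* no terminator within capacity */
        return -1;
    memcpy(dst, src, len + 1);  /* len + 1 <= RECORD_CAP bytes */
    return 0;
}

/* Try one input against a fresh buffer; returns the checked copy's result. */
int try_append(const char *src)
{
    char record[RECORD_CAP] = {0};
    return append_record_checked(record, src);
}

/* Store a fitting value, then offer an oversized one. Returns 1 if the
 * oversized input was refused and the buffer still holds the earlier
 * value, 0 otherwise. */
int oversized_input_is_refused(void)
{
    char record[RECORD_CAP];
    const char *fits = "G-Console-2021";                              /* 14 bytes + NUL */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */

    if (append_record_checked(record, fits) != 0)
        return 0;
    if (append_record_checked(record, too_long) != -1)
        return 0;
    return strcmp(record, fits) == 0;
}

int main(void)
{
    printf("15-byte input: %d (0 = stored)\n", try_append("0123456789abcde"));
    printf("16-byte input: %d (-1 = refused)\n", try_append("0123456789abcdef"));
    printf("oversized input refused, buffer intact: %d\n", oversized_input_is_refused());
    return 0;
}
```

The weakness sits in the tool's own code, independent of who supplies the input, which is what makes it a property of the asset rather than of its environment. The checked version also illustrates the practitioner's habit of bounding the scan itself (len never passes RECORD_CAP), so an unterminated input cannot push the length check out of range either.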

  • Question 324:

    AppFolk, a software development company, is seeking certification against ISO/IEC 27001. In the initial phases of the external audit, the certification body, in discussion with the company, excluded the marketing division from the audit scope, although the company stated in its ISMS scope that the whole company is included. Is this acceptable?

    A. Yes, audit and ISMS scope do not necessarily need to be the same
    B. No, divisions that are not critical for the industrial sector in which the auditee operates can be excluded from the audit scope
    C. No, audit scope should reflect all of the organization's divisions covered by the ISMS

  • Question 325:

    Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of its main services is transferring money worldwide. SendPay, as a new company, seeks to offer top-quality services to its clients. Since the company offers international transactions, it requires its clients to provide personal information, such as their identity, the reason for the transaction, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect its clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Its commitment to offering secure services was also reflected during the ISMS implementation, in which the company invested a lot of time and resources.

    Last year, SendPay unveiled a digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere at any time. The digital platform helped SendPay simplify its operations and further expand its business. At the time, SendPay was outsourcing its software operations, so the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining SendPay's technology infrastructure.

    Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

    During the audit, among others, the following situations were observed:

    1. The outsourced software company had terminated its contract with SendPay without prior notice. As a result, SendPay was unable to bring the services back in-house immediately, and its operations were disrupted for five days. The auditors asked SendPay's representatives to provide evidence that they have a plan to follow in case of contract termination. The representatives did not provide any documentary evidence, but during an interview they told the auditors that SendPay's top management had identified two other software development companies that could provide services immediately if a similar situation happened again.

    2. There was no evidence available regarding the monitoring of the activities outsourced to the software development company. Once again, SendPay's representatives told the auditors that they communicate regularly with the software development company and are appropriately informed of any change that might occur.

    3. No nonconformity was found during the firewall testing. The auditors tested the firewall configuration to determine the level of security provided by these services. They used a packet analyzer to test the firewall policies, which enabled them to check the packets sent or received in real time.

    Based on this scenario, answer the following question:

    Based on scenario 4, the auditors requested documentary evidence regarding the monitoring process of outsourced operations. What does this indicate?

    A. The auditors demonstrated professional skepticism
    B. The auditors compromised the confidentiality of outsourced operations
    C. The auditors evaluated the evidence based on a risk-based approach

  • Question 326:

    You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process. During the audit, you learned that most of the residents' family members (90%) receive WeCare medical device promotional advertisements through email and SMS once a week via ABC's healthcare mobile app. None of them agreed, in the service agreement signed with ABC, to the use of the collected personal data for marketing or any purpose other than nursing and medical care. They have very strong reason to believe that ABC is leaking residents' and family members' personal information to a non-relevant third party, and they have filed complaints.

    The Service Manager says that all these complaints have been treated as nonconformities, and that corrective actions have been planned and implemented according to the Nonconformity and Corrective Action management procedure. The corrective action involved immediately stopping work with WeCare, the medical device manufacturer, asking them to delete all personal data received, and sending an apology email to all residents and their family members.

    You are preparing the audit findings. Select the one option that states the correct finding.

    A. Nonconformity: ABC does not follow the signed healthcare service agreement with residents' family members
    B. No nonconformity: I would like to collect more evidence on how the organisation defines the management system scope and see if it covered WeCare, the medical device manufacturer
    C. No nonconformity: The Service Manager implemented the corrective actions and the Customer Service Representative evaluates the effectiveness of implemented corrective actions
    D. Nonconformity: The management review does not take the feedback from residents' family members into consideration

  • Question 327:

    Scenario:

    Branding is a marketing company that works with some of the most famous companies in the US. To reduce internal costs, Branding has outsourced its software development and IT helpdesk operations to Techvology for over two years. Techvology, equipped with the necessary expertise, manages Branding's software, network, and hardware needs. Branding has implemented an information security management system (ISMS) and is certified against ISO/IEC 27001, demonstrating its commitment to maintaining high standards of information security. It actively conducts audits of Techvology to ensure that the security of its outsourced operations complies with ISO/IEC 27001 certification requirements.

    During the last audit, Branding's audit team defined the processes to be audited and the audit schedule. They adopted an evidence-based approach, particularly in light of two information security incidents reported by Techvology in the past year. The focus was on evaluating how these incidents were addressed and ensuring compliance with the terms of the outsourcing agreement. The audit began with a comprehensive review of Techvology's methods for monitoring the quality of outsourced operations, assessing whether the services provided met Branding's expectations and agreed-upon standards. The auditors also verified whether Techvology complied with the contractual requirements established between the two entities. This involved thoroughly examining the terms and conditions in the outsourcing agreement to guarantee that all aspects, including information security measures, are being adhered to.

    Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to manage its outsourced operations and other organizations. This step is crucial for Branding to verify that proper controls and oversight mechanisms are in place to mitigate potential risks associated with the outsourcing arrangement.

    The auditors conducted interviews with various levels of Techvology's personnel and analyzed the incident resolution records. In addition, Techvology provided records as evidence that it had conducted awareness sessions for staff on incident management. Based on the information gathered, the auditors inferred that both information security incidents were caused by incompetent personnel. Therefore, they requested to see the personnel files of the employees involved in the incidents to review evidence of their competence, such as relevant experience, certificates, and records of attended trainings.

    Branding's auditors performed a critical evaluation of the validity of the evidence obtained and remained alert for evidence that could contradict or call into question the reliability of the documented information received. During the audit at Techvology, the auditors upheld this approach by critically assessing the incident resolution records and conducting thorough interviews with employees at different levels and functions. They did not merely take the word of Techvology's representatives for facts; instead, they sought concrete evidence to support the representatives' claims about the incident management processes.

    Based on the scenario above, answer the following question:

    Question:

    According to the scenario, what type of audit evidence did the auditors collect to determine the source of the information security incidents?

    A. Verbal and documentary evidence
    B. Confirmative and technical evidence
    C. Analytical and mathematical evidence

  • Question 328:

    DRAG DROP

    The following options are key actions involved in a first-party audit. Order the stages to show the sequence in which the actions should take place.

    Select and Place:

  • Question 329:

    DRAG DROP

    Select the words that best complete the sentence below to describe audit resources:

    Select and Place:

  • Question 330:

    Review the following statements and determine which two are false:

    A. Conducting a technology check in advance of a virtual audit can improve the effectiveness and efficiency of the audit
    B. During a virtual audit, auditees participating in interviews are strongly recommended to keep their webcam enabled
    C. The number of days assigned to a third-party audit is determined by the auditee's availability
    D. Due to confidentiality and security concerns, screen sharing during a virtual audit is one method by which the audit team can review the auditee's documentation
    E. The selection of onsite, virtual or combination audits should take into consideration historical performance and previous audit results
    F. Auditors approved for conducting onsite audits do not require additional training for virtual audits, as there are no significant differences in the skillset required

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only PECB exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your ISO-27001-LA exam preparation or PECB certification application, do not hesitate to visit Vcedump.com to find your solutions.