PECB ISO-27001-LA Online Practice Questions and Exam Preparation

PECB ISO-27001-LA Online Questions & Answers

• Question 331:

  Scenario:

  Tessa. Malik, and Michael are an audit team of independent and qualified experts in the field of security, compliance, and business planning and strategies. They are assigned to conduct a certification audit in Clastus, a large web design company. They have previously shown excellent work ethics, including impartiality and objectiveness, while conducting audits. This time, Clastus is positive that they will be one step ahead if they get certified against ISO/IEC 27001.

  Tessa, the audit team leader, has expertise in auditing and a very successful background in IT-related issues, compliance, and governance. Malik has an organizational planning and risk management background. His expertise relies on the level of synthesis and analysis of an organization's security controls and its risk tolerance in accurately characterizing the risk level within an organization On the other hand, Michael is an expert in the practical security of controls assessment by following rigorous

  standardized programs.

  After performing the required auditing activities, Tessa initiated an audit team meeting They analyzed one of Michael s findings to decide on the issue objectively and accurately. The issue Michael had encountered was a minor nonconformity in the organization's daily operations, which he believed was caused by one of the organization's IT technicians As such, Tessa met with the top management and told them who was responsible for the nonconformity after they inquired about the names of the persons

  responsible

  To facilitate clarity and understanding, Tessa conducted the closing meeting on the last day of the audit. During this meeting, she presented the identified nonconformities to the Clastus management. However, Tessa received advice to avoid providing unnecessary evidence in the audit report for the Clastus certification audit, ensuring that the report remains concise and focused on the critical findings.

  Based on the evidence examined, the audit team drafted the audit conclusions and decided that two areas of the organization must be audited before the certification can be granted. These decisions were later presented to the auditee, who did not accept the findings and proposed to provide additional information. Despite the auditee's comments, the auditors, having already decided on the certification recommendation, did not accept the additional information. The auditee's top management insisted that

  the audit conclusions did not represent reality, but the audit team remained firm in their decision.

  Based on the scenario above, answer the following question:

  Question:

  Who is primarily responsible for the preparation and content of the audit report?

  A. Audit team leader
  B. Audit team member
  C. Certification body
  A. Audit team leader

  ---

  A.

  Correct Answer:

  ISO 19011:2018 states that the audit team leader is responsible for compiling and finalizing the audit report.

  B. Incorrect:

  Team members contribute findings, but the leader ensures finalization.

  C. Incorrect:

  The certification body reviews but does not prepare the report.

  Relevant Standard Reference:

  ISO 19011:2018 Clause 6.7.1 (Audit Report Preparation and Approval)

• Question 332:

  After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation. Considering this information, what action would you expect the audit team leader to take?

  A. Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform
  B. Increase the length of the Stage 2 audit to include the extra sites
  C. Inform the auditee that the audit team leader accepts the request
  D. Obtain information about the additional sites to inform the individual(s) managing the audit programme
  D. Obtain information about the additional sites to inform the individual(s) managing the audit programme

  ---

  According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the audit team leader should obtain information about the additional sites to inform the individual(s) managing the audit programme, as this may affect the audit objectives, scope, criteria, duration, resources, and risks. The audit team leader should also review the audit plan and make any necessary adjustments in consultation with the auditee and the audit client1.

  References: 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 27, section 4.3.2.2.

• Question 333:

  Scenario:

  Cyber ACrypt is a cybersecurity company that provides endpoint protection by offering anti-malware and device security, asset life cycle management, and device encryption. To validate its ISMS against ISO/IEC 27001 and demonstrate its commitment to cybersecurity excellence, the company underwent a meticulous audit process led by John, the appointed audit team leader.

  Upon accepting the audit mandate, John promptly organized a meeting to outline the audit plan and team roles This phase was crucial for aligning the team with the audit's objectives and scope However, the initial presentation to Cyber ACrypt's staff revealed a significant gap in understanding the audit's scope and objectives, indicating potential readiness challenges within the company

  As the stage 1 audit commenced, the team prepared for on-site activities. They reviewed Cyber ACrypt' s documented information, including the information security policy and operational procedures ensuring each piece conformed to and was standardized in format with author identification, production date, version number, and approval date Additionally, the audit team ensured that each document contained the information required by the respective clause of the standard This phase revealed that a

  detailed audit of the documentation describing task execution was unnecessary, streamlining the process and focusing the team's efforts on critical areas During the phase of conducting on-site activities, the team evaluated management responsibility for the Cyber Acrypt's policies This thorough examination aimed to ascertain continual improvement and adherence to ISMS requirements Subsequently, in the document, the stage 1 audit outputs phase, the audit team meticulously documented their findings,

  underscoring their conclusions regarding the fulfillment of the stage 1 objectives. This documentation was vital for the audit team and Cyber ACrypt to understand the preliminary audit outcomes and areas requiring attention.

  The audit team also decided to conduct interviews with key interested parties. This decision was motivated by the objective of collecting robust audit evidence to validate the management system's compliance with ISO/IEC 27001 requirements. Engaging with interested parties across various levels of Cyber ACrypt provided the audit team with invaluable perspectives and an understanding of the ISMS' s implementation and effectiveness.

  The stage 1 audit report unveiled critical areas of concern. The Statement of Applicability (SoA) and the ISMS policy were found to be lacking in several respects, including insufficient risk assessment, inadequate access controls, and lack of regular policy reviews. This prompted Cyber ACrypt to take immediate action to address these shortcomings. Their prompt response and modifications to the strategic documents reflected a strong commitment to achieving compliance.

  The technical expertise introduced to bridge the audit team's cybersecurity knowledge gap played a pivotal role in identifying shortcomings in the risk assessment methodology and reviewing network architecture. This included evaluating firewalls, intrusion detection and prevention systems, and other network security measures, as well as assessing how Cyber ACrypt detects, responds to, and recovers from external and internal threats. Under John's supervision, the technical expert communicated the audit

  findings to the representatives of Cyber ACrypt. However, the audit team observed that the expert s objectivity might have been compromised due to receiving consultancy fees from the auditee. Considering the behavior of the technical expert during the audit, the audit team leader decided to discuss this concern with the certification body.

  Based on the scenario above, answer the following question:

  Question:

  Based on Scenario, was the objective of the interviews during the Stage 1 audit accordingly set by the audit team?

  A. Yes, the objective of the interviews is to collect audit evidence to validate the management system' s compliance with ISO/IEC 27001 requirements
  B. No, the objective of the interviews was not aligned with the management system's key performance indicators (KPIs), reducing the audit's effectiveness
  C. No, the objective of the interviews is to ensure an adequate understanding of the challenges the auditee faces
  A. Yes, the objective of the interviews is to collect audit evidence to validate the management system' s compliance with ISO/IEC 27001 requirements

  ---

  A.

  Correct Answer:

  The primary goal of audit interviews is to validate compliance with ISO/IEC 27001 .

  ISO 19011:2018 states that interviews are a method to gather audit evidence.

  B. Incorrect:

  KPIs are relevant for performance measurement, but interviews focus on compliance validation .

  C. Incorrect:

  Understanding business challenges is secondary; the primary objective is ISO/IEC 27001 compliance verification .

  Relevant Standard Reference:

  ISO 19011:2018 Clause 6.4.6 (Interviewing Techniques in Auditing)

• Question 334:

  You are the audit team leader conducting a third-party audit of an online insurance organisation. During Stage 1, you found that the organisation took a very cautious risk approach and included all the information security controls in ISO/IEC 27001:2022 Appendix A in their Statement of Applicability.

  During the Stage 2 audit, your audit team found that there was no evidence of the implementation of the three controls (5.3 Segregation of duties, 6.1 Screening, 7.12 Cabling security) shown in the extract from the Statement of Applicability. No risk treatment plan was found.

  

  Select three options for the actions you would expect the auditee to take in response to a nonconformity against clause 6.1.3.e of ISO/IEC 27001:2022.

  A. Allocate responsibility for producing evidence to prove to auditors that the controls are implemented.
  B. Compile plans for the periodic assessment of the risks associated with the controls.
  C. Implement the appropriate risk treatment for each of the applicable controls.
  D. Incorporate written procedures for the controls into the organisation's Security Manual.
  E. Remove the three controls from the Statement of Applicability.
  F. Revise the relevant content in the Statement of Applicability to justify their exclusion.
  G. Revisit the risk assessment process relating to the three controls.
  H. Undertake a survey of customers to find out if the controls are needed by them.
  C. Implement the appropriate risk treatment for each of the applicable controls.
  F. Revise the relevant content in the Statement of Applicability to justify their exclusion.
  G. Revisit the risk assessment process relating to the three controls.

  ---

  According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the auditee should take the following actions in response to a nonconformity against clause 6.1.3.e of ISO/IEC 27001:20221:

  Implement the appropriate risk treatment for each of the applicable controls, as this is the main requirement of clause 6.1.3.e and the objective of the risk treatment process.

  Revise the relevant content in the Statement of Applicability to justify their exclusion, as this is the expected output of the risk treatment process and the evidence of the risk-based decisions.

  Revisit the risk assessment process relating to the three controls, as this is the input for the risk treatment process and the source of identifying the risks and the controls.

  The other options are not correct because:

  Allocating responsibility for producing evidence to prove to auditors that the controls are implemented is not a valid action, as the audit team already found that there was no evidence of the implementation of the three controls.

  Compiling plans for the periodic assessment of the risks associated with the controls is not a valid action, as this is part of the risk monitoring and review process, not the risk treatment process.

  Incorporating written procedures for the controls into the organisation's Security Manual is not a valid action, as this is part of the documentation and operation of the ISMS, not the risk treatment process.

  Removing the three controls from the Statement of Applicability is not a valid action, as this is not a sufficient justification for their exclusion and does not reflect the risk treatment process.

  Undertaking a survey of customers to find out if the controls are needed by them is not a valid action, as this is not a relevant criterion for the risk assessment and treatment process, which should be based on the organisation's own context and objectives.

• Question 335:

  Auditors should have certain knowledge and skills; while audit team leaders should have some additional knowledge and skills. From the following list, select two that only apply to audit team leaders.

  A. Plan the audit
  B. Understand and apply the risk-based approach to auditing
  C. Apply appropriate sampling techniques
  D. Make effective use of resources provided to the audit
  E. Be aware of cultural and social aspects of the auditee
  F. Verify the relevance and accuracy of collected information
  A. Plan the audit
  D. Make effective use of resources provided to the audit

  ---

  According to the PECB Candidate Handbook1, audit team leaders should have the following additional knowledge and skills compared to auditors: Plan the audit, including preparing the audit plan, assigning work to the audit team members and coordinating their activities Make effective use of resources provided to the audit, such as personnel, time, budget and equipment Manage the audit process, including leading the opening and closing meetings, directing the audit team, resolving conflicts and ensuring the audit objectives are achieved Review and approve the audit report and audit findings Communicate with the client and other interested parties throughout the audit

  References: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 9-10.

• Question 336:

  Scenario:

  Techmanic is a Belgian company founded in 1995 and currently operating in Brussels. It provides IT consultancy, software design, and hardware/software services, including deployment and maintenance. The company serves sectors like public services, finance, telecom, energy, healthcare, and education. As a customer-centered company, it prioritizes strong client relationships and leading security practices.

  Techmanic has been ISO/IEC 27001 certified for a year and regards this certification with pride. During the certification audit, the auditor found some inconsistencies in its ISMS implementation. Since the observed situations did not affect the capability of its ISMS to achieve the intended results, Techmanic was certified after auditors followed up on the root cause analysis and corrective actions remotely During that year, the company added hosting to its list of services and requested to expand its certification

  scope to include that area The auditor in charge approved the request and notified Techmanic that the extension audit would be conducted during the surveillance audit

  Techmanic underwent a surveillance audit to verify its iSMS's continued effectiveness and compliance with ISO/IEC 27001. The surveillance audit aimed to ensure that Techmanic's security practices, including the recent addition of hosting services, aligned seamlessly with the rigorous requirements of the certification

  The auditor strategically utilized the findings from previous surveillance audit reports in the recertification activity with the purpose of replacing the need for additional recertification audits, specifically in the IT consultancy sector. Recognizing the value of continual improvement and learning from past assessments. Techmanic implemented a practice of reviewing previous surveillance audit reports. This proactive approach not only facilitated identifying and resolving potential nonconformities but also aimed to

  streamline the recertification process in the IT consultancy sector.

  During the surveillance audit, several nonconformities were found. The ISMS continued to fulfill the ISO/IEC 27001*s requirements, but Techmanic failed to resolve the nonconformities related to the hosting services, as reported by its internal auditor. In addition, the internal audit report had several inconsistencies, which questioned the independence of the internal auditor during the audit of hosting services. Based on this, the extension certification was not granted. As a result. Techmanic requested a

  transfer to another certification body. In the meantime, the company released a statement to its clients stating that the ISO/IEC 27001 certification covers the IT services, as well as the hosting services.

  Based on the scenario above, answer the following question:

  Question:

  Is the internal auditor responsible for following up on action plans resulting from external audits?

  A. No, the internal auditor should follow up on action plans submitted in response to nonconformities resulting only from internal audits
  B. Yes, only if minor nonconformities have been detected during the external audit
  C. Yes, the internal auditor should follow up on action plans submitted during internal and external audits
  A. No, the internal auditor should follow up on action plans submitted in response to nonconformities resulting only from internal audits

  ---

  A.

  Correct Answer:

  Internal auditors focus on internal audit nonconformities, while external auditors oversee external audit follow-ups.

  B. Incorrect:

  Minor nonconformities do not change the role of internal auditors.

  C. Incorrect:

  Internal auditors do not follow up on external audit findings--this is the certification body' s responsibility.

  Relevant Standard Reference:

  ISO/IEC 27001:2022 Clause 9.2.2 (Internal Audit Responsibilities)

• Question 337:

  DRAG DROP

  You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.

  Match each of the descriptions provided to one of the following risk management processes.

  To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

  Select and Place:

  

  

  Explanation:

  Risk analysis is the process by which the nature of the risk is determined along with its probability and impact. Risk analysis involves estimating the likelihood and consequences of potential events or situations that could affect the organization's information security objectives or requirements. Risk analysis could use qualitative or quantitative methods, or a combination of both. Risk management is the process by which a risk is controlled at all stages of its life cycle by means of the application of organisational policies, procedures and practices. Risk management involves establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing the risks that could affect the organization's information security performance or compliance. Risk management aims to ensure that risks are identified and treated in a timely and effective manner, and that opportunities for improvement are exploited. Risk identification is the process by which a risk is recognised and described. Risk identification involves identifying and documenting the sources, causes, events, scenarios, and potential impacts of risks that could affect the organization's information security objectives or requirements. Risk identification could use various techniques, such as brainstorming, interviews, checklists, surveys, or historical data. Risk evaluation is the process by which the impact and/or probability of a risk is compared against risk criteria to determine if it is tolerable. Risk evaluation involves comparing the results of risk analysis with predefined criteria that reflect the organization's risk appetite, tolerance, or acceptance. Risk evaluation could use various methods, such as ranking, scoring, or matrix. Risk evaluation helps to prioritize and decide on the appropriate risk treatment options. Risk mitigation is the process by which the impact and/or probability of a risk is reduced by means of the application of controls. Risk mitigation involves selecting and implementing measures that are designed to prevent, reduce, transfer, or accept risks that could affect the organization's information security objectives or requirements. Risk mitigation could include various types of controls, such as technical, organizational, legal, or physical. Risk mitigation should be based on a cost-benefit analysis and a residual risk assessment. Risk transfer is the process by which a risk is passed to a third party, for example through obtaining appropriate insurance. Risk transfer involves sharing or shifting some or all of the responsibility or liability for a risk to another party that has more capacity or capability to manage it. Risk transfer could include various methods, such as contracts, agreements, partnerships, outsourcing, or insurance. Risk transfer should not be used as a substitute for effective risk management within the organization. References : ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements ISO/IEC 27005:2022 Information technology -- Security techniques -- Information security risk management

• Question 338:

  You are conducting an Information Security Management System audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices.

  Parcels typically contain pharmaceutical products, biological samples and documents such as passports and driving licences.

  You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

  You: Are items checked before being dispatched?

  SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

  You: What action is taken when items are returned?

  SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

  You raise a non-conformity against clause 8.1 of ISO 27001:2022.

  Which one option below that best describes the non-conformity you have identified?

  A. The organisation does not have an approved process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have corrected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational methods to meet information security requirements.
  B. The organisation does not have an audited process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have inaccurate information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational rules to meet information security requirements.
  C. The organisation does not have an effective process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational controls to meet information security requirements.
  D. The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have detailed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational procedures to meet information security requirements.
  E. The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have protected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational processes to meet information security requirements.
  C. The organisation does not have an effective process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational controls to meet information security requirements.

  ---

  The non-conformity you have identified relates to the organization's failure to implement adequate operational controls to ensure that service and regulatory requirements for data protection are met. This situation is particularly critical given the nature of the items being shipped, which include sensitive medical information and government documents. The fact that 15% of returned parcels have labels for different addresses, potentially exposing sensitive information to incorrect recipients, underscores the lack of effective information security practices.

  The best description of the non-conformity, based on the details provided and the requirements of ISO/IEC 27001:2022, particularly clause 8.1 which deals with operational planning and control, would be:

  C. The organisation does not have an effective process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational controls to meet information security requirements.

  This option accurately captures the essence of the non-conformity by highlighting the lack of effective operational controls to protect sensitive information, leading to potential unauthorized disclosure of information intended for another party. This is a direct violation of information security management principles, particularly those related to the protection of confidentiality and integrity of information as mandated by ISO/IEC 27001:2022.

• Question 339:

  Scenario:

  Tessa. Malik, and Michael are an audit team of independent and qualified experts in the field of security, compliance, and business planning and strategies. They are assigned to conduct a certification audit in Clastus, a large web design company. They have previously shown excellent work ethics, including impartiality and objectiveness, while conducting audits. This time, Clastus is positive that they will be one step ahead if they get certified against ISO/IEC 27001.

  Tessa, the audit team leader, has expertise in auditing and a very successful background in IT-related issues, compliance, and governance. Malik has an organizational planning and risk management background. His expertise relies on the level of synthesis and analysis of an organization's security controls and its risk tolerance in accurately characterizing the risk level within an organization On the other hand, Michael is an expert in the practical security of controls assessment by following rigorous

  standardized programs.

  After performing the required auditing activities, Tessa initiated an audit team meeting They analyzed one of Michael s findings to decide on the issue objectively and accurately. The issue Michael had encountered was a minor nonconformity in the organization's daily operations, which he believed was caused by one of the organization's IT technicians As such, Tessa met with the top management and told them who was responsible for the nonconformity after they inquired about the names of the persons

  responsible

  To facilitate clarity and understanding, Tessa conducted the closing meeting on the last day of the audit. During this meeting, she presented the identified nonconformities to the Clastus management. However, Tessa received advice to avoid providing unnecessary evidence in the audit report for the Clastus certification audit, ensuring that the report remains concise and focused on the critical findings.

  Based on the evidence examined, the audit team drafted the audit conclusions and decided that two areas of the organization must be audited before the certification can be granted. These decisions were later presented to the auditee, who did not accept the findings and proposed to provide additional information. Despite the auditee's comments, the auditors, having already decided on the certification recommendation, did not accept the additional information. The auditee's top management insisted that

  the audit conclusions did not represent reality, but the audit team remained firm in their decision.

  Based on the scenario above, answer the following question:

  Question:

  The audit team did not accept Clastus's additional information because they had already made the certification recommendation . Is this acceptable?

  A. Yes, once the audit team decides on a certification recommendation, they cannot accept any additional information
  B. No, the auditee can provide additional information if they disagree with the certification recommendation
  C. No, the auditor should not consider revisions that resulted from discussions with the auditee in the certification recommendation decision
  B. No, the auditee can provide additional information if they disagree with the certification recommendation

  ---

  B.

  Correct Answer:

  ISO 19011:2018 (Guidelines for Auditing) requires auditors to consider all relevant evidence before making a final recommendation.

  Clastus has the right to present additional evidence if they disagree with findings.

  A. Incorrect:

  Certification recommendations should remain open to valid new evidence until officially finalized.

  C. Incorrect:

  Auditors must consider revisions if they provide relevant clarification or evidence.

  Relevant Standard Reference:

  ISO 19011:2018 Clause 6.6.3 (Handling Disputes and Additional Evidence in Audits)

• Question 340:

  Who are allowed to access highly confidential files?

  A. Employees with a business need-to-know
  B. Contractors with a business need-to-know
  C. Employees with signed NDA have a business need-to-know
  D. Non-employees designated with approved access and have signed NDA
  A. Employees with a business need-to-know

  ---

  According to ISO/IEC 27001:2022, clause 8.2.1, the organization shall ensure that access to information and information processing facilities is limited to authorized users based on the access control policy and in accordance with the business requirements of access control2. Therefore, only employees with a business need-to-know are allowed to access highly confidential files, and not contractors, non-employees or employees with signed NDA.

  References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA