PECB ISO-27001-LA Online Practice Questions and Exam Preparation
ISO-27001-LA Exam Details
Exam Code: ISO-27001-LA
Exam Name: ISO/IEC 27001:2022 Lead Auditor
Certification: PECB Certifications
Vendor: PECB
Total Questions: 394 Q&As
Last Updated: May 31, 2026
PECB ISO-27001-LA Online Questions & Answers
Question 71:
You ask the IT Manager why the organisation still uses the mobile app even though the personal data encryption and pseudonymisation tests failed, and whether the Service Manager is authorised to approve the test.
The IT Manager explains that, according to the software security management procedure, the test results should be approved by him. The encryption and pseudonymisation functions failed because they heavily slowed down the system and service performance; an extra 150% of resources would be needed to cover this. The Service Manager agreed that access control is good enough and acceptable, and that is why the Service Manager signed the approval.
You are preparing the audit findings. Select the correct option.
A. There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)
B. There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
C. There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)
D. There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)
B. There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes developing and entering into licensing agreements that cover code ownership and intellectual property rights, and implementing appropriate contractual requirements related to secure design and coding in accordance with Annex A 8.25 and 8.29.
In this case, the organisation and the developer have performed security tests that failed, which indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT Manager explains that the encryption and pseudonymisation functions failed because they slowed down the system and service performance, and that an extra 150% of resources would be needed to cover this. However, this does not justify the acceptance of the test results by the Service Manager, who is not authorised to approve the test according to the software security management procedure. The Service Manager should have consulted the IT Manager, who is the owner of the process, and followed the procedure for handling nonconformities and corrective actions. The Service Manager's decision to continue the service based on access control alone exposes the organisation to the risk of compromising the confidentiality, integrity, and availability of the personal data processed by the mobile app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.
References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training
2: ISO/IEC 27001 Lead Auditor Training Course by PECB
Question 72:
Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina but has recently expanded to other locations, including Europe and Africa.
Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.
Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment, they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audit reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.
Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.
During this stage, the auditors found out that there was no documentation related to an information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. The stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.
The stage 2 audit was conducted three weeks after the stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees' access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during the stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such a procedure.
During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings from stages 1 and 2 were analyzed, and the audit team decided to issue a positive recommendation for certification.
Based on scenario 6, during the stage 1 audit, the auditor found out that some documents regarding the ISMS had a different format. What should the auditor do in this case?
A. Verify if the documented information has the appropriate format and is in accordance with the company's documentation procedure since this is a requirement of the standard
B. Verify only if the information required by the standard is documented without taking into account the format since this is not a requirement of the standard
C. Document this observation as an issue that should be verified during stage 2 audit
B. Verify only if the information required by the standard is documented without taking into account the format since this is not a requirement of the standard
The auditor should verify if the information required by the standard is documented, without necessarily focusing on the format, as long as the content meets the requirements of the standard. ISO/IEC 27001 does not mandate a specific format for documentation, only that necessary information is appropriately documented, maintained, and controlled.
Question 73:
Based on the identified nonconformities, Company A established action plans that included the detected nonconformities, the root causes, and a general statement regarding each action that would be taken. Is this acceptable?
A. No, the action plans should include information on the systems that will be installed and how these systems will eliminate the root causes
B. No, the auditee is required to submit action plans that include detailed information on how every corrective action will be implemented
C. Yes, the auditee is required to submit action plans that include a general statement regarding the actions that will be taken
B. No, the auditee is required to submit action plans that include detailed information on how every corrective action will be implemented
The auditee is required to submit action plans that include detailed information on how every corrective action will be implemented. General statements are not sufficient; the action plans must specify the corrective actions in detail to ensure that the root causes of the nonconformities are addressed effectively.
References: ISO/IEC 27001:2013, Clause 10.1 (General) and ISO 19011:2018, Guidelines for auditing management systems.
Question 74:
You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned that the organization outsourced the mobile app development to a professional software development company certified to CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301), and ISMS (ISO/IEC 27001).
The IT Manager presented the software security management procedure and summarised the process as follows:
The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:
Access control.
Personal data encryption, i.e., the Advanced Encryption Standard (AES) algorithm with a 256-bit key length.
Personal data pseudonymization.
Vulnerability checked and no security backdoors.
You sample the latest Mobile App Test report, details as follows:
You ask the IT Manager why the organisation still uses the mobile app even though the personal data encryption and pseudonymization tests failed, and whether the Service Manager is authorised to approve the test.
The IT Manager explains that, according to the software security management procedure, the test results should be approved by him.
The encryption and pseudonymisation functions failed because they heavily slowed down the system and service performance; an extra 150% of resources would be needed to cover this. The Service Manager agreed that access control is good enough and acceptable, and that is why the Service Manager signed the approval.
You are preparing the audit findings. Select the correct option.
A. There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)
B. There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)
C. There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)
D. There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
D. There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30). The IT Manager should have approved the test results according to the software security management procedure, not the Service Manager. The Service Manager's decision to accept the failed security tests also violates the "security-by-design" and "security-by-default" principles that the organization adopted. The other options are either incorrect or irrelevant. The organization and developer did perform acceptance tests, but the tests failed (B, C). The Service Manager's decision to continue the service does not justify the nonconformity (A).
References:
1: ISO/IEC 27001:2022, Information technology -- Security techniques -- Information security management systems -- Requirements, Clause 8.1
2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 5: Conducting an ISO/IEC 27001 audit
Question 75:
Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies. The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNet's operations and its compliance with a widely recognized and accepted standard.
But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audit ensured independence and objectivity, and the auditors also had an advisory role regarding the continual improvement of the ISMS.
Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.
Therefore, UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.
The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.
One year after the initial certification audit, the certification body conducted another audit of UpNet's ISMS. This audit aimed to determine whether UpNet's ISMS fulfilled the specified ISO/IEC 27001 requirements and to ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill the requirements of the standard.
Nonetheless, the new department had a significant impact on the governance of the management system. Moreover, the certification body was not informed about any of the changes. Thus, UpNet's certification was suspended.
Based on the scenario above, answer the following question:
What type of audit is illustrated in the last paragraph of scenario 9?
A. Surveillance audit
B. Internal audit
C. Recertification audit
A. Surveillance audit
The audit described in the last paragraph of scenario 9 is a surveillance audit. This type of audit is conducted periodically to ensure that the certified ISMS continues to fulfill the requirements of the standard after the initial certification.
Question 76:
Which one option best describes the purpose of retaining documented information related to the Information Security Management System (ISMS) of an organisation?
A. To ensure that all workers will follow the established procedure.
B. To show compliance with legal requirements.
C. To show objective evidence to third-party auditors.
D. To the extent necessary, to have confidence that the processes have been carried out as planned.
D. To the extent necessary, to have confidence that the processes have been carried out as planned.
The purpose of retaining documented information related to the ISMS of an organisation is, to the extent necessary, to have confidence that the processes have been carried out as planned. This means that the documented information provides evidence of the conformity and effectiveness of the ISMS, as well as the achievement of the information security objectives and the continual improvement of the ISMS. Documented information also supports the analysis and evaluation of the ISMS performance and the identification of opportunities for improvement.
References: ISO/IEC 27001:2022, clause 7.5.1; PECB Candidate Handbook ISO 27001 Lead Auditor, page 17.
Question 77:
Scenario: A hospital outsources email services to a provider. The contract includes uptime terms but no information security requirements, no incident notification timelines, and no right-to-audit clauses. Which three areas should the auditor most reasonably expect the organization to have addressed?
A. Defining information security requirements for supplier services
B. Monitoring and reviewing supplier performance relevant to information security
C. Documenting how supplier-related risks are identified and treated
D. Replacing the supplier immediately during the audit
E. Removing email from the ISMS scope
A. Defining information security requirements for supplier services
B. Monitoring and reviewing supplier performance relevant to information security
C. Documenting how supplier-related risks are identified and treated
A is correct because externally provided services must be controlled with appropriate requirements.
B is correct because ongoing monitoring/review of supplier performance is necessary for control effectiveness.
C is correct because supplier risks must be included in risk assessment and treatment.
D is incorrect because auditors do not mandate immediate operational changes during the audit; they report findings.
E is incorrect because excluding email from scope does not remove obligations if email is relevant to information security and business operations.
References: ISO/IEC 27001:2022 clause 8.1 (control of processes); clause 6.1.2 and 6.1.3 (risk and treatment); Annex A supplier-related controls
Question 78:
Which two of the following are valid audit conclusions?
A. ISMS induction training does not provide guidance on malware prevention
B. The risk register had not been updated since June 202X
C. Corrective action was outstanding for two internal audits
D. The ISMS policy has been effectively communicated to the organisation
E. The organisation's ISMS objectives meet the requirements of ISO/IEC 27001:2022
F. The schedule of applicability was based on the 2013 edition of ISO/IEC 27001, not the 2022 edition
D. The ISMS policy has been effectively communicated to the organisation
E. The organisation's ISMS objectives meet the requirements of ISO/IEC 27001:2022
The two statements that are valid audit conclusions are:
The ISMS policy has been effectively communicated to the organisation
The organisation's ISMS objectives meet the requirements of ISO/IEC 27001:2022
According to ISO 19011:2018, an audit conclusion is the outcome of an audit, provided by the audit team after considering the audit objectives and all audit findings. An audit conclusion can be positive or negative, depending on whether the audit criteria are fulfilled or not. An audit conclusion can also include recommendations for improvement or recognition of good practices. Statements D and E are valid audit conclusions because they express the outcome of the audit based on the audit criteria and findings. For example:
Statement D is a positive audit conclusion, because it indicates that the organisation has fulfilled the requirement of clause 5.2.2 of ISO/IEC 27001:2022, which states that the ISMS policy must be communicated within the organisation and to relevant interested parties. The audit team must have obtained sufficient and appropriate audit evidence to support this conclusion, such as records of communication, awareness activities, feedback, etc.
Statement E is a positive audit conclusion, because it indicates that the organisation has fulfilled the requirement of clause 6.2 of ISO/IEC 27001:2022, which states that the organisation must establish ISMS objectives that are consistent with the ISMS policy and relevant to the information security risks. The audit team must have obtained sufficient and appropriate audit evidence to support this conclusion, such as records of objective setting, risk assessment, alignment with policy, etc.
The other statements are not valid audit conclusions, because they do not express the outcome of the audit based on the audit criteria and findings. They are rather examples of audit findings, which are the results of the evaluation of the collected audit evidence against the audit criteria. Audit findings can indicate either conformity or nonconformity with the audit criteria, or opportunities for improvement. For example:
Statement A is a negative audit finding, because it indicates a nonconformity with the requirement of clause 7.2.2 of ISO/IEC 27001:2022, which states that the organisation must provide information security awareness education and training to persons under its control. The audit team must have identified and documented this nonconformity, and reported it to the auditee.
Statement B is a negative audit finding, because it indicates a nonconformity with the requirement of clause 6.1.2 of ISO/IEC 27001:2022, which states that the organisation must maintain and review the information security risk assessment at planned intervals or when significant changes occur. The audit team must have identified and documented this nonconformity, and reported it to the auditee.
Statement C is a negative audit finding, because it indicates a nonconformity with the requirement of clause 10.1 of ISO/IEC 27001:2022, which states that the organisation must take action to eliminate the causes of nonconformities and prevent recurrence. The audit team must have identified and documented this nonconformity, and reported it to the auditee.
Statement F is a negative audit finding, because it indicates a nonconformity with the requirement of clause 6.1.3 of ISO/IEC 27001:2022, which states that the organisation must determine the controls that are necessary to implement the risk treatment plan, and document them in the statement of applicability. The audit team must have identified and documented this nonconformity, and reported it to the auditee.
Question 79:
An organisation has ISO/IEC 27001 Information Security Management System (ISMS) certification from a third-party certification body. Which one of the following represents an advantage of having accredited certification?
A. An increase in the marketing price of the organisation's products
B. An increase in the number of clients
C. Clarity of the audit report
D. Recognition of the credibility of the certification process.
D. Recognition of the credibility of the certification process.
One of the advantages of having accredited certification of ISMS to ISO/IEC 27001:2022 is that it demonstrates the recognition of the credibility of the certification process. Accredited certification means that the certification body has been assessed and approved by an accreditation body, which ensures that the certification body operates according to international standards and follows impartiality, competence and consistency principles. Accredited certification also enhances the confidence of the organisation's customers, partners, regulators and other interested parties in the organisation's information security performance and compliance.
References: ISO/IEC 27001:2022, clause 0.2; [PECB Candidate Handbook ISO 27001 Lead Auditor], page 6; Key Benefits of ISO 27001 Certification - IT Governance.
Question 80:
Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having had an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third-party audit in order to get certified against ISO/IEC 27001.
The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well-known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.
Jack conducted thorough analyses of each phase of the ISMS audit, studying and evaluating every information security requirement and control that was implemented by NightCore. During the stage 2 audit, Jack detected several nonconformities. After comparing the number of purchase invoices for software licenses with the software inventory, Jack found out that the company had been using illegal versions of software on many computers. He decided to ask the top management for an explanation of this nonconformity and to see whether they were aware of it. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team through the inner workings of their system and their digital assets infrastructure.
While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusually large transactions to one of their consultants. After gathering all the necessary details regarding the transactions, Jack decided to interview the top management directly. When discussing the first nonconformity, the top management told Jack that they had willingly decided to use copied software over the original since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.
Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.
Based on this scenario, answer the following question:
Based on scenario 3, which ISO/IEC 27001 control has NightCore ignored when they used an illegal version of software?
A. Annex A 5.1 Policies for information security
B. Annex A 5.10 Acceptable use of information and other associated assets
C. Annex A 5.32 Intellectual property rights
C. Annex A 5.32 Intellectual property rights
By using illegal versions of software, NightCore ignored the control about intellectual property rights under Annex A.8.1.1 of ISO/IEC 27001, which requires the protection of organizational records to include intellectual property and personal information held in the form of data or software.
References: ISO/IEC 27001:2013 Standard, Annex A.8.1.1 (Responsibility for assets)