PECB ISO-27001-LA Online Practice Questions and Exam Preparation

PECB ISO-27001-LA Online Questions & Answers

• Question 81:

  Scenario: FinWave runs an incident response process. An incident occurred, but the organization did not record it because it was "handled quickly." There is no evidence of classification, decision, or lessons learned. Which clause is most directly impacted?

  A. Clause 4.1 Understanding the organization and its context
  B. Clause 7.2 Competence
  C. Clause 9.1 Monitoring, measurement, analysis and evaluation
  D. Clause 10.1 Nonconformity and corrective action
  D. Clause 10.1 Nonconformity and corrective action

  ---

  D is correct. A security incident indicates a nonconformity/event requiring evaluation and learning; lack of recorded evidence and failure to evaluate actions and prevent recurrence aligns most closely with clause 10.1 expectations for reacting, determining causes, implementing actions, and retaining evidence.

  A is incorrect because context determination is not the direct issue.

  B is incorrect because competence may be relevant but not the primary failure described.

  C is incorrect because monitoring/measurement is broader; the scenario emphasizes failure to handle and learn from an adverse event through corrective action discipline.

  References: ISO/IEC 27001:2022 clause 10.1

• Question 82:

  You are an ISMS audit team leader preparing to chair a closing meeting following a third-party surveillance audit. You are drafting a closing meeting agenda setting out the topics you wish to discuss with your auditee. Which one of the following would be appropriate for inclusion?

  A. A detailed explanation of the certification body's complaints process
  B. An explanation of the audit plan and its purpose
  C. A disclaimer that the result of the audit is based on the sampling of evidence
  D. Names of auditees associated with nonconformities
  C. A disclaimer that the result of the audit is based on the sampling of evidence

  ---

  This option is appropriate for inclusion in the closing meeting agenda, as it is a requirement of the ISO 19011 standard, which provides guidelines for auditing management systems, including ISMS12. The standard states that the audit team leader should advise the auditee of any situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions, such as limitations in the audit scope, access, or sampling3. The standard also states that the audit report

  should include a statement that the audit is based on a sample of the information available at the time of the audit, and that the audit does not provide absolute assurance of the conformity or effectiveness of the audited management system4. Therefore, the audit team leader should include a disclaimer in the closing meeting agenda to inform the auditee of the nature and limitations of the audit, and to avoid any misunderstandings or false expectations. The other options are not appropriate for inclusion in the

  closing meeting agenda, as they are either irrelevant, incorrect, or incomplete. For example:

  A detailed explanation of the certification body's complaints process is not relevant for the closing meeting agenda, as it is not related to the audit findings or conclusions. The certification body's complaints process should be communicated to the auditee before the audit, as part of the audit agreement or contract5.

  An explanation of the audit plan and its purpose is not correct for the closing meeting agenda, as it should have been done at the opening meeting or before the audit. The audit plan is a document that describes the scope, objectives, criteria, and methodology of the audit, as well as the audit schedule, the audit team, the audit locations, and the audit deliverables . The audit plan should be communicated and agreed with the auditee in advance, and any changes or deviations should be notified during the

  audit.

  Names of auditees associated with nonconformities are not complete for the closing meeting agenda, as they do not provide the details or the evidence of the nonconformities. The audit team leader should present the audit findings, which include the description, the audit criteria, and the audit evidence of each nonconformity, as well as the audit conclusions and the audit recommendation . The audit team leader should also avoid naming or blaming individuals, and focus on the processes and the system.

  References: 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 222: ISO 19011:2018 Guidelines for auditing management systems, clause 13: ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.94:

  ISO 19011:2018 Guidelines for auditing management systems, clause 7.5.25: ISO/IEC 17021-1:2015 Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 1: Requirements, clause 9.8. : ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.1. : ISO/IEC 27007:2011 Information technology -- Security techniques -- Guidelines for information security management systems auditing, clause 6.2.1. : ISO 19011:

  2018 Guidelines for auditing management systems, clause 6.4.2. : ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.10. : ISO/IEC 27007:2011 Information technology -- Security techniques -- Guidelines for information security management systems auditing, clause 6.3.3.

• Question 83:

  DRAG DROP

  Please match the following situations to the type of audit required.

  Select and Place:

  

  

  Explanation:

  Top management requests auditors from the organisation's compliance department to audit the production process in order to ensure the final product meets quality requirements = First-party audit Auditors from the buyer's organisation audit their raw material supplier to ensure the supply fulfils the order and contract = Second-party audit Auditors from an independent certification body conduct an audit of the organisation to verify conformity with an ISO Standard for certification purposes = Third-party audit The organisation has been audited against two management system standards in one audit = Combined audit According to the ISO/IEC 27001 standard, there are three main categories of audits: internal, external, and certification1. An internal audit, also known as a first-party audit, is an audit conducted by the organisation itself, or by an external party on its behalf, for management review and other internal purposes12. An external audit, also known as a second-party audit, is an audit conducted by a customer or other interested party on a supplier or contractor to verify compliance with contractual or other requirements. A certification audit, also known as a third-party audit, is an audit conducted by an independent certification body to verify conformity with an ISO standard for certification purposes. A combined audit is an audit where two or more management system standards are audited together.

  References:

  1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 19

  2: ISO 27001 Audit Types and How They are Conducted

  3: The Four ISO 27001 Audit Categories, Explained

• Question 84:

  Scenario: During stage 1, the audit team finds that the organization has an SoA but it lists only "applicable controls" and does not indicate excluded Annex A controls nor any justification for exclusion. Does this meet ISO/IEC 27001:2022 requirements for the SoA?

  A. Yes, because the SoA may list only applicable controls
  B. Yes, if the organization's risk assessment is documented elsewhere
  C. No, because the SoA must include justification for inclusions and exclusions
  D. No, because the SoA must include a full copy of Annex A text
  C. No, because the SoA must include justification for inclusions and exclusions

  ---

  C is correct. Clause 6.1.3 requires a Statement of Applicability that includes the necessary controls, and justification for their inclusion, whether controls are implemented, and justification for exclusions of Annex A controls.

  A is incorrect because listing only applicable controls omits required exclusions/justifications.

  B is incorrect because risk assessment documentation does not replace SoA content requirements.

  D is incorrect because the SoA does not need to reproduce Annex A text; it must identify controls and rationales.

  References: ISO/IEC 27001:2022 clause 6.1.3

• Question 85:

  DRAG DROP

  Select a word from the following options that best completes the sentence:

  To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

  Select and Place:

  

  

  Explanation:

  The purpose of a management system audit is to evaluate the performance of an organization's management system.

  A management system audit is an independent and systematic analysis and evaluation of a company's overall activities and performances. It is a valuable tool used to determine the efficiency, functions, accomplishments and achievements of the company. A management system audit can be conducted against a range of audit criteria, including (but not limited to) requirements set of in existing ISO standards. According to ISO 19011:2018, which provides guidelines for auditing management systems, the

  purpose of an audit is to enable the auditor to provide an audit conclusion that is related to the audit objectives. The audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the

  audited management system, and facilitating continual improvement of the audited management system.

  Therefore, the correct answer is evaluate, as it best describes the purpose of a management system audit. The other options are not correct because they are not specific enough or do not reflect the intended outcome of an audit. For example, improve implies that the audit itself will enhance the performance of the management system, which is not necessarily true. Manage implies that the audit will control or direct the management system, which is not its role. Research implies that the audit will generate

  new knowledge or information about the management system, which is not its primary aim.

• Question 86:

  Which two risk treatment options are correctly defined?

  A. Risk retention: deciding to accept the risk without further action
  B. Risk avoidance: implementing controls to reduce likelihood or impact
  C. Risk sharing: transferring or sharing part of the risk with another party
  D. Risk modification: eliminating all risk permanently
  A. Risk retention: deciding to accept the risk without further action
  C. Risk sharing: transferring or sharing part of the risk with another party

  ---

  A is correct: retention means accepting residual risk.

  C is correct: sharing includes insurance, outsourcing with contractual allocation, etc.

  B is incorrect because that describes risk modification, not avoidance. Avoidance means stopping the activity or removing the source of risk.

  D is incorrect because modification reduces risk; it does not necessarily eliminate all risk permanently.

  References: ISO/IEC 27001 risk treatment concepts (clause 6.1.3 aligned practices)

• Question 87:

  Phishing is what type of Information Security Incident?

  A. Private Incidents
  B. Cracker/Hacker Attacks
  C. Technical Vulnerabilities
  D. Legal Incidents
  B. Cracker/Hacker Attacks

  ---

  Phishing is a type of information security incident that falls under the category of cracker/hacker attacks. Phishing is a form of fraud that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. Phishing is a common and serious threat to information security, as it can lead to identity theft, financial loss, data breach, malware infection or other damages. ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2).

  References: CQI and IRCA Certified ISO/ IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements, What is Phishing?

• Question 88:

  You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.

  You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.

  You go to reception and ask to see the door access record for the client's suite. This indicates only one card was swiped. You ask the receptionist and they reply, "yes it's a common problem.

  We ask everyone to swipe their cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

  Based on the scenario above which one of the following actions would you now take?

  A. Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times
  B. Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV
  C. Raise a nonconformity against control A.7.1 'security perimiters' as a secure area is not adequately protected
  D. Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined
  E. Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier
  F. Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities
  B. Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

  ---

  The best action to take in this scenario is to determine whether any additional effective arrangements are in place to verify individual access to secure areas, such as CCTV. This action is consistent with the audit principle of evidence-based approach, which requires the auditor to obtain sufficient and appropriate audit evidence to support the audit findings and conclusions1. By verifying the existence and effectiveness of other security controls, the auditor can assess the extent and impact of the

  nonconformity observed, and determine the appropriate audit finding and recommendation.

  The other options are not the best actions to take in this scenario, because they are either premature or inappropriate. For example:

  Option A is inappropriate, because it is not the auditor's role to suggest specific solutions or improvements to the auditee, but rather to report the audit findings and recommendations based on the audit criteria and objectives. A large sign in reception may not be an effective or feasible solution to address the issue of tailgating, and it may not reflect the root cause of the problem.

  Option C is premature, because it assumes that the control A.7.1 `security perimeters' is not adequately implemented, without verifying the existence and effectiveness of other security controls that may compensate for the observed nonconformity. The auditor should not jump to conclusions based on a single observation, but rather gather sufficient and appropriate audit evidence to support the audit finding.

  Option D is premature, because it assumes that the control A.7.6 `working in secure areas' is not adequately implemented, without verifying the existence and effectiveness of other security controls that may compensate for the observed nonconformity. The auditor should not jump to conclusions based on a single observation, but rather gather sufficient and appropriate audit evidence to support the audit finding.

  Option E is inappropriate, because it is not related to the observed nonconformity, which is about the access control to secure areas, not the information security requirements agreed upon with the supplier. The auditor should not raise a nonconformity based on irrelevant or incorrect audit criteria4.

  Option F is inappropriate, because it is not the auditor's role to suggest specific solutions or improvements to the auditee, but rather to report the audit findings and recommendations based on the audit criteria and objectives. Requiring contractors to be accompanied at all times when accessing secure facilities may not be an effective or feasible solution to address the issue of tailgating, and it may not reflect the root cause of the problem.

  References: 1: ISO 19011:2018, 5.2; 2: ISO 19011:2018, 6.6; 3: ISO 19011:2018, 6.2; 4: ISO 19011:2018, 6.3; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018

• Question 89:

  Which one of the following is the most appropriate statement to include in a closing meeting for a third-party certification audit?

  A. "The certification body guarantees full compliance across all operations based on this audit."
  B. "Audit conclusions are based on a sample of information available at the time of the audit."
  C. "All nonconformities found will be closed today if the auditee agrees."
  D. "The audit team will recommend certification if no further issues are found next year."
  B. "Audit conclusions are based on a sample of information available at the time of the audit."

  ---

  B is correct. Audits rely on sampling; the closing meeting should communicate limitations that may affect confidence in conclusions.

  A is incorrect because audits do not guarantee full compliance; they provide reasonable assurance based on sampled evidence.

  C is incorrect because closure requires corrective action processes and verification, not same-day closure by agreement alone.

  D is incorrect because certification recommendation must be based on current audit results and certification body processes, not future expectations.

  References: ISO 19011:2018 (closing meeting and reporting considerations)

• Question 90:

  Scenario:

  Techmanic is a Belgian company founded in 1995 and currently operating in Brussels. It provides IT consultancy, software design, and hardware/software services, including deployment and maintenance. The company serves sectors like public services, finance, telecom, energy, healthcare, and education. As a customer-centered company, it prioritizes strong client relationships and leading security practices.

  Techmanic has been ISO/IEC 27001 certified for a year and regards this certification with pride. During the certification audit, the auditor found some inconsistencies in its ISMS implementation. Since the observed situations did not affect the capability of its ISMS to achieve the intended results, Techmanic was certified after auditors followed up on the root cause analysis and corrective actions remotely During that year, the company added hosting to its list of services and requested to expand its certification

  scope to include that area The auditor in charge approved the request and notified Techmanic that the extension audit would be conducted during the surveillance audit Techmanic underwent a surveillance audit to verify its iSMS's continued effectiveness and compliance with ISO/IEC 27001. The surveillance audit aimed to ensure that Techmanic's security practices, including the recent addition of hosting services, aligned seamlessly with the rigorous requirements of the certification

  The auditor strategically utilized the findings from previous surveillance audit reports in the recertification activity with the purpose of replacing the need for additional recertification audits, specifically in the IT consultancy sector. Recognizing the value of continual improvement and learning from past assessments. Techmanic implemented a practice of reviewing previous surveillance audit reports. This proactive approach not only facilitated identifying and resolving potential nonconformities but also aimed to

  streamline the recertification process in the IT consultancy sector.

  During the surveillance audit, several nonconformities were found. The ISMS continued to fulfill the ISO/IEC 27001*s requirements, but Techmanic failed to resolve the nonconformities related to the hosting services, as reported by its internal auditor. In addition, the internal audit report had several inconsistencies, which questioned the independence of the internal auditor during the audit of hosting services. Based on this, the extension certification was not granted. As a result. Techmanic requested a

  transfer to another certification body. In the meantime, the company released a statement to its clients stating that the ISO/IEC 27001 certification covers the IT services, as well as the hosting services.

  Based on the scenario above, answer the following question:

  Question:

  According to ISO/IEC 17021-1 , what is the purpose of surveillance audits?

  A. To assess compliance and grant initial certification
  B. To evaluate the financial performance of the organization
  C. To maintain confidence in the certified management system between audits
  C. To maintain confidence in the certified management system between audits

  ---

  ISO/IEC 17021-1:2015 Clause 9.6.2 (Purpose of Surveillance Audits)