PECB ISO-IEC-27001-LEAD-AUDITOR Online Practice Questions and Exam Preparation

PECB ISO-IEC-27001-LEAD-AUDITOR Online Questions & Answers

• Question 1:

  Which six of the following actions are the individual(s) managing the audit programme responsible for?

  A. Selecting the audit team
  B. Retaining documented information of the audit results
  C. Defining the objectives, scope and criteria for an individual audit
  D. Defining the plan of an individual audit
  E. Establishing the extent of the audit programme
  F. Establishing the audit programme
  G. Determining the resources necessary for the audit programme
  H. Communicating with the auditee during the audit
  A. Selecting the audit team
  B. Retaining documented information of the audit results
  C. Defining the objectives, scope and criteria for an individual audit
  D. Defining the plan of an individual audit
  E. Establishing the extent of the audit programme
  F. Establishing the audit programme

  ---

  explanation:

  Explanation/Reference:

  According to ISO 19011:2018, which provides guidelines for auditing management systems, an audit programme is a set of one or more audits planned for a specific time frame and directed towards a specific purpose. The individual(s) managing the audit programme are responsible for establishing, implementing and maintaining the audit programme in accordance with the organization's policies and objectives. This includes defining the extent of the audit programme based on strategic direction, risks and opportunities; establishing the audit programme by defining its objectives, scope and criteria; determining the resources necessary for the audit programme; selecting competent auditors and assigning them to appropriate audits; defining the objectives, scope and criteria for each individual audit; defining the plan of each individual audit; retaining documented information of the audit results; reviewing and improving the performance of the audit programme. Therefore, these six actions are part of the responsibilities of the individual(s) managing the audit programme. The other option, communicating with the auditee during the audit, is not a responsibility of the individual(s) managing the audit programme, but rather a responsibility of the audit team leader1. References: ISO 19011:2018 - Guidelines for auditing management systems

• Question 2:

  The data center at which you work is currently seeking ISO/IEC27001:2022 certification. In preparation for your initial certification visit a number of internal audits have been carried out by a colleague working at another data centre within your Group. They secured their ISO/IEC 27001:2022 certificate earlier in the year.

  You have just qualified as an Internal ISMS auditor and your manager has asked you to review the audit process and audit findings as a final check before the external Certrfication Body arrives.

  Which six of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements?

  A. The audit programme shows management reviews taking place at irregular intervals during the year
  B. Audit reports are not held in hardcopy (i.e. on paper). They are only stored as ".POF documents on the organisation's intranet
  C. The audit programme does not take into account the relative importance of information security processes
  D. The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022
  E. Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date
  F. Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes
  G. The audit programme does not reference audit methods or audit responsibilities
  H. The audit programme does not take into account the results of previous audits
  I. Top management commitment to the ISMS will not be audited before the certification visit, according to the audit programme
  J. The audit process states the results of audits will be made available to 'relevant' managers, not top management
  A. The audit programme shows management reviews taking place at irregular intervals during the year
  C. The audit programme does not take into account the relative importance of information security processes
  E. Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date
  F. Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes
  H. The audit programme does not take into account the results of previous audits
  J. The audit process states the results of audits will be made available to 'relevant' managers, not top management

  ---

  explanation:

  Explanation/Reference:

  According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 9.3 requires top management to review the organization's ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness1. Clause 9.2 requires the organization to conduct internal audits at planned intervals to provide information on whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022, and is effectively implemented and maintained1. Therefore, when reviewing the audit process and audit findings as a final check before the external certification body arrives, an internal ISMS auditor should verify that these clauses are met in accordance with the audit criteria. Six of the following statements would cause concern in respect of conformity to ISO/IEC 27001:2022 requirements: The audit programme shows management reviews taking place at irregular intervals during the year: This statement would cause concern because it implies that the organization is not conducting management reviews at planned intervals, as required by clause 9.3. This may affect the ability of top management to ensure the continuing suitability, adequacy and effectiveness of the ISMS. The audit programme does not take into account the relative importance of information security processes: This statement would cause concern because it implies that the organization is not applying a risk-based approach to determine the audit frequency, methods, scope and criteria, as recommended by ISO 19011:2018, which provides guidelines for auditing management systems. This may affect the ability of the organization to identify and address the most significant risks and opportunities for its ISMS. Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date: This statement would cause concern because it implies that the organization is not establishing audit criteria for each internal audit, as required by clause 9.2. Audit criteria are the set of policies, procedures or requirements used as a reference against which audit evidence is compared. Without audit criteria, it is not possible to determine whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022. Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes: This statement would cause concern because it implies that the organization is not evaluating the effectiveness of ISMS processes, as required by clause 9.1. Effectiveness is the extent to which planned activities are realized and planned results achieved. Efficiency is the relationship between the result achieved and the resources used. Both aspects are important for measuring and evaluating ISMS performance and improvement. The audit programme does not take into account the results of previous audits: This statement would cause concern because it implies that the organization is not using the results of previous audits as an input for planning and conducting subsequent audits, as recommended by ISO 19011:20182. This may affect the ability of the organization to identify and address any recurring or unresolved issues or nonconformities related to its ISMS. Top management commitment to the ISMS will not be audited before the certification visit, according to the audit programme: This statement would cause concern because it implies that the organization is not verifying that top management demonstrates leadership and commitment with respect to its ISMS, as required by clause 5.1. This may affect the ability of top management to ensure that the ISMS policy and objectives are established and compatible with the strategic direction of the organization; that roles, responsibilities and authorities for relevant roles are assigned and communicated; that resources needed for the ISMS are available; that communication about information security matters is established; that continual improvement of the ISMS is promoted; that other relevant management reviews are aligned with those of information security; and that support is provided to other relevant roles1. The other statements would not cause concern in respect of conformity to ISO/IEC 27001:2022 requirements: Audit reports are not held in hardcopy (i.e. on paper). They are only stored as ".POF documents on the organisation's intranet: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific format or media for documenting or storing audit reports, as long as they are controlled according to clause 7.5. The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for auditor independence, as long as the audit is conducted objectively and impartially, in accordance with ISO 19011:20182. The audit programme does not reference audit methods or audit responsibilities: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for referencing audit methods or audit responsibilities in the audit programme, as long as they are defined and documented according to ISO 19011:20182. The audit process states the results of audits will be made available to `relevant' managers, not top management: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for communicating the results of audits to top management, as long as they are reported to the relevant parties and used as an input for management review, according to clause 9.3. References: ISO/IEC 27001:2022 - Information technology Security techniques ?Information security management systems Requirements, ISO 19011:2018 - Guidelines for auditing management systems

• Question 3:

  You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis- addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

  You: Are items checked before being dispatched?

  SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

  You: What action is taken when items are returned?

  SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

  You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow- up audit?

  A. 5.11 Return of assets
  B. 8.12 Data leakage protection
  C. 5.3 Segregation of duties
  D. 6.3 Information security awareness, education, and training
  E. 7.10 Storage media
  F. 8.3 Information access restriction
  G. 5.6 Contact with special interest groups
  H. 6.4 Disciplinary process
  I. 7.4 Physical security monitoring
  J. 5.13 Labelling of information
  B. 8.12 Data leakage protection
  D. 6.3 Information security awareness, education, and training
  E. 7.10 Storage media
  F. 8.3 Information access restriction
  I. 7.4 Physical security monitoring
  J. 5.13 Labelling of information

  ---

  explanation:

  Explanation/Reference:

  8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers.

  6.3

  Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms.

  7.10

  Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks. Storage media controls could include physical locks, encryption, backup, disposal, or destruction.

  8.3

  Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets.

  7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts.

  5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes . Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse . References: ISO/IEC 27002:2022 Information technology -- Security techniques -- Code of practice for information security controls ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements ISO/IEC 27003:2022 Information technology -- Security techniques -- Information security management systems -- Guidance ISO/IEC 27004:2022 Information technology -- Security techniques -- Information security management systems -- Monitoring measurement analysis and evaluation ISO/IEC 27005:2022 Information technology -- Security techniques -- Information security risk management ISO/IEC 27006:2022 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems [ISO/IEC 27007:2022 Information technology -- Security techniques -- Guidelines for information security management systems auditing]

• Question 4:

  OrgXY is an ISO/IEC 27001-certified software development company. A year after being certified, OrgXY's top management informed the certification body that the company was not ready for conducting the surveillance audit. What happens in this case?

  A. The certification is suspended
  B. The current certification is used until the next surveillance audit
  C. OrgXY transfers its registration to another certification body
  A. The certification is suspended

  ---

  explanation:

  Explanation/Reference:

  If an organization like OrgXY informs the certification body that it is not ready to conduct the surveillance audit as scheduled, the certification may be suspended. This is because the surveillance audit is a critical part of the ongoing certification maintenance, required to ensure continued compliance with the standard.

  References: PECB ISO/IEC 27001 Lead Auditor Course Material; ISO/IEC 27001:2013, general guidelines on certification and surveillance requirements

• Question 5:

  Phishing is what type of Information Security Incident?

  A. Private Incidents
  B. Cracker/Hacker Attacks
  C. Technical Vulnerabilities
  D. Legal Incidents
  B. Cracker/Hacker Attacks

  ---

  explanation:

  Explanation/Reference:

  Phishing is a type of information security incident that falls under the category of cracker/hacker attacks. Phishing is a form of fraud that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. Phishing is a common and serious threat to information security, as it can lead to identity theft, financial loss, data breach, malware infection or other damages. ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2). References: CQI and IRCA Certified ISO/ IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements, What is Phishing?

• Question 6:

  You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

  You: Are items checked before being dispatched?

  SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

  You: What action is taken when items are returned?

  SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

  You raise a nonconformity against ISO 27001:2022 based on the lack of control of the labelling process. At the closing meeting, the Shipping Manager issues an apology to you that his comments may have been misunderstood.

  He says that he did not realise that there is a background IT process that automatically checks that the right label goes onto the right parcel otherwise the parcel is ejected at labelling. He asks that you withdraw your nonconformity.

  Select three options of the correct responses that you as the audit team leader would make to the request of the Shipping Manager.

  A. Advise the Shipping Manager that his request will be included in the audit report
  B. Advise management that the new information provided will be discussed when the auditors have more time
  C. Inform the Shipping Manager that the nonconformity is minor and should be quickly corrected
  D. Ask the audit team members to state what they think should happen
  E. Inform him of your understanding and withdraw the nonconformity
  F. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed
  G. Advise the Shipping Manager that the nonconformity must stand since the evidence obtained for it was dear
  H. Indicate that the nonconformity is evidence of a deeper system failure that needs to be rectified
  A. Advise the Shipping Manager that his request will be included in the audit report
  B. Advise management that the new information provided will be discussed when the auditors have more time
  F. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed

  ---

  explanation:

  Explanation/Reference:

  A. Advise the Shipping Manager that his request will be included in the audit report. This is true because the audit report should document all the relevant information and evidence related to the audit, including any requests or objections raised by the auditee. The audit report should also provide the rationale for the audit conclusions and recommendations.

  B. Advise management that the new information provided will be discussed when the auditors have more time. This is true because the auditors should not make hasty decisions based on incomplete or unverified information. The auditors should review and evaluate the new information in a systematic and objective manner, and determine whether it affects the audit findings, nonconformities, or conclusions F. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed. This is true because the auditors should acknowledge and appreciate the cooperation and transparency of the auditee, but also maintain their professional integrity and independence. The auditors should not withdraw a nonconformity unless they are satisfied that it was raised in error or that it has been effectively corrected and verified.

  References : ISO 19011:2022 Guidelines for auditing management systems ISO/IEC 17021-1:2022 Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 1: Requirements

• Question 7:

  Auditors should have certain knowledge and skills; while audit team leaders should have some additional knowledge and skills. From the following list, select two that only apply to audit team leaders.

  A. Plan the audit
  B. Understand and apply the risk-based approach to auditing
  C. Apply appropriate sampling techniques
  D. Make effective use of resources provided to the audit
  E. Be aware of cultural and social aspects of the auditee
  F. Verify the relevance and accuracy of collected information
  A. Plan the audit
  D. Make effective use of resources provided to the audit

  ---

  explanation:

  Explanation/Reference:

  According to the PECB Candidate Handbook1, audit team leaders should have the following additional knowledge and skills compared to auditors: Plan the audit, including preparing the audit plan, assigning work to the audit team members and coordinating their activities Make effective use of resources provided to the audit, such as personnel, time, budget and equipment Manage the audit process, including leading the opening and closing meetings, directing the audit team, resolving conflicts and ensuring the audit objectives are achieved Review and approve the audit report and audit findings Communicate with the client and other interested parties throughout the audit References: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 9-10.

• Question 8:

  You are an experienced audit team leader guiding an auditor in training.

  Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the ORGANISATIONAL controls listed in the Statement of

  Applicability (SoA) and implemented at the site.

  Select four controls from the following that would you expect the auditor in training to review.

  A. Access to and from the loading bay
  B. Confidentiality and nondisclosure agreements
  C. How information security has been addressed within supplier agreements
  D. How power and data cables enter the building
  E. Rules for transferring information within the organisation and to other organisations
  F. The development and maintenance of an information asset inventory
  G. The operation of the site CCTV and door control systems
  H. The organisation's business continuity arrangements
  B. Confidentiality and nondisclosure agreements
  C. How information security has been addressed within supplier agreements
  E. Rules for transferring information within the organisation and to other organisations
  F. The development and maintenance of an information asset inventory

  ---

  explanation:

  Explanation/Reference:

  According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the auditor in training should review the organisational controls that are related to the information security policy, the roles and responsibilities, the information classification, the information exchange, the supplier relationships, and the information asset management1. These controls are aligned with the ISO/IEC 27001 requirements for clauses 5, 7, 8.2, 8.3, and 8.42. The other controls (A, D, G, and H) are more relevant to the physical and environmental security, the communications security, or the business continuity management, which are not part of the organisational controls3. References: 1: PECB Candidate Handbook for ISO/ IEC 27001 Lead Auditor, page 42, section 5.2.32: ISO/IEC 27001:2022, clauses 5, 7, 8.2, 8.3, and 8.43: ISO/IEC 27001:2022, clauses 8.1, 8.5, and 8.6.

• Question 9:

  You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.

  The next step in your audit plan is to verify the information security on ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO /IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified. The IT Manager presented the software security management procedure and summarised the process as follows:

  The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available: Access control.

  Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and Personal data pseudonymization.

  Vulnerability checked and no security backdoor

  You sample the latest Mobile App Test report - details as follows:

  

  You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to approve the test.

  The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymization functions failed is that these functions heavily slowed

  down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

  You sample one of the medical staff's mobile and found that ABC's healthcare mobile app, version 1.01 is installed. You found that version 1.01 has no test record.

  The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app development company gave a free minor update on the tested software, performed an emergency release of the updated software, and gave

  a verbal guarantee that there will be no impact on any security functions. Based on his 20 years of information security experience, there is no need to re-test.

  You are preparing the audit findings Select two options that are correct.

  A. There is a nonconformity (NC). The IT. Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
  B. There is a nonconformity (NC). The organisation does not control planned changes and review the consequences of unintended changes. (Relevant to clause 8.1)
  C. There is an opportunity for improvement (OI). The IT Manager should make the decision to continue the service based on appropriate testing. (Relevant to clause 8.1, control A.8.30)
  D. There is an opportunity for improvement (OI). The organisation selects an external service provider based on the extent of free services it will provide. (Relevant to clause 8.1, control A.5.21)
  E. There is NO nonconformity (NC). The IT Manager demonstrates good leadership. (Relevant to clause 5.1, control 5.4)
  F. There is NO nonconformity (NC). The IT Manager demonstrates he is fully competent. (Relevant to clause 7.2)
  A. There is a nonconformity (NC). The IT. Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
  B. There is a nonconformity (NC). The organisation does not control planned changes and review the consequences of unintended changes. (Relevant to clause 8.1)

  ---

  explanation:

  Explanation/Reference:

  According to ISO/IEC 27001, organizations must control planned changes and review the consequences of unintended changes in order to ensure continued alignment with information security requirements. In this scenario, the organization failed to perform appropriate testing after an emergency update to the mobile app, which constitutes a nonconformity with clause 8.1 of the standard.

• Question 10:

  Which two of the following are examples of audit methods that 'do not' involve human interaction?

  A. Conducting an interview using a teleconferencing platform
  B. Performing a review of auditees procedures in preparation for an audit
  C. Reviewing the auditee's response to an audit finding
  D. Analysing data by remotely accessing the auditee's server
  E. Observing work performed by remote surveillance
  F. Confirming the date and time of the audit
  B. Performing a review of auditees procedures in preparation for an audit
  D. Analysing data by remotely accessing the auditee's server

  ---

  explanation:

  Explanation/Reference:

  Audit methods are the techniques and procedures that auditors use to collect and evaluate audit evidence. Audit methods can be classified into two categories: those that involve human interaction and those that do not. Human interaction

  methods are those that require direct or indirect communication with the auditee or other relevant parties, such as interviews, questionnaires, surveys, observations, or walkthroughs. Non-human interaction methods are those that do not

  require any communication with the auditee or other parties, such as document reviews, data analysis, or remote surveillance.

  Some examples of audit methods that do not involve human interaction are:

  Performing a review of auditee's procedures in preparation for an audit: This method involves examining the auditee's documented information, such as policies, processes, records, or reports, to verify their adequacy and effectiveness in

  meeting the audit criteria. The auditor does not need to interact with the auditee or anyone else to perform this method.

  Analysing data by remotely accessing the auditee's server: This method involves accessing and processing the auditee's data, such as performance indicators, logs, metrics, or statistics, to verify their accuracy and reliability in meeting the

  audit criteria. The auditor does not need to interact with the auditee or anyone else to perform this method.

  References:

  ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB

  ISO 19011:2018 Guidelines for auditing management systems [Section 6.2.2]