PECB ISO-IEC-27001-LEAD-AUDITOR Online Practice Questions and Exam Preparation

PECB ISO-IEC-27001-LEAD-AUDITOR Online Questions & Answers

• Question 91:

  -------------------------is an asset like other important business assets has value to an organization and consequently needs to be protected.

  A. Infrastructure
  B. Data
  C. Information
  D. Security
  C. Information

  ---

  Explanation/Reference:

  Information is an asset like other important business assets, as it has value to an organization and consequently needs to be protected. Information can be in any form, such as electronic, paper, or verbal. Information security is the protection of information from unauthorized access, use, disclosure, modification, or destruction2. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

• Question 92:

  Which option below about the ISMS scope is correct?

  A. ISMS scope should be available as documented information
  B. ISMS scope should ensure continual improvement
  C. ISMS scope should be compatible with the strategic orientation of the organization
  A. ISMS scope should be available as documented information

  ---

  Explanation/Reference:

  According to ISO/IEC 27001, the scope of an ISMS must be defined and documented. This documentation should include the boundaries and applicability of the information security management system, which helps in defining what information, locations, and assets are covered under the ISMS.

  References: ISO/IEC 27001:2013 Standard, Clause 4.3 (Determining the scope of the information security management system)

• Question 93:

  DRAG DROP

  You are an experienced ISMS audit team leader. An auditor in training has approached you to ask you to clarify the different types of audits she may be required to undertake.

  Match the following audit types to the descriptions.

  To complete the table click on the blank section you want to complete so that It is highlighted In fed, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

  Select and Place:

  

  

  ---

  Explanation/Reference:

• Question 94:

  All are prohibited in acceptable use of information assets, except:

  A. Electronic chain letters
  B. E-mail copies to non-essential readers
  C. Company-wide e-mails with supervisor/TL permission.
  D. Messages with very large attachments or to a large number ofrecipients.
  C. Company-wide e-mails with supervisor/TL permission.

  ---

  Explanation/Reference:

  The only option that is not prohibited in acceptable use of information assets is C: company-wide e-mails with supervisor/TL permission. This option implies that the sender has obtained the necessary authorization from their supervisor or team leader to send an e-mail to all employees in the organization. This could be done for legitimate business purposes, such as announcing important news, events or updates that are relevant to everyone. However, this option should still be used sparingly and responsibly, as it could cause unnecessary disruption or annoyance to the recipients if abused or misused. The other options are prohibited in acceptable use of information assets, as they could violate the information security policies and procedures of the organization, as well as waste resources and bandwidth. Electronic chain letters (A) are messages that urge recipients to forward them to multiple other people, often with false or misleading claims or promises. They are considered spam and could contain malicious links or attachments that could compromise information security. E-mail copies to non-essential readers (B) are messages that are sent to recipients who do not need to receive them or have no interest in them. They are considered unnecessary and could clutter the inbox and distract the recipients from more important messages. Messages with very large attachments or to a large number of recipients (D) are messages that consume a lot of network resources and could affect the performance or availability of the information systems. They could also exceed the storage capacity or quota limits of the recipients' mailboxes and cause problems for them. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3). References: CQI and IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements, What is Acceptable Use?

• Question 95:

  You are an ISMS audit team leader preparing to chair a closing meeting following a third-party surveillance audit. You are drafting a closing meeting agenda setting out the topics you wish to discuss with your auditee. Which one of the following would be appropriate for inclusion?

  A. A detailed explanation of the certification body's complaints process
  B. An explanation of the audit plan and its purpose
  C. A disclaimer that the result of the audit is based on the sampling of evidence
  D. Names of auditees associated with nonconformities
  C. A disclaimer that the result of the audit is based on the sampling of evidence

  ---

  Explanation/Reference:

  This option is appropriate for inclusion in the closing meeting agenda, as it is a requirement of the ISO 19011 standard, which provides guidelines for auditing management systems, including ISMS12. The standard states that the audit team leader should advise the auditee of any situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions, such as limitations in the audit scope, access, or sampling3. The standard also states that the audit report should include a statement that the audit is based on a sample of the information available at the time of the audit, and that the audit does not provide absolute assurance of the conformity or effectiveness of the audited management system4. Therefore, the audit team leader should include a disclaimer in the closing meeting agenda to inform the auditee of the nature and limitations of the audit, and to avoid any misunderstandings or false expectations. The other options are not appropriate for inclusion in the closing meeting agenda, as they are either irrelevant, incorrect, or incomplete. For example:

  A detailed explanation of the certification body's complaints process is not relevant for the closing meeting agenda, as it is not related to the audit findings or conclusions. The certification body's complaints process should be communicated to the auditee before the audit, as part of the audit agreement or contract5.

  An explanation of the audit plan and its purpose is not correct for the closing meeting agenda, as it should have been done at the opening meeting or before the audit. The audit plan is a document that describes the scope, objectives, criteria, and methodology of the audit, as well as the audit schedule, the audit team, the audit locations, and the audit deliverables . The audit plan should be communicated and agreed with the auditee in advance, and any changes or deviations should be notified during the audit.

  Names of auditees associated with nonconformities are not complete for the closing meeting agenda, as they do not provide the details or the evidence of the nonconformities. The audit team leader should present the audit findings, which include the description, the audit criteria, and the audit evidence of each nonconformity, as well as the audit conclusions and the audit recommendation . The audit team leader should also avoid naming or blaming individuals, and focus on the processes and the system.

  References: 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 222: ISO 19011:2018 Guidelines for auditing management systems, clause 13: ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.94: ISO 19011:2018 Guidelines for auditing management systems, clause 7.5.25: ISO/IEC 17021-1:2015 Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 1: Requirements, clause 9.8. : ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.1. : ISO/IEC 27007:2011 Information technology -- Security techniques -- Guidelines for information security management systems auditing, clause

  6.2.1. : ISO 19011:

  2018 Guidelines for auditing management systems, clause 6.4.2. : ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.10. : ISO/IEC 27007:2011 Information technology -- Security techniques -- Guidelines for

  information security management systems auditing, clause 6.3.3.

• Question 96:

  You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymisation tests failed. Also, whether the Service Manager is authorised to approve the test.

  The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

  You are preparing the audit findings. Select the correct option.

  A. There is a nonconformity (NC). The organisation and developer do not perform acceptance tests.(Relevant to clause 8.1, control A.8.29)
  B. There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
  C. There is a nonconformity (NC). The organisation and developer perform security tests that fail.(Relevant to clause 8.1, control A.8.29)
  D. There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service.(Relevant to clause 8.1, control A.8.30)
  B. There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

  ---

  Explanation/Reference:

  According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes developing and entering into licensing agreements that cover code ownership and intellectual property rights, and implementing appropriate contractual requirements related to secure design and coding in accordance with Annex A 8.25 and 8.2912

  In this case, the organisation and the developer have performed security tests that failed, which indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT Manager explains that the encryption and pseudonymisation functions failed because they slowed down the system and service performance, and that an extra 150% of resources are needed to cover this. However, this does not justify the acceptance of the test results by the Service Manager, who is not authorised to approve the test according to the software security management procedure. The Service Manager should have consulted with the IT Manager, who is the owner of the process, and followed the procedure for handling nonconformities and corrective actions. The Service Manager's decision to continue the service based on access control alone exposes the organisation to the risk of compromising the confidentiality, integrity, and availability of personal data processed by the mobile app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.

  References:

  1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1

  2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

• Question 97:

  You are an experienced audit team leader guiding an auditor in training.

  Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the

  Statement of Applicability (SoA) and implemented at the site.

  Select four controls from the following that would you expect the auditor in training to review.

  A. Confidentiality and nondisclosure agreements
  B. How protection against malware is implemented
  C. Information security awareness, education and training
  D. Remote working arrangements
  E. The conducting of verification checks on personnel
  F. The operation of the site CCTV and door control systems
  G. The organisation's arrangements for information deletion
  H. The organisation's business continuity arrangements
  A. Confidentiality and nondisclosure agreements
  C. Information security awareness, education and training
  D. Remote working arrangements
  E. The conducting of verification checks on personnel

  ---

  Explanation/Reference:

  The four controls from the list that the auditor in training should review are:

  Confidentiality and nondisclosure agreements: This control requires the organisation to ensure that all employees, contractors, and third parties who have access to sensitive information sign appropriate agreements that oblige them to protect

  the confidentiality and integrity of such information. This is especially important for an organisation that stores data on behalf of external clients, as it demonstrates its commitment to safeguarding their information assets and complying with

  their contractual obligations.

  Information security awareness, education and training: This control requires the organisation to provide regular and relevant information security awareness, education and training to all employees, contractors, and third parties who have

  access to the organisation's information systems and information assets. This is essential for ensuring that they are aware of their roles and responsibilities, the information security policies and procedures, the potential threats and risks, and

  the best practices for preventing and responding to information security incidents.

  Remote working arrangements: This control requires the organisation to establish and implement policies and procedures for managing the information security risks associated with remote working arrangements, such as teleworking, mobile

  working, or working from home. This includes defining the conditions and requirements for remote working, such as the authorised devices, applications, and networks, the encryption and authentication methods, the backup and recovery

  procedures, and the reporting and monitoring mechanisms. This is important for an organisation that stores data on behalf of external clients, as it ensures that the information security level is maintained regardless of the location of the

  workers and the devices they use.

  The conducting of verification checks on personnel: This control requires the organisation to conduct appropriate verification checks on the background, qualifications, and references of all employees, contractors, and third parties who have

  access to the organisation's information systems and information assets. This is necessary for verifying their identity, suitability, and trustworthiness, and for preventing the hiring of unauthorised or malicious individuals who could compromise

  the information security of the organisation and its clients.

  References:

  ISO/IEC 27001:2022, Annex A, clauses A.5.7, A.7.2, A.7.3, and A.7.4; ISO 27001 People Controls: How personnel ensures information security; What are the 11 new security controls in ISO 27001:2022? - Advisera.

• Question 98:

  You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the

  information security incident management procedure (Document reference ID:

  ISMS_L2_16, version 4).

  You review the document and notice a statement "Any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were

  differences in the understanding of the meaning of the phrase "weakness, event, and incident".

  The IT Security Manager explained that an online "information security handling" training seminar was conducted 6 months ago. All the people interviewed participated in and passed the reporting exercise and course assessment.

  You would like to investigate other areas further to collect more audit evidence. Select three options that would not be valid audit trails.

  A. Collect more evidence on how areas subject to information security incidents are quarantined to maintain information security during disruption (relevant to control A.5.29)
  B. Collect more evidence on how information security incidents are reported via appropriate channels (relevant to control A.6.8)
  C. Collect more evidence on how the organisation conducts information security incident training and evaluates its effectiveness. (Relevant to clause 7.2)
  D. Collect more evidence on how the organisation learns from information security incidents and makes improvements. (Relevant to control A.5.27)
  E. Collect more evidence on how the organisation manages the Point of Contact (PoC) which monitors vulnerabilities. (Relevant to clause 8.1)
  F. Collect more evidence on how the organisation tests the business continuity plan. (Relevant to control 5.30)
  G. Collect more evidence on whether terms and definitions are contained in the information security policy. (Relevant to control 5.32)
  H. Collect more evidence to determine if ISO 27035 (Information security incident management) is used as internal audit criteria. (Relevant to clause 8.13)
  E. Collect more evidence on how the organisation manages the Point of Contact (PoC) which monitors vulnerabilities. (Relevant to clause 8.1)
  G. Collect more evidence on whether terms and definitions are contained in the information security policy. (Relevant to control 5.32)
  H. Collect more evidence to determine if ISO 27035 (Information security incident management) is used as internal audit criteria. (Relevant to clause 8.13)

  ---

  Explanation/Reference:

  The three options that would not be valid audit trails are:

  Collect more evidence on how the organisation manages the Point of Contact (PoC) which monitors vulnerabilities. (Relevant to clause 8.1) Collect more evidence on whether terms and definitions are contained in the information security policy. (Relevant to control 5.32) Collect more evidence to determine if ISO 27035 (Information security incident management) is used as internal audit criteria. (Relevant to clause 8.13)

  These options are not valid audit trails because they are not directly related to the information security incident management process, which is the focus of the audit. The audit trails should be relevant to the objectives, scope, and criteria of the audit, and should provide sufficient and reliable evidence to support the audit findings and conclusions.

  Option E is not valid because the PoC is not a part of the information security incident management process, but rather a role that is responsible for reporting and escalating information security incidents to the appropriate authorities. The audit trail should focus on how the PoC performs this function, not how the organisation manages the PoC. Option G is not valid because the terms and definitions are not a part of the information security incident management process, but rather a part of the information security policy, which is a high-level document that defines the organisation's information security objectives, principles, and responsibilities. The audit trail should focus on how the information security policy is communicated, implemented, and reviewed, not whether it contains terms and definitions. Option H is not valid because ISO 27035 is not a part of the information security incident management process, but rather a guidance document that provides best practices for managing information security incidents. The audit trail should focus on how the organisation follows the requirements of ISO/IEC 27001:2022 for information security incident management, not whether it uses ISO 27035 as an internal audit criteria.

  The other options are valid audit trails because they are related to the information security incident management process, and they can provide useful evidence to evaluate the conformity and effectiveness of the process. For example:

  Option A is valid because it relates to control A.5.29, which requires the organisation to establish procedures to isolate and quarantine areas subject to information security incidents, in order to prevent further damage and preserve evidence. The audit trail should collect evidence on how the organisation implements and tests these procedures, and how they ensure the continuity of information security during disruption. Option B is valid because it relates to control A.6.8, which requires the organisation to establish mechanisms for reporting information security events and weaknesses, and to ensure that they are communicated in a timely manner to the appropriate levels within the organisation6. The audit trail should collect evidence on how the organisation defines and uses these mechanisms, and how they monitor and review the reporting process. Option C is valid because it relates to clause 7.2, which requires the organisation to provide information security awareness, education, and training to all persons under its control, and to evaluate the effectiveness of these activities. The audit trail should collect evidence on how the organisation identifies the information security training needs, how they deliver and record the training, and how they measure the learning outcomes and feedback. Option D is valid because it relates to control A.5.27, which requires the organisation to learn from information security incidents and to implement corrective actions to prevent recurrence or reduce impact. The audit trail should collect evidence on how the organisation analyses and documents the root causes and consequences of information security incidents, how they identify and implement corrective actions, and how they verify the effectiveness of these actions. Option F is valid because it relates to control A.5.30, which requires the organisation to establish and maintain a business continuity plan to ensure the availability of information and information processing facilities in the event of a severe information security incident. The audit trail should collect evidence on how the organisation develops and updates the business continuity plan, how they test and review the plan, and how they communicate and train the relevant personnel on the plan.

  References:

  1: ISO 19011:2018, 6.2;

  2: ISO/IEC 27001:2022, A.6.8.1;

  3: ISO/IEC 27001:2022, 5.2;

  4: ISO /IEC 27035:2016, Introduction;

  5: ISO/IEC 27001:2022, A.5.29;

  6: ISO/IEC 27001:2022, A.6.8;

  7: ISO/IEC 27001:2022, 7.2;

  8: ISO/IEC 27001:2022, A.5.27;

  9: ISO/IEC 27001:2022, A.5.30;

  ISO 19011:2018; : ISO /IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27035:2016; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022

• Question 99:

  You are an experienced audit team leader conducting a third-party surveillance audit of an organisation that designs websites for its clients. You are currently reviewing the organisation's Statement of Applicability.

  Based on the requirements of ISO/IEC 27001, which two of the following observations about the Statement of Applicability are false?

  A. A Statement of Applicability must be produced by organisations seeking ISO/IEC 27001 conformity
  B. Justification is only required for any controls that the organisations choses to exclude
  C. Justification for both the inclusion and exclusion of Annex A controls in the Statement of Applicability is required
  D. The Statement of Applicability is owned and amended by the organisation's top management
  E. Additional controls not included in Appendix A may be added to the Statement of Applicability if the organisation choses to do so
  F. The Statement of Applicability must include Organisational, Physical, People and Technological controls that are necessary
  B. Justification is only required for any controls that the organisations choses to exclude
  D. The Statement of Applicability is owned and amended by the organisation's top management

• Question 100:

  Which one of the following conclusions in the audit report is not required by the certification body when deciding to grant certification?

  A. The corrections taken by the organisation related to major nonconformities have been accepted.
  B. The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.
  C. The plans to address corrective actions related to minor nonconformities have been accepted
  D. The scope of certification has been fulfilled
  B. The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.

  ---

  Explanation/Reference:

  The conclusion in the audit report that is not required by the certification body when deciding to grant certification is that the organisation fully complies with all legal and other requirements applicable to the ISMS. This is because the certification body does not have the authority or the responsibility to verify the legal compliance of the organisation, as this is outside the scope of ISO/IEC 27001:2022. The certification body only evaluates the conformity of the organisation's ISMS with the requirements of the standard, which include the establishment of a process to identify and evaluate the legal and other requirements that are relevant to the ISMS. The organisation is responsible for ensuring its own legal compliance and for providing evidence of such compliance to the certification body if requested. References: ISO/IEC 27001:2022, clause 6.1.3; ISO/IEC 27006:2022, clause 9.2.2.4; PECB Candidate Handbook ISO 27001 Lead Auditor, page

  29.