Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of its main services is transferring money worldwide. SendPay, as a new company, seeks to offer top-quality services to its clients. Since the company offers international transactions, it requires its clients to provide personal information, such as their identity, the reason for the transaction, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect its clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Its commitment to offering secure services was also reflected during the ISMS implementation, where the company invested a lot of time and resources.
Last year, SendPay unveiled its digital platform, which allows money transactions through electronic devices such as smartphones or laptops without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere at any time. The digital platform helped SendPay simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, so the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining SendPay's technology infrastructure.
Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.
During the audit, among others, the following situations were observed:
1. The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors asked SendPay's representatives to provide evidence that they have a plan to follow in case of contract termination. The representatives did not provide any documentary evidence, but during an interview they told the auditors that SendPay's top management had identified two other software development companies that could provide services immediately if a similar situation happened again.
2. There was no evidence available regarding the monitoring of the activities outsourced to the software development company. Once again, SendPay's representatives told the auditors that they communicate regularly with the software development company and that they are appropriately informed of any possible change that might occur.
3. No nonconformity was found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by these services. They used a packet analyzer to test the firewall policies, which enabled them to check the packets sent or received in real time.
Based on this scenario, answer the following question:
How do you evaluate the evidence obtained related to the monitoring process of outsourced operations? Refer to scenario 4.
A. Irrelevant, monitoring the outsourced operations is not a requirement of the standard
B. Not reliable. SendPay provided only verbal evidence regarding the monitoring of its outsourced operations
C. Appropriate and sufficient, verbal confirmation from SendPay's representatives indicates that they were aware that outsourced operations must be monitored
B. Not reliable. SendPay provided only verbal evidence regarding the monitoring of its outsourced operations
Explanation/Reference:
The evidence provided by SendPay, which is solely verbal confirmation about the monitoring of outsourced operations, is not considered reliable under ISO/IEC 27001. The standard requires documented evidence to support claims of effective monitoring and control over outsourced processes.
Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third-party audit in order to get certified against ISO/IEC 27001. The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well-known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.
Jack conducted thorough analyses of each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During the stage 2 audit, Jack detected several nonconformities. After comparing the number of purchase invoices for software licenses with the software inventory, Jack found out that the company had been using illegal versions of software on many computers. He decided to ask the top management for an explanation of this nonconformity and to see whether they were aware of it. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team through the inner workings of their system and their digital assets infrastructure.
While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusually large transactions to one of their consultants. After gathering all the necessary details regarding the transactions, Jack decided to directly interview the top management.
When discussing the first nonconformity, the top management told Jack that they had willingly decided to use copied software over the original since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.
Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.
Based on this scenario, answer the following question:
Based on audit principles, should Jack contact the certification body regarding the second nonconformity? Refer to scenario 3.
A. Yes, auditors should contact the ethics committee members of the certification body to obtain advice on such situation
B. Yes, auditors should communicate such situations to the certification body; however, the top management should not be informed
C. No, situations that may indicate financial crime are not the focus of an ISMS audit
B. Yes, auditors should communicate such situations to the certification body; however, the top management should not be informed
Explanation/Reference:
Yes, Jack should communicate such situations to the certification body. It is essential for auditors to report potential nonconformities and ethical breaches to the certification body to maintain the integrity and credibility of the audit process, without necessarily informing top management of these steps.
References: ISO 19011:2018, Guidelines for auditing management systems
Question 133:
As the Information Security Management System audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week, whereas the policy required removing access within 24 hours of their departure.
When the auditee was asked why there was a delay in removing access, they replied, 'No one was available in the IT department during that period as a result of COVID-19. As soon as an IT officer became available the rights were removed.'
You note that she intends to raise a minor non-conformity against Access rights control (5.18). How should you respond to this?
A. Agree with the raising of a minor non-conformity but against control 5.15, not 5.18.
B. Agree with the raising of the minor non-conformity against 5.18.
C. Disagree with the raising of a minor non-conformity as appropriate action was taken at the earliest opportunity. Take no further action.
D. Disagree with the raising of the minor nonconformity as appropriate action was taken at the earliest opportunity. Instead raise an opportunity for improvement.
E. Disagree with the raising of the minor nonconformity, there is sufficient evidence to justify an escalation to a major non-conformity.
F. Require additional audit evidence to be obtained before determining whether a non-conformity is appropriate.
A. Agree with the raising of a minor non-conformity but against control 5.15, not 5.18.
Question 134:
Which is the glue that ties the triad together?
A. Process
B. People
C. Collaboration
D. Technology
D. Technology
Explanation/Reference:
The triad refers to the three elements of information security: confidentiality, integrity and availability. Technology is the glue that ties the triad together, as it provides the means to implement various controls and measures to protect information from unauthorized access, modification or loss. References: ISO/IEC 27001:2022 Lead Auditor Training Course - BSI
Question 135:
You are a certification body auditor, conducting a surveillance audit to ISO/IEC 27001:2022 of a data centre operated by a client who provides hosting services for ICT facilities.
You and your guide are currently in one of the private suites that the client rents out to customers. Access to each suite is controlled using a combination lock. CCTV is also installed in every suite.
Within each suite are three data cabinets in which the client can locate mission-critical servers and other items of networking equipment such as switches and routers.
You notice that whilst two of the cabinets in your suite are locked, the third is unlocked. You ask the guide why. They reply "This is because the client is currently swapping out a hard drive unit. Their technician is currently on a lunch break".
What three actions should you undertake next?
A. Do nothing, the room appears adequately protected so it is unlikely that a security incident has taken place.
B. Raise a nonconformity against control 5.16 'identity management' as it may not be possible to identify who left the cabinet unlocked.
C. Raise a nonconformity against control 7.2 'physical entry' as the area where the client's equipment is located is not protected.
D. Raise a nonconformity against control 7.4 'physical security monitoring' as the private suite is not being continuously monitored for unauthorised physical access.
E. Raise an opportunity for improvement suggesting cabinet doors are locked whenever clients leave their suites, even if they intend to return within a short time.
F. Review the CCTV records to ensure that only the client has accessed the cabinet since it was last confirmed as locked.
G. When the technician returns from lunch, reprimand them for leaving the cabinet open.
H. With the permission of the guide, speak to the customer to confirm that they are in the process of swapping out a drive.
E. Raise an opportunity for improvement suggesting cabinet doors are locked whenever clients leave their suites, even if they intend to return within a short time.
F. Review the CCTV records to ensure that only the client has accessed the cabinet since it was last confirmed as locked.
H. With the permission of the guide, speak to the customer to confirm that they are in the process of swapping out a drive.
Explanation/Reference:
Leaving the cabinet unlocked while the technician is on a lunch break exposes the client's equipment and data to potential physical security risks, such as theft, damage, or tampering. This is a violation of the ISO/IEC 27001:2022 requirements for physical entry (control 7.2) and physical security monitoring (control 7.4), which aim to prevent unauthorized access to information processing facilities and assets. Therefore, the appropriate actions for the auditor are:
Raise an opportunity for improvement (OFI) suggesting that the cabinet doors are locked whenever clients leave their suites, even if they intend to return within a short time. This would enhance the security of the client's equipment and data, and reduce the likelihood of security incidents.
Review the CCTV records to ensure that only the client has accessed the cabinet since it was last confirmed as locked. This would verify the integrity and availability of the client's equipment and data, and identify any possible unauthorized access or interference.
With the permission of the guide, speak to the customer to confirm that they are in the process of swapping out a drive. This would validate the reason for leaving the cabinet unlocked, and assess the impact and risk of the activity on the
PECB Candidate Handbook ISO 27001 Lead Auditor, page 19, Audit Process
PECB Candidate Handbook ISO 27001 Lead Auditor, page 21, Audit Findings
Question 136:
You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. You find that all nursing home residents wear an electronic wristband at all times for monitoring their location, heartbeat, and blood pressure. You learn that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.
To verify the scope of ISMS, you interview the management system representative (MSR) who explains that the ISMS scope covers an outsourced data center.
Select three options for the audit evidence you need to find to verify the scope of the ISMS.
A. The auditee has identified the resident's needs and expectations on the facility and environmental safety
B. The auditee has ISO 9001 certification
C. The auditee has identified the governmental authorities' needs and expectations on healthcare services and patient data handling
D. The auditee has identified the resident's needs and expectations on how they should protect the resident's personal data
E. The auditee has identified the resident's needs and expectations on the comfort facility, medical professional's competence, and clean environment
F. The auditee has identified the resident's needs and expectations on healthcare medical treatment services
G. The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located
H. The auditee is considering the purchase of a healthcare monitoring app from an external software company
C. The auditee has identified the governmental authorities' needs and expectations on healthcare services and patient data handling
D. The auditee has identified the resident's needs and expectations on how they should protect the resident's personal data
G. The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located
Explanation/Reference:
According to ISO 27001:2022 clause 4.3, the organisation shall determine the scope of the information security management system (ISMS) by considering the internal and external issues, the requirements of interested parties, and the interfaces and dependencies with other organisations.
In this case, the ISMS scope covers an outsourced data center that hosts the artificial intelligence (AI) cloud server for healthcare monitoring and analysis of the residents' data. Therefore, the audit evidence you need to find to verify the scope of the ISMS should include:
The auditee has identified the governmental authorities' needs and expectations on healthcare services and patient data handling. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to comply with the relevant laws and regulations regarding the quality, safety, and privacy of healthcare services and patient data.
The auditee has identified the resident's needs and expectations on how they should protect the resident's personal data. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to ensure the confidentiality, integrity, and availability of the resident's personal data that is collected, processed, and stored by the electronic wristband and the AI cloud server.
The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located. This is an interface and dependency with another organisation that affects the ISMS scope, as the auditee has to control the externally provided processes, products, and services that are relevant to the ISMS, and to implement appropriate contractual requirements related to information security.
The following options are not relevant or sufficient for verifying the scope of the ISMS:
The auditee has identified the resident's needs and expectations on the facility and environmental safety. This is an external issue and an interested party requirement, but it does not affect the ISMS scope, as it is not related to information security.
The auditee has ISO 9001 certification. This is an indication of the auditee's quality management system, but it does not verify the scope of the ISMS, as it is not related to information security.
The auditee has identified the resident's needs and expectations on the comfort facility, medical professional's competence, and clean environment. These are external issues and interested party requirements, but they do not affect the ISMS scope, as they are not related to information security.
The auditee has identified the resident's needs and expectations on healthcare medical treatment services. These are external issues and interested party requirements, but they do not verify the scope of the ISMS, as they are not specific to information security.
The auditee is considering the purchase of a healthcare monitoring app from an external software company. This is a potential change that may affect the ISMS scope in the future, but it does not verify the current scope of the ISMS, as it is not yet implemented or controlled.
References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training
2: ISO/IEC 27001 Lead Auditor Training Course by PECB
Question 137:
During a follow-up audit, you notice that a nonconformity identified for completion before the follow-up audit is still outstanding.
Which four of the following actions should you take?
A. Report the failure to address the corrective action for the outstanding nonconformity to the organisation's top management
B. Immediately raise a nonconformity as the date for completion has been exceeded
C. If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client
D. Contact the individual(s) managing the audit programme to seek their advice as to how to proceed
E. Decide whether the delay in addressing the nonconformity is justified
F. Cancel the follow-up audit and return when an assurance has been received that the nonconformity has been cleared
G. Note the nonconformity is still outstanding and follow audit trails to determine why
H. If the delay is unjustified advise the auditee/audit client and agree on remedial action
A. Report the failure to address the corrective action for the outstanding nonconformity to the organisation's top management
C. If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client
E. Decide whether the delay in addressing the nonconformity is justified
G. Note the nonconformity is still outstanding and follow audit trails to determine why
Explanation/Reference:
According to the ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, the following actions should be taken when a nonconformity identified for completion before the follow-up audit is still outstanding:
Report the failure to address the corrective action for the outstanding nonconformity to the organisation's top management. This is part of the auditor's responsibility to communicate the audit results and ensure that the audit objectives are met.
If the delay is justified, agree on a revised date for clearing the nonconformity with the auditee/audit client. This is part of the auditor's responsibility to verify the effectiveness of the corrective actions taken by the auditee and to close the nonconformity when the evidence is satisfactory.
Decide whether the delay in addressing the nonconformity is justified. This is part of the auditor's responsibility to evaluate the evidence presented by the auditee and to use professional judgement and objectivity to determine the validity of the reasons for the delay.
Note the nonconformity is still outstanding and follow audit trails to determine why. This is part of the auditor's responsibility to collect and verify audit evidence and to identify the root causes of the nonconformity.
References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, CQI and IRCA Certified Training
2: ISO/IEC 27001 Lead Auditor Training Course, PECB
Question 138:
You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.
They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.
Which three of the following options represent valid audit trails?
A. I will determine whether internal and external sources of information are used in the production of threat intelligence
B. I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team
C. I will ensure that the organisation's risk assessment process begins with effective threat intelligence
D. I will check that the organisation has a fully documented threat intelligence process
E. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
F. I will speak to top management to make sure all staff are aware of the importance of reporting threats
G. I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements
H. I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
A. I will determine whether internal and external sources of information are used in the production of threat intelligence
D. I will check that the organisation has a fully documented threat intelligence process
E. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
Explanation/Reference:
The options that represent valid audit trails for assessing the organisation's application of control 5.7 - Threat Intelligence, according to ISO/IEC 27001:2022, are:
Option A: I will determine whether internal and external sources of information are used in the production of threat intelligence. This is relevant because effective threat intelligence typically requires gathering information from multiple sources to be comprehensive.
Option D: I will check that the organisation has a fully documented threat intelligence process. Proper documentation is a core requirement in ISO standards to ensure processes are defined, implemented, and maintained consistently.
Option E: I will check that threat intelligence is actively used to protect the confidentiality, integrity, and availability of the organisation's information assets. This verifies that the output of threat intelligence is being used effectively within the organisation's information security practices.
Question 139:
DRAG DROP
You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.
Match each of the descriptions provided to one of the following risk management processes.
Explanation/Reference:
Risk analysis is the process by which the nature of the risk is determined along with its probability and impact. Risk analysis involves estimating the likelihood and consequences of potential events or situations that could affect the organization's information security objectives or requirements. Risk analysis could use qualitative or quantitative methods, or a combination of both.
Risk management is the process by which a risk is controlled at all stages of its life cycle by means of the application of organisational policies, procedures and practices. Risk management involves establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing the risks that could affect the organization's information security performance or compliance. Risk management aims to ensure that risks are identified and treated in a timely and effective manner, and that opportunities for improvement are exploited.
Risk identification is the process by which a risk is recognised and described. Risk identification involves identifying and documenting the sources, causes, events, scenarios, and potential impacts of risks that could affect the organization's information security objectives or requirements. Risk identification could use various techniques, such as brainstorming, interviews, checklists, surveys, or historical data.
Risk evaluation is the process by which the impact and/or probability of a risk is compared against risk criteria to determine if it is tolerable. Risk evaluation involves comparing the results of risk analysis with predefined criteria that reflect the organization's risk appetite, tolerance, or acceptance. Risk evaluation could use various methods, such as ranking, scoring, or matrix. Risk evaluation helps to prioritize and decide on the appropriate risk treatment options.
Risk mitigation is the process by which the impact and/or probability of a risk is reduced by means of the application of controls. Risk mitigation involves selecting and implementing measures that are designed to prevent, reduce, transfer, or accept risks that could affect the organization's information security objectives or requirements. Risk mitigation could include various types of controls, such as technical, organizational, legal, or physical. Risk mitigation should be based on a cost-benefit analysis and a residual risk assessment.
Risk transfer is the process by which a risk is passed to a third party, for example through obtaining appropriate insurance. Risk transfer involves sharing or shifting some or all of the responsibility or liability for a risk to another party that has more capacity or capability to manage it. Risk transfer could include various methods, such as contracts, agreements, partnerships, outsourcing, or insurance. Risk transfer should not be used as a substitute for effective risk management within the organization.
References: ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements; ISO/IEC 27005:2022 Information technology -- Security techniques -- Information security risk management
Question 140:
You are an experienced audit team leader guiding an auditor in training.
Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that you would expect the auditor in training to review.
A. Confidentiality and nondisclosure agreements
B. How access to source code and development tools are managed
C. How power and data cables enter the building
D. How protection against malware is implemented
E. How the organisation evaluates its exposure to technical vulnerabilities
F. Information security awareness, education and training
G. The organisation's arrangements for information deletion
H. The organisation's business continuity arrangements
B. How access to source code and development tools are managed
D. How protection against malware is implemented
E. How the organisation evaluates its exposure to technical vulnerabilities
G. The organisation's arrangements for information deletion
Explanation/Reference:
The four controls from the list that the auditor in training should review are:
How access to source code and development tools are managed: This control requires the organisation to restrict and monitor the access to the source code and development tools that are used to create, modify, or maintain the software applications and systems that process or store the data of external clients. This is important for ensuring the integrity, confidentiality, and availability of the software and the data, as well as for preventing unauthorized changes, errors, or malicious code injection.
How protection against malware is implemented: This control requires the organisation to implement appropriate measures to detect, prevent, and remove malware from the IT systems and devices that process or store the data of external clients. This includes using antivirus software, firewalls, email filtering, web filtering, and other tools to protect against viruses, worms, ransomware, spyware, and other malicious software. This is essential for safeguarding the data and the systems from corruption, theft, or damage caused by malware.
How the organisation evaluates its exposure to technical vulnerabilities: This control requires the organisation to identify and assess the technical vulnerabilities that may affect the IT systems and devices that process or store the data of external clients. This includes using vulnerability scanning tools, penetration testing tools, threat intelligence sources, and other methods to discover and evaluate the weaknesses and gaps in the security of the systems and the devices. This is necessary for prioritizing and implementing the appropriate corrective actions and controls to mitigate the risks posed by the vulnerabilities.
The organisation's arrangements for information deletion: This control requires the organisation to establish and implement policies and procedures for deleting the data of external clients from the IT systems and devices when it is no longer needed or required. This includes defining the criteria and methods for data deletion, such as secure erasure, encryption, or physical destruction. This is important for complying with the contractual obligations and the legal and regulatory requirements regarding the retention and disposal of the data, as well as for protecting the confidentiality and integrity of the data.
References: ISO/IEC 27001:2022, Annex A, clauses A.8.9, A.8.10, A.8.11, and A.8.28; Understanding ISO 27001:2022: People, process, and technology, pages 6-7; What are the 11 new security controls in ISO 27001:2022 - Advisera.