PECB ISO-IEC-27001-LEAD-AUDITOR Online Practice Questions and Exam Preparation

PECB ISO-IEC-27001-LEAD-AUDITOR Online Questions & Answers

• Question 141:

  You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.

  The IT Manager presented the software security management procedure and summarised the process as following:

  The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:

  Access control.

  Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and Personal data pseudonymization.

  Vulnerability checked and no security backdoor

  You sample the latest Mobile App Test report, details as follows:

  

  You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorised to approve the test.

  The IT Manager explains the test results should be approved by him according to the software security management procedure.

  The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that

  access control is good enough and acceptable. That's why the Service Manager signed the approval.

  You are preparing the audit findings. Select the correct option.

  A. There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service.(Relevant to clause 8.1, control A.8.30)
  B. There is a nonconformity (NC). The organisation and developer do not perform acceptance tests.(Relevant to clause 8.1, control A.8.29)
  C. There is a nonconformity (NC). The organisation and developer perform security tests that fail.(Relevant to clause 8.1, control A.8.29)
  D. There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
  A. There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service.(Relevant to clause 8.1, control A.8.30)
  B. There is a nonconformity (NC). The organisation and developer do not perform acceptance tests.(Relevant to clause 8.1, control A.8.29)
  C. There is a nonconformity (NC). The organisation and developer perform security tests that fail.(Relevant to clause 8.1, control A.8.29)
  D. There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

  ---

  5: Conducting an ISO/IEC 27001 audit

• Question 142:

  You are an experienced ISMS audit team leader conducting a third-party surveillance visit.

  You notice that although the auditee is claiming conformity with ISO/IEC 27001:2022 they are still referring to Improvement as clause 10.2 (as it was in the 2013 edition) when this is now clause 10.1 in the 2022 edition. You have confirmed they are meeting all of the 2022 requirements set out in the standard.

  Select one option of the action you should take.

  A. Note the issue in the audit report
  B. Raise a nonconformity against clause 7.5.3 - Control of documented information
  C. Raise it as an opportunity for improvement
  D. Bring the matter up at the closing meeting
  C. Raise it as an opportunity for improvement

  ---

  Explanation/Reference:

  The correct action to take in this situation is to raise it as an opportunity for improvement. This is because the auditee is not violating any requirement of the standard, but rather using outdated terminology that does not reflect the current version of the standard. An opportunity for improvement is a suggestion for enhancing the performance or effectiveness of the ISMS1. It is not a nonconformity, which is a failure to fulfil a requirement2. Therefore, option B is incorrect. Option A is also incorrect, because noting the issue in the audit report without raising it as an opportunity for improvement would not provide any value or feedback to the auditee. Option D is also incorrect, because bringing the matter up at the closing meeting without documenting it as an opportunity for improvement would not ensure that the auditee takes any action to address it. References:

  1: ISMS Auditing Guideline - ISO27000, page 11;

  2: ISO/IEC 27000:2022, 3.28; :ISMS Auditing Guideline - ISO27000; : ISO/IEC 27000:2022

• Question 143:

  DRAG DROP Please match the roles to the following descriptions: To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable test from the options below. Alternatively, you may drag and drop each option to the appropriate blank

  section.

  Select and Place:

  

  

  ---

  Explanation/Reference:

  The auditee is the organization or part of it that is subject to the audit. The auditee could be internal or external to the audit client. The auditee should cooperate with the audit team and provide them with access to relevant information, documents, records, personnel, and facilities.

  The audit client is the organization or person that requests an audit. The audit client could be internal or external to the auditee. The audit client should define the audit objectives, scope, criteria, and programme, and appoint the audit team leader.

  The technical expert is a person who provides specific knowledge or expertise relating to the organization, activity, process, product, service, or discipline to be audited. The technical expert could be internal or external to the audit team. The technical expert should support the audit team in collecting and evaluating audit evidence, but should not act as an auditor.

  The observer is a person who accompanies the audit team but does not act as an auditor. The observer could be internal or external to the audit team. The observer should observe the audit activities without interfering or influencing them, unless agreed otherwise by the audit team leader and the auditee.

  References:

  [ISO 19011:2022 Guidelines for auditing management systems] [ISO/IEC 17021-1:2022 Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 1: Requirements]

• Question 144:

  Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

  Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

  Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

  Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

  During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

  The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees' access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

  During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

  Based on the scenario above, answer the following question:

  The audit team reviewed Sinvestment's documented information on-site, as requested by the company. Is this acceptable?

  A. Yes, Sinvestment has the right to require that no document is carried off-site during the documented information review
  B. No, Sinvestment cannot decide where the documentation review take place, since a confidentiality agreement was signed prior to stage 1 audit
  C. No, the combination of on-site and off-site activities can impact the audit negatively
  A. Yes, Sinvestment has the right to require that no document is carried off-site during the documented information review

  ---

  Explanation/Reference:

  Yes, it is acceptable for Sinvestment to request that the review of documented information occur on-site. The company has the right to stipulate that no documents be carried off-site, especially to maintain control over sensitive information and ensure confidentiality, which aligns with the security controls expected in ISO/IEC 27001.

  References: ISO/IEC 27001:2013, Clause 7.5 (Documented information)

• Question 145:

  You are an experienced audit team leader conducting a third-party surveillance audit of an organisation that designs websites for its clients. You are currently reviewing the organisation's Statement of Applicability.

  Based on the requirements of ISO/IEC 27001, which two of the following observations about the Statement of Applicability are true?

  A. Justification for both the inclusion and exclusion of Annex A controls in the Statement of Applicability is required
  B. The Statement of Applicability is owned and amended by the organisation's top management
  C. The Statement of Applicability must be reviewed at least annually
  D. A Statement of Applicability must be produced by organisations seeking ISO/IEC 27001 conformity
  E. Justification is only required for any controls that the organisations choses to exclude
  F. The Statement of Applicability must be reviewed at Management Review
  A. Justification for both the inclusion and exclusion of Annex A controls in the Statement of Applicability is required
  D. A Statement of Applicability must be produced by organisations seeking ISO/IEC 27001 conformity

• Question 146:

  Implement plan on a test basis - this comes under which section of PDCA

  A. Plan
  B. Do
  C. Act
  D. Check
  B. Do

  ---

  Explanation/Reference:

  The PDCA cycle is a four-step method for managing and improving processes. The steps are Plan, Do, Check, and Act. In the Plan phase, the objectives and scope of the process are defined, and the resources and activities are planned. In the Do phase, the process is implemented on a test basis, and the results are recorded and analyzed.

  References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

• Question 147:

  Which two of the following are valid audit conclusions?

  A. ISMS induction training does not provide guidance on malware prevention
  B. The risk register had not been updated since June 202X
  C. Corrective action was outstanding for two internal audits
  D. The ISMS policy has been effectively communicated to the organisation
  E. The organisation's ISMS objectives meet the requirements of ISO/IEC 27001:2022
  F. The schedule of applicability was based on the 2013 edition of ISO/IEC 27001, not the 2022 edition
  D. The ISMS policy has been effectively communicated to the organisation
  E. The organisation's ISMS objectives meet the requirements of ISO/IEC 27001:2022

  ---

  Explanation/Reference:

  The two statements that are valid audit conclusions are:

  The ISMS policy has been effectively communicated to the organisation The organisation's ISMS objectives meet the requirements of ISO/IEC 27001:2022

  According to ISO 19011:2018, an audit conclusion is the outcome of an audit, provided by the audit team after considering the audit objectives and all audit findings1. An audit conclusion can be positive or negative, depending on whether the audit criteria are fulfilled or not. An audit conclusion can also include recommendations for improvement or recognition of good practices.

  The statements D and E are valid audit conclusions, because they express the outcome of the audit based on the audit criteria and findings. For example:

  Statement D is a positive audit conclusion, because it indicates that the organisation has fulfilled the requirement of clause 5.2.2 of ISO/IEC 27001:2022, which states that the ISMS policy must be communicated within the organisation and to relevant interested parties2. The audit team must have obtained sufficient and appropriate audit evidence to support this conclusion, such as records of communication, awareness activities, feedback, etc. Statement E is a positive audit conclusion, because it indicates that the organisation has fulfilled the requirement of clause 6.2 of ISO/IEC 27001:2022, which states that the organisation must establish ISMS objectives that are consistent with the ISMS policy and relevant to the information security risks3. The audit team must have obtained sufficient and appropriate audit evidence to support this conclusion, such as records of objective setting, risk assessment, alignment with policy, etc.

  The other statements are not valid audit conclusions, because they do not express the outcome of the audit based on the audit criteria and findings. They are rather examples of audit findings, which are the results of the evaluation of the collected audit evidence against the audit criteria4. Audit findings can indicate either conformity or nonconformity with the audit criteria, or opportunities for improvement. For example:

  Statement A is a negative audit finding, because it indicates a nonconformity with the requirement of clause 7.2.2 of ISO/IEC 27001:2022, which states that the organisation must provide information security awareness education and training to persons under its control5. The audit team must have identified and documented this nonconformity, and reported it to the auditee. Statement B is a negative audit finding, because it indicates a nonconformity with the requirement of clause

  6.1.2 of ISO/IEC 27001:2022, which states that the organisation must maintain and review the information security risk assessment at planned intervals or when significant changes occur6. The audit team must have identified and documented this nonconformity, and reported it to the auditee. Statement C is a negative audit finding, because it indicates a nonconformity with the requirement of clause 10.1 of ISO/IEC 27001:2022, which states that the organisation must take action to eliminate the causes of nonconformities and prevent recurrence7. The audit team must have identified and documented this nonconformity, and reported it to the auditee. Statement F is a negative audit finding, because it indicates a nonconformity with the requirement of clause 6.1.3 of ISO/IEC 27001:2022, which states that the organisation must determine the controls that are necessary to implement the risk treatment plan, and document them in the statement of applicability8. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

  References: 1: ISO 19011:2018, 3.15; 2: ISO/IEC 27001:2022, 5.2.2; 3: ISO/IEC 27001:2022, 6.2; 4: ISO 19011:2018, 3.14; 5: ISO/IEC 27001:2022, 7.2.2; 6: ISO/IEC 27001:2022, 6.1.2; 7: ISO/IEC 27001:2022, 10.1; 8: ISO/IEC 27001:2022, 6.1.3; : ISO 19011:2018; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO 19011:2018; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022

• Question 148:

  DRAG DROP

  Select the words that best complete the sentence:

  Select and Place:

  

  

  ---

  Explanation/Reference:

  A third-party audit is an independent assessment of an organisation's management system by an external auditor, who is not affiliated with the organisation or its customers. The auditor verifies that the management system meets the requirements of a specific standard, such as ISO 27001, and evaluates its effectiveness and performance. The auditor also identifies any strengths, weaknesses, opportunities, or risks of the management system, and provides recommendations for improvement. The purpose of a third-party audit is to provide an objective and impartial evaluation of the organisation's management system, and to inform a certification decision by a certification body. A certification body is an organisation that grants a certificate of conformity to the organisation, after reviewing the audit report and evidence, and confirming that the management system meets the certification criteria. A certification decision is the outcome of the certification process, which can be positive (granting, maintaining, renewing, or expanding the scope of certification) or negative (suspending, withdrawing, or reducing the scope of certification). References: PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-25 ISO 19011:2018 - Guidelines for auditing management systems The ISO 27001 audit process | ISMS.online

• Question 149:

  Phishing is what type of Information Security Incident?

  A. Private Incidents
  B. Cracker/Hacker Attacks
  C. Technical Vulnerabilities
  D. Legal Incidents
  B. Cracker/Hacker Attacks

  ---

  Explanation/Reference:

  Phishing is a type of information security incident that falls under the category of cracker/hacker attacks. Phishing is a form of fraud that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. Phishing is a common and serious threat to information security, as it can lead to identity theft, financial loss, data breach, malware infection or other damages. ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2). References: CQI and IRCA Certified ISO/ IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements, What is Phishing?

• Question 150:

  Audit methods can be either with or without interaction with individuals representing the auditee. Which two of the following methods are with interaction?

  A. Sampling (e.g. products)
  B. Observing work performed via live video streaming
  C. Reviewing checklists with auditee
  D. Checking legal compliance with local authorities
  E. Conducting interviews
  F. Analysing documents provided in advance of the audit
  C. Reviewing checklists with auditee
  E. Conducting interviews

  ---

  Explanation/Reference:

  According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, audit methods can be classified into two categories: with or without interaction with individuals representing the auditee (page 12). Audit methods with interaction include reviewing checklists with auditee and conducting interviews, as they involve direct communication and feedback from the auditee. Audit methods without interaction include sampling (e.g. products), observing work performed via live video streaming, checking legal compliance with local authorities, and analysing documents provided in advance of the audit, as they do not require any dialogue or exchange with the auditee. References: PECB Candidate Handbook for ISO/ IEC 27001 Lead Auditor, page 12.