PECB ISO-IEC-27001-LEAD-AUDITOR Online Practice Questions and Exam Preparation

PECB ISO-IEC-27001-LEAD-AUDITOR Online Questions & Answers

• Question 151:

  You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee's knowledge of ISO/IEC 27001's risk management requirements. You ask her a series of questions to which the answer is either 'that is true' or 'that is false'. Which four of the following should she answer 'that is true'?

  A. The results of risk assessments must be maintained
  B. Risk identification is used to determine the severity of an information security risk
  C. ISO/IEC 27001 provides an outline approach for the management of risk
  D. The organisation must produce a risk treatment plan for every business risk identified
  E. The organisation must operate a risk treatment process to eliminate it's information security risks
  F. The initial phase in an organisation's risk management process should be information security risk assessment
  G. Risks assessments should be undertaken at monthly intervals
  H. Risk assessments should be undertaken following significant changes
  A. The results of risk assessments must be maintained
  C. ISO/IEC 27001 provides an outline approach for the management of risk
  D. The organisation must produce a risk treatment plan for every business risk identified
  H. Risk assessments should be undertaken following significant changes

  ---

  Explanation/Reference:

  The following four statements are true according to ISO/IEC 27001's risk management requirements:

  The results of risk assessments must be maintained. This is true because clause 8.2.3 of ISO/IEC 27001: 2022 requires the organisation to retain documented information of the information security risk assessment process and the results ISO/IEC 27001 provides an outline approach for the management of risk. This is true because clause 6.1.2 of ISO/IEC 27001:2022 specifies the general steps for the information security risk management process, which include establishing the risk criteria, assessing the risks, treating the risks, and monitoring and reviewing the risks The organisation must produce a risk treatment plan for every business risk identified. This is true because clause 6.1.3 of ISO/IEC 27001:2022 requires the organisation to produce a risk treatment plan that defines the actions to be taken to address the unacceptable risks, the responsibilities, the expected dates, and the resources required Risk assessments should be undertaken following significant changes. This is true because clause 8.2.4 of ISO/IEC 27001:2022 requires the organisation to review and update the risk assessment at planned intervals or when significant changes occur

  The following four statements are false according to ISO/IEC 27001's risk management requirements:

  Risk identification is used to determine the severity of an information security risk. This is false because risk identification is used to identify the assets, threats, vulnerabilities, and existing controls that are relevant to the information security risk management process. The severity of an information security risk is determined by the risk analysis, which evaluates the likelihood and impact of the risk scenarios

  The organisation must operate a risk treatment process to eliminate its information security risks. This is false because the organisation can choose from four options to treat its information security risks: avoid, transfer, mitigate, or accept. The organisation does not have to eliminate all its information security risks, but only those that are unacceptable according to its risk criteria

  The initial phase in an organisation's risk management process should be information security risk assessment. This is false because the initial phase in an organisation's risk management process should be establishing the risk management framework, which includes defining the risk management policy, objectives, scope, roles, responsibilities, and criteria. The information security risk assessment is the second phase in the risk management process

  Risks assessments should be undertaken at monthly intervals. This is false because there is no fixed frequency for conducting risk assessments in ISO/IEC 27001. The organisation should determine the appropriate intervals for reviewing and updating the risk assessment based on its risk appetite, risk profile, and operational context

  References:

  1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1

  2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

• Question 152:

  You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

  They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

  Which three of the following options represent valid audit trails?

  A. I will review the organisation's threat intelligence process and will ensure that this is fully documented
  B. I will speak to top management to make sure all staff are aware of the importance of reporting threats
  C. I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team
  D. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
  E. I will ensure that the organisation's risk assessment process begins with effective threat intelligence
  F. I will determine whether internal and external sources of information are used in the production of threat intelligence
  G. I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
  H. I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements
  A. I will review the organisation's threat intelligence process and will ensure that this is fully documented
  D. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
  F. I will determine whether internal and external sources of information are used in the production of threat intelligence

  ---

  Explanation/Reference:

  According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control 5.7 requires an organization to establish

  and maintain a threat intelligence process to identify and evaluate information security threats that are relevant to its ISMS scope and objectives. The organization should use internal and external sources of information, such as vulnerability

  databases, threat feeds, industry reports, etc., to produce threat intelligence that can be used to support risk assessment and treatment, as well as other information security activities1. Therefore, when auditing the organization's application

  of control 5.7, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

  Three options that represent valid audit trails for verifying control 5.7 are:

  I will review the organisation's threat intelligence process and will ensure that this is fully documented:

  This option is valid because it can provide evidence of how the organization has established and maintained a threat intelligence process that is consistent with its ISMS scope and objectives. It can also verify that the process is documented

  according to clause 7.5 of ISO/IEC 27001:20221.

  I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets: This option is valid because it can provide evidence of how the organization has used threat

  intelligence to support its risk assessment and treatment, as well as other information security activities, such as incident response, awareness, or monitoring. It can also verify that the organization has achieved its information security

  objectives according to clause 6.2 of ISO/IEC 27001:20221.

  I will determine whether internal and external sources of information are used in the production of threat intelligence: This option is valid because it can provide evidence of how the organization has used various sources of information, such

  as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that is relevant and reliable. It can also verify that the organization has complied with the requirement of control 5.7 of ISO/IEC 27001:20221. The

  other options are not valid audit trails for verifying control 5.7, as they are not related to the control or its requirements. For example:

  I will speak to top management to make sure all staff are aware of the importance of reporting threats:

  This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or

  requirement regarding information security awareness or communication, but not specifically to control 5.7.

  I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat

  intelligence process or used threat intelligence to support its ISMS activities. It may also contradict the requirement for auditor independence and objectivity, as recommended by ISO 19011:20182, which provides guidelines for auditing

  management systems.

  I will ensure that the organisation's risk assessment process begins with effective threat intelligence:

  This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also imply a prescriptive

  approach to risk assessment that is not consistent with ISO/IEC 27005:

  20183, which provides guidelines for information security risk management.

  I will review how information relating to information security threats is collected and evaluated to produce threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained

  a threat intelligence process or used threat intelligence to support its ISMS activities. It may also be too vague or broad to be an effective audit trail, as it does not specify what criteria or methods are used for collecting and evaluating

  information.

  I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements: This option is not valid because it does not provide evidence of how the organization

  has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding management review or performance evaluation, but not

  specifically to control 5.7.

  References: ISO/IEC 27001:2022 - Information technology -Security techniques -Information security management systems

  Requirements, ISO 19011:2018 - Guidelines for auditing management systems, ISO /IEC 27005:2018 - Information technology -Security techniques -Information security risk management

• Question 153:

  You are the audit team leader conducting a third-party audit of an online insurance company. During Stage 1, you found that the organization took a very cautious risk approach and included all the information security controls in ISO/IEC 27001:2022 Appendix A in their Statement of Applicability.

  During the Stage 2 audit, your audit team found that there was no evidence of a risk treatment plan for the implementation of the three controls (5.3 Segregation of duties, 6.1 Screening, 7.12 Cabling security). You raise a nonconformity against clause 6.1.3.e of ISO 27001:2022.

  At the closing meeting, the Technical Director issues an extract from an amended Statement of Applicability (as shown) and asks for the nonconformity to be withdrawn.

  

  Select three options of the correct responses of an audit team leader to the request of the Technical Director.

  A. Advise management that the information provided will be reviewed when the auditors have more time.
  B. Advise the Technical Director that his request will be included in the audit report.
  C. Advise the Technical Director that once a nonconformity is raised it cannot be withdrawn.
  D. Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.
  E. Ask the auditor who raised the issue for their opinion on how you should respond to the request.
  F. Inform the Technical Director that the nonconformity will be changed to an Opportunity for Improvement.
  G. Review the documentation produced and withdraw the nonconformity.
  H. State that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability.
  B. Advise the Technical Director that his request will be included in the audit report.
  D. Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.
  H. State that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability.

  ---

  Explanation/Reference:

  The three options of the correct responses of an audit team leader to the request of the Technical Director are:

  Advise the Technical Director that his request will be included in the audit report.

  Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.

  State that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability.

  This response is correct because the audit team leader should document the request of the Technical Director and include it in the audit report, along with the audit findings and conclusions12. This will ensure transparency and traceability of

  the audit process and the audit results.

  This response is correct because the audit team leader should not withdraw the nonconformity based on the amended Statement of Applicability alone. The nonconformity was raised against clause 6.1.3.e of ISO 27001:2022, which requires

  the organisation to produce and maintain a risk treatment plan that defines how the information security risks are treated, including the controls selected and their implementation status34. The Statement of Applicability is only one part of the

  risk treatment plan, and it does not provide sufficient evidence that the controls have been implemented effectively. The audit team leader should base the nonconformity on the objective evidence obtained during the audit, not on the

  subjective claims of the auditee12.

  This response is correct because the audit team leader should state that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability. A follow up audit is an audit that is conducted after a previous audit

  to verify the implementation and effectiveness of the corrective actions and/or opportunities for improvement that were agreed upon as a result of the previous audit56. The follow up audit should seek to ensure that the nonconformity has

  been effectively addressed and that the ISMS is compliant and effective. The follow up audit should also consider any new or changed risks or requirements that may affect the ISMS.

  References:

  1: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 25

  2: ISO 19011:2018 - Guidelines for auditing management systems, clause 6.7

  3: ISO/IEC 27001:2022 - Information technology -- Security techniques -- Information security management systems -- Requirements, clause 6.1.3.e

  4: ISO/IEC 27005:2022 - Information technology -- Security techniques -- Information security risk management, clause 8.3.2

  5: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 25

  6: ISO 19011:2018 - Guidelines for auditing management systems, clause 6.7

• Question 154:

  You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to approve the test.

  The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymization functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

  You sample one of the medical staff's mobile and found that ABC's healthcare mobile app, version 1.01 is installed. You found that version 1.01 has no test record.

  The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app development company gave a free minor update on the tested software, performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions. Based on his 20 years of information security experience, there is no need to re-test.

  You are preparing the audit findings Select two options that are correct.

  A. There is NO nonconformity (NC). The IT Manager demonstrates he is fully competent. (Relevant to clause 7.2)
  B. There is a nonconformity (NC). The IT Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
  C. There is a nonconformity (NC). The organisation does not control planned changes and review the consequences of unintended changes. (Relevant to clause 8.1)
  D. There is an opportunity for improvement (OI). The organisation selects an external service provider based on the extent of free services it will provide. (Relevant to clause 8.1, control A.5.21)
  E. There is NO nonconformity (NC). The IT Manager demonstrates good leadership. (Relevant to clause 5.1, control 5.4)
  F. There is an opportunity for improvement (OI). The IT Manager should make the decision to continue the service based on appropriate testing. (Relevant to clause 8.1, control A.8.30)
  B. There is a nonconformity (NC). The IT Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
  C. There is a nonconformity (NC). The organisation does not control planned changes and review the consequences of unintended changes. (Relevant to clause 8.1)

  ---

  Explanation/Reference:

  According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes developing and entering into licensing agreements that cover code ownership and intellectual property rights, and implementing appropriate contractual requirements related to secure design and coding in accordance with Annex A 8.25 and

  In this case, the organisation and the developer have performed security tests that failed, which indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT Manager explains that the encryption and pseudonymization functions failed because they slowed down the system and service performance, and that an extra 150% of resources are needed to cover this. However, this does not justify the acceptance of the test results by the Service Manager, who is not authorised to approve the test according to the software security management procedure. The Service Manager should have consulted with the IT Manager, who is the owner of the process, and followed the procedure for handling nonconformities and corrective actions. The Service Manager's decision to continue the service based on access control alone exposes the organisation to the risk of compromising the confidentiality, integrity, and availability of personal data processed by the mobile app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.

  According to ISO 27001:2022 Clause 8.1, the organisation shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in Clause 6.1. The organisation shall also control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary12

  In this case, the organisation has not controlled the planned change of the mobile app from version 1.0 to version 1.01, which was a minor update provided by the outsourced developer in response to frequent ransomware attacks. The IT Manager explains that the developer performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions. However, this is not sufficient to ensure that the change is properly assessed, tested, documented, and approved before deployment. The IT Manager should have followed the change management process and procedure, and verified that the updated software meets the security requirements and does not introduce any new vulnerabilities or risks. The IT Manager's reliance on his 20 years of information security experience and the developer's verbal guarantee is not a valid basis for skipping the re-testing of the software. Therefore, there is a nonconformity (NC) with clause 8.1.

  References:

  1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training

  2: ISO/IEC 27001 Lead Auditor Training Course by PECB

• Question 155:

  You are an ISMS auditor conducting a third-party surveillance audit of a telecom's provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming.

  You ask the Chief Tester why and she says, 'It's a result of the recent ISMS upgrade'. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients' configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made'.

  Based solely on the information above, which clause of ISO/IEC 27001:2022 would be the most appropriate to raise a nonconformity against? Select one.

  A. Clause 10.2 - Nonconformity and corrective action
  B. Clause 7.2 - Competence
  C. Clause 7.5 - Documented information
  D. Clause 8.1 - Operational planning and control
  D. Clause 8.1 - Operational planning and control

• Question 156:

  How does the use of new technologies such as big data impact auditing?

  A. It presents new challenges, for example, combining structured and unstructured data
  B. It enhances the audit quality by enabling auditors to collect higher quality audit evidence
  C. It causes significant disruptions, for example, introducing data that is too large or complex for processing by traditional database management tools
  A. It presents new challenges, for example, combining structured and unstructured data

  ---

  Explanation/Reference:

  The use of new technologies such as big data presents new challenges in auditing, particularly the issue of combining structured and unstructured data. Big data environments often include diverse data sets that auditors need to understand and interpret, which requires new skills and approaches to ensure effective and comprehensive audit coverage.

  References: ISO/IEC 27001:2013 Standards and supplementary literature on the impact of technology on auditing practices

• Question 157:

  Which one of the following options best describes the main purpose of a Stage 1 third-party audit?

  A. To introduce the audit team to the client
  B. To learn about the organisation's procurement
  C. To determine redness for a stage 2 audit
  D. To check for legal compliance by the organisation
  E. To prepare an independent audit report
  F. To get to know the organisation's customers
  C. To determine redness for a stage 2 audit

  ---

  Explanation/Reference:

  The main purpose of a Stage 1 third-party audit is to determine readiness for a Stage 2 audit. A Stage 1 audit is a preliminary assessment that evaluates the organization's ISMS documentation, scope, context, and objectives, and identifies any major gaps or nonconformities that need to be addressed before the Stage 2 audit. A Stage 1 audit does not introduce the audit team to the client, as this is done during the audit planning phase. A Stage 1 audit does not check for legal compliance by the organization, as this is done during the Stage 2 audit. A Stage 1 audit does not prepare an independent audit report, as this is done after the Stage 2 audit. References: CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 70. : ISO/IEC 27001 LEAD AUDITOR - PECB, page 23.

• Question 158:

  You are performing an ISMS audit at a residential nursing home that provides healthcare services and are reviewing the Software Code Management (SCM) system. You found a total of 10 user accounts on the SCM. You confirm that one of the users, Scott, resigned 9-months ago. The SCM System Administrator confirmed Scott's last check-out of the source code was found 1 month ago. He was using one of the uthorized desktops from the local network in a secure area.

  You check with the user de-registration procedure which states "Managers have to make sure of deregistration of the user account and authorisation immediately from the relevant ICT system and/or equipment after resignation approval." There was no deregistration record for user Scott.

  The IT Security Manager explains that Scott still comes back to the office every month after he resigned to provide support on source code maintenance. That's why his account on SCM still exists.

  You would like to investigate other areas further to collect more audit evidence. Select three options that would not be valid audit trails.

  A. Collect more evidence on how access controls are periodically reviewed to maintain security (Relevant to control A.5.35)
  B. Collect more evidence on how the transition of Scott from full-time to part-time employment was managed (relevant to control A.6.5)
  C. Collect more evidence from Scott's background verification checks performed by the human resource department under the new employment relationship. (Relevant to control A.6.1)
  D. Collect more evidence of why Scott resigned and whether his re-engagement represents a conflict of interest. (relevant to control A.5.3)
  E. Collect more evidence on how Scott can access the employee's desktop and local network. (Relevant to control A.5.15)
  F. Collect more evidence on how Scott can access the secure area. (Relevant to control A.8.4)
  G. Collect more evidence on how the organization pays for Scott's source code maintenance support service. (Relevant to control A.6.2)
  H. Collect more evidence on where Scott kept the source code that he checked out and how it was secured. (Relevant to control A.8.4)
  B. Collect more evidence on how the transition of Scott from full-time to part-time employment was managed (relevant to control A.6.5)
  D. Collect more evidence of why Scott resigned and whether his re-engagement represents a conflict of interest. (relevant to control A.5.3)
  G. Collect more evidence on how the organization pays for Scott's source code maintenance support service. (Relevant to control A.6.2)

  ---

  Explanation/Reference:

  The options B, D, and G are not valid audit trails because they are not directly related to the ISMS requirements or the audit criteria. They are more relevant to the human resource management or the contractual arrangements of the organization, which are outside the scope of the ISMS audit. The other options are valid audit trails because they can provide evidence of how the organization implements and maintains the ISMS controls related to access control, secure areas, and information security aspects of business continuity management.

  References : PECB Candidate Handbook ISO/IEC 27001 Lead Auditor, page 16, section 4.2.1 ISO/IEC 27001:2013, clauses A.5.3, A.5.15, A.5.35, A.6.1, A.6.2, A.6.5, A.8.4, A.17.1 ISO 19011:2018, clause 6.2.2

• Question 159:

  How are internal audits and external audits related?

  A. Internal audits ensure that the organization regularly monitors the external audit reports and action plans
  B. Internal audits ensure the implementation of the corrective actions before the organization is recommended for certification by the external auditor
  C. Internal audits and external audits are included in the certification cycle, which ensures the monitoring of the management system on a regular basis
  C. Internal audits and external audits are included in the certification cycle, which ensures the monitoring of the management system on a regular basis

  ---

  Explanation/Reference:

  Internal audits and external audits are integral components of the certification cycle, ensuring regular monitoring of the management system. Internal audits help organizations prepare for external audits by identifying and addressing potential nonconformities, while external audits validate the compliance of the management system with ISO/IEC 27001 standards.

  References: PECB ISO/IEC 27001 Lead Auditor Course Material; ISO/IEC 27001:2013, Clauses 9.2 (Internal audit) and 9.3 (Management review)

• Question 160:

  After drafting the audit conclusions, the work documents of the audit team leader were reviewed by another auditor selected by the certification body. Is this acceptable?

  A. Yes, the work documents of the audit team leader must be reviewed by another auditor after reaching audit conclusions
  B. No, the work of the audit team leader must be reviewed before reaching an audit conclusion
  C. No' it is only the audit team leader that reviews the work documents of each auditor
  A. Yes, the work documents of the audit team leader must be reviewed by another auditor after reaching audit conclusions

  ---

  Explanation/Reference:

  Yes, it is acceptable for the work documents of the audit team leader to be reviewed by another auditor after reaching audit conclusions. This is part of the quality control and assurance processes within the audit to ensure the accuracy and reliability of the audit conclusions.

  References: ISO 19011:2018, Guidelines for auditing management systems