PECB ISO-IEC-27001-LEAD-AUDITOR Online Practice Questions and Exam Preparation

PECB ISO-IEC-27001-LEAD-AUDITOR Online Questions & Answers

• Question 171:

  DRAG DROP

  Select the words that best complete the sentence below to describe audit resources:

  Select and Place:

  

  

  ---

  Explanation/Reference:

  According to ISO 19011:2018, clause 5.3, the person responsible for managing the audit programme should determine the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. The audit resources should be sufficient and appropriate to ensure the quality and effectiveness of the audit programme and the audit results. The audit resources include the following elements: Essential resources: These are the resources that are required to conduct the audit programme and the individual audits, such as the audit documents, the audit methods, the audit tools, the audit schedule, the audit budget, etc. The essential resources should be identified and allocated based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee. The essential resources should also be reviewed and updated as necessary to reflect any changes or deviations in the audit programme or the individual audits. Competent personnel: These are the audit team members who have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results and recommendations. The competent personnel should include the audit team leader, the auditors, and any technical experts or observers who support the audit team. The competent personnel should be selected and appointed based on the audit objectives, scope, and criteria, and the specific competence requirements for the audit programme and the individual audits. The competent personnel should also be independent and impartial, and avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions. References: ISO 19011:2018 - Guidelines for auditing management systems, clause 5.3 PECB Candidate Handbook ISO 27001 Lead Auditor, page 19

• Question 172:

  DRAG DROP

  Please match the following situations to the type of audit required.

  Select and Place:

  

  

  ---

  Explanation/Reference:

  Top management requests auditors from the organisation's compliance department to audit the production process in order to ensure the final product meets quality requirements = First-party audit Auditors from the buyer's organisation audit their raw material supplier to ensure the supply fulfils the order and contract = Second-party audit Auditors from an independent certification body conduct an audit of the organisation to verify conformity with an ISO Standard for certification purposes = Third-party audit The organisation has been audited against two management system standards in one audit = Combined audit According to the ISO/IEC 27001 standard, there are three main categories of audits: internal, external, and certification1. An internal audit, also known as a first-party audit, is an audit conducted by the organisation itself, or by an external party on its behalf, for management review and other internal purposes12. An external audit, also known as a second-party audit, is an audit conducted by a customer or other interested party on a supplier or contractor to verify compliance with contractual or other requirements. A certification audit, also known as a third-party audit, is an audit conducted by an independent certification body to verify conformity with an ISO standard for certification purposes12. A combined audit is an audit where two or more management system standards are audited together.

  References: 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 192: ISO 27001 Audit Types and How They are Conducted23: The Four ISO 27001 Audit Categories, Explained4

• Question 173:

  DRAG DROP

  As the ISMS audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.

  Complete the sentence with the best word(s), dick on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

  Select and Place:

  

  

  ---

  Explanation/Reference:

  The purpose of including access rights in an information management system to ISO/IEC 27001:2022 is to provide, review, modify and remove these permissions in accordance with the organisation's policy and rules for access control.

  Access rights are the permissions granted to users or groups of users to access, use, modify, or delete information assets. Access rights should be aligned with the organisation's access control policy, which defines the objectives, principles, roles, and responsibilities for managing access to information systems. Access rights should also follow the organisation's rules for access control, which specify the criteria, procedures, and controls for granting, reviewing, modifying, and revoking access rights. The purpose of including access rights in an information management system is to ensure that only authorised users can access information assets according to their business needs and roles, and to prevent unauthorised or inappropriate access that could compromise the confidentiality, integrity, or availability of information assets. References: ISO/IEC 27001:2022 Annex A Control 5.181 ISO/IEC 27002:2022 Control 5.182 CQI and IRCA Certified ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Training Course3

• Question 174:

  You are an experienced audit team leader guiding an auditor in training.

  Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the ORGANISATIONAL controls listed in the Statement of

  Applicability (SoA) and implemented at the site.

  Select four controls from the following that would you expect the auditor in training to review.

  A. Access to and from the loading bay
  B. Confidentiality and nondisclosure agreements
  C. How information security has been addressed within supplier agreements
  D. How power and data cables enter the building
  E. Rules for transferring information within the organisation and to other organisations
  F. The development and maintenance of an information asset inventory
  G. The operation of the site CCTV and door control systems
  H. The organisation's business continuity arrangements
  B. Confidentiality and nondisclosure agreements
  C. How information security has been addressed within supplier agreements
  E. Rules for transferring information within the organisation and to other organisations
  F. The development and maintenance of an information asset inventory

  ---

  Explanation/Reference:

  According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the auditor in training should review the organisational controls that are related to the information security policy, the roles and responsibilities, the information classification, the information exchange, the supplier relationships, and the information asset management1. These controls are aligned with the ISO/IEC 27001 requirements for clauses 5, 7, 8.2, 8.3, and 8.42. The other controls (A, D, G, and H) are more relevant to the physical and environmental security, the communications security, or the business continuity management, which are not part of the organisational controls3. References: 1: PECB Candidate Handbook for ISO/ IEC 27001 Lead Auditor, page 42, section 5.2.32: ISO/IEC 27001:2022, clauses 5, 7, 8.2, 8.3, and 8.43: ISO/IEC 27001:2022, clauses 8.1, 8.5, and 8.6.

• Question 175:

  Which is an example of a qualitative evidence?

  A. The documented results of an intrusion-detection test from an information security expert from an external organization
  B. A defined sample analysis of nonconformity reports drafted by the audited organization from the time their ISMS was implemented
  C. An interview with the information security personnel to validate if the information security process complies with the standard requirements
  C. An interview with the information security personnel to validate if the information security process complies with the standard requirements

  ---

  Explanation/Reference:

  Qualitative evidence in an audit typically involves observations, interviews, and reviews that provide insights into the processes and compliance through subjective but informed assessments. An interview with information security personnel to validate compliance with the standard requirements is an example of qualitative evidence, where the quality and effectiveness of processes are assessed based on expert judgments rather than measurable metrics. References: PECB ISO/IEC 27001 Lead Auditor Course Material

• Question 176:

  Integrity of data means

  A. Accuracy and completeness of the data
  B. Data should be viewable at all times
  C. Data should be accessed by only the right people
  A. Accuracy and completeness of the data

  ---

  Explanation/Reference:

  Integrity of data means accuracy and completeness of the data. Integrity is one of the three main objectives of information security, along with confidentiality and availability. Integrity ensures that information and systems are not corrupted, modified, or deleted by unauthorized actions or events. Data should be viewable at all times is not related to integrity, but to availability. Data should be accessed by only the right people is not related to integrity, but to confidentiality. References: CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24. : [ISO/IEC 27001 Brochures | PECB], page 4.

• Question 177:

  You received an email requiring you to send information such as name, email, and password in order to continue using your email account. If you do not send such information, your email account will be disabled. What does this scenario present?

  A. A personnel type of vulnerability
  B. An unauthorized action type of threat
  C. A compromise of information type of threat
  B. An unauthorized action type of threat

  ---

  Explanation/Reference:

  The scenario described is a classic example of a phishing attack, which is a type of social engineering threat where attackers masquerade as a trustworthy entity in an electronic communication. The goal is to trick individuals into providing sensitive information. This represents an unauthorized action type of threat because it involves an attacker attempting to gain unauthorized access to personal information. References: = This understanding of phishing as a threat is consistent with the principles of information security management systems and is supported by resources that describe phishing attacks and their prevention

• Question 178:

  You are an audit team leader conducting a third-party surveillance audit of a telecom services provider. You have assigned responsibility for auditing the organisation's information security objectives to a junior member of your audit team. Before they begin their assessment, you ask them the following question to check their understanding of the requirements of ISO /IEC 27001:2022.

  Which four of the following criteria must Information security objectives fulfil?

  A. They must be communicated appropriately
  B. They must be available as documented information
  C. They must always be measured
  D. They must always be monitored
  E. They must be reviewed annually
  F. They must be clear and unambiguous
  G. They must be consistent with the IS Policy
  H. They must be achievable
  A. They must be communicated appropriately
  B. They must be available as documented information
  G. They must be consistent with the IS Policy
  H. They must be achievable

  ---

  Explanation/Reference:

  According to ISO/IEC 27001:2022, clause 6.2, information security objectives are the specific results that an organisation intends to achieve with its information security management system (ISMS). The standard specifies that information security objectives must fulfil the following criteria:

  They must be communicated appropriately (A): The organisation must ensure that the relevant internal and external parties are informed about the information security objectives and their roles and responsibilities in achieving them. This can help to create awareness, commitment, and accountability for information security. This criterion is related to clause 6.2.2 of ISO/IEC 27001:2022. They must be available as documented information (B): The organisation must maintain and retain documented information on the information security objectives, including their scope, level, indicators, and time frame. This can help to provide evidence, traceability, and consistency for information security. This criterion is related to clause 6.2.1 of ISO/IEC 27001:2022.

  They must be consistent with the IS Policy (G): The organisation must ensure that the information security objectives are aligned with the information security policy, which is the top-level statement of the organisation's intentions and direction for information security. This can help to support the strategic objectives and the context of the organisation. This criterion is related to clause 5.2 of ISO/IEC 27001:2022.

  They must be achievable (H): The organisation must ensure that the information security objectives are realistic and attainable, considering the available resources, capabilities, and constraints. This can help to avoid setting unrealistic or unfeasible expectations and to monitor and measure the progress and performance of information security. This criterion is related to clause 6.2.1 of ISO/IEC 27001:2022.

  References: ISO/IEC 27001:2022, Information technology -- Security techniques -- Information security management systems -- Requirements PECB Candidate Handbook ISO/IEC 27001 Lead Auditor2 ISO 27001:2022 Lead Auditor - PECB3 ISO 27001:2022 certified ISMS lead auditor - Jisc4 ISO/IEC 27001:2022 Lead Auditor Transition Training Course5 ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy6

• Question 179:

  DRAG DROP

  You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's risk management process.

  He is attempting to update the current documentation to make it easier for other managers to understand, however, it is clear from your discussion he is confusing several key terms.

  You ask him to match each of the descriptions with the appropriate risk term. What should the correct answers be?

  Select and Place:

  

  

  ---

  Explanation/Reference:

  The strategy chosen to respond to a specific information security risk: This is a definition of information security risk treatment. According to ISO/IEC 27000:2022, information security risk treatment is "the process of selecting and implementing measures to modify the information security risk" Section 3.33. The effect of uncertainty on information security objectives: This is a definition of information security risk. According to ISO/IEC 27000:2022, information security risk is "the effect of uncertainty on information security objectives" Section 3.32. The requirements against which information security risks are evaluated: This is a definition of information security risk criteria. According to ISO/IEC 27000:2022, information security risk criteria are "the terms of reference by which the significance of information security risks is assessed" Section 3.31. A definition of the overall level of information security risk that is considered to be tolerable: This is a definition of information security risk acceptance criteria. According to ISO/IEC 27000:2022, information security risk acceptance criteria are "the level of information security risk that is acceptable" Section 3.30.

• Question 180:

  As an auditor, you have noticed that ABC Inc. has established a procedure to manage the removable storage media. The procedure is based on the classification scheme adopted by ABC Inc. Thus, if the information stored is classified as "confidential," the procedure applies. On the other hand, the information that is classified as "public," does not have confidentiality requirements: thus, only a procedure for ensuring its integrity and availability applies. What type of audit finding is this?

  A. Nonconformity
  B. Anomaly
  C. Conformity
  C. Conformity

  ---

  Explanation/Reference:

  This scenario represents a conformity because ABC Inc. has implemented procedures for managing removable storage media that align with the classification scheme of the information stored. When information is classified as "confidential," more stringent procedures apply, whereas for "public" information, the procedures focus only on integrity and availability, following the organization's defined information classification policy.

  References: ISO/IEC 27001:2013, Clause A.8.2 (Information classification)