PECB ISO-IEC-27001-LEAD-AUDITOR Online Practice Questions and Exam Preparation

PECB ISO-IEC-27001-LEAD-AUDITOR Online Questions & Answers

• Question 191:

  Information or data that are classified as ______ do not require labeling.

  A. Public
  B. Internal
  C. Confidential
  D. Highly Confidential
  A. Public

  ---

  Explanation/Reference:

  Information or data that are classified as public do not require labeling. Public information or data are those that are intended for general disclosure and have no impact on the organization's operations or reputation if disclosed. Labeling is a method of implementing classification, which is a process of structuring information according to its sensitivity and value for the organization. Labeling helps to identify the level of protection and handling required for each type of information. Information or data that are classified as internal, confidential, or highly confidential require labeling, as they contain information that is not suitable for public disclosure and may cause harm or loss to the organization if disclosed. References: CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 34. : CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 37. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 14.

• Question 192:

  You are performing an ISMS audit at a nursing home where residents always wear an electronic wristband for monitoring their location, heartbeat, and blood pressure. The wristband automatically uploads this data to a cloud server for

  healthcare monitoring and analysis by staff.

  You now wish to verify that the information security policy and objectives have been established by top management. You are sampling the mobile device policy and identify a security objective of this policy is "to ensure the security of

  teleworking and use of mobile devices" The policy states the following controls will be applied in order to achieve this.

  Personal mobile devices are prohibited from connecting to the nursing home network, processing, and storing residents' data.

  The company's mobile devices within the ISMS scope shall be registered in the asset register.

  The company's mobile devices shall implement or enable physical protection, i.e., pin-code protected screen lock/unlock, facial or fingerprint to unlock the device.

  The company's mobile devices shall have a regular backup.

  To verify that the mobile device policy and objectives are implemented and effective, select three options for your audit trail.

  A. Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home
  B. Review visitors' register book to make sure no visitor can have their personal mobile phone in the nursing home
  C. Review the internal audit report to make sure the IT department has been audited
  D. Review the asset register to make sure all personal mobile devices are registered
  E. Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register
  F. Review the asset register to make sure all company's mobile devices are registered
  G. Interview the supplier of the devices to make sure they are aware of the ISMS policy
  H. Interview top management to verify their involvement in establishing the information security policy and the information security objectives
  C. Review the internal audit report to make sure the IT department has been audited
  E. Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register
  F. Review the asset register to make sure all company's mobile devices are registered

  ---

  Explanation/Reference:

  According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 5.2 requires top management to establish an information security policy that provides the framework for setting information security objectives1. Clause 6.2 requires top management to ensure that the information security objectives are established at relevant functions and levels1. Therefore, when verifying that the information security policy and objectives have been established by top management, an ISMS auditor should review relevant documents and records that demonstrate top management's involvement and commitment.

  To verify that the mobile device policy and objectives are implemented and effective, an ISMS auditor should review relevant documents and records that demonstrate how the policy and objectives are communicated, monitored, measured, analyzed, and evaluated. The auditor should also sample and verify the implementation of the controls that are stated in the policy.

  Three options for the audit trail that are relevant to verifying the mobile device policy and objectives are:

  Review the internal audit report to make sure the IT department has been audited: This option is relevant because it can provide evidence of how the IT department, which is responsible for managing the mobile devices and their security, has been evaluated for its conformity and effectiveness in implementing the mobile device policy and objectives. The internal audit report can also reveal any nonconformities, corrective actions, or opportunities for improvement related to the mobile device policy and objectives.

  Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register: This option is relevant because it can provide evidence of how the mobile devices that are used by the medical staff, who are involved in processing and storing residents' data, are registered in the asset register and have physical protection enabled. This can verify the implementation and effectiveness of two of the controls that are stated in the mobile device policy.

  Review the asset register to make sure all company's mobile devices are registered: This option is relevant because it can provide evidence of how the company's mobile devices that are within the ISMS scope are identified and accounted for. This can verify the implementation and effectiveness of one of the controls that are stated in the mobile device policy.

  The other options for the audit trail are not relevant to verifying the mobile device policy and objectives, as they are not related to the policy or objectives or their implementation or effectiveness. For example:

  Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding physical security or access control, but not specifically to mobile devices.

  Review visitors' register book to make sure no visitor can have their personal mobile phone in the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security awareness or compliance, but not specifically to mobile devices.

  Interview the supplier of the devices to make sure they are aware of the ISMS policy: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security within supplier relationships, but not specifically to mobile devices.

  Interview top management to verify their involvement in establishing the information security policy and the information security objectives: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to verifying that the information security policy and objectives have been established by top management, but not specifically to mobile devices.

  References: ISO/IEC 27001:2022 - Information technology ?Security techniques ?Information security management systems ?Requirements

• Question 193:

  Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

  Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification. Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

  Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

  During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

  The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees' access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

  During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

  Based on scenario 6, during stage 1 audit, the auditor found out that some documents regarding the ISMS had different format. What should the auditor do in this case?

  A. Verify if the documented information has the appropriate format and is in accordance with the company's documentation procedure since this is a requirement of the standard
  B. Verify only if the information required by the standard is documented without taking into account the format since this is not a requirement of the standard
  C. Document this observation as an issue that should be verified during stage 2 audit
  B. Verify only if the information required by the standard is documented without taking into account the format since this is not a requirement of the standard

  ---

  Explanation/Reference:

  The auditor should verify if the information required by the standard is documented, without necessarily focusing on the format, as long as the content meets the requirements of the standard. ISO/IEC 27001 does not mandate a specific format for documentation, only that necessary information is appropriately documented, maintained, and controlled.

  References: ISO/IEC 27001:2013, Clause 7.5 (Documented information)

• Question 194:

  DRAG DROP

  Select the words that best complete the sentence:

  To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

  Select and Place:

  

  

  ---

  Explanation/Reference:

  A third-party audit team leader is a person who leads an audit team that conducts audits on behalf of an external organization, such as a certification body, that provides certification or accreditation services to other organizations. One of the main responsibilities of a third-party audit team leader is to act on behalf of the certification body, which means to represent its interests, policies, and procedures during the audit process.

  Acting on behalf of the certification body involves communicating with the audit client and the auditee, planning and conducting the audit, reporting and evaluating the audit results, and making recommendations for certification or accreditation decisions.

  Acting on behalf of the certification body also requires maintaining professional integrity, impartiality, confidentiality, and competence throughout the audit process.

  References:

  ISO 19011:2022 Guidelines for auditing management systems ISO/IEC 17021-1:2022 Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 1: Requirements

• Question 195:

  After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.

  Considering this information, what action would you expect the audit team leader to take?

  A. Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform
  B. Increase the length of the Stage 2 audit to include the extra sites
  C. Inform the auditee that the audit team leader accepts the request
  D. Obtain information about the additional sites to inform the individual(s) managing the audit programme
  D. Obtain information about the additional sites to inform the individual(s) managing the audit programme

  ---

  Explanation/Reference:

  According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the audit team leader should obtain information about the additional sites to inform the individual(s) managing the audit programme, as this may affect the audit objectives, scope, criteria, duration, resources, and risks. The audit team leader should also review the audit plan and make any necessary adjustments in consultation with the auditee and the audit client1. References: 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 27, section 4.3.2.2.

• Question 196:

  DRAG DROP

  You are an experienced ISMS audit team leader providing instruction to a class of auditors in training. The subject of today's lesson is the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022.

  You provide the class with a series of activities. You then ask the class to sort these activities into the order in which they appear in the standard.

  What is the correct sequence they should report back to you?

  Select and Place:

  

  

  ---

  Explanation/Reference:

  The correct sequence of activities for the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022 is as follows:

  1st: Create and maintain information security risk criteria 2nd: Identify the risks that need to be considered when planning for the information security management system 3rd: Assess the potential consequences that would arise if the risk were to materialise 4th: Select appropriate risk treatment options 5th: Carry out information security risk assessments at planned intervals 6th: Consider the results of risk assessment and the status of the risk treatment plan at management review

  This sequence is based on the information security risk management process described in ISO/IEC 27001:

  2022 clause 6.1, which includes the following activities:

  establishing and maintaining information security risk criteria;

  ensuring that repeated information security risk assessments produce consistent, valid and comparable results;

  identifying the information security risks;

  analyzing the information security risks;

  evaluating the information security risks

  treating the information security risks;

  accepting the information security risks and the residual information security risks;

  communicating and consulting with stakeholders throughout the process;

  monitoring and reviewing the information security risks and the risk treatment plan.

  References:

  ISO/IEC 27001:2022, clause 6.1

  [PECB Candidate Handbook ISO/IEC 27001 Lead Auditor], pages 14-15

  ISO 27001 Risk Management in Plain English

• Question 197:

  You are an ISMS audit team leader assigned by your certification body to carry out a follow-up audit of a Data Centre client.

  According to ISO 19011:2018, the purpose of a follow-up audit is to verify which one of the following?

  A. The effectiveness of the management system
  B. Implementation of ISMS objectives
  C. Implementation of risk treatment plans
  D. Completion and effectiveness of corrective actions
  D. Completion and effectiveness of corrective actions

  ---

  Explanation/Reference:

  The purpose of a follow-up audit is to verify the completion and effectiveness of corrective actions taken by the auditee in response to the nonconformities identified in a previous audit. A follow-up audit is a type of audit that is conducted after an initial audit, and it focuses on the specific areas where nonconformities were found and corrective actions were agreed upon. A follow-up audit can be conducted as a separate audit or as part of a scheduled audit, depending on the nature and severity of the nonconformities and the audit programme objectives.

  The other options are not the purpose of a follow-up audit, but rather the purpose of other types of audits. For example:

  Option A is the purpose of a performance audit, which is a type of audit that evaluates the effectiveness of the management system in achieving its intended results. Option B is the purpose of a compliance audit, which is a type of audit that verifies the conformity of the management system with the specified requirements, such as the ISMS objectives. Option C is the purpose of a process audit, which is a type of audit that examines the inputs, activities, outputs, and interactions of a specific process within the management system, such as the risk treatment process.

  References:

  1: ISO 19011:2018, 6.7;

  2: ISO 19011:2018, 3.7;

  3: ISO 19011:2018, 5.5.2;

  4: ISO 19011:2018, 3.6;

  5: ISO 19011:2018, 3.5;

  ISO 19011:2018, 3.4; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : [ISO 19011:2018]

• Question 198:

  DRAG DROP

  In regard to generating an audit finding, select the words that best complete the following sentence.

  To complete the sentence with the best word(s), click on the blank section you want to complete so that it Is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

  Select and Place:

  

  

  ---

  Explanation/Reference:

  Audit evidence is the information obtained by the auditors during the audit process that is used as a basis for forming an audit opinion or conclusion12. Audit evidence could include records, documents, statements, observations, interviews, or test results. Audit criteria are the set of policies, procedures, standards, regulations, or requirements that are used as a reference against which audit evidence is compared12. Audit criteria could be derived from internal or external sources, such as ISO standards, industry best practices, or legal obligations. Audit findings are the results of a process that evaluates audit evidence and compares it against audit criteria. Audit findings can show that audit criteria are being met (conformity) or that they are not being met (nonconformity). They can also identify best practices or improvement opportunities. References: ISO 19011:2022 Guidelines for auditing management systems ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements Components of Audit Findings - The Institute of Internal Auditors

• Question 199:

  DRAG DROP

  You are performing an ISMS audit at a European-based residential nursing home called ABC that provides healthcare services. You find all nursing home residents wear an electronic wristband for monitoring their location, heartbeat, and blood pressure always. You learned that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.

  The next step in your audit plan is to verify that the information security policy and objectives have been established by top management.

  During the audit, you found the following audit evidence.

  Match the audit evidence to the corresponding requirement in ISO/IEC 27001:2022.

  Select and Place:

  

  

  ---

  Explanation/Reference:

• Question 200:

  Stages of Information

  A. creation, evolution, maintenance, use, disposition
  B. creation, use, disposition, maintenance, evolution
  C. creation, distribution, use, maintenance, disposition
  D. creation, distribution, maintenance, disposition, use
  C. creation, distribution, use, maintenance, disposition

  ---

  Explanation/Reference:

  The stages of information are creation, distribution, use, maintenance, and disposition. These are the phases that information goes through during its lifecycle, from the moment it is generated to the moment it is destroyed or archived. Each stage of information has different security requirements and risks, and should be managed accordingly. Creation, evolution, maintenance, use, and disposition are not the correct stages of information, as evolution is not a distinct stage, but a process that can occur in any stage. Creation, use, disposition, maintenance, and evolution are not the correct stages of information, as they are not in the right order. Creation, distribution, maintenance, disposition, and use are not the correct stages of information, as they are not in the right order.

  References: CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 32. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 12.