PECB ISO-IEC-27001-LEAD-AUDITOR Online Practice Questions and Exam Preparation

PECB ISO-IEC-27001-LEAD-AUDITOR Online Questions & Answers

• Question 211:

  Which one of the following options describes the main purpose of a Stage 1 audit?

  A. To determine readiness for Stage 2
  B. To check for legal compliance by the organisation
  C. To get to know the organisation
  D. To compile the audit plan
  A. To determine readiness for Stage 2

  ---

  Explanation/Reference:

  The main purpose of a Stage 1 audit is to evaluate the adequacy and effectiveness of the organisation's ISMS documentation, and to assess whether the organisation is prepared for the Stage 2 audit, where the implementation and operation of the ISMS will be verified. The Stage 1 audit also involves verifying the scope, objectives, and context of the ISMS, as well as identifying any areas of concern or nonconformities that need to be addressed before the Stage 2 audit.

  References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB ISO/IEC 27006:2015 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems Section 7.3.1

• Question 212:

  Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

  Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

  Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

  Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

  During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

  The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees' access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

  During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

  During stage 1 audit, the audit team found out that Sinvestment did not have records on information security training and awareness. What Sinvestment do in this case? Refer to scenario 6.

  A. Correct the identified issue before the stage 2 audit
  B. Document the identified issue and correct it after the certification audit is completed
  C. Perform a new risk assessment process to understand whether the issue needs modification or not
  A. Correct the identified issue before the stage 2 audit

  ---

  Explanation/Reference:

  Sinvestment should correct the identified issue related to the lack of documentation on information security training and awareness before the stage 2 audit. Addressing this gap promptly ensures that the ISMS is fully compliant and effective when assessed in the subsequent audit stage.

  References: ISO/IEC 27001:2013, Clause 7.2 (Competence)

• Question 213:

  DRAG DROP

  The audit lifecycle describes the ISO 19011 process for conducting an individual audit. Drag and drop the steps of the audit lifecycle into the correct sequence.

  Select and Place:

  

  

  ---

  Explanation/Reference:

  Step 1: Audit initiation Step 2: Audit preparation Step 3: Conducting the audit Step 4: Preparing and distributing the audit report Step 5: Audit completion Step 6: Audit follow-up This sequence reflects the logical order of the audit activities, from establishing the audit objectives, scope and criteria, to verifying the implementation and effectiveness of the corrective actions. However, ISO 19011:2018 also recognizes that some audit activities can be iterative or concurrent, depending on the nature and complexity of the audit. For example, audit preparation and conducting the audit can overlap when new information or changes occur during the audit. Similarly, audit follow-up can be integrated with audit completion when the corrective actions are verified shortly after the audit. Therefore, the audit lifecycle should be adapted to the specific context and needs of each audit.

• Question 214:

  The following are purposes of Information Security, except:

  A. Ensure Business Continuity
  B. Minimize Business Risk
  C. Increase Business Assets
  D. Maximize Return on Investment
  C. Increase Business Assets

  ---

  Explanation/Reference:

  The following are purposes of information security, except increasing business assets. Increasing business assets is not a purpose of information security, as it is not directly related to protecting information and systems from threats and risks. Information security may contribute to increasing business assets by enhancing customer trust, reputation, compliance, and efficiency, but it is not its primary goal. Ensuring business continuity is a purpose of information security, as it aims to prevent or minimize disruptions or losses caused by incidents affecting information and systems. Minimizing business risk is a purpose of information security, as it aims to identify and reduce threats and vulnerabilities that may compromise information and systems. Maximizing return on investment is a purpose of information security, as it aims to optimize the costs and benefits of implementing and maintaining information security controls and measures. References: CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 23. : [ISO/IEC 27001 Brochures | PECB], page 4.

• Question 215:

  DRAG DROP

  You are an experienced ISMS internal auditor.

  You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's Statement of Applicability.

  The IT Manager is attempting to update the ISO/IEC 27001:2013 based Statement of Applicability to a Statement aligned to the 4 control themes present in ISO/IEC 27001:2022 (Organizational controls, People Controls, Physical Controls, Technical Controls).

  The IT Manager is happy with their reassignment of controls, with the following exceptions. He asks you which of the four control categories each of the following should appear under.

  Select and Place:

  

  

  ---

  Explanation/Reference:

  8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected = Technological control 7.8 Equipment shall be sited securely and protected = Physical control 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation's needs = Organisational control 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's premises = People control According to the web search results from my predefined tool, ISO 27001:2022 has restructured and consolidated the Annex A controls into four categories: organisational, people, physical, and technological12. These categories reflect the different aspects and dimensions of information security, and are aligned with the cybersecurity concepts of identify, protect, detect, respond, and recover3. The controls in each category are as follows4:

  Organisational controls: These are controls that relate to the governance, management, and coordination of information security activities within the organisation. They include controls such as information security policies, roles and responsibilities, risk assessment and treatment, performance evaluation, and improvement.

  People controls: These are controls that relate to the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. They include controls such as human resource security, training and awareness, access control, incident management, and business continuity.

  Physical controls: These are controls that relate to the protection of physical assets and environments that store, process, or transmit information. They include controls such as physical security, environmental security, equipment security, and media security.

  Technological controls: These are controls that relate to the use of technology to implement, monitor, and maintain information security. They include controls such as cryptography, network security, system security, application security, and threat intelligence.

  Based on these categories, the controls listed in the question can be matched as follows:

  8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected: This is a technological control, as it involves the use of technology to protect information on devices such as laptops, smartphones, tablets, etc. It may include measures such as encryption, authentication, antivirus, firewall, etc.

  7.8 Equipment shall be sited securely and protected: This is a physical control, as it involves the protection of physical assets and environments that store, process, or transmit information. It may include measures such as locks, alarms, CCTV, fire suppression, etc.

  5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation's needs: This is an organisational control, as it involves the governance, management, and coordination of information security activities within the organisation. It may include measures such as defining the authority and accountability of information security personnel, establishing reporting lines and communication channels, assigning tasks and duties, etc.

  6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's premises: This is a people control, as it involves the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. It may include measures such as providing guidance and training on remote working, enforcing policies and procedures, monitoring and auditing remote activities, etc.

  References:

  1: A Breakdown of ISO 27001:2022 Annex A Controls - BARR Advisory42: ISO 27001:2022 Annex A Controls - What's New? | ISMS.Online13: How many controls are there in ISO 27001:2022?

  Strike Graph: ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements, Annex A.

• Question 216:

  The audit team leader prepares the audit plan for an initial certification stage 2 audit to ISO/IEC 27001:2022.

  Which one of the following statements is true?

  A. The audit team leader should make sure the audit has the support of a Technical Expert
  B. The audit team leader should appoint audit team members with IT experience
  C. The audit team leader should plan to interview each employee within the scope
  D. The organisation should review the audit plan for agreement
  D. The organisation should review the audit plan for agreement

  ---

  Explanation/Reference:

  This statement is true because the audit team leader should communicate the audit plan to the audit client and the auditee, and obtain their approval before conducting the audit. The audit plan should include the audit objectives, scope, criteria, methods, schedule, resources, roles and responsibilities, and other relevant information. The audit plan should also be reviewed and updated as necessary during the audit process, and any changes should be agreed upon by the audit team leader, the audit client, and the auditee. The purpose of reviewing and agreeing on the audit plan is to ensure that the audit is conducted in an efficient and effective manner, and that the audit expectations and requirements are clear and consistent among all parties involved.

  References:

  1: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 23

  2: ISO 19011:2018 - Guidelines for auditing management systems, clause 6.4.2

• Question 217:

  You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis- addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

  You: Are items checked before being dispatched?

  SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

  You: What action is taken when items are returned?

  SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

  You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow- up audit?

  A. 5.11 Return of assets
  B. 8.12 Data leakage protection
  C. 5.3 Segregation of duties
  D. 6.3 Information security awareness, education, and training
  E. 7.10 Storage media
  F. 8.3 Information access restriction
  G. 5.6 Contact with special interest groups
  H. 6.4 Disciplinary process
  I. 7.4 Physical security monitoring
  J. 5.13 Labelling of information
  B. 8.12 Data leakage protection
  D. 6.3 Information security awareness, education, and training
  E. 7.10 Storage media
  F. 8.3 Information access restriction
  I. 7.4 Physical security monitoring
  J. 5.13 Labelling of information

  ---

  Explanation/Reference:

  8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers.

  6.3

  Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms.

  7.10

  Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks. Storage media controls could include physical locks, encryption, backup, disposal, or destruction.

  8.3

  Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets.

  7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts.

  5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes . Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse . References: ISO/IEC 27002:2022 Information technology -- Security techniques -- Code of practice for information security controls ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems -- Requirements ISO/IEC 27003:2022 Information technology -- Security techniques -- Information security management systems -- Guidance ISO/IEC 27004:2022 Information technology -- Security techniques -- Information security management systems -- Monitoring measurement analysis and evaluation ISO/IEC 27005:2022 Information technology -- Security techniques -- Information security risk management ISO/IEC 27006:2022 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems [ISO/IEC 27007:2022 Information technology -- Security techniques -- Guidelines for information security management systems auditing]

• Question 218:

  Based on the identified nonconformities. Company A established action plans that included the detected nonconformities, the root causes, and a general statement regarding each action that would be taken. Is this acceptable?

  A. No, the action plans should include information on the systems that will be installed and how these systems will eliminate the root causes
  B. No, the auditee is required to submit action plans that include detailed information on how every corrective action will be implemented
  C. Yes, the auditee is required to submit action plans that include a general statement regarding the actions that will be taken
  B. No, the auditee is required to submit action plans that include detailed information on how every corrective action will be implemented

  ---

  Explanation/Reference:

  The auditee is required to submit action plans that include detailed information on how every corrective action will be implemented. General statements are not sufficient; the action plans must specify the corrective actions in detail to ensure that the root causes of the nonconformities are addressed effectively.

  References: ISO/IEC 27001:2013, Clause 10.1 (General) and ISO 19011:2018, Guidelines for auditing management systems.

• Question 219:

  You are an experienced ISMS auditor conducting a third-party surveillance audit at an organisation which offers ICT reclamation services. ICT equipment which companies no longer require is processed by the organisation. It is either recommissioned and reused or is securely destroyed.

  You notice two servers on a bench in the corner of the room. Both have stickers on them with the server's name, IP address and admin password. You ask the ICT Manager about them, and he tells you they were part of a shipment received yesterday from a regular customer.

  Which one action should you take?

  A. Ask the auditee to remove the labels, then carry on with the audit
  B. Ask the ICT Manager to record an information security incident and initiate the information security incident management process
  C. Note the audit finding and check the process for dealing with incoming shipments relating to customer IT security
  D. Raise a nonconformity against control 5.31 'Legal, staturary, regulatory and contractual requirements'
  E. Raise a nonconformity against control 8.20 'network security' (networks and network devices shall be secured, managed and controlled to protect information in systems and applications)
  F. Record what you have seen in your audit findings, but take no further action
  C. Note the audit finding and check the process for dealing with incoming shipments relating to customer IT security

• Question 220:

  PayBell, a finance corporation, is using an accounting software to track financial transactions. The software can be accessed from anywhere with an internet connection. It also enables PayBell's employees to easily collaborate with each other to ensure accurate financial reporting. What type of services is PayBell using?

  A. Machine learning
  B. Cloud computing
  C. Artificial intelligence
  B. Cloud computing