PECB ISO-IEC-27001 Lead Auditor PECB Certified ISO/IEC 27001 Lead Auditor exam Online Training

Question #91

You are performing an ISMS audit at a residential nursing home railed ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process. During the audit, you learned most of the residents’ family members (90%) receive WeCare medical device promotional advertisements through email and SMS once a week via ABC’s healthcare mobile app. All of them do not agree on the use of the collected personal data (or marketing or any other purposes than nursing and medical care on the signed service agreement with ABC. They have very strong reason to believe that ABC is leaking residents’ and family members’ personal information to a non-relevant third party and they have filed complaints.

The Service Manager says that all these complaints have been treated as nonconformities, and the corrective actions have been planned and implemented according to the Nonconformity and Corrective management procedure. The corrective action involved stopping working with WeCare the medical device manufacturer immediately and asking them to delete all personal data received as well as sending an apology email to all residents and their family members. You are preparing the audit findings. Select one option of the correct finding.

A . Nonconformity: ABC does not follow the signed healthcare service agreement with residents’ family members
B . No nonconformity: I would like to collect more evidence on how the organisation defines the management system scope and see if they covered WeCare medical device manufacture
C . No nonconformity: The Service Manager implemented the corrective actions and the Customer Service Representative evaluates the effectiveness of implemented corrective actions
D . Nonconformity: The management review does not take the feedback from residents’ family members into consideration

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

According to ISO 27001:2022 clause 8.1.4, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes implementing appropriate contractual requirements related to information security with external providers, such as customers who send ICT equipment for reclamation12

In this case, ABC is a residential nursing home that provides healthcare services to its residents and collects their personal data and their family members’ personal data. ABC has a signed service agreement with the residents’ family members that states that the collected personal data will not be used for marketing or any other purposes than nursing and medical care. However, ABC has violated this contractual requirement by sharing the personal data with WeCare, a medical device manufacturer, who has used the data to send promotional advertisements to the residents’ family members via email and SMS. This has caused dissatisfaction and complaints from the residents’ family members, who have a strong reason to believe that ABC is leaking their personal information to a non-relevant third party.

Therefore, the audit finding is a nonconformity with clause 8.1.4 of ISO 27001:2022, as ABC has failed to control the externally provided processes, products or services that are relevant to the information security management system, and has breached the contractual requirements related to information security with its customers. The fact that ABC has taken corrective actions to stop working with WeCare and to apologise to the customers does not eliminate the nonconformity, but only mitigates its consequences. The nonconformity still needs to be recorded, evaluated, and reviewed for effectiveness and improvement.

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Question #92

You are an ISMS audit team leader who has been assigned by your certification body to carry out a follow-up audit of a client. You are preparing your audit plan for this audit.

Which two of the following statements are true?

A . Verification should focus on whether any action undertaken taken has been undertaken efficiently
B . Corrections should be verified first, followed by corrective actions and finally opportunities for improvement
C . Verification should focus on whether any action undertaken is complete
D . Opportunities for improvement should be verified first, followed by corrections and finally corrective actions
E . Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement
F . Verification should focus on whether any action undertaken has been undertaken effectively

Reveal Solution Hide Solution

Correct Answer: C, F
C, F

Explanation:

According to ISO 27001:2022 clause 9.1.2, the organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the organisation’s own requirements, the requirements of ISO 27001:2022, and is effectively implemented and maintained12

According to ISO 27001:2022 clause 10.1, the organisation shall react to the nonconformities and take action, as applicable, to control and correct them and deal with the consequences. The organisation shall also evaluate the need for action to eliminate the causes of nonconformities, in order to prevent recurrence or occurrence. The organisation shall implement any action needed, review the effectiveness of any corrective action taken, and make changes to the information security management system, if necessary12

A follow-up audit is a type of internal audit that is conducted after a previous audit to verify whether the nonconformities and corrective actions have been addressed and resolved, and whether the information security management system has been improved12

Therefore, the following statements are true for preparing a follow-up audit plan:

Verification should focus on whether any action undertaken is complete. This means that the auditor should check whether the organisation has implemented all the planned actions to correct and prevent the nonconformities, and whether the actions have been documented and communicated as required12

Verification should focus on whether any action undertaken has been undertaken effectively. This means that the auditor should check whether the organisation has achieved the intended results and objectives of the actions, and whether the actions have eliminated or reduced the nonconformities and their causes and consequences12

The following statements are false for preparing a follow-up audit plan:

Verification should focus on whether any action undertaken has been undertaken efficiently. This is false because efficiency is not a criterion for verifying the actions taken to address the nonconformities and corrective actions. Efficiency refers to the optimal use of resources to achieve the desired outcomes, but it is not a requirement of ISO 27001:2022. The auditor should focus on the effectiveness and completeness of the actions, not on the efficiency12

Corrections should be verified first, followed by corrective actions and finally opportunities for improvement. This is false because there is no prescribed order for verifying the corrections, corrective actions, and opportunities for improvement. The auditor should verify all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to verify the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12

Opportunities for improvement should be verified first, followed by corrections and finally corrective actions. This is false because there is no prescribed order for verifying the opportunities for improvement, corrections, and corrective actions. The auditor should verify all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to verify the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12 Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement. This is false because there is no prescribed order for reviewing the corrective actions, corrections, and opportunities for improvement. The auditor should review all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to review the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Question #93

During a follow-up audit, you notice that a nonconformity identified for completion before the follow-up audit is still outstanding.

Which four of the following actions should you take?

A . Report the failure to address the corrective action for the outstanding nonconformity to the organisation’s top management
B . Immediately raise an nonconformity as the date for completion has been exceeded
C . If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client
D . Contact the individuals) managing the audit programme to seek their advice as to how to proceed
E . Decide whether the delay in addressing the nonconformity is justified
F . Cancel the follow-up audit and return when an assurance has been received that the
nonconformity has been cleared
G . Note the nonconformity is still outstanding and follow audit trails to determine why H. If the delay is unjustified advise the auditee /audit client and agree on remedial action

Reveal Solution Hide Solution

Question #94

You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents’ well-being. During the audit, you learn that 90% erf the residents’ family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents’ personal data. ABC has received many complaints from residents and their family members.

The Service Manager says that the complaints were investigated as an information security incident which found that they were justified. Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.

You write a nonconformity "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents’ and their family members. A supplier, WeCare, used residents’ personal information to send advertisements to family members"

Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity

A . ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA)
B . The Service Manager provides evidence of analysis of the cause of nonconformity and how the
ABC evaluates the effectiveness of implemented corrective actions
C . ABC instructs all staff to follow the signed healthcare service agreement with residents’ family members
D . ABC conducts a management review to take the feedback from residents’ family members into consideration
E . ABC needs to collect more evidence on how the organisation defines the management system scope and find out if they covered WeCare the medical device manufacturer
F . ABC identifies and checks compliance with all applicable legislation and contractual requirements involving third parties
G . The Service Manager implements the corrective actions and Customer Service Representatives evaluate the effectiveness of implemented corrective actions
H . ABC needs to collect more evidence on how information security risk assessment relates to the identified nonconformities before concluding actions on the nonconformity

Reveal Solution Hide Solution

Correct Answer: B, F, G
B, F, G

Explanation:

According to the ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, the following corrections and corrective actions are expected from ABC in response to the nonconformity:

B. The Service Manager provides evidence of analysis of the cause of nonconformity and how the ABC evaluates the effectiveness of implemented corrective actions. This is part of the requirement of clause 10.1 of ISO/IEC 27001:2022, which states that the organization shall determine the causes of nonconformities and evaluate the need for action to ensure that they do not recur or occur elsewhere12. The organization shall also evaluate the effectiveness of any corrective actions taken12.

F. ABC identifies and checks compliance with all applicable legislation and contractual requirements involving third parties. This is part of the requirement of clause 4.2 of ISO/IEC 27001:2022, which states that the organization shall determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system12. This includes the legal and contractual requirements related to the information security aspects of the organization’s activities, products and services12.

G. The Service Manager implements the corrective actions and Customer Service Representatives evaluate the effectiveness of implemented corrective actions. This is part of the requirement of clause 10.1 of ISO/IEC 27001:2022, which states that the organization shall implement any action needed and retain documented information as evidence of the results of any action taken12. The organization shall also monitor, measure, analyze and evaluate the information security performance and the effectiveness of the information security management system12.

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, CQI and IRCA Certified Training, 1

2: ISO/IEC 27001 Lead Auditor Training Course, PECB, 2

Question #95

Which one of the following options is the definition of an interested party?

A . A third party can appeal to an organisation when it perceives itself to be affected by a decision or
activity
B . A person or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity
C . A group or organisation that can interfere in or perceive itself to be interfered with by a management decision
D . An individual or organisation that can control, be controlled by, or perceive itself to be controlled by a decision or activity

Reveal Solution Hide Solution

Question #96

Which two of the following statements are true?

A . The benefit of certifying an ISMS is to show the accreditation certificate on the website.
B . The purpose of an ISMS is to demonstrate awareness of information security issues by management.
C . The benefit of certifying an ISMS is to increase the number of customers.
D . The benefits of implementing an ISMS primarily result from a reduction in information security risks.
E . The purpose of an ISMS is to apply a risk management process for preserving information security.
F . The purpose of an ISMS is to demonstrate compliance with regulatory requirements.

Reveal Solution Hide Solution

Correct Answer: DE
DE

Explanation:

The benefits of implementing an ISMS primarily result from a reduction in information security risks.

E. The purpose of an ISMS is to apply a risk management process for preserving information security. Comprehensive and Detailed Explanation

According to the ISO 27001 standard, the benefits of implementing an ISMS include the following1:

Assuring customers and other stakeholders of the confidentiality, integrity and availability of information

Enhancing the ability to respond to information security incidents and minimize their impacts Improving the governance and management of information security

Reducing the costs and losses associated with information security breaches Increasing the competitiveness and reputation of the organization

Complying with legal, regulatory and contractual obligations The purpose of an ISMS is to provide a systematic approach to managing information security risks, based on the Plan-Do-Check-Act (PDCA)

cycle1. The ISMS enables the organization to establish, implement, maintain and continually improve its information security performance, in alignment with its business objectives and the needs and expectations of interested parties1. The ISMS consists of the following elements1: The information security policy and objectives

The scope and boundaries of the ISMS

The processes and procedures for information security risk assessment and treatment

The resources and competencies for information security

The roles and responsibilities for information security

The performance evaluation and improvement of the ISMS

The internal and external communication and awareness of the ISMS

Reference: ISO/IEC 27001:2013, Information technology ― Security techniques ― Information security management systems ― Requirements, clauses 1, 4, 5, 6, 7, 8, 9 and 10

PECB Candidate Handbook ISO 27001 Lead Auditor, pages 9-11 ISO/IEC 27001:2013 Information Security Management Standards 4 Key Benefits of ISO 27001 Implementation | ISMS.online ISO/IEC 27001:2022

An Introduction to the ISO 27001 ISMS | Secureframe

Question #97

DRAG DROP

Select the words that best complete the sentence:

"The purpose of maintaining regulatory compliance in a management system is to.

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Reveal Solution Hide Solution

Question #98

Which two of the following phrases would apply to ‘check’ in the Plan-Do-Check-Act cycle for a business process?

A . Making improvements
B . Managing changes
C . Verifying training
D . Resetting objectives
E . Updating the Information Security Policy
F . Auditing processes

Reveal Solution Hide Solution

Question #99

DRAG DROP

Select the words that best complete the sentence:

Reveal Solution Hide Solution

Question #100

Which two of the following actions are the individual(s) managing the audit programme responsible for?

A . Determining the resources necessary for the audit programme
B . Communicating with the auditee during the audit
C . Determining the legal requirements applicable to each audit
D . Keping informed the accreditation body on the progress of the audit programme
E . Defining the objectives, scope and criteria for an individual audit
F . Defining the plan of an individual audit

Reveal Solution Hide Solution