PECB ISO-IEC-27001 Lead Auditor PECB Certified ISO/IEC 27001 Lead Auditor exam Online Training

Question #41

Which three of the following options are an advantage of using a sampling plan for the audit?

A . Overrules the auditor’s instincts
B . Use of the plan for consecutive audits
C . Provides a suitable understanding of the ISMS
D . Implements the audit plan efficiently
E . Gives confidence in the audit results
F . Misses key issues

Question #42

After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.

Considering this information, what action would you expect the audit team leader to take?

A . Increase the length of the Stage 2 audit to include the extra sites
B . Obtain information about the additional sites to inform the certification body
C . Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform
D . Inform the auditee that the request can be accepted but a full Stage 1 audit must be repeated

Reveal Solution Hide Solution

Question #43

DRAG DROP

In regard to generating an audit finding, select the words that best complete the following sentence.

To complete the sentence with the best word(s), click on the blank section you want to complete so that it Is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Reveal Solution Hide Solution

Question #44

During discussions with the individual(s) managing the audit programme of a certification body, the Management System Representative of the client organisation asks for a specific auditor for the certification audit. Select two of the following options for how the individual(s) managing the audit programme should respond.

A . Advise the Management System Representative that his request can be accepted
B . Suggest that the Management System Representative chooses another certification body
C . State that his request will be considered but may not be taken up
D . Suggest asking the certification body management to permit the request
E . Advise the Management System Representative that the audit team selection is a decision that the audit programme manager needs to make based on the resources available

Reveal Solution Hide Solution

Question #45

During an opening meeting of a Stage 2 audit, the Managing Director of the client organisation invites the audit team to view a new company video lasting 45 minutes.

Which two of the following responses should the audit team leader make?

A . Advise the Managing Director that the audit team has to keep to the planned schedule
B . State that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team
C . Invite the Managing Director to the auditors’ hotel for a viewing that evening.
D . Suggest that the video could be viewed during a refreshment break
E . State that the audit team will make a decision on the viewing at a later time
F . Advise the Managing Director that the audit team agrees to his request

Reveal Solution Hide Solution

Correct Answer: A, D
A, D

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, an opening meeting is a formal communication between the audit team and the auditee at the start of an audit1. The purpose of the opening meeting is to confirm the audit objectives, scope and criteria, introduce the audit team and their roles, confirm the audit plan and logistics, explain the audit methods and procedures, and establish the communication channels1. Therefore, if the Managing Director of the client organization invites the audit team to view a new company video lasting 45 minutes during the opening meeting of a Stage 2 audit, the audit team leader should respond in a way that does not compromise the effectiveness and efficiency of the audit or create any misunderstanding or conflict with the auditee. Two possible ways to respond are to advise the Managing Director that the audit team has to keep to the planned schedule, as there may be limited time and resources available for the audit; or to suggest that the video could be viewed during a refreshment break, if it is relevant and useful for the audit and does not interfere with other audit activities1. The other options are not appropriate responses for the audit team leader to make in this situation. For example, stating that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team may imply that the video is not important or relevant for the rest of the audit team; inviting the Managing Director to the auditors’ hotel for a viewing that evening may create an impression of bias or favouritism; stating that the audit team will make a decision on the viewing at a later time may be vague or indecisive; and advising the Managing Director that the audit team agrees to his request may result in wasting valuable audit time or losing focus on the audit objectives1.

Reference: ISO 19011:2018 – Guidelines for auditing management systems

Question #46

DRAG DROP

You are an experienced ISMS audit team leader, talking to an Auditor in training who has been assigned to your audit team. You want to ensure that they understand the importance of the Check stage of the Plan-Do-Check-Act cycle in respect of the operation of the information security management system.

You do this by asking him to select the words that best complete the sentence:

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Reveal Solution Hide Solution

Question #47

You are an ISMS auditor conducting a third-party surveillance audit of a telecom’s provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming.

You ask the Chief Tester why and she says, ‘It’s a result of the recent ISMS upgrade’. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients’ configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made’.

Based solely on the information above, which clause of ISO to raise a nonconformity against’ Select one.

A . Clause 7.5 – Documented information
B . Clause 8.1 – Operational planning and control
C . Clause 10.2 – Nonconformity and corrective action
D . Clause 7.3 – Awareness
E . Clause 7.2 – Competence
F . Clause 7.4 – Communication

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 8.1 requires an organization to plan, implement and control its processes needed to meet ISMS requirements2. This includes determining what needs to be done, how it will be done, who will do it, when it will be done, what resources are required, how performance will be evaluated, etc2.

Therefore, if an ISMS auditor conducting a third-party surveillance audit of a telecom’s provider notes that there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming due to a recent ISMS upgrade that reduced access to work instructions, this indicates a nonconformity against clause 8.1 of ISO/IEC 27001:2022. The organization has failed to plan and control its operational processes effectively to ensure information security and quality2. The other options are not correct clauses to raise a nonconformity against based solely on this information. For example, clause 7.5 deals with documented information required by ISMS or determined by an organization as necessary for its effectiveness2, but it does not specify how many copies or formats of work instructions should be available; clause 10.2 deals with nonconformity and corrective action as a response to an identified problem or incident2, but it does not address how to prevent or avoid such problems or incidents in operational processes; clause 7.3 deals with awareness of ISMS policy, objectives, roles and responsibilities among persons doing work under an organization’s control2, but it does not relate to how work instructions are accessed or followed; clause 7.2 deals with competence of persons doing work under an organization’s control that affects its ISMS performance2, but it does not imply that lack of competence is caused by insufficient work instructions; clause 7.4 deals with communication about ISMS among internal and external interested parties2, but it does not cover how operational information is communicated within an organization.

Reference: ISO/IEC 27001:2022 – Information

technology C Security techniques C Information security management systems C Requirements

Question #48

During a third-party certification audit you are presented with a list of issues by an auditee.

Which four of the following constitute ‘external’ issues in the context of a management system to ISO/IEC 27001:2022?

A . A rise in interest rates in response to high inflation
B . A reduction in grants as a result of a change in government policy
C . Poor levels of staff competence as a result of cuts in training expenditure
D . Increased absenteeism as a result of poor management
E . Higher labour costs as a result of an aging population
F . Inability to source raw materials due to government sanctions
G . Poor morale as a result of staff holidays being reduced
H . A fall in productivity linked to outdated production equipment

Reveal Solution Hide Solution

Correct Answer: A, B, E, F
A, B, E, F

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.1 requires an organization to determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS2. External issues are those that originate from outside the organization, such as legal, regulatory, cultural, social, political, economic, natural and competitive factors2. Internal issues are those that originate from within the organization, such as governance, structure, roles and responsibilities, policies, objectives, culture, capabilities, resources and information systems2. Therefore, based on this definition, four examples of external issues in the context of a management system to ISO/IEC 27001:2022 are a rise in interest rates in response to high inflation (which affects the economic environment of the organization), a reduction in grants as a result of a change in government policy (which affects the political and legal environment of the organization), higher labour costs as a result of an aging population (which affects the social and demographic environment of the organization), and inability to source raw materials due to government sanctions (which affects the trade and supply environment of the organization)2. The other options are examples of internal issues, as they originate from within the organization or its activities. For example, poor levels of staff competence as a result of cuts in training expenditure (which affects the capabilities and resources of the organization), increased absenteeism as a result of poor management (which affects the culture and performance of the organization), poor morale as a result of staff holidays being reduced (which affects the motivation and satisfaction of the organization’s personnel), and a fall in productivity linked to outdated production equipment (which affects the efficiency and quality of the organization’s processes)2.

Reference: ISO/IEC 27001:2022 – Information technology C Security techniques C Information security management systems C Requirements

Question #49

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".

You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.

You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.

A . Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)
B . Collect more evidence on what the service requirements of healthcare monitoring are. (Relevant to clause 4.2)
C . Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26)
D . Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27)
E . Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26)
F . Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8)
G . Collect more evidence on how and when the company pays the ransom fee to unlock the company’s mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

Reveal Solution Hide Solution

Question #50

You are an experienced audit team leader guiding an auditor in training,

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site. Select four controls from the following that would you expect the auditor in training to review.

A . The development and maintenance of an information asset inventory
B . Rules for transferring information within the organisation and to other organisations
C . Confidentiality and nondisclosure agreements
D . How protection against malware is implemented
E . Access to and from the loading bay
F . The conducting of verification checks on personnel
G . Remote working arrangements
H . How information security has been addressed within supplier agreements
I . How the organisation evaluates its exposure to technical vulnerabilities
J . The organisation’s business continuity arrangements
K . The organisation’s arrangements for information deletion
L . Information security awareness, education and training
M . How access to source code and development tools are managed
N . The operation of the site CCTV and door control systems
O . The organisation’s arrangements for maintaining equipment
P . How power and data cables enter the building

Reveal Solution Hide Solution

Correct Answer: D, I, M, N
D, I, M, N

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), an organization should select and implement appropriate controls to achieve its information security objectives1. The controls should be derived from the results of risk assessment and risk treatment, and should be consistent with the Statement of Applicability (SoA), which is a document that identifies the controls that are applicable and necessary for the ISMS1. The controls can be selected from various sources, such as ISO/IEC 27002:2013, which provides a code of practice for information security controls2. Therefore, if an auditor in training has been tasked with reviewing the technological controls listed in the SoA and implemented at the site of an organization that stores data on behalf of external clients, four controls that would be expected to review are:

How protection against malware is implemented: This is a technological control that aims to prevent, detect and remove malicious software (such as viruses, worms, ransomware, etc.) that could compromise the confidentiality, integrity or availability of information or information systems2. This control is related to control A.12.2.1 of ISO/IEC 27002:20132.

How the organisation evaluates its exposure to technical vulnerabilities: This is a technological control that aims to identify and assess the potential weaknesses or flaws in information systems or networks that could be exploited by malicious actors or cause accidental failures2. This control is related to control A.12.6.1 of ISO/IEC 27002:20132.

How access to source code and development tools are managed: This is a technological control that aims to protect the intellectual property rights and integrity of software applications or systems that are developed or maintained by the organization or its external providers2. This control is related to control A.14.2.5 of ISO/IEC 27002:20132.

The operation of the site CCTV and door control systems: This is a technological control that aims to monitor and restrict physical access to the premises or facilities where information or information systems are stored or processed2. This control is related to control A.11.1.4 of ISO/IEC 27002:20132. The other options are not examples of technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training’s task. For example, the development and maintenance of an information asset inventory (related to control A.8.1.1), rules for transferring information within the organization and to other organizations (related to control A.13.2.1), confidentiality and nondisclosure agreements (related to control A.13.2.4), verification checks on personnel (related to control A.7.1.2), remote working arrangements (related to control A.6.2.1), information security within supplier agreements (related to control A.15.1.1), business continuity arrangements (related to control A.17), information deletion (related to control A.8.3), information security awareness, education and training (related to control A.7.2), equipment maintenance (related to control A.11.2), and how power and data cables enter the building (related to control A.11) are not technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training’s task.

Reference: ISO/IEC 27001:2022 – Information technology C Security techniques C Information security management systems C Requirements, ISO/IEC 27002:2013 – Information technology C Security techniques C Code of practice for information security controls