PECB ISO-IEC-27001 Lead Auditor PECB Certified ISO/IEC 27001 Lead Auditor exam Online Training

Question #71

Which two of the following phrases are ‘objectives’ in relation to a first-party audit?

A . Apply international standards
B . Prepare the audit report for the certification body
C . Confirm the scope of the management system is accurate
D . Complete the audit on time
E . Apply Regulatory requirements
F . Update the management policy

Reveal Solution Hide Solution

Question #72

DRAG DROP

Match the correct responsibility with each participant of a second-party audit:

Reveal Solution Hide Solution

Correct Answer:

Explanation:

The correct responsibility with each participant of a second-party audit is:

Prepares the audit report: Audit Team Leader. The audit team leader is responsible for coordinating the audit activities, communicating with the auditee and the customer, and preparing and delivering the audit report that summarizes the audit findings and conclusions1.

Prepares audit checklists for use during the audit: Auditor. The auditor is responsible for collecting and verifying objective evidence during the audit, using audit checklists as a tool to guide the audit process and ensure that all relevant aspects of the audit criteria are covered1.

Supports an auditor and provides feedback on their experience: Auditor in training. The auditor in training is a person who is learning how to perform audits under the supervision of an experienced auditor. The auditor in training supports the auditor by observing and participating in the audit activities, and provides feedback on their experience to improve their skills and competence1. Follows-up on audit findings within an agreed timeframe: Auditee. The auditee is the organisation that is being audited by the customer or a third party on behalf of the customer. The auditee is

responsible for providing access and cooperation to the auditors, and for following up on the audit findings within an agreed timeframe, by implementing corrective actions or improvement measures as needed1.

Provides an independent account of the audit but does not participate in the audit: Observer. The observer is a person who accompanies the audit team but does not participate in the audit activities. The observer may be a representative of the customer, a regulatory body, or another interested party. The observer provides an independent account of the audit but does not interfere with or influence the audit process or outcome1.

Escorts the auditors but does not participate in the audit: Guide. The guide is a person who is appointed by the auditee to assist the audit team during the audit. The guide may escort the auditors to different locations, facilitate access to information and personnel, or provide clarification or explanation as requested by the auditors. The guide does not participate in the audit or influence its results1.

Question #73

Which one of the following options describes the main purpose of a Stage 1 audit?

A . To determine readiness for Stage 2
B . To check for legal compliance by the organisation
C . To get to know the organisation
D . To compile the audit plan

Reveal Solution Hide Solution

Question #74

Objectives, criteria, and scope are critical features of a third-party ISMS audit.

Which two issues are audit objectives?

A . Evaluate customer processes and functions
B . Assess conformity with ISO/IEC 27001 requirements
C . Fulfil the audit plan
D . Confirm sites operating the ISMS
E . Determine the scope of the ISMS
F . Review organisation efficiency

Reveal Solution Hide Solution

Correct Answer: BD
BD

Explanation:

Audit objectives are the specific purposes or goals that the customer or the certification body wants to achieve through the audit. They define what the audit intends to accomplish and provide the basis for planning and conducting the audit. Audit objectives may vary depending on the type, scope, and criteria of the audit, but they should be clear, measurable, and achievable.

Some examples of audit objectives for a third-party ISMS audit are:

Assess conformity with ISO/IEC 27001 requirements: This objective means that the audit aims to verify that the organisation’s ISMS meets the requirements of the ISO/IEC 27001 standard, which specifies the best practices for establishing, implementing, maintaining, and improving an information security management system. The audit will evaluate the organisation’s ISMS documentation, processes, controls, and performance against the standard’s clauses and annex A controls.

Confirm sites operating the ISMS: This objective means that the audit aims to confirm that the organisation’s ISMS covers all the relevant sites or locations where the organisation operates or provides its services. The audit will verify that the scope of the ISMS is accurate and consistent with the organisation’s context, objectives, and risks.

The other phrases are not audit objectives, but rather:

Evaluate customer processes and functions: This is not an audit objective, but rather a possible audit criterion or a requirement that the organisation’s processes and functions should meet. The audit criterion is the reference against which the audit evidence is compared to determine conformity or nonconformity. The audit criterion may include ISO/IEC 27001 requirements, customer requirements, or other applicable standards or regulations.

Fulfil the audit plan: This is not an audit objective, but rather a task or an activity that the auditor performs during the audit. The audit plan is a document that describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. The auditor should follow and fulfil the audit plan to ensure that the audit is conducted effectively and efficiently. Determine the scope of the ISMS: This is not an audit objective, but rather a prerequisite or an input for conducting the audit. The scope of the ISMS is the extent and boundaries of the information security management system within the organisation. It defines what processes, activities, locations, assets, and stakeholders are included or excluded from the ISMS. The scope of the ISMS should be determined by the organisation before applying for certification or undergoing an audit.

Review organisation efficiency: This is not an audit objective, but rather a possible outcome or a

result of conducting an audit. The organisation efficiency is a measure of how well the organisation

uses its resources to achieve its goals and objectives. The audit may help review and improve the

organisation efficiency by identifying strengths, weaknesses, opportunities, and threats in its

information security management system.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB

ISO 19011:2018 Guidelines for auditing management systems [Section 5.3.1]

Question #75

Which two of the following are examples of audit methods that ‘do not’ involve human interaction?

A . Conducting an interview using a teleconferencing platform
B . Performing a review of auditees procedures in preparation for an audit
C . Reviewing the auditee’s response to an audit finding
D . Analysing data by remotely accessing the auditee’s server
E . Observing work performed by remote surveillance
F . Confirming the date and time of the audit

Reveal Solution Hide Solution

Question #76

Select two options that describe an advantage of using a checklist.

A . Using the same checklist for every audit without review
B . Restricting interviews to nominated parties
C . Ensuring relevant audit trails are followed
D . Ensuring the audit plan is implemented
E . Reducing audit duration
F . Not varying from the checklist when necessary

Reveal Solution Hide Solution

Correct Answer: CD
CD

Explanation:

A checklist is a tool that helps auditors to collect and verify information relevant to the audit objectives and scope.

It can provide the following advantages:

Ensuring relevant audit trails are followed: A checklist can help auditors to identify and trace the sources of evidence that support the conformity or nonconformity of the audited criteria. It can also help auditors to avoid missing or overlooking any important aspects of the audit.

Ensuring the audit plan is implemented: A checklist can help auditors to follow and fulfil the audit plan, which describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. It can also help auditors to manage their time and resources effectively and efficiently.

The other options are not advantages of using a checklist, but rather:

Using the same checklist for every audit without review: This is a disadvantage of using a checklist, as it can lead to a rigid and ineffective audit approach. A checklist should be tailored and adapted to each specific audit, taking into account the context, risks, and changes of the auditee and the audit criteria. A checklist should also be reviewed and updated periodically to ensure its validity and relevance.

Restricting interviews to nominated parties: This is a disadvantage of using a checklist, as it can limit the scope and depth of the audit. A checklist should not prevent auditors from interviewing other relevant parties or sources of information that may provide valuable evidence or insights for the audit. A checklist should be used as a guide, not as a constraint.

Reducing audit duration: This is not necessarily an advantage of using a checklist, as it depends on various factors, such as the complexity, size, and maturity of the auditee’s ISMS, the availability and quality of evidence, the competence and experience of the auditors, and the level of cooperation and communication between the auditors and the auditee. A checklist may help reduce audit duration by improving efficiency and organization, but it may also increase audit duration by requiring more evidence or verification.

Not varying from the checklist when necessary: This is a disadvantage of using a checklist, as it can result in a superficial or incomplete audit. A checklist should not prevent auditors from exploring or investigating any issues or concerns that arise during the audit, even if they are not included in the checklist. A checklist should be used as a support, not as a substitute.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB

ISO 19011:2018 Guidelines for auditing management systems [Section 6.2.2]

Question #77

Which one of the following statements best describes the purpose of conducting a document review?

A . To reveal whether the documented management system is nonconforming with audit criteria and to gather evidence to support the audit report
B . To decide about the conformity of the documented management system with audit standards and to gather findings to support the audit process
C . To determine the conformity of the management system, as far as documented, with audit criteria and to gather information to support the on-site audit activities
D . To detect any nonconformity of the management system, if documented, with audit criteria and to identify information to support the audit plan

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

A document review is a process of examining the documented information related to the management system before the on-site audit activities. The purpose of a document review is to: 12

Determine the conformity of the management system, as far as documented, with audit criteria, i.e., to check whether the documents are consistent, complete, and compliant with the requirements of ISO/IEC 27001 and any other applicable standards or regulations.

Gather information to support the on-site audit activities, i.e., to identify the scope, objectives, processes, controls, risks, and opportunities of the management system, and to plan the audit methods, techniques, and resources accordingly.

The other statements are not accurate, because:

A document review does not reveal or decide about the conformity or nonconformity of the management system as a whole, but only of the documented information. The conformity or nonconformity of the management system is determined by the on-site audit activities, which include interviews, observations, and tests12

A document review does not gather evidence or findings to support the audit report or process, but information to support the on-site audit activities. The evidence or findings are collected during the on-site audit activities, which are then documented and reported12

A document review does not detect any nonconformity of the management system, if documented, but determines the conformity of the documented information. The nonconformity of the management system is detected by the on-site audit activities, which evaluate the performance and effectiveness of the management system12

A document review does not identify information to support the audit plan, but gathers information to support the on-site audit activities. The audit plan is prepared before the document review, based on the audit scope, objectives, criteria, and program. The document review is part of the audit plan implementation12

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Question #78

DRAG DROP

Reveal Solution Hide Solution

Question #79

During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made.

Select two options for how the auditor should respond.

A . Advise the MSR that an extension of the scope may be incorporated but will have to go through
established procedures
B . Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned
C . Suggest that the MSR cancels the audit contract and reapplies for the new situation
D . Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit
E . Advise the MSR that, within the existing scope, the new work area can be included without any problem
F . Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area

Reveal Solution Hide Solution

Question #80

You have to carry out a third-party virtual audit.

Which two of the following issues would you need to inform the auditee about before you start conducting the audit?

A . You will ask to see the ID card of the person that is on the screen.
B . You will take photos of every person you interview.
C . You will ask those being interviewed to state their name and position beforehand.
D . You will ask for a 360-degree view of the room where the audit is being carried out.
E . You will not record any part of the audit, unless permitted.
F . You expect the auditee to have assessed all risks associated with online activities.

Reveal Solution Hide Solution

Correct Answer: CD
CD

Explanation:

A third-party virtual audit is an external audit conducted by an independent certification body using remote technology such as video conferencing, screen sharing, and electronic document exchange. The purpose of a third-party virtual audit is to verify the conformity and effectiveness of the information security management system (ISMS) and to issue a certificate of compliance12 Before you start conducting the audit, you would need to inform the auditee about the following issues: 12

You will ask those being interviewed to state their name and position beforehand, i.e., to confirm their identity and role in the ISMS. This is to ensure that you are interviewing the relevant personnel and that they are authorized to provide information and evidence for the audit.

You will ask for a 360-degree view of the room where the audit is being carried out, i.e., to verify the physical and environmental security of the audit location. This is to ensure that there are no unauthorized persons or devices in the vicinity that could compromise the confidentiality, integrity, or availability of the information being audited.

The other issues are not relevant or appropriate for a third-party virtual audit, because:

You will ask to see the ID card of the person that is on the screen, i.e., to verify their identity. This is not necessary if you have already asked them to state their name and position beforehand, and if you have access to the auditee’s organizational chart or staff directory. Asking to see the ID card could also be seen as intrusive or disrespectful by the auditee.

You will take photos of every person you interview, i.e., to document the audit process. This is not advisable as it could violate the privacy or consent of the auditee and the interviewees. Taking photos could also be seen as unprofessional or suspicious by the auditee. You should rely on the audit records and evidence provided by the auditee and the audit tool instead.

You will not record any part of the audit, unless permitted, i.e., to respect the auditee’s preferences and rights. This is not a valid issue to inform the auditee about, as you should always record the audit for quality assurance and verification purposes. Recording the audit is also a requirement of the ISO/IEC 27001 standard and the certification body. You should inform the auditee that you will record the audit and obtain their consent before the audit begins.

You expect the auditee to have assessed all risks associated with online activities, i.e., to ensure the

security of the audit process. This is not an issue to inform the auditee about, as it is part of the

auditee’s responsibility and obligation to have a risk assessment and treatment process for their

ISMS. You should assess the auditee’s risk management practices and controls during the audit, not

before it.

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2