PECB ISO-IEC-27001 Lead Auditor PECB Certified ISO/IEC 27001 Lead Auditor exam Online Training

Question #81

DRAG DROP

You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company’s risk management process.

He is attempting to update the current documentation to make it easier for other managers to understand, however, it is clear from your discussion he is confusing several key terms.

You ask him to match each of the descriptions with the appropriate risk term.

What should the correct answers be?

Reveal Solution Hide Solution

Question #82

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymisation tests failed. Also, whether the Service Manager is authorised to approve the test.

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That’s why the Service Manager signed the approval. You are preparing the audit findings. Select the correct option.

A . There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)
B . There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
C . There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)
D . There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

Reveal Solution Hide Solution

Question #83

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to approve the test.

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymization functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That’s why the Service Manager signed the approval.

You sample one of the medical staff’s mobile and found that ABC’s healthcare mobile app, version 1.01 is installed. You found that version 1.01 has no test record.

The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app development company gave a free minor update on the tested software, performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions. Based on his 20 years of information security experience, there is no need to re-test.

You are preparing the audit findings Select two options that are correct.

A . There is NO nonconformity (NC). The IT Manager demonstrates he is fully competent. (Relevant to clause 7.2)
B . There is a nonconformity (NC). The IT Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
C . There is a nonconformity (NC). The organisation does not control planned changes and review the consequences of unintended changes. (Relevant to clause 8.1)
D . There is an opportunity for improvement (OI). The organisation selects an external service provider based on the extent of free services it will provide. (Relevant to clause 8.1, control A.5.21)
E . There is NO nonconformity (NC). The IT Manager demonstrates good leadership. (Relevant to clause 5.1, control 5.4)
F . There is an opportunity for improvement (OI). The IT Manager should make the decision to continue the service based on appropriate testing. (Relevant to clause 8.1, control A.8.30)

Reveal Solution Hide Solution

Correct Answer: BC
BC

Explanation:

According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes developing and entering into licensing agreements that cover code ownership and intellectual property rights, and implementing appropriate contractual requirements related to secure design and coding in accordance with Annex A 8.25 and 8.2912

In this case, the organisation and the developer have performed security tests that failed, which indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT Manager explains that the encryption and pseudonymization functions failed because they slowed down the system and service performance, and that an extra 150% of resources are needed to cover this. However, this does not justify the acceptance of the test results by the Service Manager, who is not authorised to approve the test according to the software security management procedure. The Service Manager should have consulted with the IT Manager, who is the owner of the process, and followed the procedure for handling nonconformities and corrective actions. The Service Manager’s decision to continue the service based on access control alone exposes the organisation to the risk of

compromising the confidentiality, integrity, and availability of personal data processed by the mobile app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.

According to ISO 27001:2022 Clause 8.1, the organisation shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in Clause 6.1. The organisation shall also control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary12 In this case, the organisation has not controlled the planned change of the mobile app from version 1.0 to version 1.01, which was a minor update provided by the outsourced developer in response to frequent ransomware attacks. The IT Manager explains that the developer performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions. However, this is not sufficient to ensure that the change is properly assessed, tested, documented, and approved before deployment. The IT Manager should have followed the change management process and procedure, and verified that the updated software meets the security requirements and does not introduce any new vulnerabilities or risks. The IT Manager’s reliance on his 20 years of information security experience and the developer’s verbal guarantee is not a valid basis for skipping the re-testing of the software. Therefore, there is a nonconformity (NC) with clause 8.1.

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Question #84

During a third-party certification audit, you are presented with a list of issues by an auditee.

Which four of the following constitute ‘internal’ issues in the context of a management system to ISO 27001:2022?

A . Higher labour costs as a result of an aging population
B . A rise in interest rates in response to high inflation
C . Poor levels of staff competence as a result of cuts in training expenditure
D . Poor morale as a result of staff holidays being reduced
E . Increased absenteeism as a result of poor management
F . A reduction in grants as a result of a change in government policy
G . A fall in productivity linked to outdated production equipment
H . Inability to source raw materials due to government sanctions

Reveal Solution Hide Solution

Correct Answer: C, D, E, G
C, D, E, G

Explanation:

According to ISO 27001:2022 clause 4.1, the organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system (ISMS)12

External issues are factors outside the organisation that it cannot control, but can influence or adapt to. They include political, economic, social, technological, legal, and environmental factors that may affect the organisation’s information security objectives, risks, and opportunities12

Internal issues are factors within the organisation that it can control or change. They include the organisation’s structure, culture, values, policies, objectives, strategies, capabilities, resources, processes, activities, relationships, and performance that may affect the organisation’s information security management system12

Therefore, the following issues are considered ‘internal’ in the context of a management system to ISO 27001:2022:

Poor levels of staff competence as a result of cuts in training expenditure: This is an internal issue because it relates to the organisation’s capability, resource, and process of developing and maintaining the competence of its personnel involved in the ISMS. The organisation can control or change its training expenditure and its impact on staff competence12

Poor morale as a result of staff holidays being reduced: This is an internal issue because it relates to the organisation’s culture, value, and relationship with its employees. The organisation can control or change its staff holiday policy and its impact on staff morale12

Increased absenteeism as a result of poor management: This is an internal issue because it relates to the organisation’s performance, structure, and accountability of its management. The organisation can control or change its management practices and its impact on staff absenteeism12

A fall in productivity linked to outdated production equipment: This is an internal issue because it relates to the organisation’s capability, resource, and process of ensuring the availability and suitability of its production equipment. The organisation can control or change its equipment maintenance and upgrade and its impact on productivity12

The following issues are considered ‘external’ in the context of a management system to ISO 27001:2022:

Higher labour costs as a result of an aging population: This is an external issue because it relates to the social and demographic factor that affects the availability and cost of labour in the market. The organisation cannot control or change the aging population, but can influence or adapt to its impact on labour costs12

A rise in interest rates in response to high inflation: This is an external issue because it relates to the economic and monetary factor that affects the cost and availability of capital in the market. The organisation cannot control or change the interest rates or inflation, but can influence or adapt to its impact on capital costs12

A reduction in grants as a result of a change in government policy: This is an external issue because it relates to the political and legal factor that affects the availability and conditions of public funding for the organisation. The organisation cannot control or change the government policy, but can influence or adapt to its impact on grants12

Inability to source raw materials due to government sanctions: This is an external issue because it relates to the political and legal factor that affects the availability and cost of raw materials in the market. The organisation cannot control or change the government sanctions, but can influence or adapt to its impact on raw materials12

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Question #85

You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee’s knowledge of ISO/IEC 27001’s risk management requirements.

You ask her a series of questions to which the answer is either ‘that is true’ or ‘that is false’.

Which four of the following should she answer ‘that is true’?

A . The results of risk assessments must be maintained
B . Risk identification is used to determine the severity of an information security risk
C . ISO/IEC 27001 provides an outline approach for the management of risk
D . The organisation must produce a risk treatment plan for every business risk identified
E . The organisation must operate a risk treatment process to eliminate it’s information security risks
F . The initial phase in an organisation’s risk management process should be information security risk assessment
G . Risks assessments should be undertaken at monthly intervals
H . Risk assessments should be undertaken following significant changes

Reveal Solution Hide Solution

Correct Answer: ACDH
ACDH

Explanation:

The following four statements are true according to ISO/IEC 27001’s risk management requirements: 12

The results of risk assessments must be maintained. This is true because clause 8.2.3 of ISO/IEC 27001:2022 requires the organisation to retain documented information of the information security risk assessment process and the results12

ISO/IEC 27001 provides an outline approach for the management of risk. This is true because clause 6.1.2 of ISO/IEC 27001:2022 specifies the general steps for the information security risk management process, which include establishing the risk criteria, assessing the risks, treating the risks, and monitoring and reviewing the risks12

The organisation must produce a risk treatment plan for every business risk identified. This is true because clause 6.1.3 of ISO/IEC 27001:2022 requires the organisation to produce a risk treatment plan that defines the actions to be taken to address the unacceptable risks, the responsibilities, the expected dates, and the resources required12

Risk assessments should be undertaken following significant changes. This is true because clause 8.2.4 of ISO/IEC 27001:2022 requires the organisation to review and update the risk assessment at planned intervals or when significant changes occur12

The following four statements are false according to ISO/IEC 27001’s risk management requirements: Risk identification is used to determine the severity of an information security risk. This is false because risk identification is used to identify the assets, threats, vulnerabilities, and existing controls that are relevant to the information security risk management process. The severity of an information security risk is determined by the risk analysis, which evaluates the likelihood and impact of the risk scenarios12

The organisation must operate a risk treatment process to eliminate its information security risks. This is false because the organisation can choose from four options to treat its information security risks: avoid, transfer, mitigate, or accept. The organisation does not have to eliminate all its information security risks, but only those that are unacceptable according to its risk criteria12 The initial phase in an organisation’s risk management process should be information security risk assessment. This is false because the initial phase in an organisation’s risk management process should be establishing the risk management framework, which includes defining the risk management policy, objectives, scope, roles, responsibilities, and criteria. The information security risk assessment is the second phase in the risk management process12

Risks assessments should be undertaken at monthly intervals. This is false because there is no fixed frequency for conducting risk assessments in ISO/IEC 27001. The organisation should determine the appropriate intervals for reviewing and updating the risk assessment based on its risk appetite, risk profile, and operational context12

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Question #86

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. You find all nursing home residents wear an electronic wristband for monitoring their location, heartbeat, and blood pressure always. You learned that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.

To verify the scope of ISMS, you interview the management system representative (MSR) who explains that the ISMS scope covers an outsourced data center.

Select three options for the audit evidence you need to find to verify the scope of the ISMS.

A . The auditee has identified the resident’s needs and expectations on the facility and environmental safety
B . The auditee has ISO 9001 certification
C . The auditee has identified the governmental authorities’ needs and expectations on healthcare services and patient data handling
D . The auditee has identified the resident’s needs and expectations on how they should protect the resident’s personal data
E . The auditee has identified the resident’s needs and expectations on the comfort facility, medical professional’s competence, and clean environment
F . The auditee has identified the resident’s needs and expectations on healthcare medical treatment services
G . The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located
H . The auditee is considering the purchase of a healthcare monitoring app from an external software company

Reveal Solution Hide Solution

Correct Answer: C, D, G
C, D, G

Explanation:

According to ISO 27001:2022 clause 4.3, the organisation shall determine the scope of the information security management system (ISMS) by considering the internal and external issues, the requirements of interested parties, and the interfaces and dependencies with other organisations12 In this case, the ISMS scope covers an outsourced data center that hosts the artificial intelligence (AI) cloud server for healthcare monitoring and analysis of the residents’ data. Therefore, the audit evidence you need to find to verify the scope of the ISMS should include:

The auditee has identified the governmental authorities’ needs and expectations on healthcare services and patient data handling. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to comply with the relevant laws and regulations regarding the quality, safety, and privacy of healthcare services and patient data12

The auditee has identified the resident’s needs and expectations on how they should protect the resident’s personal data. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to ensure the confidentiality, integrity, and availability of the resident’s personal data that is collected, processed, and stored by the electronic wristband and the AI cloud server12

The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located. This is an interface and dependency with another organisation that affects the ISMS scope, as the auditee has to control the externally provided processes, products, and services that are relevant to the ISMS, and to implement appropriate contractual requirements related to information security12

The following options are not relevant or sufficient for verifying the scope of the ISMS:

The auditee has identified the resident’s needs and expectations on the facility and environmental safety. This is an external issue and an interested party requirement, but it does not affect the ISMS scope, as it is not related to information security12

The auditee has ISO 9001 certification. This is an indication of the auditee’s quality management system, but it does not verify the scope of the ISMS, as it is not related to information security12 The auditee has identified the resident’s needs and expectations on the comfort facility, medical professional’s competence, and clean environment. These are external issues and interested party requirements, but they do not affect the ISMS scope, as they are not related to information security12

The auditee has identified the resident’s needs and expectations on healthcare medical treatment services. These are external issues and interested party requirements, but they do not verify the scope of the ISMS, as they are not specific to information security12

The auditee is considering the purchase of a healthcare monitoring app from an external software company. This is a potential change that may affect the ISMS scope in the future, but it does not verify the current scope of the ISMS, as it is not yet implemented or controlled12

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Question #87

You are an experienced ISMS audit team leader providing guidance to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the following activities. They have asked you to review their checklist to confirm that the actions they are proposing are appropriate.

The audit they have been invited to participate in is a third-party surveillance audit of a data centre. The data centre agent is part of a wider telecommunication group. Each data centre within the group operates its own ISMS and holds its own certificate.

Select three options that relate to ISO/IEC 27001:2022’s requirements regarding external providers.

A . I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group
B . I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services
C . I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information
D . I will limit my audit activity to externally provided processes as there is no need to audit externally provided products of services
E . I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance
F . I will ensure the organization is has determined the need to communicate with external providers regarding the ISMS
G . I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes
H . I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest

Reveal Solution Hide Solution

Question #87

You are an experienced ISMS audit team leader providing guidance to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the following activities. They have asked you to review their checklist to confirm that the actions they are proposing are appropriate.

The audit they have been invited to participate in is a third-party surveillance audit of a data centre. The data centre agent is part of a wider telecommunication group. Each data centre within the group operates its own ISMS and holds its own certificate.

Select three options that relate to ISO/IEC 27001:2022’s requirements regarding external providers.

A . I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group
B . I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services
C . I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information
D . I will limit my audit activity to externally provided processes as there is no need to audit externally provided products of services
E . I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance
F . I will ensure the organization is has determined the need to communicate with external providers regarding the ISMS
G . I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes
H . I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest

Reveal Solution Hide Solution

Question #89

You are an experienced ISMS auditor conducting a third-party surveillance audit at an organisation which offers ICT reclamation services. ICT equipment which companies no longer require is processed by the organisation. It Is either recommissioned and reused or is securely destroyed. You notice two servers on a bench in the corner of the room. Both have stickers on item with the server’s name, IP address and admin password. You ask the ICT Manager about them, and he tells you they were part of a shipment received yesterday from a regular customer.

Which one action should you take?

A . Ask the ICT Manager to record an information security incident and initiate the information security incident management process
B . Note the audit finding and check the process for dealing with incoming shipments relating to customer IT security
C . Record what you have seen in your audit findings, but take no further action
D . Raise a nonconformity against control 5.31 Legal, staturary, regulatory and contractual requirements’
E . Raise a nonconformity against control 8.20 ‘network security’ (networks and network devices shall be secured, managed and controlled to protect information in systems and applications)
F . Ask the auditee to remove the labels, then carry on with the audit

Reveal Solution Hide Solution

Question #90

DRAG DROP

You are an experienced ISMS audit team leader. An auditor in training has approached you to ask you to clarify the different types of audits she may be required to undertake. Match the following audit types to the descriptions.

To complete the table click on the blank section you want to complete so that It is highlighted In fed, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Reveal Solution Hide Solution