
PECB ISO-IEC-27001 Lead Auditor PECB Certified ISO/IEC 27001 Lead Auditor exam Online Training

Question #1

What is the difference between a restricted and confidential document?

  • A . Restricted – to be shared among an authorized group
    Confidential – to be shared among named individuals
  • B . Restricted – to be shared among named individuals
    Confidential – to be shared among an authorized group
  • C . Restricted – to be shared among named individuals
    Confidential – to be shared across the organization only
  • D . Restricted – to be shared among named individuals
    Confidential – to be shared with friends and family

Correct Answer: B

Explanation:

The difference between a restricted and confidential document is that a restricted document is to be shared among named individuals, while a confidential document is to be shared among an authorized group. Restricted and confidential are examples of information classification levels that indicate the sensitivity and value of information and the degree of protection required for it. Restricted documents contain information that could cause serious damage or harm to the organization or its stakeholders if disclosed to unauthorized persons. Therefore, they should only be accessed by specific individuals who have a legitimate need to know and are authorized by the information owner. Confidential documents contain information that could cause damage or harm to the organization or its stakeholders if disclosed to unauthorized persons. Therefore, they should only be accessed by a defined group of people who have a legitimate need to know and are authorized by the information owner. ISO/IEC 27001:2022 requires the organization to classify information in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification (see clause A.8.2.1).

Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements, What is Information Classification?

Question #2

The CEO sends a mail giving his views on the status of the company, the company’s future strategy, the CEO’s vision and the employees’ part in it. The mail should be classified as:

  • A . Internal Mail
  • B . Public Mail
  • C . Confidential Mail
  • D . Restricted Mail

Correct Answer: A

Explanation:

The mail sent by the CEO giving his views on the status of the company and the company’s future strategy and the CEO’s vision and the employee’s part in it should be classified as internal mail. Internal mail is a type of classification that indicates that the information is intended for internal use only, and should not be disclosed to external parties without authorization. The mail sent by the CEO contains information that is relevant and important for the employees of the company, but may not be suitable for public disclosure, as it may contain sensitive or confidential information about the company’s performance, goals, or plans.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 34. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 37. : [ISO/IEC 27001 LEAD AUDITOR – PECB], page 14.

Question #3

You see a blue color sticker on certain physical assets.

What does this signify?

  • A . The asset is very high critical and its failure affects the entire organization
  • B . The asset with blue stickers should be kept air conditioned at all times
  • C . The asset is high critical and its failure will affect a group/s/project’s work in the organization
  • D . The asset is critical and the impact is restricted to an employee only

Correct Answer: C

Explanation:

You see a blue color sticker on certain physical assets. This signifies that the asset is high critical and its failure will affect a group/s/project’s work in the organization. A blue color sticker is a type of label that indicates the level of criticality of an asset, which is a measure of how important an asset is for the organization’s operations and objectives. A high critical asset is an asset that has a significant impact on the organization’s activities, and its loss or damage would cause major disruption or loss of service. A blue color sticker also implies that the asset requires a high level of protection and security, and should be handled with care.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 36. : [ISO/IEC 27001 Brochures | PECB], page 6.

Question #4

Integrity of data means

  • A . Accuracy and completeness of the data
  • B . Data should be viewable at all times
  • C . Data should be accessed by only the right people

Correct Answer: A

Explanation:

Integrity of data means accuracy and completeness of the data. Integrity is one of the three main objectives of information security, along with confidentiality and availability. Integrity ensures that information and systems are not corrupted, modified, or deleted by unauthorized actions or events. “Data should be viewable at all times” relates to availability, not integrity. “Data should be accessed by only the right people” relates to confidentiality, not integrity.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24. : [ISO/IEC 27001 Brochures | PECB], page 4.

Question #5

You have a hard copy of a customer design document that you want to dispose of.

What would you do?

  • A . Throw it in any dustbin
  • B . Shred it using a shredder
  • C . Give it to the office boy to reuse it for other purposes
  • D . Be environment friendly and reuse it for writing

Correct Answer: B

Explanation:

The best way to dispose of a hard copy of a customer design document is to shred it using a shredder. This is because shredding ensures that the document is destroyed and cannot be reconstructed or accessed by unauthorized persons. A customer design document may contain sensitive or confidential information that could cause harm or damage to the customer or the organization if disclosed. Therefore, it is important to protect the confidentiality and integrity of the document until it is securely disposed of. Throwing it in any dustbin, giving it to the office boy to reuse it for other purposes, or reusing it for writing are not secure ways of disposing of the document, as they could expose the document to unauthorized access, theft, loss or damage. ISO/IEC 27001:2022 requires the organization to implement procedures for the secure disposal of media containing information (see clause A.8.3.2).

Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements, What is Secure Disposal?

Question #6

You receive the following mail from the IT support team: Dear User, Starting next week, we will be deleting all inactive email accounts in order to create space. Share the below details in order to continue using your account. In case of no response,

Name:

Email ID:

Password:

DOB:

Kindly contact the webmail team for any further support. Thanks for your attention.

Which of the following is the best response?

  • A . Ignore the email
  • B . Respond to it by saying that one should not share the password with anyone
  • C . One should not respond to these mails and report such email to your supervisor

Correct Answer: C

Explanation:

The best response to the email from the IT support team asking for personal details is to not respond to the email and report it to your supervisor. The email is likely a phishing attempt, which is a form of social engineering that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. The IT support team should never ask for your password or other personal details via email, as this is a violation of information security policies and best practices. Ignoring the email or responding to it by saying that one should not share the password with anyone are not sufficient responses, as they do not alert the IT support team or your supervisor about the phishing attempt, which could affect other users as well. Reporting the email to your supervisor is a responsible action that could help prevent further damage or compromise of information. ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2).

Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements, What is Phishing?

Question #7

The following are definitions of Information, except:

  • A . accurate and timely data
  • B . specific and organized data for a purpose
  • C . mature and measurable data
  • D . can lead to understanding and decrease in uncertainty

Correct Answer: C

Explanation:

The definition of information that is not correct is C: mature and measurable data. This is not a valid definition of information, as information does not have to be mature or measurable to be considered as such. Information can be any data that has meaning or value for someone or something in a certain context. Information can be subjective, qualitative, incomplete or uncertain, depending on how it is interpreted or used. Mature and measurable data are characteristics that may apply to some types of information, but not all. The other definitions of information are correct, as they describe different aspects of information, such as accuracy and timeliness (A), specificity and organization (B), and understanding and uncertainty reduction (D). ISO/IEC 27001:2022 defines information as “any data that has meaning” (see clause 3.25).

Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements, What is Information?

Question #8

In the event of an Information security incident, system users’ roles and responsibilities are to be observed, except:

  • A . Report suspected or known incidents upon discovery through the Servicedesk
  • B . Preserve evidence if necessary
  • C . Cooperate with investigative personnel during investigation if needed
  • D . Make the information security incident details known to all employees

Correct Answer: D

Explanation:

The role and responsibility that system users should not observe in the event of an information security incident is D: make the information security incident details known to all employees. This is not a proper role or responsibility for system users, as it could cause unnecessary panic, confusion or speculation among employees who are not involved in the incident response process. It could also compromise the confidentiality and integrity of the incident information, which could be sensitive or confidential in nature. Making the information security incident details known to all employees could also violate the information security policies and procedures of the organization, which may require a certain level of discretion and confidentiality when dealing with incidents. The other roles and responsibilities are correct, as they describe what system users should do in the event of an information security incident, such as reporting the incident to the Servicedesk (A), preserving evidence if necessary (B), and cooperating with investigative personnel if needed (C). These roles and responsibilities help to ensure a quick, effective and orderly response to information security incidents. ISO/IEC 27001:2022 requires the organization to implement procedures for reporting and managing information security incidents (see clause A.16.1).

Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements, What is Information Security Incident Management?

Question #9

What is the standard definition of ISMS?

  • A . Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing, operating and maintaining organization’s reputation.
  • B . A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving
  • C . A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security
  • D . A systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives.

Correct Answer: D

Explanation:

The standard definition of ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. This definition is given in clause 3.17 of ISO/IEC 27001:2022, and it describes the main components and purpose of an ISMS. An ISMS is not a project-based approach, as it is an ongoing process that requires continual improvement. An ISMS is not a company wide business objective, as it is a management system that supports the organization’s objectives. An ISMS is not an information security systematic approach, as it is a broader concept that encompasses the organization’s context, risks, controls, and performance.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 15. : ISO/IEC 27001:2022, clause 3.17.

Question #10

Information or data that are classified as ______ do not require labeling.

  • A . Public
  • B . Internal
  • C . Confidential
  • D . Highly Confidential

Correct Answer: A

Explanation:

Information or data that are classified as public do not require labeling. Public information or data are those that are intended for general disclosure and have no impact on the organization’s operations or reputation if disclosed. Labeling is a method of implementing classification, which is a process of structuring information according to its sensitivity and value for the organization. Labeling helps to identify the level of protection and handling required for each type of information. Information or data that are classified as internal, confidential, or highly confidential require labeling, as they contain information that is not suitable for public disclosure and may cause harm or loss to the organization if disclosed.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 34. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 37. : [ISO/IEC 27001 LEAD AUDITOR – PECB], page 14.

Question #11

A property of Information that has the ability to prove occurrence of a claimed event.

  • A . Electronic chain letters
  • B . Integrity
  • C . Availability
  • D . Accessibility

Correct Answer: B

Explanation:

A property of information that has the ability to prove occurrence of a claimed event is integrity. Integrity is one of the three main objectives of information security, along with confidentiality and availability. Integrity ensures that information and systems are not corrupted, modified, or deleted by unauthorized actions or events. Integrity also implies that information and systems can be verified and validated as authentic and accurate. Electronic chain letters are not a property of information, but a type of spam or hoax message that may contain malicious or misleading content. Availability means that service should be accessible at the required time and usable only by the authorized entity. Accessibility is not a property of information, but a characteristic of usability that refers to how easy it is for users to access and interact with information and systems.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24. : [ISO/IEC 27001 Brochures | PECB], page 4. : [ISO/IEC 27001 LEAD AUDITOR – PECB], page 13.

Question #12

Stages of Information

  • A . creation, evolution, maintenance, use, disposition
  • B . creation, use, disposition, maintenance, evolution
  • C . creation, distribution, use, maintenance, disposition
  • D . creation, distribution, maintenance, disposition, use

Correct Answer: C

Explanation:

The stages of information are creation, distribution, use, maintenance, and disposition. These are the phases that information goes through during its lifecycle, from the moment it is generated to the moment it is destroyed or archived. Each stage of information has different security requirements and risks, and should be managed accordingly. Creation, evolution, maintenance, use, and disposition are not the correct stages of information, as evolution is not a distinct stage, but a process that can occur in any stage. Creation, use, disposition, maintenance, and evolution are not the correct stages of information, as they are not in the right order. Creation, distribution, maintenance, disposition, and use are not the correct stages of information, as they are not in the right order.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 32. : [ISO/IEC 27001 LEAD AUDITOR – PECB], page 12.

Question #13

A decent visitor is roaming around without visitor’s ID. As an employee you should do the following, except:

  • A . Say "hi" and offer coffee
  • B . Call the receptionist and inform about the visitor
  • C . Greet and ask him what is his business
  • D . Escort him to his destination

Correct Answer: A

Explanation:

As an employee, you should do the following when you see a visitor roaming around without a visitor’s ID, except saying “hi” and offering coffee. Saying “hi” and offering coffee is not an appropriate action, as it may imply that you are welcoming or endorsing the visitor without verifying their identity or purpose. This may also give the visitor an opportunity to gain your trust or exploit your kindness. Calling the receptionist and informing them about the visitor is an appropriate action, as it alerts the responsible staff to handle the situation and ensure that the visitor is authorized and registered. Greeting him and asking what his business is is an appropriate action, as it shows your concern and curiosity about the visitor’s presence and intention. Escorting him to his destination is an appropriate action, as it prevents the visitor from wandering around unattended and accessing unauthorized areas or information.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 42. : [ISO/IEC 27001 LEAD AUDITOR – PECB], page 15.

Question #14

Which of the following is not a type of Information Security attack?

  • A . Legal Incidents
  • B . Vehicular Incidents
  • C . Technical Vulnerabilities
  • D . Privacy Incidents

Correct Answer: B

Explanation:

Vehicular incidents are not a type of information security attack. A vehicular incident is an event that involves a vehicle or its driver causing damage or injury to people or property. A vehicular incident may have an impact on information security if it affects the availability or integrity of information or systems that are transported or accessed by vehicles, but it is not an intentional or malicious attack on information security. Legal incidents are a type of information security attack that involve legal actions or disputes that may compromise the confidentiality or integrity of information or systems. Technical vulnerabilities are a type of information security attack that exploit weaknesses or flaws in software or hardware that may compromise the confidentiality, integrity, or availability of information or systems. Privacy incidents are a type of information security attack that involve unauthorized access or disclosure of personal or sensitive information that may compromise the confidentiality or integrity of information or systems.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 25. : [ISO/IEC 27001 LEAD AUDITOR – PECB], page 13.

Question #15

The following are purposes of Information Security, except:

  • A . Ensure Business Continuity
  • B . Minimize Business Risk
  • C . Increase Business Assets
  • D . Maximize Return on Investment

Correct Answer: C

Explanation:

The following are purposes of information security, except increasing business assets. Increasing business assets is not a purpose of information security, as it is not directly related to protecting information and systems from threats and risks. Information security may contribute to increasing business assets by enhancing customer trust, reputation, compliance, and efficiency, but it is not its primary goal. Ensuring business continuity is a purpose of information security, as it aims to prevent or minimize disruptions or losses caused by incidents affecting information and systems. Minimizing business risk is a purpose of information security, as it aims to identify and reduce threats and vulnerabilities that may compromise information and systems. Maximizing return on investment is a purpose of information security, as it aims to optimize the costs and benefits of implementing and maintaining information security controls and measures.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 23. : [ISO/IEC 27001 Brochures | PECB], page 4.

Question #16

The following are the guidelines to protect your password, except:

  • A . Don’t use the same password for various company system security access
  • B . Do not share passwords with anyone
  • C . For easy recall, use the same password for company and personal accounts
  • D . Change a temporary password on first log-on

Correct Answer: B,C

Explanation:

The following are guidelines to protect your password, except: for easy recall, use the same password for company and personal accounts; do not share passwords with anyone. Using the same password for company and personal accounts is not a guideline to protect your password, as it increases the risk of compromising your password if one of your accounts is hacked or breached. You should use different and unique passwords for each account, and change them regularly. Sharing passwords with anyone is not a guideline to protect your password, as it reduces the security and accountability of your password. You should keep your password confidential and never disclose it to anyone, even if they claim to be authorized or trustworthy. “Don’t use the same password for various company system security access” is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if one of the systems is compromised or breached. You should use different and complex passwords for each system, and follow the password policies and standards of the organization. “Change a temporary password on first log-on” is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if the temporary password is intercepted or leaked. You should change the temporary password to a personal and secure password as soon as possible, and avoid using default or predictable passwords.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 43. : [ISO/IEC 27001 LEAD AUDITOR – PECB], page 15.

Question #17

Phishing is what type of Information Security Incident?

  • A . Private Incidents
  • B . Cracker/Hacker Attacks
  • C . Technical Vulnerabilities
  • D . Legal Incidents

Correct Answer: B

Explanation:

Phishing is a type of information security incident that falls under the category of cracker/hacker attacks. Phishing is a form of fraud that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. Phishing is a common and serious threat to information security, as it can lead to identity theft, financial loss, data breach, malware infection or other damages. ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2).

Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements, What is Phishing?

Question #18

Information Security is a matter of building and maintaining ________.

  • A . Confidentiality
  • B . Trust
  • C . Protection
  • D . Firewalls

Correct Answer: B

Explanation:

Information security is a matter of building and maintaining trust. Trust is the confidence that information and information processing facilities are protected from unauthorized or malicious actions that could compromise their confidentiality, integrity or availability. Trust is essential for establishing and maintaining relationships with customers, partners, suppliers, employees and other stakeholders who rely on the organization’s information and services. Trust is also a key factor for achieving compliance with legal, regulatory and contractual obligations, as well as meeting the organization’s own information security objectives and policies. ISO/IEC 27001:2022 defines information security as “preservation of confidentiality, integrity and availability of information” (see clause 3.28) and states that “the purpose of an information security management system is to provide a framework for managing activities that influence the trustworthiness of information” (see Introduction).

Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements, What is Trust?

Question #19

All are prohibited in acceptable use of information assets, except:

  • A . Electronic chain letters
  • B . E-mail copies to non-essential readers
  • C . Company-wide e-mails with supervisor/TL permission.
  • D . Messages with very large attachments or to a large number of recipients.

Correct Answer: C

Explanation:

The only option that is not prohibited in acceptable use of information assets is C: company-wide e-mails with supervisor/TL permission. This option implies that the sender has obtained the necessary authorization from their supervisor or team leader to send an e-mail to all employees in the organization. This could be done for legitimate business purposes, such as announcing important news, events or updates that are relevant to everyone. However, this option should still be used sparingly and responsibly, as it could cause unnecessary disruption or annoyance to the recipients if abused or misused. The other options are prohibited in acceptable use of information assets, as they could violate the information security policies and procedures of the organization, as well as waste resources and bandwidth. Electronic chain letters (A) are messages that urge recipients to forward them to multiple other people, often with false or misleading claims or promises. They are considered spam and could contain malicious links or attachments that could compromise information security. E-mail copies to non-essential readers (B) are messages that are sent to recipients who do not need to receive them or have no interest in them. They are considered unnecessary and could clutter the inbox and distract the recipients from more important messages. Messages with very large attachments or to a large number of recipients (D) are messages that consume a lot of network resources and could affect the performance or availability of the information systems. They could also exceed the storage capacity or quota limits of the recipients’ mailboxes and cause problems for them. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3).

Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements, What is Acceptable Use?

Question #20

In acceptable use of Information Assets, which is the best practice?

  • A . Access to information and communication systems are provided for business purpose only
  • B . Interfering with or denying service to any user other than the employee’s host
  • C . Playing any computer games during office hours
  • D . Accessing phone or network transmissions, including wireless or wifi transmissions

Correct Answer: A

Explanation:

The best practice in acceptable use of information assets is A: access to information and communication systems is provided for business purposes only. This means that the organization grants access to its information and communication systems only to authorized users who need to use them for legitimate and approved business activities. The organization does not allow or tolerate any unauthorized, inappropriate or personal use of its information and communication systems, as this could compromise information security, violate policies or laws, or cause damage or harm to the organization or its stakeholders. The other options are not best practices in acceptable use of information assets, as they could violate information security policies and procedures, as well as ethical or legal standards. Interfering with or denying service to any user other than the employee’s host (B) is a malicious act that could disrupt the availability or performance of the information systems or services of another user or organization. Playing any computer games during office hours (C) is a personal and unprofessional use of the information and communication systems that could distract the employee from their work duties, waste resources and bandwidth, or expose the systems to malware or other risks. Accessing phone or network transmissions, including wireless or wifi transmissions (D) is a potential breach of confidentiality or privacy that could intercept, monitor or modify the information transmitted by another user or organization without their consent or authorization. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3).

Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements, What is Acceptable Use?

Question #21

CMM stands for?

  • A . Capability Maturity Matrix
  • B . Capacity Maturity Matrix
  • C . Capability Maturity Model
  • D . Capable Mature Model

Correct Answer: C

Explanation:

The Capability Maturity Model (CMM) is a framework that describes the key elements of an effective software process. It defines five levels of process maturity for software development organizations, from Initial (level 1) through Repeatable, Defined and Managed to Optimizing (level 5). The CMM helps organizations assess their current level of process capability and identify areas for improvement.

Reference: ISO/IEC 27001:2022 Lead Auditor – IECB

Question #22

Which is not a requirement of HR prior to hiring?

  • A . Undergo background verification
  • B . Applicant must complete pre-employment documentation requirements
  • C . Must undergo Awareness training on information security.
  • D . Must successfully pass Background Investigation

Correct Answer: C

Explanation:

Awareness training on information security is not a pre-hire requirement: it is delivered once a person is working under the organization’s control. ISO/IEC 27001:2022 clause 7.3 requires persons doing work under the organization’s control to be aware of the information security policy, of their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance, and of the implications of not conforming with ISMS requirements; control A.6.3 requires awareness, education and training for personnel and relevant interested parties. Background verification (control A.6.1, Screening) and completion of pre-employment documentation, by contrast, take place before employment begins.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

Question #23

Who are allowed to access highly confidential files?

  • A . Employees with a business need-to-know
  • B . Contractors with a business need-to-know
  • C . Employees with signed NDA have a business need-to-know
  • D . Non-employees designated with approved access and have signed NDA

Correct Answer: A

Explanation:

ISO/IEC 27001 requires that access to information and other associated assets be limited in accordance with the access control policy and the business requirements for access control (controls A.9.1.1 and A.9.1.2 in the 2013 edition; A.5.15, Access control, and A.5.18, Access rights, in the 2022 edition). Highly confidential files should therefore be restricted to employees with a business need-to-know. A signed NDA does not by itself establish a need-to-know, and contractors and other non-employees are not granted access to such files by default, so the best answer is A.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

Question #24

Which is the glue that ties the triad together

  • A . Process
  • B . People
  • C . Collaboration
  • D . Technology

Correct Answer: D

Explanation:

The triad refers to the three elements of information security: confidentiality, integrity and availability. Technology is the glue that ties the triad together, as it provides the means to implement the controls and measures that protect information from unauthorized access, modification or loss.

Reference: ISO/IEC 27001:2022 Lead Auditor Training Course – BSI

Question #25

Implement plan on a test basis – this comes under which section of PDCA

  • A . Plan
  • B . Do
  • C . Act
  • D . Check

Correct Answer: B

Explanation:

The PDCA cycle is a four-step method for managing and improving processes: Plan, Do, Check and Act. In the Plan phase, the objectives and scope of the process are defined and the resources and activities are planned. In the Do phase, the plan is implemented, initially on a test basis, and the results are recorded. In the Check phase, those results are monitored and measured against the objectives, and in the Act phase, actions are taken to improve the process.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

Question #26

What do we do in the Act phase of the PDCA cycle?

  • A . Take actions to continually monitor process performance
  • B . Take actions to continually improve process performance
  • C . Take actions to continually monitor process performance
  • D . Take actions to continually improve people performance

Correct Answer: B

Explanation:

In the Act phase of the PDCA cycle, the process is reviewed and evaluated based on the results from the Check phase. The actions taken in this phase aim to continually improve the process performance by addressing the root causes of problems, implementing corrective and preventive actions, and updating the process documentation.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

Question #27

__________ is an asset that, like other important business assets, has value to an organization and consequently needs to be protected.

  • A . Infrastructure
  • B . Data
  • C . Information
  • D . Security

Correct Answer: C

Explanation:

Information is an asset like other important business assets, as it has value to an organization and consequently needs to be protected. Information can be in any form, such as electronic, paper, or verbal. Information security is the protection of information from unauthorized access, use, disclosure, modification, or destruction.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

Question #28

Which of the following is the purpose of "Integrity", one of the basic components of information security?

  • A . the property that information is not made available or disclosed to unauthorized individuals
  • B . the property of safeguarding the accuracy and completeness of assets.
  • C . the property that information is not made available or disclosed to unauthorized individuals
  • D . the property of being accessible and usable upon demand by an authorized entity.

Correct Answer: B

Explanation:

Integrity is one of the basic components of information security, along with confidentiality and availability. ISO/IEC 27000 defines integrity as the property of accuracy and completeness: information is safeguarded from unauthorized or accidental changes that could affect its accuracy and completeness, so that it remains reliable and trustworthy.

Reference: ISO/IEC 27001:2022 Lead Auditor Training Course – BSI

Question #29

Which one of the following options best describes the main purpose of a Stage 1 third-party audit?

  • A . To introduce the audit team to the client
  • B . To learn about the organisation’s procurement
  • C . To determine readiness for a Stage 2 audit
  • D . To check for legal compliance by the organisation
  • E . To prepare an independent audit report
  • F . To get to know the organisation’s customers

Correct Answer: C

Explanation:

The main purpose of a Stage 1 third-party audit is to determine readiness for a Stage 2 audit. A Stage 1 audit is a preliminary assessment that evaluates the organization’s ISMS documentation, scope, context, and objectives, and identifies any major gaps or nonconformities that need to be addressed before the Stage 2 audit. A Stage 1 audit does not introduce the audit team to the client, as this is done during the audit planning phase. A Stage 1 audit does not check for legal compliance by the organization, as this is done during the Stage 2 audit. A Stage 1 audit does not prepare an independent audit report, as this is done after the Stage 2 audit.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 70; ISO/IEC 27001 LEAD AUDITOR – PECB, page 23.

Question #30

Which two of the following statements are true?

  • A . The role of a certification body auditor involves evaluating the organisation’s processes for ensuring compliance with their legal requirements
  • B . During a third-party audit, the auditor evaluates how the organisation ensures that they are made aware of changes to the legal requirements
  • C . As part of a certification body audit the auditor is responsible for verifying the organisation’s legal compliance status

Correct Answer: A, B

Explanation:

The following statements are true:

The role of a certification body auditor involves evaluating the organization’s processes for ensuring compliance with their legal requirements. This is part of the auditor’s responsibility to assess the effectiveness and conformity of the organization’s ISMS against the ISO/IEC 27001:2022 standard and the applicable legal and regulatory requirements.

During a third-party audit, the auditor evaluates how the organization ensures that they are made aware of changes to the legal requirements. This is part of the auditor’s responsibility to verify that the organization has established and maintained a process for identifying and updating their legal and other requirements related to information security.

The following statement is false:

As part of a certification body audit, the auditor is responsible for verifying the organization’s legal compliance status. This is not true, as the auditor is not authorized or qualified to provide legal advice or judgment on the organization’s compliance status. The auditor can only report on the evidence of compliance or noncompliance observed during the audit, but the ultimate responsibility for ensuring legal compliance lies with the organization.

Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, pages 66 and 67; ISO/IEC 27001 LEAD AUDITOR – PECB, page 22.

Question #31

DRAG DROP

Select the words that best complete the sentence:

To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Correct Answer: competence of the audit team and decision made by the certification body

Explanation:

According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, an accredited certification means that the certification body has been evaluated by an accreditation body against recognized standards to demonstrate its competence, impartiality and performance capability. Therefore, an accredited certification assures the competence of the audit team that conducts the audit in accordance with ISO 19011 and ISO/IEC 27001:2022, and the decision made by the certification body that grants or maintains the certification based on the audit evidence and findings.

Reference: ISO/IEC 17021-1:2015 Conformity assessment ― Requirements for bodies providing audit and certification of management systems ― Part 1: Requirements; ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA


Question #32

DRAG DROP

Select a word from the following options that best completes the sentence:

To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Correct Answer: evaluate

Explanation:

The purpose of a management system audit is to evaluate the performance of an organization’s management system.

A management system audit is an independent and systematic analysis and evaluation of a company’s overall activities and performance. It is a valuable tool for determining the efficiency, functions, accomplishments and achievements of the company. A management system audit can be conducted against a range of audit criteria, including (but not limited to) the requirements set out in existing ISO standards.

According to ISO 19011:2018, which provides guidelines for auditing management systems, the purpose of an audit is to enable the auditor to provide an audit conclusion that is related to the audit objectives. The audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system.

Therefore, the correct answer is evaluate, as it best describes the purpose of a management system audit. The other options are not correct because they are not specific enough or do not reflect the intended outcome of an audit. For example, improve implies that the audit itself will enhance the performance of the management system, which is not necessarily true. Manage implies that the audit will control or direct the management system, which is not its role. Research implies that the audit will generate new knowledge or information about the management system, which is not its primary aim.


Question #33

Which two activities align with the “Check’’ stage of the Plan-Do-Check-Act cycle when applied to the process of managing an internal audit program as described in ISO 19011?

  • A . Retains records of internal audits
  • B . Define audit criteria and scope for each internal audit
  • C . Update the internal audit programme
  • D . Establish a risk-based internal audit programme
  • E . Conduct internal audits
  • F . Verify effectiveness of the internal audit programme
  • G . Review trends in internal audit result

Correct Answer: F, G

Explanation:

The Check stage of the PDCA cycle involves monitoring and measuring the performance of the process and comparing it with the planned objectives and criteria. In the context of managing an internal audit programme, this stage includes verifying the effectiveness of the internal audit programme by evaluating whether it meets its objectives, scope, and criteria, and whether it is implemented in accordance with ISO 19011 guidelines. It also includes reviewing the trends in internal audit results by analyzing the data collected from the audits, such as audit findings, nonconformities, corrective actions, opportunities for improvement, and customer feedback.

Reference: ISO 19011:2018 – Guidelines for auditing management systems

Question #34

DRAG DROP

Please match the roles to the following descriptions:

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable test from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Correct Answer:

Explanation:

The auditee is the organization or part of it that is subject to the audit. The auditee could be internal or external to the audit client. The auditee should cooperate with the audit team and provide them with access to relevant information, documents, records, personnel, and facilities.

The audit client is the organization or person that requests an audit. The audit client could be internal or external to the auditee. The audit client should define the audit objectives, scope, criteria, and programme, and appoint the audit team leader.

The technical expert is a person who provides specific knowledge or expertise relating to the organization, activity, process, product, service, or discipline to be audited. The technical expert could be internal or external to the audit team. The technical expert should support the audit team in collecting and evaluating audit evidence, but should not act as an auditor.

The observer is a person who accompanies the audit team but does not act as an auditor. The observer could be internal or external to the audit team. The observer should observe the audit activities without interfering or influencing them, unless agreed otherwise by the audit team leader and the auditee.

Reference:

ISO 19011:2018 Guidelines for auditing management systems

ISO/IEC 17021-1:2015 Conformity assessment ― Requirements for bodies providing audit and certification of management systems ― Part 1: Requirements


Question #35

Which two of the following are examples of audit methods that ‘do’ involve human interaction?

  • A . Performing an independent review of procedures in preparation for an audit
  • B . Reviewing the auditee’s response to an audit finding
  • C . Analysing data by remotely accessing the auditee’s server
  • D . Observing work performed by remote surveillance
  • E . Analysing data by remotely accessing the auditee’s server

Correct Answer: A, B

Explanation:

Audit methods are techniques used by auditors to obtain audit evidence. Audit methods can be classified into two categories: those that involve human interaction and those that do not. Audit methods that involve human interaction require direct communication between the auditor and the auditee or other relevant parties, such as interviews, questionnaires, surveys, meetings, etc. Audit methods that do not involve human interaction rely on observation, inspection, measurement, testing, sampling, analysis, etc., without requiring any verbal or written exchange. Therefore, performing an independent review of procedures in preparation for an audit and reviewing the auditee’s response to an audit finding are examples of audit methods that involve human interaction, as they require reading and evaluating documents provided by the auditee or other sources. On the other hand, analysing data by remotely accessing the auditee’s server and observing work performed by remote surveillance are examples of audit methods that do not involve human interaction, as they do not require any direct communication with the auditee or other parties.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

Question #36

In the context of a third-party certification audit, confidentiality is an issue in an audit programme.

Select two options which correctly state the function of confidentiality in an audit

  • A . Auditors are forced by regulatory requirements to maintain confidentiality in an audit
  • B . Observers in an audit team cannot access any confidential information
  • C . Confidentiality is one of the principles of audit conduct
  • D . Auditors should obtain the auditee’s permission before using a camera or recording equipment
  • E . Audit information can be used for improving personal competence by the auditor
  • F . As an auditor is always accompanied by a guide, there is no risk to the auditee’s sensitive information

Correct Answer: C, D

Explanation:

Confidentiality is one of the principles of audit conduct that auditors should adhere to when performing audits. Confidentiality means that auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Auditors should respect the intellectual property rights of the auditee and other parties involved in the audit, and should not disclose any information that is sensitive, proprietary, or confidential without prior approval from the auditee or other authorized parties. Auditors should also obtain the auditee’s permission before using a camera or recording equipment during an audit, as these devices may capture confidential information or infringe on the privacy of individuals. Therefore, these two options correctly state the function of confidentiality in an audit. The other options are either incorrect or irrelevant to confidentiality. For example, auditors are not forced by regulatory requirements to maintain confidentiality in an audit, but rather by ethical obligations and contractual agreements. Observers in an audit team can access confidential information if they have signed a confidentiality agreement and have been authorized by the auditee. Audit information can be used for improving personal competence by the auditor only if it does not compromise confidentiality or conflict with other interests. As an auditor is always accompanied by a guide, there is still a risk to the auditee’s sensitive information if the guide is not trustworthy or authorized to access such information.

Reference: ISO 19011:2018 – Guidelines for auditing management systems

Question #37

DRAG DROP

Select the words that best complete the sentence:

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Correct Answer: act on behalf of the certification body

Explanation:

A third-party audit team leader is a person who leads an audit team that conducts audits on behalf of an external organization, such as a certification body, that provides certification services to other organizations.

One of the main responsibilities of a third-party audit team leader is to act on behalf of the certification body, which means to represent its interests, policies, and procedures during the audit process.

Acting on behalf of the certification body involves communicating with the audit client and the auditee, planning and conducting the audit, reporting and evaluating the audit results, and making recommendations for the certification decision.

Acting on behalf of the certification body also requires maintaining professional integrity, impartiality, confidentiality, and competence throughout the audit process.

Reference:

ISO 19011:2018 Guidelines for auditing management systems

ISO/IEC 17021-1:2015 Conformity assessment ― Requirements for bodies providing audit and certification of management systems ― Part 1: Requirements


Question #38

Which three of the following phrases are objectives in relation to an audit?

  • A . International Standard
  • B . Identify opportunities for improvement
  • C . Confirm the scope of the management system
  • D . Management policy
  • E . Complete audit on time
  • F . Regulatory requirements

Correct Answer: B, C, F

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, the audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system. Therefore, these three phrases are examples of objectives in relation to an audit. The other options are not objectives, but rather elements or factors that may influence or affect an audit. For example, an international standard is a source of audit criteria, a management policy is a part of the audited management system, and completing an audit on time is a requirement for an effective audit.

Reference: ISO 19011:2018 – Guidelines for auditing management systems

Question #39

Which six of the following actions are the individual(s) managing the audit programme responsible for?

  • A . Selecting the audit team
  • B . Retaining documented information of the audit results
  • C . Defining the objectives, scope and criteria for an individual audit
  • D . Defining the plan of an individual audit
  • E . Establishing the extent of the audit programme
  • F . Establishing the audit programme
  • G . Determining the resources necessary for the audit programme
  • H . Communicating with the auditee during the audit

Correct Answer: A, B, C, D, E, F

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, an audit programme is a set of one or more audits planned for a specific time frame and directed towards a specific purpose. The individual(s) managing the audit programme are responsible for establishing, implementing and maintaining the audit programme in accordance with the organization’s policies and objectives. This includes defining the extent of the audit programme based on strategic direction, risks and opportunities; establishing the audit programme by defining its objectives, scope and criteria; determining the resources necessary for the audit programme; selecting competent auditors and assigning them to appropriate audits; defining the objectives, scope and criteria for each individual audit; defining the plan of each individual audit; retaining documented information of the audit results; and reviewing and improving the performance of the audit programme. Therefore, these six actions are part of the responsibilities of the individual(s) managing the audit programme. The other option, communicating with the auditee during the audit, is not a responsibility of the individual(s) managing the audit programme, but rather a responsibility of the audit team leader.

Reference: ISO 19011:2018 – Guidelines for auditing management systems

Question #40

Which three of the following work documents are not required for audit planning by an auditor conducting a certification audit?

  • A . An audit plan
  • B . A sample plan
  • C . An organisation’s financial statement
  • D . A checklist
  • E . A career history of the IT manager
  • F . A list of external providers

Correct Answer: C, E, F

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, an auditor conducting a certification audit should prepare for an audit by reviewing relevant information about the auditee’s context and processes. This may include reviewing documented information related to the audited management system (such as policies, procedures, manuals), previous audit reports and records (such as findings, nonconformities, corrective actions), relevant legal and regulatory requirements (such as laws, standards), relevant risks and opportunities (such as internal and external issues), relevant performance indicators (such as objectives, targets), etc. Therefore, an auditor may need work documents such as an audit plan (which defines what will be done during an audit), a sample plan (which defines how many samples will be taken from a population), and a checklist (which helps to ensure that all relevant aspects are covered during an audit). However, an auditor does not need work documents such as an organisation’s financial statement (which is not directly related to information security management), a career history of the IT manager (which is not relevant to assessing conformity with ISO/IEC 27001:2022), or a list of external providers (which is not necessary for planning an audit).

Reference: ISO 19011:2018 – Guidelines for auditing management systems

Question #41

Which three of the following options are an advantage of using a sampling plan for the audit?

  • A . Overrules the auditor’s instincts
  • B . Use of the plan for consecutive audits
  • C . Provides a suitable understanding of the ISMS
  • D . Implements the audit plan efficiently
  • E . Gives confidence in the audit results
  • F . Misses key issues

Correct Answer: C, D, E

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, a sampling plan is a method for selecting a representative subset of the audit evidence from a defined population. A sampling plan can have several advantages for the audit, such as providing a suitable understanding of the ISMS by covering its key processes, activities, and controls; implementing the audit plan efficiently by optimizing the use of time and resources; and giving confidence in the audit results by ensuring that the sample is sufficient, reliable, and unbiased. Therefore, these three options are examples of advantages of using a sampling plan for the audit. The other options are not advantages, but rather disadvantages or risks of using a sampling plan. For example, overruling the auditor’s instincts may lead to missing important evidence or issues that are not covered by the sampling plan; using the same plan for consecutive audits may reduce the effectiveness and validity of the audit results; and missing key issues may result from an inadequate or inappropriate sampling plan.

Reference: ISO 19011:2018 – Guidelines for auditing management systems

Question #42

After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.

Considering this information, what action would you expect the audit team leader to take?

  • A . Increase the length of the Stage 2 audit to include the extra sites
  • B . Obtain information about the additional sites to inform the certification body
  • C . Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform
  • D . Inform the auditee that the request can be accepted but a full Stage 1 audit must be repeated

Correct Answer: B

Explanation:

According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, a certification body should establish criteria for determining audit time and audit team composition based on factors such as the scope of certification, size and complexity of the organization, risks associated with its activities, etc. Therefore, if an auditee requests to extend the audit scope to include two additional sites after completing Stage 1 of an initial certification audit, the audit team leader should obtain information about the additional sites to inform the certification body, so that it can review and approve the change in scope and adjust the audit time and audit team accordingly. The other options are not appropriate actions for the audit team leader to take in this situation. For example, increasing the length of the Stage 2 audit to include the extra sites without informing the certification body may violate its procedures and policies; arranging to complete a remote Stage 1 audit of the two sites using a video conferencing platform may not be feasible or effective depending on the nature and location of the sites; and informing the auditee that the request can be accepted but a full Stage 1 audit must be repeated may not be necessary or reasonable if there are no significant changes in the auditee’s ISMS since Stage 1.

Reference: ISO/IEC 17021-1:2015 Conformity assessment ― Requirements for bodies providing audit and certification of management systems ― Part 1: Requirements

Question #43

DRAG DROP

In regard to generating an audit finding, select the words that best complete the following sentence.

To complete the sentence with the best word(s), click on the blank section you want to complete so that it Is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Correct Answer: Audit evidence should be evaluated against the audit criteria in order to determine audit findings.

Explanation:

Audit evidence is the information obtained by the auditors during the audit process that is used as a basis for forming an audit opinion or conclusion. Audit evidence could include records, documents, statements, observations, interviews, or test results.

Audit criteria are the set of policies, procedures, standards, regulations, or requirements that are used as a reference against which audit evidence is compared. Audit criteria could be derived from internal or external sources, such as ISO standards, industry best practices, or legal obligations.

Audit findings are the results of a process that evaluates audit evidence and compares it against audit criteria. Audit findings can show that audit criteria are being met (conformity) or that they are not being met (nonconformity). They can also identify best practices or improvement opportunities.

Reference:

ISO 19011:2018 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements

Components of Audit Findings – The Institute of Internal Auditors


Question #44

During discussions with the individual(s) managing the audit programme of a certification body, the Management System Representative of the client organisation asks for a specific auditor for the certification audit. Select two of the following options for how the individual(s) managing the audit programme should respond.

  • A . Advise the Management System Representative that his request can be accepted
  • B . Suggest that the Management System Representative chooses another certification body
  • C . State that his request will be considered but may not be taken up
  • D . Suggest asking the certification body management to permit the request
  • E . Advise the Management System Representative that the audit team selection is a decision that the audit programme manager needs to make based on the resources available

Correct Answer: C, E

Explanation:

According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, a certification body must ensure that its auditors are competent and impartial and that auditor selection is free from conflicts of interest. Therefore, if a Management System Representative of a client organization asks for a specific auditor for the certification audit, the individual(s) managing the audit programme should respond in a way that does not compromise these principles or create a conflict of interest or undue influence. Two appropriate responses are to state that the request will be considered but may not be taken up, since other factors affect auditor selection; or to advise the representative that audit team selection is a decision the audit programme manager makes based on the resources available, such as auditor availability, competence and location. The other options are not suitable. Advising the representative that the request can be accepted would raise doubts about the objectivity and credibility of the auditor and the certification body; suggesting that the client choose another certification body implies that the request is unreasonable or unethical; and suggesting that the client ask the certification body's management to permit the request implies that auditor selection is open to negotiation or manipulation.

Reference: ISO/IEC 17021-1:2015 – Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements

Question #45

During an opening meeting of a Stage 2 audit, the Managing Director of the client organisation invites the audit team to view a new company video lasting 45 minutes.

Which two of the following responses should the audit team leader make?

  • A . Advise the Managing Director that the audit team has to keep to the planned schedule
  • B . State that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team
  • C . Invite the Managing Director to the auditors’ hotel for a viewing that evening.
  • D . Suggest that the video could be viewed during a refreshment break
  • E . State that the audit team will make a decision on the viewing at a later time
  • F . Advise the Managing Director that the audit team agrees to his request

Correct Answer: A, D

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, the opening meeting is a formal communication between the audit team and the auditee at the start of the audit. Its purpose is to confirm the audit objectives, scope and criteria, introduce the audit team and their roles, confirm the audit plan and logistics, explain the audit methods and procedures, and establish communication channels. Therefore, if the Managing Director invites the audit team to view a 45-minute company video during the opening meeting of a Stage 2 audit, the audit team leader should respond in a way that keeps the audit effective and on schedule without creating misunderstanding or conflict with the auditee. Two appropriate responses are to advise the Managing Director that the audit team has to keep to the planned schedule, since audit time is limited and has been allocated to specific activities; or to suggest that the video be viewed during a refreshment break, where it may provide useful context without displacing planned audit activities. The other options are not appropriate. Having the audit team leader stay behind to view the video on behalf of the team would implicitly treat it as unimportant to the rest of the team while still consuming the leader's time; inviting the Managing Director to the auditors' hotel for an evening viewing could create an impression of bias or favouritism; deferring the decision to a later time is vague and indecisive; and simply agreeing to the request would consume 45 minutes of planned audit time and shift focus away from the audit objectives.

Reference: ISO 19011:2018 – Guidelines for auditing management systems

Question #46

DRAG DROP

You are an experienced ISMS audit team leader, talking to an Auditor in training who has been assigned to your audit team. You want to ensure that they understand the importance of the Check stage of the Plan-Do-Check-Act cycle in respect of the operation of the information security management system.

You do this by asking him to select the words that best complete the sentence:

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Correct Answer:

Explanation:

Review corresponds to the Check stage, the third stage of the Plan-Do-Check-Act (PDCA) cycle, the four-step model on which an information security management system (ISMS) under ISO/IEC 27001:2022 is operated and improved. Reviewing involves assessing and measuring the performance of the ISMS against the established policies, objectives and criteria.

Assess is the verb that describes the action of reviewing the ISMS. To assess means to evaluate, analyze or measure something in a systematic and objective manner. Assessing the ISMS involves collecting and verifying audit evidence, identifying strengths and weaknesses, and determining the degree of conformity or nonconformity.

Regular is the adjective that describes the frequency or interval of reviewing the ISMS. Regular means occurring or done at fixed or uniform intervals. Reviewing the ISMS at regular intervals means conducting internal audits and management reviews periodically, for example annually, quarterly or monthly, depending on the needs and risks of the organization.

Suitability is one of the attributes that describes the quality or outcome of reviewing the ISMS. Suitability means being appropriate or fitting for a particular purpose, person or situation. Reviewing the ISMS for suitability means ensuring that it remains aligned with the organization's strategic direction, business objectives and information security requirements.

Reference:

ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements

ISO/IEC 27003:2017 Information technology – Security techniques – Information security management systems – Guidance

Assess | Definition of Assess by Merriam-Webster

Regular | Definition of Regular by Merriam-Webster

Suitability | Definition of Suitability by Merriam-Webster


Question #47

You are an ISMS auditor conducting a third-party surveillance audit of a telecoms provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming.

You ask the Chief Tester why and she says, ‘It’s a result of the recent ISMS upgrade. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients’ configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made.’

Based solely on the information above, which clause of ISO/IEC 27001:2022 would you raise a nonconformity against? Select one.

  • A . Clause 7.5 – Documented information
  • B . Clause 8.1 – Operational planning and control
  • C . Clause 10.2 – Nonconformity and corrective action
  • D . Clause 7.3 – Awareness
  • E . Clause 7.2 – Competence
  • F . Clause 7.4 – Communication

Correct Answer: B

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 8.1 requires an organization to plan, implement and control the processes needed to meet its information security requirements and to implement the actions determined in clause 6, by establishing criteria for those processes and controlling them in accordance with the criteria. It also requires the organization to control planned changes and to review the consequences of unintended changes.

Therefore, if an ISMS auditor conducting a third-party surveillance audit of a telecoms provider notes a significant increase in switches failing their initial configuration test and being returned for reprogramming because a recent ISMS change reduced the technicians' access to work instructions, this indicates a nonconformity against clause 8.1 of ISO/IEC 27001:2022: the change was not planned and controlled so as to keep the operational process under control. The other options are not the best clauses to cite on this information alone. Clause 7.5 deals with documented information required by the ISMS, but the work instructions exist and are available online; the problem is the uncontrolled change to how the process is run rather than the documentation itself. Clause 10.2 deals with reacting to a nonconformity that has already been identified and taking corrective action, not with planning and controlling operations. Clause 7.3 deals with awareness of the information security policy, the objectives and the consequences of nonconformity, not with how work instructions are accessed. Clause 7.2 deals with the competence of persons doing work under the organization's control, and nothing suggests the technicians are not competent. Clause 7.4 deals with determining the internal and external communications relevant to the ISMS, not with the operational provision of configuration instructions.

Reference: ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements

Question #48

During a third-party certification audit you are presented with a list of issues by an auditee.

Which four of the following constitute ‘external’ issues in the context of a management system to ISO/IEC 27001:2022?

  • A . A rise in interest rates in response to high inflation
  • B . A reduction in grants as a result of a change in government policy
  • C . Poor levels of staff competence as a result of cuts in training expenditure
  • D . Increased absenteeism as a result of poor management
  • E . Higher labour costs as a result of an aging population
  • F . Inability to source raw materials due to government sanctions
  • G . Poor morale as a result of staff holidays being reduced
  • H . A fall in productivity linked to outdated production equipment

Correct Answer: A, B, E, F

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.1 requires an organization to determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its ISMS. External issues originate outside the organization, for example legal, regulatory, cultural, social, political, economic, natural and competitive factors, and are largely beyond its direct control. Internal issues originate within the organization, for example its governance, structure, roles and responsibilities, policies, objectives, culture, capabilities, resources and information systems. On this basis, the four external issues in the list are: a rise in interest rates in response to high inflation (the economic environment), a reduction in grants as a result of a change in government policy (the political and legal environment), higher labour costs as a result of an aging population (the social and demographic environment), and an inability to source raw materials due to government sanctions (the trade and supply environment).
The other options are internal issues, because they arise from the organization's own decisions and activities: poor levels of staff competence as a result of cuts in training expenditure (capabilities and resources), increased absenteeism as a result of poor management (culture and performance), poor morale as a result of staff holidays being reduced (personnel motivation and satisfaction), and a fall in productivity linked to outdated production equipment (efficiency and quality of the organization's processes).

Reference: ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements

Question #49

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".

You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.

You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.

  • A . Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)
  • B . Collect more evidence on what the service requirements of healthcare monitoring are. (Relevant to clause 4.2)
  • C . Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26)
  • D . Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27)
  • E . Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26)
  • F . Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8)
  • G . Collect more evidence on how and when the company pays the ransom fee to unlock the company’s mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

Correct Answer: B, G

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.2 requires an organization to determine the interested parties relevant to the ISMS, their relevant requirements, and which of those requirements will be addressed through the ISMS; these can include legal, regulatory and contractual requirements. Collecting more evidence on the service requirements of healthcare monitoring therefore concerns the organization's context rather than the incident management process that is the subject of this step of the audit plan, so it is not directly related to the audit objective or criteria and will not be in the audit trail.

Question #50

You are an experienced audit team leader guiding an auditor in training,

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site. Select four controls from the following that would you expect the auditor in training to review.

  • A . The development and maintenance of an information asset inventory
  • B . Rules for transferring information within the organisation and to other organisations
  • C . Confidentiality and nondisclosure agreements
  • D . How protection against malware is implemented
  • E . Access to and from the loading bay
  • F . The conducting of verification checks on personnel
  • G . Remote working arrangements
  • H . How information security has been addressed within supplier agreements
  • I . How the organisation evaluates its exposure to technical vulnerabilities
  • J . The organisation’s business continuity arrangements
  • K . The organisation’s arrangements for information deletion
  • L . Information security awareness, education and training
  • M . How access to source code and development tools are managed
  • N . The operation of the site CCTV and door control systems
  • O . The organisation’s arrangements for maintaining equipment
  • P . How power and data cables enter the building

Correct Answer: D, I, M, N

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), an organization must determine the controls necessary to treat its information security risks, compare them with the reference controls in Annex A, and record the result in the Statement of Applicability (SoA), which lists the controls that are applicable and necessary for the ISMS together with the justification for including or excluding them. Annex A of the 2022 edition is aligned with ISO/IEC 27002:2022 and groups the controls into four themes: organizational, people, physical and technological. The earlier ISO/IEC 27002:2013 catalogue, to which the control numbers below refer, grouped the same controls by domain instead. Therefore, if an auditor in training has been tasked with reviewing the technological controls listed in the SoA and implemented at the site of an organization that stores data on behalf of external clients, the four controls the auditor would be expected to review are:

How protection against malware is implemented: a technological control that aims to prevent, detect and remove malicious software (viruses, worms, ransomware and so on) that could compromise the confidentiality, integrity or availability of information or information systems. This corresponds to control A.12.2.1 of ISO/IEC 27002:2013 (A.8.7 in the 2022 edition).

How the organisation evaluates its exposure to technical vulnerabilities: a technological control that aims to identify and assess weaknesses in information systems or networks that could be exploited by an attacker or cause accidental failure. This corresponds to control A.12.6.1 of ISO/IEC 27002:2013 (A.8.8 in the 2022 edition).

How access to source code and development tools is managed: a technological control that protects the integrity and intellectual property of software developed or maintained by the organization or its external providers. This corresponds to control A.9.4.5 (Access control to program source code) of ISO/IEC 27002:2013 (A.8.4 in the 2022 edition).

The operation of the site CCTV and door control systems: technology used to monitor and restrict physical entry to the premises where information or information systems are stored or processed. This corresponds to control A.11.1.2 (Physical entry controls) of ISO/IEC 27002:2013 (A.7.2 and A.7.4 in the 2022 edition). Note that the 2022 Annex A places physical entry and physical security monitoring under the physical theme, and information deletion (A.8.10) under the technological theme, so an auditor allocating controls by theme should first check which control set the auditee's SoA is built on.

The other options are, with the exception just noted, organizational, people or physical controls rather than technological ones. They may well be relevant to the ISMS audit as a whole, but they fall outside the auditor in training's task. For example (ISO/IEC 27002:2013 numbering, with 2022 numbering in brackets): the development and maintenance of an information asset inventory (A.8.1.1; A.5.9), rules for transferring information within the organization and to other organizations (A.13.2.1; A.5.14), confidentiality and nondisclosure agreements (A.13.2.4; A.6.6), access to and from the loading bay (A.11.1.6; A.7.2), verification checks on personnel (A.7.1.1; A.6.1), remote working arrangements (A.6.2.2; A.6.7), information security within supplier agreements (A.15.1.2; A.5.20), business continuity arrangements (A.17; A.5.29 and A.5.30), information deletion (A.8.3.2; A.8.10), information security awareness, education and training (A.7.2.2; A.6.3), equipment maintenance (A.11.2.4; A.7.13), and how power and data cables enter the building (A.11.2.3; A.7.12).

Reference: ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements; ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls; ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls

Question #51

You are preparing the audit findings. Select two options that are correct.

  • A . There is an opportunity for improvement (OFI). The information security incident training effectiveness can be improved. This is relevant to clause 7.2 and control A.6.3.
  • B . There is no nonconformance. The information security weaknesses, events, and incidents are reported. This conforms with clause 9.1 and control A.5.24.
  • C . There is no nonconformance. The information security handling training has performed, and its effectiveness was evaluated. This conforms with clause 7.2 and control A.6.3.
  • D . There is a nonconformity (NC). Based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel. This is not conforming with clause 9.1 and control A.5.24.
  • E . There is a nonconformity (NC). The information security incident training has failed. This is not conforming with clause 7.2 and control A.6.3.
  • F . There is an opportunity for improvement (OFI). The information security weaknesses, events, and incidents are reported. This is relevant to clause 9.1 and control A.5.24.

Correct Answer: A, D

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 7.2 requires an organization to determine the necessary competence of persons doing work under its control that affects its information security performance, to ensure that they are competent on the basis of education, training or experience, to take actions where needed to acquire the necessary competence, and to evaluate the effectiveness of those actions. Control A.6.3 requires personnel and relevant interested parties to receive appropriate information security awareness, education and training, and regular updates on the organization's policies and procedures, as relevant to their job function. Therefore, if the auditor finds that the staff interviewed understand the terms weakness, event and incident differently, the effectiveness of the incident training can be improved, which is an opportunity for improvement (OFI) relevant to clause 7.2 and control A.6.3.

Clause 9.1 requires an organization to determine what needs to be monitored and measured, the methods to be used, when this is done and by whom, and to evaluate the information security performance and the effectiveness of the ISMS. Control A.5.24 requires the organization to plan and prepare for managing information security incidents by defining, establishing and communicating incident management processes, roles and responsibilities, which includes the procedure for reporting events and weaknesses. Therefore, if none of the sampled interviewees could describe the incident reporting process, including the roles and responsibilities of personnel, the documented procedure is not effectively implemented, which is a nonconformity (NC) against clause 9.1 and control A.5.24.

The other options are not supported by the audit evidence. Options B and F state that weaknesses, events and incidents are being reported, but the interviewed staff could not describe the reporting process, so there is no basis for declaring conformity or merely an opportunity for improvement. Option C states that incident handling training was delivered and its effectiveness evaluated, which the evidence does not show. Option E overstates the finding: that the training has not been fully effective does not by itself demonstrate that the organization failed to meet clause 7.2 or control A.6.3, so the appropriate classification is an OFI rather than an NC.

Reference: ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements; ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls

Question #52

You are an experienced ISMS auditor, currently providing support to an ISMS auditor in training who is carrying out her first initial certification audit. She asks you what she should be verifying when auditing an organisation’s Information Security objectives. You ask her what she has included in her audit checklist and she provides the following replies.

Which three of these responses would cause you concern in relation to conformity with ISO/IEC 27001:2022?

  • A . I am going to check how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved
  • B . I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed
  • C . I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved
  • D . I am going to check that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this
  • E . I am going to check that a completion date has been set for each objective and that there are no objectives with missing ‘achieve by’ dates
  • F . I am going to check that the necessary budget, manpower and materials to achieve each objective has been determined
  • G . I am going to check that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them

Correct Answer: B, C, E

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 6.2 requires an organization to establish information security objectives at relevant functions and levels. The objectives must be consistent with the information security policy; be measurable (if practicable); take into account applicable information security requirements and the results of risk assessment and risk treatment; be monitored; be communicated; be updated as appropriate; and be available as documented information. When planning how to achieve them, the organization must determine what will be done, what resources will be required, who will be responsible, when it will be completed and how the results will be evaluated. Therefore, when auditing an organization's information security objectives, an ISMS auditor should verify these aspects against the audit criteria.

Three responses from the ISMS auditor in training that would cause concern in relation to conformity with ISO/IEC 27001:2022 are:

I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed: This response would cause concern because clause 6.2 requires objectives to be established at relevant functions and levels, not only by top management, and because an organization that has not yet established its objectives does not conform simply by having scheduled the task. The auditor in training is signalling a willingness to accept a postponement that would leave the ISMS without objectives to plan, monitor and evaluate against.

I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved: This response would cause concern because clause 6.2 requires the objectives to be available as documented information, not specifically on paper; electronic records, intranet pages, posters or newsletters are equally acceptable media. It also blurs the objectives themselves, which must be measurable where practicable, with the planning for achieving them (what will be done, the resources, the responsibility, the completion date and how results are evaluated), which clause 6.2 treats as a separate requirement.

I am going to check that a completion date has been set for each objective and that there are no objectives with missing ‘achieve by’ dates: This response would cause concern because it treats objectives as one-off tasks that are closed on a date. Clause 6.2 requires objectives to be monitored and updated as appropriate, and some objectives are ongoing performance targets that are reviewed against evidence rather than ‘achieved by’ a date; an objective without a fixed date is not automatically nonconforming, whereas one that is never monitored or updated when the internal or external context changes is.

The other responses from the auditor in training are acceptable and do not cause concern in relation to conformity with ISO/IEC 27001:2022. Checking how each objective has been communicated to those who need to be aware of it verifies the communication requirement of clause 6.2; checking that there is a process to periodically revisit the objectives, with a view to amending or cancelling them if circumstances require, verifies the updating requirement; checking that the necessary budget, manpower and materials to achieve each objective have been determined verifies the planning requirement to determine what resources will be required; and checking that the objectives are measurable, so that progress against them can be tracked, verifies the measurability requirement.

Reference: ISO/IEC 27001:2022 – Information technology – Security techniques – Information security management systems – Requirements

Question #53

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee’s data centre with another member of your audit team.

Your colleague seems unsure as to the difference between an information security event and an information security incident. You attempt to explain the difference by providing examples.

Which three of the following scenarios can be defined as information security incidents?

  • A . The organisation’s malware protection software prevents a virus
  • B . A hard drive is used after its recommended replacement date
  • C . The organisation receives a phishing email
  • D . An employee fails to clear their desk at the end of their shift
  • E . A contractor who has not been paid deletes top management ICT accounts
  • F . An unhappy employee changes payroll records without permission
  • G . The organisation fails a third-party penetration test
  • H . The organisation’s marketing data is copied by hackers and sold to a competitor

Correct Answer: E, F, H

Explanation:

According to ISO/IEC 27000:2018, which provides an overview and vocabulary of information security management systems, an information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant. An information security incident is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. Therefore, based on this definition, three examples of information security incidents are:

A contractor who has not been paid deletes top management ICT accounts: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in loss of access, data, or functionality for the top management.

An unhappy employee changes payroll records without permission: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in financial fraud, legal liability, or reputational damage for the organization.

The organisation’s marketing data is copied by hackers and sold to a competitor: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in loss of confidentiality, competitive advantage, or customer trust for the organization.

The other options are not examples of information security incidents, but rather information security events that may or may not lead to incidents depending on their impact and severity. For example:

The organisation’s malware protection software prevents a virus: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, as it is prevented by the malware protection software.

A hard drive is used after its recommended replacement date: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless it fails or causes other problems.

The organisation receives a phishing email: This is an example of an identified occurrence of a network state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless it is opened or responded to by the recipient.

An employee fails to clear their desk at the end of their shift: This is an example of an identified occurrence of a service state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless the desk contains sensitive or confidential information that is accessed by unauthorized persons.

The organisation fails a third-party penetration test: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless the penetration test reveals serious vulnerabilities that are exploited by malicious actors.

Reference: ISO/IEC 27000:2018 – Information technology – Security techniques – Information security management systems – Overview and vocabulary

Question #54

You are performing an ISMS audit at a nursing home where residents always wear an electronic wristband for monitoring their location, heartbeat, and blood pressure. The wristband automatically uploads this data to a cloud server for healthcare monitoring and analysis by staff.

You now wish to verify that the information security policy and objectives have been established by top management. You are sampling the mobile device policy and identify that a security objective of this policy is "to ensure the security of teleworking and use of mobile devices". The policy states the following controls will be applied in order to achieve this:

Personal mobile devices are prohibited from connecting to the nursing home network, processing, and storing residents’ data.

The company’s mobile devices within the ISMS scope shall be registered in the asset register. The company’s mobile devices shall implement or enable physical protection, i.e., pin-code protected screen lock/unlock, facial or fingerprint to unlock the device.

The company’s mobile devices shall have a regular backup.

To verify that the mobile device policy and objectives are implemented and effective, select three options for your audit trail.

  • A . Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home
  • B . Review visitors’ register book to make sure no visitor can have their personal mobile phone in the nursing home
  • C . Review the internal audit report to make sure the IT department has been audited
  • D . Review the asset register to make sure all personal mobile devices are registered
  • E . Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register
  • F . Review the asset register to make sure all company’s mobile devices are registered
  • G . Interview the supplier of the devices to make sure they are aware of the ISMS policy
  • H . Interview top management to verify their involvement in establishing the information security policy and the information security objectives

Correct Answer: C, E, F

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 5.2 requires top management to establish an information security policy that provides the framework for setting information security objectives. Clause 6.2 requires top management to ensure that the information security objectives are established at relevant functions and levels. Therefore, when verifying that the information security policy and objectives have been established by top management, an ISMS auditor should review relevant documents and records that demonstrate top management’s involvement and commitment.

To verify that the mobile device policy and objectives are implemented and effective, an ISMS auditor should review relevant documents and records that demonstrate how the policy and objectives are communicated, monitored, measured, analyzed, and evaluated. The auditor should also sample and verify the implementation of the controls that are stated in the policy.

Three options for the audit trail that are relevant to verifying the mobile device policy and objectives are:

Review the internal audit report to make sure the IT department has been audited: This option is relevant because it can provide evidence of how the IT department, which is responsible for managing the mobile devices and their security, has been evaluated for its conformity and effectiveness in implementing the mobile device policy and objectives. The internal audit report can also reveal any nonconformities, corrective actions, or opportunities for improvement related to the mobile device policy and objectives.

Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register: This option is relevant because it can provide evidence of how the mobile devices that are used by the medical staff, who are involved in processing and storing residents’ data, are registered in the asset register and have physical protection enabled. This can verify the implementation and effectiveness of two of the controls that are stated in the mobile device policy.

Review the asset register to make sure all company’s mobile devices are registered: This option is relevant because it can provide evidence of how the company’s mobile devices that are within the ISMS scope are identified and accounted for. This can verify the implementation and effectiveness of one of the controls that are stated in the mobile device policy.

The other options for the audit trail are not relevant to verifying the mobile device policy and objectives, as they are not related to the policy or objectives or their implementation or effectiveness.

For example:

Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding physical security or access control, but not specifically to mobile devices.

Review visitors’ register book to make sure no visitor can have their personal mobile phone in the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security awareness or compliance, but not specifically to mobile devices.

Interview the supplier of the devices to make sure they are aware of the ISMS policy: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security within supplier relationships, but not specifically to mobile devices.

Interview top management to verify their involvement in establishing the information security policy and the information security objectives: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to verifying that the information security policy and objectives have been established by top management, but not specifically to mobile devices.

Reference: ISO/IEC 27001:2022 – Information technology – Security techniques – Information security management systems – Requirements

Question #55

The data center at which you work is currently seeking ISO/IEC 27001:2022 certification. In preparation for your initial certification visit a number of internal audits have been carried out by a colleague working at another data centre within your Group. They secured their ISO/IEC 27001:2022 certificate earlier in the year.

You have just qualified as an Internal ISMS auditor and your manager has asked you to review the audit process and audit findings as a final check before the external Certification Body arrives.

Which six of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements?

  • A . The audit programme shows management reviews taking place at irregular intervals during the year
  • B . Audit reports are not held in hardcopy (i.e. on paper). They are only stored as ".PDF" documents on the organisation’s intranet
  • C . The audit programme does not take into account the relative importance of information security processes
  • D . The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022
  • E . Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date
  • F . Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes
  • G . The audit programme does not reference audit methods or audit responsibilities
  • H . The audit programme does not take into account the results of previous audits
  • I . Top management commitment to the ISMS will not be audited before the certification visit, according to the audit programme
  • J . The audit process states the results of audits will be made available to ‘relevant’ managers, not top management

Correct Answer: A, C, E, F, H, I

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 9.3 requires top management to review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness. Clause 9.2 requires the organization to conduct internal audits at planned intervals to provide information on whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022, and is effectively implemented and maintained.

Therefore, when reviewing the audit process and audit findings as a final check before the external certification body arrives, an internal ISMS auditor should verify that these clauses are met in accordance with the audit criteria.

Six of the following statements would cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:

The audit programme shows management reviews taking place at irregular intervals during the year: This statement would cause concern because it implies that the organization is not conducting management reviews at planned intervals, as required by clause 9.3. This may affect the ability of top management to ensure the continuing suitability, adequacy and effectiveness of the ISMS.

The audit programme does not take into account the relative importance of information security processes: This statement would cause concern because it implies that the organization is not applying a risk-based approach to determine the audit frequency, methods, scope and criteria, as recommended by ISO 19011:2018, which provides guidelines for auditing management systems. This may affect the ability of the organization to identify and address the most significant risks and opportunities for its ISMS.

Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date: This statement would cause concern because it implies that the organization is not establishing audit criteria for each internal audit, as required by clause 9.2. Audit criteria are the set of policies, procedures or requirements used as a reference against which audit evidence is compared. Without audit criteria, it is not possible to determine whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022.

Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes: This statement would cause concern because it implies that the organization is not evaluating the effectiveness of ISMS processes, as required by clause

Question #57

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation’s application of control 5.7 – Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly. They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control’s requirements.

Which three of the following options represent valid audit trails?

  • A . I will review the organisation’s threat intelligence process and will ensure that this is fully documented
  • B . I will speak to top management to make sure all staff are aware of the importance of reporting threats
  • C . I will ensure that the task of producing threat intelligence is assigned to the organisation’s internal audit team
  • D . I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation’s information assets
  • E . I will ensure that the organisation’s risk assessment process begins with effective threat intelligence
  • F . I will determine whether internal and external sources of information are used in the production of threat intelligence
  • G . I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
  • H . I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements

Correct Answer: A, D, F

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control 5.7 requires an organization to establish and maintain a threat intelligence process to identify and evaluate information security threats that are relevant to its ISMS scope and objectives. The organization should use internal and external sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that can be used to support risk assessment and treatment, as well as other information security activities. Therefore, when auditing the organization’s application of control 5.7, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Three options that represent valid audit trails for verifying control 5.7 are:

I will review the organisation’s threat intelligence process and will ensure that this is fully documented: This option is valid because it can provide evidence of how the organization has established and maintained a threat intelligence process that is consistent with its ISMS scope and objectives. It can also verify that the process is documented according to clause 7.5 of ISO/IEC 27001:2022.

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation’s information assets: This option is valid because it can provide evidence of how the organization has used threat intelligence to support its risk assessment and treatment, as well as other information security activities, such as incident response, awareness, or monitoring. It can also verify that the organization has achieved its information security objectives according to clause 6.2 of ISO/IEC 27001:2022.

I will determine whether internal and external sources of information are used in the production of threat intelligence: This option is valid because it can provide evidence of how the organization has used various sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that is relevant and reliable. It can also verify that the organization has complied with the requirement of control 5.7 of ISO/IEC 27001:2022.

The other options are not valid audit trails for verifying control 5.7, as they are not related to the control or its requirements.

For example:

I will speak to top management to make sure all staff are aware of the importance of reporting threats: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding information security awareness or communication, but not specifically to control 5.7.

I will ensure that the task of producing threat intelligence is assigned to the organisation’s internal audit team: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also contradict the requirement for auditor independence and objectivity, as recommended by ISO 19011:2018, which provides guidelines for auditing management systems.

I will ensure that the organisation’s risk assessment process begins with effective threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also imply a prescriptive approach to risk assessment that is not consistent with ISO/IEC 27005:2018, which provides guidelines for information security risk management.

I will review how information relating to information security threats is collected and evaluated to produce threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also be too vague or broad to be an effective audit trail, as it does not specify what criteria or methods are used for collecting and evaluating information.

I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding management review or performance evaluation, but not specifically to control 5.7.

Reference: ISO/IEC 27001:2022 – Information technology – Security techniques – Information security management systems – Requirements; ISO 19011:2018 – Guidelines for auditing management systems; ISO/IEC 27005:2018 – Information technology – Security techniques – Information security risk management

Question #58

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security of the business continuity management process. During the audit, you learned that the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the recent pandemic. You ask Service Manager to explain how the organisation manages information security during the business continuity management process.

The Service Manager presents the nursing service continuity plan for a pandemic and summarises the process as follows:

Stop the admission of any NEW residents.

70% of administration staff and 30% of medical staff will work from home.

Regular staff self-testing including submitting a negative test report 1 day BEFORE they come to the office.

Install ABC’s healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking on the spot.

You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents’ personal data when staff work from home. The Service Manager cannot answer and suggests the Security Manager should help with that.

You would like to further investigate other areas to collect more audit evidence. Select three options that will be in your audit trail.

  • A . Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)
  • B . Collect more evidence by interviewing more staff about their feeling about working from home. (Relevant to clause 4.2)
  • C . Collect more evidence on what resources the organisation provides to support the staff working from home. (Relevant to clause 7.1)
  • D . Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6)
  • E . Collect more evidence on how and when the Business Continuity Plan has been tested. (Relevant to control A.5.29)
  • F . Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2)

Correct Answer: A, E, F

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.5.29 requires an organization to establish and maintain a business continuity management process to ensure the continued availability of information and information systems at the required level following disruptive incidents. The organization should identify and prioritize critical information assets and processes, assess the risks and impacts of disruptive incidents, develop and implement business continuity plans (BCPs), test and review the BCPs, and ensure that relevant parties are aware of their roles and responsibilities. Therefore, when verifying the information security of the business continuity management process, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Three options that will be in the audit trail for verifying control A.5.29 are:

Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to protect the confidentiality, integrity and availability of information and information systems when staff work from home using mobile devices, such as laptops, tablets or smartphones. This is related to control A.6.7, which requires an organization to establish a policy and procedures for teleworking and use of mobile devices.

Collect more evidence on how and when the Business Continuity Plan has been tested (Relevant to control A.5.29): This option is relevant because it can provide evidence of how the organization has tested and reviewed the BCPs to ensure their effectiveness and suitability for different scenarios, such as a pandemic. This is related to control A.5.29, which requires an organization to test and review the BCPs at planned intervals or when significant changes occur [1].

Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to prevent or reduce the risk of infection or transmission of diseases among staff or residents, such as requiring regular staff self-testing and using a health status app. This is related to control A.7.2, which requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect [1].

The other options are not relevant to verifying control A.5.29, as they are not related to the control or its requirements.

For example:

Collect more evidence by interviewing more staff about their feeling about working from home (Relevant to clause 4.2): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 4.2, which requires an organization to understand the needs and expectations of interested parties, but not specifically to control A.5.29.

Collect more evidence on what resources the organisation provides to support the staff working from home (Relevant to clause 7.1): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 7.1, which requires an organization to determine and provide the resources needed for its ISMS, but not specifically to control A.5.29.

Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home (Relevant to clause 6): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 6, which requires an organization to plan actions to address risks and opportunities for its ISMS, but not specifically to control A.5.29.

Reference: ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements

Question #59

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee’s data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and combination number provided by the centre’s reception desk to gain access to a client’s suite to carry out authorised electrical repairs.

You go to reception and ask to see the door access record for the client’s suite. This indicates only one card was swiped. You ask the receptionist and they reply, "Yes, it’s a common problem. We ask everyone to swipe their cards but with contractors especially, one tends to swipe and the rest simply ‘tailgate’ their way in, but we know who they are from the reception sign-in."

Based on the scenario above which one of the following actions would you now take?

  • A . Take no action. Irrespective of any recommendations, contractors will always act in this way
  • B . Raise a nonconformity against control A.5.20 ‘addressing information security in supplier relationships’ as information security requirements have not been agreed upon with the supplier
  • C . Raise a nonconformity against control A.7.6 ‘working in secure areas’ as security measures for working in secure areas have not been defined
  • D . Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV
  • E . Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities
  • F . Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times
  • G . Raise a nonconformity against control A.7.2 ‘physical entry’ as a secure area is not adequately protected
  • H . Tell the organisation they must write to their contractors, reminding them of the need to use access cards appropriately


Correct Answer: G

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control

Question #60

DRAG DROP

You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.

Match each of the descriptions provided to one of the following risk management processes.

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.


Correct Answer:

Explanation:

Risk analysis is the process by which the nature of the risk is determined along with its probability and impact. Risk analysis involves estimating the likelihood and consequences of potential events or situations that could affect the organization’s information security objectives or requirements [1][2]. Risk analysis could use qualitative or quantitative methods, or a combination of both [1][2].

Risk management is the process by which a risk is controlled at all stages of its life cycle by means of the application of organisational policies, procedures and practices. Risk management involves establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing the risks that could affect the organization’s information security performance or compliance [1][2]. Risk management aims to ensure that risks are identified and treated in a timely and effective manner, and that opportunities for improvement are exploited [1][2].

Risk identification is the process by which a risk is recognised and described. Risk identification involves identifying and documenting the sources, causes, events, scenarios, and potential impacts of risks that could affect the organization’s information security objectives or requirements [1][2]. Risk identification could use various techniques, such as brainstorming, interviews, checklists, surveys, or historical data [1][2].

Risk evaluation is the process by which the impact and/or probability of a risk is compared against risk criteria to determine if it is tolerable. Risk evaluation involves comparing the results of risk analysis with predefined criteria that reflect the organization’s risk appetite, tolerance, or acceptance [1][2]. Risk evaluation could use various methods, such as ranking, scoring, or a matrix [1][2]. Risk evaluation helps to prioritize and decide on the appropriate risk treatment options [1][2].

Risk mitigation is the process by which the impact and/or probability of a risk is reduced by means of the application of controls. Risk mitigation involves selecting and implementing measures that are designed to prevent, reduce, transfer, or accept risks that could affect the organization’s information security objectives or requirements [1][2]. Risk mitigation could include various types of controls, such as technical, organizational, legal, or physical [1][2]. Risk mitigation should be based on a cost-benefit analysis and a residual risk assessment [1][2].

Risk transfer is the process by which a risk is passed to a third party, for example through obtaining appropriate insurance. Risk transfer involves sharing or shifting some or all of the responsibility or liability for a risk to another party that has more capacity or capability to manage it [1][2]. Risk transfer could include various methods, such as contracts, agreements, partnerships, outsourcing, or insurance [1][2]. Risk transfer should not be used as a substitute for effective risk management within the organization [1][2].

Reference:

ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements

ISO/IEC 27005:2022 Information technology ― Security techniques ― Information security risk management


Question #61

You are performing an ISMS initial certification audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to conduct the closing meeting.

During the final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and 1 opportunity for improvement as below:

Select one option of the recommendation to the audit programme manager you are going to advise to the auditee at the closing meeting.

  • A . Recommend certification immediately
  • B . Recommend that a full scope re-audit is required within 6 months
  • C . Recommend that an unannounced audit is carried out at a future date
  • D . Recommend certification after your approval of the proposed corrective action plan. Recommend that the findings can be closed out at a surveillance audit in 1 year
  • E . Recommend that a partial audit is required within 3 months


Correct Answer: D

Explanation:

According to ISO/IEC 17021-1:2015, which specifies the requirements for bodies providing audit and certification of management systems, clause 9.4.9 requires the certification body to make a certification decision based on the information obtained during the audit and any other relevant information [1]. The certification body should also consider the effectiveness of the corrective actions taken by the auditee to address any nonconformities identified during the audit [1]. Therefore, when making a recommendation to the audit programme manager, an ISMS auditor should consider the nature and severity of the nonconformities and the proposed corrective actions.

Based on the scenario above, the auditor should recommend certification after their approval of the proposed corrective action plan and recommend that the findings can be closed out at a surveillance audit in 1 year. The auditor should provide the following justification for their recommendation:

Justification: This recommendation is appropriate because it reflects the fact that the auditee has only two minor nonconformities and one opportunity for improvement, which do not indicate a significant or systemic failure of their ISMS. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity [2]. An opportunity for improvement is defined as a suggestion for improvement beyond what is required by ISO/IEC 27001:2022 [2]. Therefore, these findings do not prevent or preclude certification, as long as they are addressed by appropriate corrective actions within a reasonable time frame. The auditor should approve the proposed corrective action plan before recommending certification, to ensure that it is realistic, achievable, and effective. The auditor should also recommend that the findings can be closed out at a surveillance audit in 1 year, to verify that the corrective actions have been implemented and are working as intended.

The other options are not valid recommendations for the audit programme manager, as they are either too lenient or too strict for the given scenario.

For example:

Recommend certification immediately: This option is not valid because it implies that the auditor ignores or accepts the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:2018 [2], which provides guidelines for auditing management systems. It also contradicts the requirement of ISO/IEC 17021-1:2015 [1], which requires the certification body to consider the effectiveness of the corrective actions taken by the auditee before making a certification decision.

Recommend that a full scope re-audit is required within 6 months: This option is not valid because it implies that the auditor overreacts or exaggerates the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:2018 [2]. It also contradicts the requirement of ISO/IEC 17021-1:2015 [1], which requires the certification body to determine whether a re-audit is necessary based on the nature and extent of nonconformities and other relevant factors. A full scope re-audit is usually reserved for major nonconformities or multiple minor nonconformities that indicate a serious or widespread failure of an ISMS.

Recommend that an unannounced audit is carried out at a future date: This option is not valid because it implies that the auditor distrusts or doubts the auditee’s commitment or capability to implement corrective actions, which is contrary to the audit principles and objectives of ISO 19011:2018 [2]. It also contradicts the requirement of ISO/IEC 17021-1:2015 [1], which requires the certification body to conduct unannounced audits only under certain conditions, such as when there are indications of serious problems with an ISMS or when required by sector-specific schemes.

Recommend that a partial audit is required within 3 months: This option is not valid because it implies that the auditor imposes or prescribes a specific time frame or scope for verifying corrective actions, which is contrary to the audit principles and objectives of ISO 19011:2018 [2]. It also contradicts the requirement of ISO/IEC 17021-1:2015 [1], which requires the certification body to determine whether a partial audit is necessary based on the nature and extent of nonconformities and other relevant factors. A partial audit may be appropriate for minor nonconformities, but the time frame and scope should be agreed upon with the auditee and based on the proposed corrective action plan.

Reference: ISO/IEC 17021-1:2015 Conformity assessment ― Requirements for bodies providing audit and certification of management systems ― Part 1: Requirements; ISO 19011:2018 Guidelines for auditing management systems

Question #62

You are an ISMS audit team leader tasked with conducting a follow-up audit at a client’s data centre. Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding. Select four options for the actions you could take.

  • A . Book another follow-up audit on-site to review the one outstanding minor nonconformity once it has been cleared
  • B . Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit
  • C . Advise the auditee that you will arrange an online audit to deal with the outstanding nonconformity
  • D . Note the progress made but hold the audit open until all corrective action has been cleared
  • E . Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified
  • F . Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity
  • G . Recommend suspension of the organisation’s certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale
  • H . Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised


Correct Answer: B, E, F, H

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, clause 6.7 requires the audit team leader to conduct a follow-up audit to verify the implementation and effectiveness of the corrective actions taken by the auditee in response to the nonconformities identified during a previous audit [1]. The follow-up audit should be conducted in accordance with the same principles and processes as the initial audit, and should result in a conclusion on the status of the nonconformities and any remaining issues [1]. Therefore, when conducting a follow-up audit, an ISMS auditor should consider the following actions:

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit: This action is appropriate because it reflects the fact that the auditee has cleared most of the nonconformities, including the major one, and only one minor nonconformity remains outstanding. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity [2]. Therefore, this finding does not prevent or preclude the continuation of certification, as long as it is addressed by appropriate corrective actions within a reasonable time frame. The auditor should recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit, which is a regular audit conducted by the certification body to confirm the ongoing conformity and effectiveness of an ISMS [3].

Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified: This action is appropriate because it reflects the fact that the auditee has demonstrated commitment and capability to implement corrective actions for the nonconformities identified during the previous audit. The auditor should agree with the auditee/audit client on a realistic, achievable, and effective corrective action plan for the remaining nonconformity, including a clear deadline and verification method. The auditor should also document this agreement in the follow-up audit report [1].

Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity: This action is appropriate because it reflects the fact that the auditor has followed a systematic and consistent approach to conducting and reporting the follow-up audit. The auditor should advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity, such as recommending its closure at the next surveillance audit or agreeing on a corrective action plan with the auditee/audit client. The auditor should also provide sufficient information and evidence to support their decision [1].

Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised: This action is appropriate because it reflects the fact that the organisation has achieved satisfactory results in the follow-up audit. The auditor should close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised by implementing effective corrective actions for most of them and agreeing on a plan for the remaining one. The auditor should also communicate the follow-up audit conclusion to the auditee/audit client and other relevant parties [1].

Question #63

You are an experienced ISMS audit team leader guiding an auditor in training. Your team has just completed a third-party surveillance audit of a mobile telecom provider. The auditor in training asks you how you intend to prepare for the Closing meeting.

Which four of the following are appropriate responses?

  • A . I will advise the auditee that the purpose of the closing meeting is for the audit team to communicate our findings. It is not an opportunity for the auditee to challenge the findings
  • B . I will instruct my audit team to wait outside the auditee’s offices so we can leave as quickly as possible after the closing meeting. This saves our time and the client’s time too
  • C . It is not necessary to prepare for the closing meeting. Once you have carried out as many audits as I have you already know what needs to be discussed
  • D . I will schedule a closing meeting with the auditee’s representatives at which the audit conclusions will be presented
  • E . I will contact head office to ensure our invoice has been paid, If not, I will cancel the closing meeting and temporarily withhold the audit report
  • F . I will discuss any follow-up required with my audit team
  • G . I will review and, as appropriate, approve my team's audit conclusions
  • H . I will review the audit evidence and the audit findings with the rest of the team


Correct Answer: A, D, F, H

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, clause 6.6 requires the audit team leader to conduct a closing meeting with the auditee’s representatives at the end of the audit to present the audit conclusions and any findings [1]. The closing meeting should also provide an opportunity for the auditee to ask questions, clarify issues, acknowledge the findings, and comment on the audit process [1].

Therefore, when preparing for the closing meeting, an ISMS auditor should consider the following actions:

I will advise the auditee that the purpose of the closing meeting is for the audit team to communicate our findings. It is not an opportunity for the auditee to challenge these: This action is appropriate because it reflects the fact that the auditor has followed a systematic and consistent approach to collecting and evaluating audit evidence and reaching audit conclusions. The auditor should advise the auditee that the purpose of the closing meeting is for the audit team to communicate their findings, which are based on objective evidence and professional judgement. The auditor should also explain that it is not an opportunity for the auditee to challenge these findings, as they have already been discussed and confirmed during the audit. However, the auditor should also invite the auditee to ask questions, clarify issues, acknowledge the findings, and comment on the audit process [1].

I will schedule a closing meeting with the auditee’s representatives at which the audit conclusions will be presented: This action is appropriate because it reflects the fact that the auditor has followed a planned and agreed audit programme and schedule. The auditor should schedule a closing meeting with the auditee’s representatives at which the audit conclusions will be presented, in accordance with clause 6.6 of ISO 19011:2018 [1]. The auditor should also ensure that the closing meeting is attended by those responsible for managing or implementing the ISMS, as well as any other relevant parties [1].

I will discuss any follow-up required with my audit team: This action is appropriate because it reflects the fact that the auditor has followed a risk-based approach to determining and reporting any follow-up actions required by the auditee or the certification body. The auditor should discuss any follow-up required with their audit team, such as verifying corrective actions for nonconformities or conducting a subsequent audit [1]. The auditor should also document any follow-up actions in the audit report [1].

I will review and, as appropriate, approve my team's audit conclusions: This action is appropriate because it reflects the fact that the auditor has followed a rigorous and professional process for reaching and reporting audit conclusions. The auditor should review and, as appropriate, approve their team's audit conclusions, which are based on objective evidence and professional judgement. The auditor should also ensure that their team's audit conclusions are consistent with the audit objectives and scope, and reflect the overall performance and conformity of the ISMS [1].

Question #64

You are an experienced ISMS audit team leader guiding an auditor in training. You are testing her understanding of follow-up audits by asking her a series of questions to which the answer is either "true" or "false".

For which four of the following questions should the answer be "true"?

  • A . A follow-up audit may be carried out where nonconformities are major
  • B . A follow-up audit may be carried out where nonconformities are minor
  • C . The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified
  • D . The outcome of a follow-up audit could lower a major nonconformity to minor status
  • E . The outcome of a follow-up audit could be a recommendation to suspend the client’s certification
  • F . The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client
  • G . A follow-up audit is required in all instances where nonconformities have been identified
  • H . A follow-up audit is required only in instances where a major nonconformity has been identified


Correct Answer: A, B, C, F

Explanation:

A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization’s management system to achieve its intended results, and therefore requires immediate corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system [1][2].

A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system [1][2].

The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because the top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee [1][3].

The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee [1][3].

Reference:

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements

ISO/IEC 17021-1:2022 Conformity assessment ― Requirements for bodies providing audit and certification of management systems ― Part 1: Requirements

Question #65

DRAG DROP

As the ISMS audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.

Complete the sentence with the best word(s). Click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.


Correct Answer:

Explanation:

The purpose of including access rights in an information management system to ISO/IEC 27001:2022 is to provide, review, modify and remove these permissions in accordance with the organisation’s policy and rules for access control.

Access rights are the permissions granted to users or groups of users to access, use, modify, or delete information assets. Access rights should be aligned with the organisation’s access control policy, which defines the objectives, principles, roles, and responsibilities for managing access to information systems. Access rights should also follow the organisation’s rules for access control, which specify the criteria, procedures, and controls for granting, reviewing, modifying, and revoking access rights. The purpose of including access rights in an information management system is to ensure that only authorised users can access information assets according to their business needs and roles, and to prevent unauthorised or inappropriate access that could compromise the confidentiality, integrity, or availability of information assets.

Reference: ISO/IEC 27001:2022 Annex A Control 5.18 [1]

ISO/IEC 27002:2022 Control 5.18 [2]

CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Training Course [3]


Question #66

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

  • A . 5.11 Return of assets
  • B . 8.12 Data leakage protection
  • C . 5.3 Segregation of duties
  • D . 6.3 Information security awareness, education, and training
  • E . 7.10 Storage media
  • F . 8.3 Information access restriction
  • G . 5.6 Contact with special interest groups
  • H . 6.4 Disciplinary process
  • I . 7.4 Physical security monitoring
  • J . 5.13 Labelling of information
  • K . 5.32 Intellectual property rights

Correct Answer: BDEFIJ

Explanation:

B. 8.12 Data leakage prevention. The parcels contain personal data, medical material and identity documents, so the auditee should have measures that stop that information going to the wrong recipient; a mis-addressed or doubly labelled parcel is a data leak in physical form. Data leakage prevention measures could include verification at the point of labelling, controlled handling of returned items, access control, and logging and monitoring of despatches.

D. 6.3 Information security awareness, education, and training. The auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, understand why mis-addressed items matter, and have received appropriate training on how to handle and protect the information assets in their custody. This could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms.

E. 7.10 Storage media. The auditee should have implemented controls to protect storage media that contain information assets from unauthorised access, misuse, theft, loss, or damage, including while items are in transit or awaiting re-despatch. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks. Controls could include physical locks, encryption, backup, and secure disposal or destruction.

F. 8.3 Information access restriction. The auditee should have implemented controls to restrict access to information assets on the principle of least privilege and the need-to-know basis, so that despatch staff and others handle only the parcels and records their role requires. Information access restriction could include identification, authentication, authorisation, accountability, and auditability of users and systems that access information assets.

I. 7.4 Physical security monitoring. The auditee should have implemented controls to monitor the physical security of the premises where parcels and their associated records are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols, and helps detect and deter unauthorised physical access or intrusion attempts.

J. 5.13 Labelling of information. The auditee should have implemented controls to label information assets according to their classification level and handling instructions and, in this scenario, to ensure that a single correct label is applied to each parcel. Labelling could include markings, tags, stamps, stickers, or barcodes, and helps identify and protect information assets from unauthorised disclosure or misuse.

Reference:

ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection ― Information security controls

ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection ― Information security management systems ― Requirements

ISO/IEC 27003:2017 Information technology ― Security techniques ― Information security management systems ― Guidance

ISO/IEC 27004:2016 Information technology ― Security techniques ― Information security management systems ― Monitoring, measurement, analysis and evaluation

ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection ― Guidance on managing information security risks

ISO/IEC 27006:2015 Information technology ― Security techniques ― Requirements for bodies providing audit and certification of information security management systems

ISO/IEC 27007:2020 Information security, cybersecurity and privacy protection ― Guidelines for information security management systems auditing

Question #67

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity against ISO 27001:2022 based on the lack of control of the labelling process.

At the closing meeting, the Shipping Manager issues an apology to you that his comments may have been misunderstood. He says that he did not realise that there is a background IT process that automatically checks that the right label goes onto the right parcel otherwise the parcel is ejected at labelling. He asks that you withdraw your nonconformity.

Select three options of the correct responses that you as the audit team leader would make to the request of the Shipping Manager.

  • A . Advise the Shipping Manager that his request will be included in the audit report
  • B . Advise management that the new information provided will be discussed when the auditors have more time
  • C . Inform the Shipping Manager that the nonconformity is minor and should be quickly corrected
  • D . Ask the audit team members to state what they think should happen
  • E . Inform him of your understanding and withdraw the nonconformity
  • F . Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed
  • G . Advise the Shipping Manager that the nonconformity must stand since the evidence obtained for it was clear
  • H . Indicate that the nonconformity is evidence of a deeper system failure that needs to be rectified

Correct Answer: ABF

Question #68

Which two of the following statements are true?

  • A . The benefits of implementing an ISMS primarily result from a reduction in information security risks
  • B . The benefit of certifying an ISMS is to obtain contracts from governmental institutions
  • C . The purpose of an ISMS is to apply a risk management process for preserving information security
  • D . The purpose of an ISMS is to demonstrate compliance with regulatory requirements

Correct Answer: AC

Explanation:

Statements A and C are true. The benefits of implementing an ISMS primarily result from a reduction in information security risk; the further benefits usually cited, such as improved business performance, customer satisfaction, legal compliance and stakeholder confidence, follow from that reduction. The purpose of an ISMS is to apply a risk management process for preserving the confidentiality, integrity and availability of information, which means identifying, analysing, evaluating, treating, monitoring and reviewing the information security risks the organisation faces. Statement B is false: certification may help win contracts, including with governmental institutions, but its benefit is to demonstrate the organisation's commitment to information security to customers, partners and regulators generally. Statement D is false: demonstrating compliance with regulatory requirements can be an outcome of an ISMS, but it is not its purpose, which is to meet the organisation's own information security objectives and obligations through managed risk.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB

ISO/IEC 27001:2013 Information technology ― Security techniques ― Information security management systems ― Requirements [Section 0.1] and [Section 1]

Question #69

DRAG DROP

The following options are key actions involved in a first-party audit.

Order the stages to show the sequence in which the actions should take place.

Correct Answer:

Explanation:

The correct order of the stages is:

Prepare the audit checklist

Gather objective evidence

Review audit evidence

Document findings

Audit preparation: This stage involves defining the audit objectives, scope, criteria, and plan. The auditor also prepares the audit checklist, which is a list of questions or topics that will be covered during the audit. The audit checklist helps the auditor to ensure that all relevant aspects of the ISMS are addressed and that the audit evidence is collected in a systematic and consistent manner.

Audit execution: This stage involves conducting the audit activities, such as the opening meeting, interviews, observations, document review, and closing meeting. The auditor gathers objective evidence, which is any information that supports the audit findings and conclusions. Objective evidence can be qualitative or quantitative, and can be obtained from various sources, such as records, statements, physical objects, or observations.

Audit reporting: This stage involves reviewing the audit evidence, evaluating the audit findings, and documenting the audit results. The auditor reviews the audit evidence to determine whether it is sufficient, reliable, and relevant to support the audit findings. The auditor evaluates the audit findings to determine the degree of conformity or nonconformity of the ISMS with the audit criteria. The auditor documents the audit results in an audit report, which is a formal record of the audit process and outcomes. The audit report typically includes the following elements:

An introduction clarifying the scope, objectives, timing and extent of the work performed

An executive summary indicating the key findings, a brief analysis and a conclusion

The intended report recipients and, where appropriate, guidelines on classification and circulation

Detailed findings and analysis

Recommendations for improvement, where applicable

A statement of conformity or nonconformity with the audit criteria

Any limitations or exclusions of the audit scope or evidence

Any deviations from the audit plan or procedures

Any unresolved issues or disagreements between the auditor and the auditee

A list of references, abbreviations, and definitions used in the report

A list of appendices, such as audit plan, audit checklist, audit evidence, audit team members, etc.

Audit follow-up: This stage involves verifying the implementation and effectiveness of the corrective actions taken by the auditee to address the audit findings. The auditor monitors the progress and completion of the corrective actions, and evaluates their impact on the ISMS performance and conformity. The auditor may conduct a follow-up audit to verify the corrective actions on-site, or may rely on other methods, such as document review, remote interviews, or self-assessment by the auditee. The auditor documents the follow-up results and updates the audit report accordingly.

Reference: PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-25

ISO 19011:2018 Guidelines for auditing management systems

The ISO 27001 audit process | ISMS.online


Question #70

Which two of the following phrases would apply to "plan" in relation to the Plan-Do-Check-Act cycle for a business process?

  • A . Retaining documentation
  • B . Retaining documentation
  • C . Organising changes
  • D . Setting objectives
  • E . Training staff
  • F . Providing ICT assets

Correct Answer: DE

Explanation:

The Plan-Do-Check-Act (PDCA) cycle is a four-step method for implementing and improving processes, products, or services. The “plan” phase involves establishing the objectives and processes necessary to deliver the desired results. This may include setting SMART goals, identifying resources, defining roles and responsibilities, conducting risk assessments, and developing plans for training, communication, and monitoring.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB

ISO 19011:2018 Guidelines for auditing management systems [Section 5.3.1]

Question #71

Which two of the following phrases are ‘objectives’ in relation to a first-party audit?

  • A . Apply international standards
  • B . Prepare the audit report for the certification body
  • C . Confirm the scope of the management system is accurate
  • D . Complete the audit on time
  • E . Apply Regulatory requirements
  • F . Update the management policy

Correct Answer: CF

Explanation:

A first-party audit is an internal audit conducted by the organisation itself or by an external party on its behalf. The objectives of a first-party audit are to:

Confirm the scope of the management system is accurate, i.e., it covers all the processes, activities, locations, and functions that are relevant to the information security objectives and requirements of the organisation.

Update the management policy, i.e., review and revise the policy statement, roles and responsibilities, and objectives and targets of the information security management system (ISMS) based on the audit findings and feedback.

The other phrases are not objectives of a first-party audit, but rather:

Apply international standards: This is a requirement for the ISMS, not an objective of the audit. The ISMS must conform to the ISO/IEC 27001 standard and any other applicable standards or regulations.

Prepare the audit report for the certification body: This is an activity of a third-party audit, not a first-party audit. A third-party audit is an external audit conducted by an independent certification body to verify the conformity and effectiveness of the ISMS and to issue a certificate.

Complete the audit on time: This is a performance indicator, not an objective of the audit. The audit should be completed within the planned time frame and budget, but this is not the primary purpose of the audit.

Apply regulatory requirements: This is also a requirement for the ISMS, not an objective of the audit. The ISMS must comply with the legal and contractual obligations of the organisation regarding information security.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training; ISO/IEC 27001 Lead Auditor Training Course by PECB

Question #72

DRAG DROP

Match the correct responsibility with each participant of a second-party audit:

Correct Answer:

Explanation:

The correct responsibility with each participant of a second-party audit is:

Prepares the audit report: Audit Team Leader. The audit team leader is responsible for coordinating the audit activities, communicating with the auditee and the customer, and preparing and delivering the audit report that summarises the audit findings and conclusions.

Prepares audit checklists for use during the audit: Auditor. The auditor is responsible for collecting and verifying objective evidence during the audit, using audit checklists as a tool to guide the audit process and ensure that all relevant aspects of the audit criteria are covered.

Supports an auditor and provides feedback on their experience: Auditor in training. The auditor in training is a person who is learning how to perform audits under the supervision of an experienced auditor. The auditor in training supports the auditor by observing and participating in the audit activities, and provides feedback on their experience to improve their skills and competence.

Follows up on audit findings within an agreed timeframe: Auditee. The auditee is the organisation being audited by the customer, or by a third party on the customer's behalf. The auditee is responsible for providing access and cooperation to the auditors, and for following up on the audit findings within an agreed timeframe by implementing corrective actions or improvement measures as needed.

Provides an independent account of the audit but does not participate in the audit: Observer. The observer is a person who accompanies the audit team but does not participate in the audit activities. The observer may be a representative of the customer, a regulatory body, or another interested party. The observer provides an independent account of the audit but does not interfere with or influence the audit process or outcome.

Escorts the auditors but does not participate in the audit: Guide. The guide is a person appointed by the auditee to assist the audit team during the audit. The guide may escort the auditors to different locations, facilitate access to information and personnel, or provide clarification or explanation as requested by the auditors. The guide does not participate in the audit or influence its results.


Question #73

Which one of the following options describes the main purpose of a Stage 1 audit?

  • A . To determine readiness for Stage 2
  • B . To check for legal compliance by the organisation
  • C . To get to know the organisation
  • D . To compile the audit plan

Correct Answer: A

Explanation:

The main purpose of a Stage 1 audit is to review the organisation's ISMS documentation and to assess whether the organisation is ready for the Stage 2 audit, in which the implementation and effectiveness of the ISMS are verified. The Stage 1 audit also confirms the scope, objectives, and context of the ISMS, checks that internal audits and management review are planned and being performed, and identifies any areas of concern that could become nonconformities at Stage 2 if they are not addressed beforehand.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB

ISO/IEC 27006:2015 Information technology ― Security techniques ― Requirements for bodies providing audit and certification of information security management systems Section 7.3.1

Question #74

Objectives, criteria, and scope are critical features of a third-party ISMS audit.

Which two issues are audit objectives?

  • A . Evaluate customer processes and functions
  • B . Assess conformity with ISO/IEC 27001 requirements
  • C . Fulfil the audit plan
  • D . Confirm sites operating the ISMS
  • E . Determine the scope of the ISMS
  • F . Review organisation efficiency

Correct Answer: BD

Explanation:

Audit objectives are the specific purposes or goals that the customer or the certification body wants to achieve through the audit. They define what the audit intends to accomplish and provide the basis for planning and conducting the audit. Audit objectives may vary depending on the type, scope, and criteria of the audit, but they should be clear, measurable, and achievable.

Some examples of audit objectives for a third-party ISMS audit are:

Assess conformity with ISO/IEC 27001 requirements: This objective means that the audit aims to verify that the organisation’s ISMS meets the requirements of the ISO/IEC 27001 standard, which specifies the best practices for establishing, implementing, maintaining, and improving an information security management system. The audit will evaluate the organisation’s ISMS documentation, processes, controls, and performance against the standard’s clauses and annex A controls.

Confirm sites operating the ISMS: This objective means that the audit aims to confirm that the organisation’s ISMS covers all the relevant sites or locations where the organisation operates or provides its services. The audit will verify that the scope of the ISMS is accurate and consistent with the organisation’s context, objectives, and risks.

The other phrases are not audit objectives, but rather:

Evaluate customer processes and functions: This is not an audit objective, but rather a possible audit criterion or a requirement that the organisation's processes and functions should meet. The audit criterion is the reference against which the audit evidence is compared to determine conformity or nonconformity. The audit criterion may include ISO/IEC 27001 requirements, customer requirements, or other applicable standards or regulations.

Fulfil the audit plan: This is not an audit objective, but rather a task or an activity that the auditor performs during the audit. The audit plan is a document that describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. The auditor should follow and fulfil the audit plan to ensure that the audit is conducted effectively and efficiently.

Determine the scope of the ISMS: This is not an audit objective, but rather a prerequisite or an input for conducting the audit. The scope of the ISMS is the extent and boundaries of the information security management system within the organisation. It defines what processes, activities, locations, assets, and stakeholders are included in or excluded from the ISMS. The scope of the ISMS should be determined by the organisation before applying for certification or undergoing an audit.

Review organisation efficiency: This is not an audit objective, but rather a possible outcome or result of conducting an audit. Organisation efficiency is a measure of how well the organisation uses its resources to achieve its goals and objectives. The audit may help review and improve organisation efficiency by identifying strengths, weaknesses, opportunities, and threats in its information security management system.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB

ISO 19011:2018 Guidelines for auditing management systems [Section 5.3.1]

Question #75

Which two of the following are examples of audit methods that ‘do not’ involve human interaction?

  • A . Conducting an interview using a teleconferencing platform
  • B . Performing a review of auditees procedures in preparation for an audit
  • C . Reviewing the auditee’s response to an audit finding
  • D . Analysing data by remotely accessing the auditee’s server
  • E . Observing work performed by remote surveillance
  • F . Confirming the date and time of the audit

Correct Answer: BD

Explanation:

Audit methods are the techniques and procedures that auditors use to collect and evaluate audit evidence. Audit methods can be classified into two categories: those that involve human interaction and those that do not. Human interaction methods are those that require direct or indirect communication with the auditee or other relevant parties, such as interviews, questionnaires, surveys, observations, or walkthroughs. Non-human interaction methods are those that do not require any communication with the auditee or other parties, such as document reviews, data analysis, or remote surveillance.

Some examples of audit methods that do not involve human interaction are:

Performing a review of the auditee's procedures in preparation for an audit: This method involves examining the auditee's documented information, such as policies, processes, records, or reports, to verify their adequacy and effectiveness in meeting the audit criteria. The auditor does not need to interact with the auditee or anyone else to perform this method.

Analysing data by remotely accessing the auditee's server: This method involves accessing and processing the auditee's data, such as performance indicators, logs, metrics, or statistics, to verify their accuracy and reliability in meeting the audit criteria. The auditor does not need to interact with the auditee or anyone else to perform this method.

Note that ISO 19011:2018 Table A.1 also lists observing work performed via surveillance means among the remote methods with no human interaction, so option E belongs to the same category as B and D; the answer key given here is B and D.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB

ISO 19011:2018 Guidelines for auditing management systems [Section 6.2.2]

Question #76

Select two options that describe an advantage of using a checklist.

  • A . Using the same checklist for every audit without review
  • B . Restricting interviews to nominated parties
  • C . Ensuring relevant audit trails are followed
  • D . Ensuring the audit plan is implemented
  • E . Reducing audit duration
  • F . Not varying from the checklist when necessary

Correct Answer: CD

Explanation:

A checklist is a tool that helps auditors to collect and verify information relevant to the audit objectives and scope.

It can provide the following advantages:

Ensuring relevant audit trails are followed: A checklist can help auditors to identify and trace the sources of evidence that support the conformity or nonconformity of the audited criteria. It can also help auditors to avoid missing or overlooking any important aspects of the audit.

Ensuring the audit plan is implemented: A checklist can help auditors to follow and fulfil the audit plan, which describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. It can also help auditors to manage their time and resources effectively and efficiently.

The other options are not advantages of using a checklist, but rather:

Using the same checklist for every audit without review: This is a disadvantage of using a checklist, as it can lead to a rigid and ineffective audit approach. A checklist should be tailored and adapted to each specific audit, taking into account the context, risks, and changes of the auditee and the audit criteria. A checklist should also be reviewed and updated periodically to ensure its validity and relevance.

Restricting interviews to nominated parties: This is a disadvantage of using a checklist, as it can limit the scope and depth of the audit. A checklist should not prevent auditors from interviewing other relevant parties or sources of information that may provide valuable evidence or insights for the audit. A checklist should be used as a guide, not as a constraint.

Reducing audit duration: This is not necessarily an advantage of using a checklist, as it depends on various factors, such as the complexity, size, and maturity of the auditee’s ISMS, the availability and quality of evidence, the competence and experience of the auditors, and the level of cooperation and communication between the auditors and the auditee. A checklist may help reduce audit duration by improving efficiency and organization, but it may also increase audit duration by requiring more evidence or verification.

Not varying from the checklist when necessary: This is a disadvantage of using a checklist, as it can result in a superficial or incomplete audit. A checklist should not prevent auditors from exploring or investigating any issues or concerns that arise during the audit, even if they are not included in the checklist. A checklist should be used as a support, not as a substitute.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB

ISO 19011:2018 Guidelines for auditing management systems [Section 6.2.2]

Question #77

Which one of the following statements best describes the purpose of conducting a document review?

  • A . To reveal whether the documented management system is nonconforming with audit criteria and to gather evidence to support the audit report
  • B . To decide about the conformity of the documented management system with audit standards and to gather findings to support the audit process
  • C . To determine the conformity of the management system, as far as documented, with audit criteria and to gather information to support the on-site audit activities
  • D . To detect any nonconformity of the management system, if documented, with audit criteria and to identify information to support the audit plan

Correct Answer: C

Explanation:

A document review is a process of examining the documented information related to the management system before the on-site audit activities. The purpose of a document review is to:

Determine the conformity of the management system, as far as documented, with audit criteria, i.e., to check whether the documents are consistent, complete, and compliant with the requirements of ISO/IEC 27001 and any other applicable standards or regulations.

Gather information to support the on-site audit activities, i.e., to identify the scope, objectives, processes, controls, risks, and opportunities of the management system, and to plan the audit methods, techniques, and resources accordingly.

The other statements are not accurate, because:

A document review does not reveal or decide about the conformity or nonconformity of the management system as a whole, but only of the documented information. The conformity or nonconformity of the management system is determined by the on-site audit activities, which include interviews, observations, and tests.

A document review does not gather evidence or findings to support the audit report or process, but information to support the on-site audit activities. The evidence and findings are collected during the on-site audit activities, and are then documented and reported.

A document review does not detect nonconformity of the management system "if documented", but determines the conformity of what is documented. Nonconformity of the management system is established by the on-site audit activities, which evaluate the performance and effectiveness of the management system.

A document review does inform audit planning (ISO 19011:2018 places the review of the auditee's documented information within audit preparation, clause 6.3), but statement D narrows its purpose to detecting nonconformity and supporting the audit plan. The defined purpose is broader: determining conformity as far as documented and gathering information to support all of the on-site audit activities, of which the audit plan is only one input.

Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training; ISO/IEC 27001 Lead Auditor Training Course by PECB

Question #78

DRAG DROP

Correct Answer:

Explanation:

An audit finding is the result of the evaluation of the collected audit evidence against audit criteria.


Question #79

During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made.

Select two options for how the auditor should respond.

  • A . Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures
  • B . Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned
  • C . Suggest that the MSR cancels the audit contract and reapplies for the new situation
  • D . Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit
  • E . Advise the MSR that, within the existing scope, the new work area can be included without any problem
  • F . Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area

Correct Answer: AD

Explanation:

The correct options for how the auditor should respond are:

Question #80

You have to carry out a third-party virtual audit.

Which two of the following issues would you need to inform the auditee about before you start conducting the audit?

  • A . You will ask to see the ID card of the person that is on the screen.
  • B . You will take photos of every person you interview.
  • C . You will ask those being interviewed to state their name and position beforehand.
  • D . You will ask for a 360-degree view of the room where the audit is being carried out.
  • E . You will not record any part of the audit, unless permitted.
  • F . You expect the auditee to have assessed all risks associated with online activities.

Correct Answer: CD

Explanation:

A third-party virtual audit is an external audit conducted by an independent certification body using remote technology such as video conferencing, screen sharing, and electronic document exchange. The purpose of a third-party virtual audit is to verify the conformity and effectiveness of the information security management system (ISMS) and to issue a certificate of compliance [1][2]. Before you start conducting the audit, you would need to inform the auditee about the following issues [1][2]:

You will ask those being interviewed to state their name and position beforehand, i.e., to confirm their identity and role in the ISMS. This is to ensure that you are interviewing the relevant personnel and that they are authorized to provide information and evidence for the audit.

You will ask for a 360-degree view of the room where the audit is being carried out, i.e., to verify the physical and environmental security of the audit location. This is to ensure that there are no unauthorized persons or devices in the vicinity that could compromise the confidentiality, integrity, or availability of the information being audited.

The other issues are not relevant or appropriate for a third-party virtual audit, because:

You will ask to see the ID card of the person that is on the screen, i.e., to verify their identity. This is not necessary if you have already asked them to state their name and position beforehand, and if you have access to the auditee’s organizational chart or staff directory. Asking to see the ID card could also be seen as intrusive or disrespectful by the auditee.

You will take photos of every person you interview, i.e., to document the audit process. This is not advisable as it could violate the privacy or consent of the auditee and the interviewees. Taking photos could also be seen as unprofessional or suspicious by the auditee. You should rely on the audit records and evidence provided by the auditee and the audit tool instead.

You will not record any part of the audit, unless permitted, i.e., to respect the auditee’s preferences and rights. This is not a valid issue to inform the auditee about, as you should always record the audit for quality assurance and verification purposes. Recording the audit is also a requirement of the ISO/IEC 27001 standard and the certification body. You should inform the auditee that you will record the audit and obtain their consent before the audit begins.

You expect the auditee to have assessed all risks associated with online activities, i.e., to ensure the security of the audit process. This is not an issue to inform the auditee about, as it is part of the auditee’s responsibility and obligation to have a risk assessment and treatment process for their ISMS. You should assess the auditee’s risk management practices and controls during the audit, not before it.

Reference: [1] ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training; [2] ISO/IEC 27001 Lead Auditor Training Course by PECB

Question #81

DRAG DROP

You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company’s risk management process.

He is attempting to update the current documentation to make it easier for other managers to understand, however, it is clear from your discussion he is confusing several key terms.

You ask him to match each of the descriptions with the appropriate risk term.

What should the correct answers be?

Correct Answer:

Explanation:

The correct answers for matching each of the descriptions with the appropriate risk term are:

The strategy chosen to respond to a specific information security risk: This is a definition of information security risk treatment. According to ISO/IEC 27000:2022, information security risk treatment is “the process of selecting and implementing measures to modify the information security risk” Section 3.33.

The effect of uncertainty on information security objectives: This is a definition of information security risk. According to ISO/IEC 27000:2022, information security risk is “the effect of uncertainty on information security objectives” Section 3.32.

The requirements against which information security risks are evaluated: This is a definition of information security risk criteria. According to ISO/IEC 27000:2022, information security risk criteria are “the terms of reference by which the significance of information security risks is assessed” Section 3.31.

A definition of the overall level of information security risk that is considered to be tolerable: This is a definition of information security risk acceptance criteria. According to ISO/IEC 27000:2022, information security risk acceptance criteria are “the level of information security risk that is acceptable” Section 3.30.


Question #82

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymisation tests failed. Also, whether the Service Manager is authorised to approve the test.

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That’s why the Service Manager signed the approval. You are preparing the audit findings. Select the correct option.

  • A . There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)
  • B . There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
  • C . There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)
  • D . There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

Correct Answer: B

Explanation:

According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes developing and entering into licensing agreements that cover code ownership and intellectual property rights, and implementing appropriate contractual requirements related to secure design and coding in accordance with Annex A 8.25 and 8.29 [1][2].

In this case, the organisation and the developer have performed security tests that failed, which indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT Manager explains that the encryption and pseudonymisation functions failed because they slowed down the system and service performance, and that an extra 150% of resources are needed to cover this. However, this does not justify the acceptance of the test results by the Service Manager, who is not authorised to approve the test according to the software security management procedure. The Service Manager should have consulted with the IT Manager, who is the owner of the process, and followed the procedure for handling nonconformities and corrective actions. The Service Manager’s decision to continue the service based on access control alone exposes the organisation to the risk of compromising the confidentiality, integrity, and availability of personal data processed by the mobile app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.

Reference: [1] ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training; [2] ISO/IEC 27001 Lead Auditor Training Course by PECB

Question #83

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to approve the test.

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymization functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That’s why the Service Manager signed the approval.

You sample one of the medical staff’s mobile and found that ABC’s healthcare mobile app, version 1.01 is installed. You found that version 1.01 has no test record.

The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app development company gave a free minor update on the tested software, performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions. Based on his 20 years of information security experience, there is no need to re-test.

You are preparing the audit findings. Select two options that are correct.

  • A . There is NO nonconformity (NC). The IT Manager demonstrates he is fully competent. (Relevant to clause 7.2)
  • B . There is a nonconformity (NC). The IT Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
  • C . There is a nonconformity (NC). The organisation does not control planned changes and review the consequences of unintended changes. (Relevant to clause 8.1)
  • D . There is an opportunity for improvement (OI). The organisation selects an external service provider based on the extent of free services it will provide. (Relevant to clause 8.1, control A.5.21)
  • E . There is NO nonconformity (NC). The IT Manager demonstrates good leadership. (Relevant to clause 5.1, control 5.4)
  • F . There is an opportunity for improvement (OI). The IT Manager should make the decision to continue the service based on appropriate testing. (Relevant to clause 8.1, control A.8.30)

Correct Answer: BC

Explanation:

According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes developing and entering into licensing agreements that cover code ownership and intellectual property rights, and implementing appropriate contractual requirements related to secure design and coding in accordance with Annex A 8.25 and 8.29 [1][2].

In this case, the organisation and the developer have performed security tests that failed, which indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT Manager explains that the encryption and pseudonymization functions failed because they slowed down the system and service performance, and that an extra 150% of resources are needed to cover this. However, this does not justify the acceptance of the test results by the Service Manager, who is not authorised to approve the test according to the software security management procedure. The Service Manager should have consulted with the IT Manager, who is the owner of the process, and followed the procedure for handling nonconformities and corrective actions. The Service Manager’s decision to continue the service based on access control alone exposes the organisation to the risk of compromising the confidentiality, integrity, and availability of personal data processed by the mobile app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.

According to ISO 27001:2022 Clause 8.1, the organisation shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in Clause 6.1. The organisation shall also control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary [1][2]. In this case, the organisation has not controlled the planned change of the mobile app from version 1.0 to version 1.01, which was a minor update provided by the outsourced developer in response to frequent ransomware attacks. The IT Manager explains that the developer performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions. However, this is not sufficient to ensure that the change is properly assessed, tested, documented, and approved before deployment. The IT Manager should have followed the change management process and procedure, and verified that the updated software meets the security requirements and does not introduce any new vulnerabilities or risks. The IT Manager’s reliance on his 20 years of information security experience and the developer’s verbal guarantee is not a valid basis for skipping the re-testing of the software. Therefore, there is a nonconformity (NC) with clause 8.1.

Reference: [1] ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training; [2] ISO/IEC 27001 Lead Auditor Training Course by PECB

Question #84

During a third-party certification audit, you are presented with a list of issues by an auditee.

Which four of the following constitute ‘internal’ issues in the context of a management system to ISO 27001:2022?

  • A . Higher labour costs as a result of an aging population
  • B . A rise in interest rates in response to high inflation
  • C . Poor levels of staff competence as a result of cuts in training expenditure
  • D . Poor morale as a result of staff holidays being reduced
  • E . Increased absenteeism as a result of poor management
  • F . A reduction in grants as a result of a change in government policy
  • G . A fall in productivity linked to outdated production equipment
  • H . Inability to source raw materials due to government sanctions

Correct Answer: C, D, E, G

Explanation:

According to ISO 27001:2022 clause 4.1, the organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system (ISMS) [1][2].

External issues are factors outside the organisation that it cannot control, but can influence or adapt to. They include political, economic, social, technological, legal, and environmental factors that may affect the organisation’s information security objectives, risks, and opportunities [1][2].

Internal issues are factors within the organisation that it can control or change. They include the organisation’s structure, culture, values, policies, objectives, strategies, capabilities, resources, processes, activities, relationships, and performance that may affect the organisation’s information security management system [1][2].

Therefore, the following issues are considered ‘internal’ in the context of a management system to ISO 27001:2022:

Poor levels of staff competence as a result of cuts in training expenditure: This is an internal issue because it relates to the organisation’s capability, resource, and process of developing and maintaining the competence of its personnel involved in the ISMS. The organisation can control or change its training expenditure and its impact on staff competence [1][2].

Poor morale as a result of staff holidays being reduced: This is an internal issue because it relates to the organisation’s culture, value, and relationship with its employees. The organisation can control or change its staff holiday policy and its impact on staff morale [1][2].

Increased absenteeism as a result of poor management: This is an internal issue because it relates to the organisation’s performance, structure, and accountability of its management. The organisation can control or change its management practices and its impact on staff absenteeism [1][2].

A fall in productivity linked to outdated production equipment: This is an internal issue because it relates to the organisation’s capability, resource, and process of ensuring the availability and suitability of its production equipment. The organisation can control or change its equipment maintenance and upgrade and its impact on productivity [1][2].

The following issues are considered ‘external’ in the context of a management system to ISO 27001:2022:

Higher labour costs as a result of an aging population: This is an external issue because it relates to the social and demographic factor that affects the availability and cost of labour in the market. The organisation cannot control or change the aging population, but can influence or adapt to its impact on labour costs [1][2].

A rise in interest rates in response to high inflation: This is an external issue because it relates to the economic and monetary factor that affects the cost and availability of capital in the market. The organisation cannot control or change the interest rates or inflation, but can influence or adapt to its impact on capital costs [1][2].

A reduction in grants as a result of a change in government policy: This is an external issue because it relates to the political and legal factor that affects the availability and conditions of public funding for the organisation. The organisation cannot control or change the government policy, but can influence or adapt to its impact on grants [1][2].

Inability to source raw materials due to government sanctions: This is an external issue because it relates to the political and legal factor that affects the availability and cost of raw materials in the market. The organisation cannot control or change the government sanctions, but can influence or adapt to its impact on raw materials [1][2].

Reference: [1] ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training; [2] ISO/IEC 27001 Lead Auditor Training Course by PECB

Question #85

You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee’s knowledge of ISO/IEC 27001’s risk management requirements.

You ask her a series of questions to which the answer is either ‘that is true’ or ‘that is false’.

Which four of the following should she answer ‘that is true’?

  • A . The results of risk assessments must be maintained
  • B . Risk identification is used to determine the severity of an information security risk
  • C . ISO/IEC 27001 provides an outline approach for the management of risk
  • D . The organisation must produce a risk treatment plan for every business risk identified
  • E . The organisation must operate a risk treatment process to eliminate its information security risks
  • F . The initial phase in an organisation’s risk management process should be information security risk assessment
  • G . Risk assessments should be undertaken at monthly intervals
  • H . Risk assessments should be undertaken following significant changes

Correct Answer: ACDH

Explanation:

The following four statements are true according to ISO/IEC 27001’s risk management requirements [1][2]:

The results of risk assessments must be maintained. This is true because clause 8.2.3 of ISO/IEC 27001:2022 requires the organisation to retain documented information of the information security risk assessment process and the results [1][2].

ISO/IEC 27001 provides an outline approach for the management of risk. This is true because clause 6.1.2 of ISO/IEC 27001:2022 specifies the general steps for the information security risk management process, which include establishing the risk criteria, assessing the risks, treating the risks, and monitoring and reviewing the risks [1][2].

The organisation must produce a risk treatment plan for every business risk identified. This is true because clause 6.1.3 of ISO/IEC 27001:2022 requires the organisation to produce a risk treatment plan that defines the actions to be taken to address the unacceptable risks, the responsibilities, the expected dates, and the resources required [1][2].

Risk assessments should be undertaken following significant changes. This is true because clause 8.2.4 of ISO/IEC 27001:2022 requires the organisation to review and update the risk assessment at planned intervals or when significant changes occur [1][2].

The following four statements are false according to ISO/IEC 27001’s risk management requirements:

Risk identification is used to determine the severity of an information security risk. This is false because risk identification is used to identify the assets, threats, vulnerabilities, and existing controls that are relevant to the information security risk management process. The severity of an information security risk is determined by the risk analysis, which evaluates the likelihood and impact of the risk scenarios [1][2].

The organisation must operate a risk treatment process to eliminate its information security risks. This is false because the organisation can choose from four options to treat its information security risks: avoid, transfer, mitigate, or accept. The organisation does not have to eliminate all its information security risks, but only those that are unacceptable according to its risk criteria [1][2].

The initial phase in an organisation’s risk management process should be information security risk assessment. This is false because the initial phase in an organisation’s risk management process should be establishing the risk management framework, which includes defining the risk management policy, objectives, scope, roles, responsibilities, and criteria. The information security risk assessment is the second phase in the risk management process [1][2].

Risk assessments should be undertaken at monthly intervals. This is false because there is no fixed frequency for conducting risk assessments in ISO/IEC 27001. The organisation should determine the appropriate intervals for reviewing and updating the risk assessment based on its risk appetite, risk profile, and operational context [1][2].

Reference: [1] ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training; [2] ISO/IEC 27001 Lead Auditor Training Course by PECB

Question #86

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. You find that all nursing home residents wear an electronic wristband at all times for monitoring their location, heartbeat, and blood pressure. You learn that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.

To verify the scope of ISMS, you interview the management system representative (MSR) who explains that the ISMS scope covers an outsourced data center.

Select three options for the audit evidence you need to find to verify the scope of the ISMS.

  • A . The auditee has identified the resident’s needs and expectations on the facility and environmental safety
  • B . The auditee has ISO 9001 certification
  • C . The auditee has identified the governmental authorities’ needs and expectations on healthcare services and patient data handling
  • D . The auditee has identified the resident’s needs and expectations on how they should protect the resident’s personal data
  • E . The auditee has identified the resident’s needs and expectations on the comfort facility, medical professional’s competence, and clean environment
  • F . The auditee has identified the resident’s needs and expectations on healthcare medical treatment services
  • G . The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located
  • H . The auditee is considering the purchase of a healthcare monitoring app from an external software company

Correct Answer: C, D, G

Explanation:

According to ISO 27001:2022 clause 4.3, the organisation shall determine the scope of the information security management system (ISMS) by considering the internal and external issues, the requirements of interested parties, and the interfaces and dependencies with other organisations [1][2]. In this case, the ISMS scope covers an outsourced data center that hosts the artificial intelligence (AI) cloud server for healthcare monitoring and analysis of the residents’ data. Therefore, the audit evidence you need to find to verify the scope of the ISMS should include:

The auditee has identified the governmental authorities’ needs and expectations on healthcare services and patient data handling. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to comply with the relevant laws and regulations regarding the quality, safety, and privacy of healthcare services and patient data [1][2].

The auditee has identified the resident’s needs and expectations on how they should protect the resident’s personal data. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to ensure the confidentiality, integrity, and availability of the resident’s personal data that is collected, processed, and stored by the electronic wristband and the AI cloud server [1][2].

The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located. This is an interface and dependency with another organisation that affects the ISMS scope, as the auditee has to control the externally provided processes, products, and services that are relevant to the ISMS, and to implement appropriate contractual requirements related to information security [1][2].

The following options are not relevant or sufficient for verifying the scope of the ISMS:

The auditee has identified the resident’s needs and expectations on the facility and environmental safety. This is an external issue and an interested party requirement, but it does not affect the ISMS scope, as it is not related to information security [1][2].

The auditee has ISO 9001 certification. This is an indication of the auditee’s quality management system, but it does not verify the scope of the ISMS, as it is not related to information security [1][2].

The auditee has identified the resident’s needs and expectations on the comfort facility, medical professional’s competence, and clean environment. These are external issues and interested party requirements, but they do not affect the ISMS scope, as they are not related to information security [1][2].

The auditee has identified the resident’s needs and expectations on healthcare medical treatment services. These are external issues and interested party requirements, but they do not verify the scope of the ISMS, as they are not specific to information security [1][2].

The auditee is considering the purchase of a healthcare monitoring app from an external software company. This is a potential change that may affect the ISMS scope in the future, but it does not verify the current scope of the ISMS, as it is not yet implemented or controlled [1][2].

Reference: [1] ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training; [2] ISO/IEC 27001 Lead Auditor Training Course by PECB

Question #87

You are an experienced ISMS audit team leader providing guidance to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the following activities. They have asked you to review their checklist to confirm that the actions they are proposing are appropriate.

The audit they have been invited to participate in is a third-party surveillance audit of a data centre. The data centre agent is part of a wider telecommunication group. Each data centre within the group operates its own ISMS and holds its own certificate.

Select three options that relate to ISO/IEC 27001:2022’s requirements regarding external providers.

  • A . I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group
  • B . I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services
  • C . I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information
  • D . I will limit my audit activity to externally provided processes as there is no need to audit externally provided products or services
  • E . I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance
  • F . I will ensure the organization has determined the need to communicate with external providers regarding the ISMS
  • G . I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes
  • H . I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest

Correct Answer: A, B, E

Explanation:

Question #87

You are an experienced ISMS audit team leader providing guidance to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the following activities. They have asked you to review their checklist to confirm that the actions they are proposing are appropriate.

The audit they have been invited to participate in is a third-party surveillance audit of a data centre. The data centre agent is part of a wider telecommunication group. Each data centre within the group operates its own ISMS and holds its own certificate.

Select three options that relate to ISO/IEC 27001:2022’s requirements regarding external providers.

  • A . I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group
  • B . I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services
  • C . I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information
  • D . I will limit my audit activity to externally provided processes as there is no need to audit externally provided products of services
  • E . I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance
  • F . I will ensure the organization is has determined the need to communicate with external providers regarding the ISMS
  • G . I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes
  • H . I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest

Correct Answer: A, B, E

Explanation:

Question #89

You are an experienced ISMS auditor conducting a third-party surveillance audit at an organisation which offers ICT reclamation services. ICT equipment which companies no longer require is processed by the organisation. It is either recommissioned and reused or is securely destroyed. You notice two servers on a bench in the corner of the room. Both have stickers on them with the server’s name, IP address and admin password. You ask the ICT Manager about them, and he tells you they were part of a shipment received yesterday from a regular customer.

Which one action should you take?

  • A . Ask the ICT Manager to record an information security incident and initiate the information security incident management process
  • B . Note the audit finding and check the process for dealing with incoming shipments relating to customer IT security
  • C . Record what you have seen in your audit findings, but take no further action
  • D . Raise a nonconformity against control 5.31 ‘Legal, statutory, regulatory and contractual requirements’
  • E . Raise a nonconformity against control 8.20 ‘Networks security’ (networks and network devices shall be secured, managed and controlled to protect information in systems and applications)
  • F . Ask the auditee to remove the labels, then carry on with the audit

Correct Answer: B

Explanation:

According to ISO/IEC 27001:2022 clause 8.1, the organisation shall plan, implement and control the processes needed to meet its information security requirements, and shall ensure that externally provided processes, products or services relevant to the information security management system are controlled. Customers who send ICT equipment for reclamation are interested parties (clause 4.2) whose information security requirements, normally set out in the service contract, the organisation has committed to meet (see control 5.31).

In this case, the organisation offers ICT reclamation services, which involves processing customer ICT equipment that may contain sensitive or confidential information. The organisation should have a process in place to ensure that customer ICT equipment is handled securely and in accordance with the customer’s information security requirements. The process should include steps such as verifying the customer’s identity and authorisation, checking the inventory and condition of the equipment, removing or destroying any labels or stickers that contain information about the equipment or the customer, wiping or erasing any data stored on the equipment, and documenting the actions taken and the results achieved.

The fact that the auditor noticed two servers on a bench with stickers revealing each server’s name, IP address and admin password indicates that the process for dealing with incoming shipments relating to customer IT security is either not effective or not being followed. This could pose a risk of unauthorised access to, disclosure of, or modification of the customer’s information or systems. Therefore, the auditor should note the audit finding, check the process for dealing with incoming shipments relating to customer IT security, and determine on that evidence whether there is a nonconformity with clause 8.1 of ISO/IEC 27001:2022. Raising a nonconformity against a specific control, or asking the auditee to record an incident, would be premature before the process has been examined.

The other actions are not appropriate for the following reasons:

Question #90

DRAG DROP

You are an experienced ISMS audit team leader. An auditor in training has approached you to ask you to clarify the different types of audits she may be required to undertake. Match the following audit types to the descriptions.

To complete the table, click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Correct Answer:


Question #91

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process. During the audit, you learned that most of the residents’ family members (90%) receive WeCare medical device promotional advertisements through email and SMS once a week via ABC’s healthcare mobile app. None of them agreed, in the service agreement signed with ABC, to the use of the collected personal data for marketing or any purpose other than nursing and medical care. They have very strong reason to believe that ABC is leaking residents’ and family members’ personal information to a non-relevant third party, and they have filed complaints.

The Service Manager says that all these complaints have been treated as nonconformities, and the corrective actions have been planned and implemented according to the Nonconformity and Corrective Action management procedure. The corrective action involved immediately stopping working with WeCare, the medical device manufacturer, asking them to delete all personal data received, and sending an apology email to all residents and their family members. You are preparing the audit findings. Select one option of the correct finding.

  • A . Nonconformity: ABC does not follow the signed healthcare service agreement with residents’ family members
  • B . No nonconformity: I would like to collect more evidence on how the organisation defines the management system scope and see if they covered WeCare medical device manufacture
  • C . No nonconformity: The Service Manager implemented the corrective actions and the Customer Service Representative evaluates the effectiveness of implemented corrective actions
  • D . Nonconformity: The management review does not take the feedback from residents’ family members into consideration

Correct Answer: A

Explanation:

According to ISO/IEC 27001:2022 clause 8.1, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes implementing appropriate contractual requirements related to information security with external providers, and honouring the contractual commitments the organisation has itself made to its customers and other interested parties (clause 4.2; control 5.31) [1][2].

In this case, ABC is a residential nursing home that provides healthcare services to its residents and collects their personal data and their family members’ personal data. ABC has a signed service agreement with the residents’ family members that states that the collected personal data will not be used for marketing or any purpose other than nursing and medical care. However, ABC has violated this contractual requirement by sharing the personal data with WeCare, a medical device manufacturer, who has used the data to send promotional advertisements to the residents’ family members via email and SMS. This has caused dissatisfaction and complaints from the residents’ family members, who have a strong reason to believe that ABC is leaking their personal information to a non-relevant third party.

Therefore, the audit finding is a nonconformity: ABC has not followed the signed healthcare service agreement with the residents’ family members. This is a failure to control an externally provided service relevant to the ISMS (clause 8.1) and a breach of the contractual requirements related to information security that ABC has with its customers. The fact that ABC has taken corrective actions to stop working with WeCare and to apologise to the customers does not eliminate the nonconformity, but only mitigates its consequences. The nonconformity still needs to be recorded, evaluated, and reviewed for effectiveness and improvement.

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course, CQI and IRCA Certified Training; 2: ISO/IEC 27001 Lead Auditor Training Course, PECB

Question #92

You are an ISMS audit team leader who has been assigned by your certification body to carry out a follow-up audit of a client. You are preparing your audit plan for this audit.

Which two of the following statements are true?

  • A . Verification should focus on whether any action undertaken has been undertaken efficiently
  • B . Corrections should be verified first, followed by corrective actions and finally opportunities for improvement
  • C . Verification should focus on whether any action undertaken is complete
  • D . Opportunities for improvement should be verified first, followed by corrections and finally corrective actions
  • E . Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement
  • F . Verification should focus on whether any action undertaken has been undertaken effectively

Correct Answer: C, F

Explanation:

According to ISO/IEC 27001:2022 clause 9.2, the organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the organisation’s own requirements and to the requirements of ISO/IEC 27001:2022, and is effectively implemented and maintained [1][2].

According to ISO/IEC 27001:2022 clause 10.2, when a nonconformity occurs the organisation shall react to it and, as applicable, take action to control and correct it and deal with the consequences. The organisation shall also evaluate the need for action to eliminate the causes of the nonconformity, so that it does not recur or occur elsewhere, implement any action needed, review the effectiveness of any corrective action taken, and make changes to the information security management system if necessary [1][2].

A follow-up audit is conducted after a previous audit (here, by the certification body) to verify whether the nonconformities raised have been addressed through corrections and corrective actions, and whether the information security management system has been improved as a result [1][2].

Therefore, the following statements are true for preparing a follow-up audit plan:

Verification should focus on whether any action undertaken is complete. This means that the auditor should check whether the organisation has implemented all the planned actions to correct and prevent the nonconformities, and whether the actions have been documented and communicated as required [1][2].

Verification should focus on whether any action undertaken has been undertaken effectively. This means that the auditor should check whether the organisation has achieved the intended results and objectives of the actions, and whether the actions have eliminated or reduced the nonconformities and their causes and consequences [1][2].

The following statements are false for preparing a follow-up audit plan:

Verification should focus on whether any action undertaken has been undertaken efficiently. This is false because efficiency is not a criterion for verifying the actions taken to address the nonconformities. Efficiency refers to the optimal use of resources to achieve the desired outcomes, but it is not a requirement of ISO/IEC 27001:2022. The auditor should focus on the effectiveness and completeness of the actions, not on their efficiency [1][2].

Corrections should be verified first, followed by corrective actions and finally opportunities for improvement. This is false because there is no prescribed order for verifying corrections, corrective actions, and opportunities for improvement. The auditor should verify all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to verify the actions based on their relevance, significance, or impact, but this is not a mandatory requirement [1][2].

Opportunities for improvement should be verified first, followed by corrections and finally corrective actions. This is false for the same reason: there is no prescribed order for verifying opportunities for improvement, corrections, and corrective actions [1][2].

Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement. This is false for the same reason: there is no prescribed order for reviewing corrective actions, corrections, and opportunities for improvement. The auditor should review all the actions taken by the organisation, regardless of their sequence or priority [1][2].

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course, CQI and IRCA Certified Training; 2: ISO/IEC 27001 Lead Auditor Training Course, PECB

Question #93

During a follow-up audit, you notice that a nonconformity identified for completion before the follow-up audit is still outstanding.

Which four of the following actions should you take?

  • A . Report the failure to address the corrective action for the outstanding nonconformity to the organisation’s top management
  • B . Immediately raise a nonconformity as the date for completion has been exceeded
  • C . If the delay is justified, agree on a revised date for clearing the nonconformity with the auditee/audit client
  • D . Contact the individual(s) managing the audit programme to seek their advice as to how to proceed
  • E . Decide whether the delay in addressing the nonconformity is justified
  • F . Cancel the follow-up audit and return when an assurance has been received that the nonconformity has been cleared
  • G . Note the nonconformity is still outstanding and follow audit trails to determine why
  • H . If the delay is unjustified, advise the auditee/audit client and agree on remedial action

Correct Answer: A, C, E, G

Explanation:

According to the ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, the following actions should be taken when a nonconformity identified for completion before the follow-up audit is still outstanding:

Question #94

You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents’ well-being. During the audit, you learn that 90% of the residents’ family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents’ personal data. ABC has received many complaints from residents and their family members.

The Service Manager says that the complaints were investigated as an information security incident which found that they were justified. Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.

You write a nonconformity "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents’ and their family members. A supplier, WeCare, used residents’ personal information to send advertisements to family members"

Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity

  • A . ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA)
  • B . The Service Manager provides evidence of analysis of the cause of nonconformity and how ABC evaluates the effectiveness of implemented corrective actions
  • C . ABC instructs all staff to follow the signed healthcare service agreement with residents’ family members
  • D . ABC conducts a management review to take the feedback from residents’ family members into consideration
  • E . ABC needs to collect more evidence on how the organisation defines the management system scope and find out if they covered WeCare the medical device manufacturer
  • F . ABC identifies and checks compliance with all applicable legislation and contractual requirements involving third parties
  • G . The Service Manager implements the corrective actions and Customer Service Representatives evaluate the effectiveness of implemented corrective actions
  • H . ABC needs to collect more evidence on how information security risk assessment relates to the identified nonconformities before concluding actions on the nonconformity

Correct Answer: B, F, G

Explanation:

According to the ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, the following corrections and corrective actions are expected from ABC in response to the nonconformity:

B. The Service Manager provides evidence of analysis of the cause of nonconformity and how ABC evaluates the effectiveness of implemented corrective actions. This is part of the requirement of clause 10.2 of ISO/IEC 27001:2022, which states that when a nonconformity occurs the organization shall review it, determine its causes, and determine whether similar nonconformities exist or could potentially occur, so that it does not recur or occur elsewhere [1][2]. The organization shall also review the effectiveness of any corrective action taken [1][2].

F. ABC identifies and checks compliance with all applicable legislation and contractual requirements involving third parties. This relates to clause 4.2 of ISO/IEC 27001:2022, which requires the organization to determine the interested parties that are relevant to the information security management system and the relevant requirements of those interested parties, including legal, regulatory and contractual requirements (see also control A.5.31, Legal, statutory, regulatory and contractual requirements) [1][2].

G. The Service Manager implements the corrective actions and Customer Service Representatives evaluate the effectiveness of implemented corrective actions. This is part of the requirement of clause 10.2 of ISO/IEC 27001:2022, which states that the organization shall implement any action needed and retain documented information as evidence of the nature of the nonconformities, any subsequent actions taken, and the results of any corrective action [1][2]. Clause 9.1 additionally requires the organization to monitor, measure, analyse and evaluate its information security performance and the effectiveness of the information security management system [1][2].

Reference: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course, CQI and IRCA Certified Training; 2: ISO/IEC 27001 Lead Auditor Training Course, PECB

Question #95

Which one of the following options is the definition of an interested party?

  • A . A third party can appeal to an organisation when it perceives itself to be affected by a decision or activity
  • B . A person or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity
  • C . A group or organisation that can interfere in or perceive itself to be interfered with by a management decision
  • D . An individual or organisation that can control, be controlled by, or perceive itself to be controlled by a decision or activity

Correct Answer: B

Explanation:

This is the definition of an interested party used by ISO/IEC 27001: clause 3 of the standard adopts the terms and definitions given in ISO/IEC 27000. An interested party is essentially a stakeholder, i.e., a person or organization that can influence or be influenced by the information security management system (ISMS) or its activities. Interested parties can have different needs and expectations regarding the ISMS, and these should be identified and addressed by the organization (clause 4.2).

Reference: ISO/IEC 27001:2013, Information technology ― Security techniques ― Information security management systems ― Requirements, clause 3 (terms and definitions, referring to ISO/IEC 27000)

PECB Candidate Handbook ISO 27001 Lead Auditor, page 10

Identifying interested parties and their expectations for an ISO 27001 ISMS

Examples of ISO 27001 interested parties

Question #96

Which two of the following statements are true?

  • A . The benefit of certifying an ISMS is to show the accreditation certificate on the website.
  • B . The purpose of an ISMS is to demonstrate awareness of information security issues by management.
  • C . The benefit of certifying an ISMS is to increase the number of customers.
  • D . The benefits of implementing an ISMS primarily result from a reduction in information security risks.
  • E . The purpose of an ISMS is to apply a risk management process for preserving information security.
  • F . The purpose of an ISMS is to demonstrate compliance with regulatory requirements.

Correct Answer: D, E

Explanation:

D. The benefits of implementing an ISMS primarily result from a reduction in information security risks.

E. The purpose of an ISMS is to apply a risk management process for preserving information security.

According to the ISO 27001 standard, the benefits of implementing an ISMS include the following [1]:

Assuring customers and other stakeholders of the confidentiality, integrity and availability of information

Enhancing the ability to respond to information security incidents and minimize their impacts

Improving the governance and management of information security

Reducing the costs and losses associated with information security breaches

Increasing the competitiveness and reputation of the organization

Complying with legal, regulatory and contractual obligations

The purpose of an ISMS is to provide a systematic approach to managing information security risks, based on the Plan-Do-Check-Act (PDCA) cycle [1]. The ISMS enables the organization to establish, implement, maintain and continually improve its information security performance, in alignment with its business objectives and the needs and expectations of interested parties [1]. The ISMS consists of the following elements [1]:

The information security policy and objectives

The scope and boundaries of the ISMS

The processes and procedures for information security risk assessment and treatment

The resources and competencies for information security

The roles and responsibilities for information security

The performance evaluation and improvement of the ISMS

The internal and external communication and awareness of the ISMS

Reference: ISO/IEC 27001:2013, Information technology ― Security techniques ― Information security management systems ― Requirements, clauses 1, 4, 5, 6, 7, 8, 9 and 10

PECB Candidate Handbook ISO 27001 Lead Auditor, pages 9-11

ISO/IEC 27001:2013 Information Security Management Standards

4 Key Benefits of ISO 27001 Implementation | ISMS.online

ISO/IEC 27001:2022

An Introduction to the ISO 27001 ISMS | Secureframe

Question #97

DRAG DROP

Select the words that best complete the sentence:

"The purpose of maintaining regulatory compliance in a management system is to.

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Correct Answer:

Explanation:

According to ISO 27001:2013, clause 5.2, the top management of an organization must establish, implement and maintain an information security policy that is appropriate to the purpose of the organization and provides a framework for setting information security objectives. The information security policy must also include a commitment to comply with the applicable legal, regulatory and contractual requirements, as well as any other requirements that the organization subscribes to. Therefore, maintaining regulatory compliance is part of fulfilling the management system policy and ensuring its effectiveness and suitability.

Reference: ISO/IEC 27001:2013, Information technology ― Security techniques ― Information security management systems ― Requirements, clause 5.2

PECB Candidate Handbook ISO 27001 Lead Auditor, page 10

ISO 27001 Policy: How to write it according to ISO 27001


Question #98

Which two of the following phrases would apply to ‘check’ in the Plan-Do-Check-Act cycle for a business process?

  • A . Making improvements
  • B . Managing changes
  • C . Verifying training
  • D . Resetting objectives
  • E . Updating the Information Security Policy
  • F . Auditing processes

Correct Answer: C, F

Explanation:

The two phrases that would apply to ‘check’ in the Plan-Do-Check-Act cycle for a business process are:

C. Verifying training

F. Auditing processes

C. This phrase applies to ‘check’ in the PDCA cycle because it involves measuring and evaluating the effectiveness of the training activities that were implemented in the ‘do’ phase. Training supports information security competence and awareness, which are required by clauses 7.2 (competence) and 7.3 (awareness) of ISO/IEC 27001:2022 [1]. Verifying training can help the organisation to assess whether staff have acquired the necessary knowledge, skills, and behaviour to perform their roles and responsibilities in relation to information security. Verifying training can also help the organisation to identify any gaps or weaknesses in the training programme and to plan improvement actions.

F. This phrase applies to ‘check’ in the PDCA cycle because it involves examining and reviewing the performance and conformity of the processes that were implemented in the ‘do’ phase. Auditing is a systematic, independent, and documented process for obtaining objective evidence and evaluating it to determine the extent to which the audit criteria are fulfilled [2]. Auditing processes can help the organisation to verify whether the information security objectives and requirements are met, whether the information security controls are effective and efficient, and whether the information security risks are adequately managed. Auditing processes can also help the organisation to identify any nonconformities or opportunities for improvement and to plan corrective or preventive actions.

Reference: 1: ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection ― Information security management systems ― Requirements, clauses 7.2 and 7.3; 2: ISO 19011:2018 – Guidelines for auditing management systems, clause 3.1

Question #99

DRAG DROP

Select the words that best complete the sentence:

Correct Answer:

Explanation:

A third-party audit is an independent assessment of an organisation’s management system by an external auditor, who is not affiliated with the organisation or its customers. The auditor verifies that the management system meets the requirements of a specific standard, such as ISO 27001, and evaluates its effectiveness and performance. The auditor also identifies any strengths, weaknesses, opportunities, or risks of the management system, and provides recommendations for improvement. The purpose of a third-party audit is to provide an objective and impartial evaluation of the organisation’s management system, and to inform a certification decision by a certification body. A certification body is an organisation that grants a certificate of conformity to the organisation, after reviewing the audit report and evidence, and confirming that the management system meets the certification criteria. A certification decision is the outcome of the certification process, which can be positive (granting, maintaining, renewing, or expanding the scope of certification) or negative (suspending, withdrawing, or reducing the scope of certification).

Reference: PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-25

ISO 19011:2018 – Guidelines for auditing management systems

The ISO 27001 audit process | ISMS.online


Question #100

Which two of the following actions are the individual(s) managing the audit programme responsible for?

  • A . Determining the resources necessary for the audit programme
  • B . Communicating with the auditee during the audit
  • C . Determining the legal requirements applicable to each audit
  • D . Keeping the accreditation body informed on the progress of the audit programme
  • E . Defining the objectives, scope and criteria for an individual audit
  • F . Defining the plan of an individual audit

Correct Answer: A, D

Explanation:

According to ISO 19011:2018, the individual(s) managing the audit programme are responsible for tasks such as the following [1][2]:

Establishing the audit programme objectives, scope and criteria

Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc.

Selecting and appointing the audit team leaders and auditors

Reviewing and approving the audit plans and arrangements

Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc.

Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities

Monitoring and reviewing the performance and results of the audit programme and the audit teams

Evaluating the feedback and satisfaction of the auditees and other interested parties

Identifying and implementing the opportunities for improvement of the audit programme

The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors [1][2]:

Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc.

Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc.

Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee

Defining the plan of an individual audit, which includes the audit schedule, the audit activities, the audit methods, the audit documents, etc.

Reference: 1: ISO 19011:2018 – Guidelines for auditing management systems; 2: PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-20

Question #101

DRAG DROP

The audit lifecycle describes the ISO 19011 process for conducting an individual audit.

Drag and drop the steps of the audit lifecycle into the correct sequence.

Correct Answer:

Explanation:

The correct sequence of the steps of the audit lifecycle according to ISO 19011:2018 is:

Step 1: Audit initiation

Step 2: Audit preparation

Step 3: Conducting the audit

Step 4: Preparing and distributing the audit report

Step 5: Audit completion

Step 6: Audit follow-up

This sequence reflects the logical order of the audit activities, from establishing the audit objectives, scope and criteria, to verifying the implementation and effectiveness of the corrective actions. However, ISO 19011:2018 also recognizes that some audit activities can be iterative or concurrent, depending on the nature and complexity of the audit. For example, audit preparation and conducting the audit can overlap when new information or changes occur during the audit. Similarly, audit follow-up can be integrated with audit completion when the corrective actions are verified shortly after the audit. Therefore, the audit lifecycle should be adapted to the specific context and needs of each audit.


Question #102

You are the person responsible for managing the audit programme and deciding the size and composition of the audit team for a specific audit. Select the two factors that should be considered.

  • A . The audit scope and criteria
  • B . Customer relationships
  • C . The overall competence of the audit team needed to achieve audit objectives
  • D . Seniority of the audit team leader
  • E . The cost of the audit
  • F . The duration preferred by the auditee


Correct Answer: AC

Explanation:

The person responsible for managing the audit programme should consider the following two factors when deciding the size and composition of the audit team for a specific audit:

The audit scope and criteria: The audit scope defines the extent and boundaries of the audit, such as the locations, processes, functions, and time period to be audited. The audit criteria are the set of policies, procedures, standards, or requirements used as a reference against which the audit evidence is compared. The audit scope and criteria determine the complexity and extent of the audit, and thus influence the number and expertise of the auditors needed to cover all the relevant aspects of the audit.

The overall competence of the audit team needed to achieve audit objectives: The audit team should have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results. The audit team competence should include the following elements:

Generic competence: The ability to apply the principles and methods of auditing, such as planning, conducting, reporting, and following up the audit, as well as the personal behaviour and attributes of the auditors, such as ethical conduct, fair presentation, professional care, independence, and impartiality.

Discipline and sector-specific competence: The ability to understand and apply the audit criteria and the relevant technical or industry aspects of the audited organization, such as the information security management system (ISMS) requirements, the information security risks and controls, the legal and regulatory obligations, the organizational context and culture, the processes and activities, the products and services, etc.

Audit team leader competence: The ability to manage the audit team and the audit process, such as coordinating the audit activities, communicating with the audit programme manager and the auditee, resolving any audit-related problems, ensuring the quality and consistency of the audit work and the audit report, etc.

The person responsible for managing the audit programme should not consider the following factors when deciding the size and composition of the audit team for a specific audit, as they are either irrelevant or inappropriate for the audit process:

Customer relationships: The audit team should not be influenced by any personal or professional relationships with the auditee or other interested parties, as this may compromise the objectivity and impartiality of the audit. The audit team should avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.

Seniority of the audit team leader: The audit team leader should be selected based on their competence and experience, not on their seniority or rank within the organization or the audit programme. The audit team leader should have the authority and responsibility to manage the audit team and the audit process, regardless of their seniority or position.

The cost of the audit: The cost of the audit should not be the primary factor for determining the size and composition of the audit team, as this may compromise the quality and effectiveness of the audit. The audit team should have sufficient resources and time to conduct the audit in accordance with the audit objectives, scope, and criteria, and to provide accurate and reliable audit results and recommendations.

The duration preferred by the auditee: The duration of the audit should be based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee, not on the preference or convenience of the auditee. The audit team should have enough time to conduct the audit in a thorough and systematic manner, and to collect and evaluate sufficient and relevant audit evidence.

Reference: ISO 19011:2018 – Guidelines for auditing management systems; PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-20
