Black Friday Special - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dm70dm

ISO-IEC-27001-Lead-Auditor PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Questions 4

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit

plan is to verify the information security of the business continuity management process. During the audit, you learned that

the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the

recent pandemic. You ask the Service Manager to explain how the organization manages information security during the

business continuity management process.

The Service Manager presented the nursing service continuity plan for a pandemic and summarised the process as follows:

Stop the admission of any NEW residents.

70% of administration staff and 30% of medical staff will work from home.

Regular staff self-testing, including submitting a negative test report 1 day BEFORE they come to the office.

Install ABC's healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking on the spot.

You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents' personal data when staff work from home. The Service Manager cannot answer and suggests the IT Security Manager should help with that.

You would like to further investigate other areas to collect more audit evidence. Select three options that will not be in your audit trail.

Options:

A.

Collect more evidence on how information security protocols are maintained during disruption (relevant to control A.5.29)

B.

Collect more evidence that staff only use IT equipment protected from malware when working from home (relevant to control A.8.7)

C.

Collect more evidence by interviewing additional staff to ensure they are aware of the need to sometimes work from home (Relevant to clause 7.3)

D.

Collect more evidence on how and when the Business Continuity Plan has been tested. (Relevant to control A.5.29)

E.

Collect more evidence on how the organisation makes sure all staff periodically conduct a positive Covid test (Relevant to control A.7.2)

F.

Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)

G.

Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6)

Buy Now
Questions 5

After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.

Considering this information, what action would you expect the audit team leader to take?

Options:

A.

Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform

B.

Increase the length of the Stage 2 audit to include the extra sites

C.

Inform the auditee that the audit team leader accepts the request

D.

Obtain information about the additional sites to inform the individual(s) managing the audit programme

Buy Now
Questions 6

You are an ISMS audit team leader assigned by your certification body to carry out a follow-up audit of a Data Centre client.

According to ISO 19011:2018, the purpose of a follow-up audit is to verify which one of the following?

Options:

A.

The effectiveness of the management system

B.

Implementation of ISMS objectives

C.

Implementation of risk treatment plans

D.

Completion and effectiveness of corrective actions

Buy Now
Questions 7

Which two of the following statements are true?

Options:

A.

Responsibility for managing the audit programme rests with the audit team leader.

B.

The audit plan describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.

C.

Once agreed, the audit plan is fixed and cannot be changed during the conducting of the audi.

D.

The audit programme describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.

E.

The audit plan describes the activities and arrangements for an audit.

F.

The audit programme describes the activities and arrangements for an audit.

Buy Now
Questions 8

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity against ISO 27001:2022 based on the lack of control of the labelling process.

At the closing meeting, the Shipping Manager issues an apology to you that his comments may have been misunderstood. He says that he did not realise that there is a background IT process that automatically checks that the right label goes onto the right parcel otherwise the parcel is ejected at labelling. He asks that you withdraw your nonconformity.

Select three options of the correct responses that you as the audit team leader would make to the request of the Shipping Manager.

Options:

A.

Advise the Shipping Manager that his request will be included in the audit report

B.

Advise management that the new information provided will be discussed when the auditors have more time

C.

Inform the Shipping Manager that the nonconformity is minor and should be quickly corrected

D.

Ask the audit team members to state what they think should happen

E.

Inform him of your understanding and withdraw the nonconformity

F.

Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed

G.

Advise the Shipping Manager that the nonconformity must stand since the evidence obtained for it was dear

Buy Now
Questions 9

Audit methods can be either with or without interaction with individuals representing the auditee. Which two of the following methods are with interaction?

Options:

A.

Sampling (e.g. products)

B.

Observing work performed via live video streaming

C.

Reviewing checklists with auditee

D.

Checking legal compliance with local authorities

E.

Conducting interviews

F.

Analysing documents provided in advance of the audit

Buy Now
Questions 10

What is we do in ACT - From PDCA cycle

Options:

A.

Take actions to continually monitor process performance

B.

Take actions to continually improve process performance

C.

Take actions to continually monitor process performance

D.

Take actions to continually improve people performance

Buy Now
Questions 11

All are prohibited in acceptable use of information assets, except:

Options:

A.

Electronic chain letters

B.

E-mail copies to non-essential readers

C.

Company-wide e-mails with supervisor/TL permission.

D.

Messages with very large attachments or to a large number ofrecipients.

Buy Now
Questions 12

Which of the following is not a type of Information Security attack?

Options:

A.

Legal Incidents

B.

Vehicular Incidents

C.

Technical Vulnerabilities

D.

Privacy Incidents

Buy Now
Questions 13

Select the words that best complete the sentence:

ISO-IEC-27001-Lead-Auditor Question 13

Options:

Buy Now
Questions 14

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.

While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

Based on audit principles, should Jack contact the certification body regarding the second nonconformity? Refer to scenario 3.

Options:

A.

Yes, auditors should contact the ethics committee members of the certification body to obtain advice on such situation

B.

Yes, auditors should communicate such situations to the certification body; however, the top management should not be informed

C.

No, situations that may indicate financial crime are not the focus of an ISMS audit

Buy Now
Questions 15

Which one of the following options best describes the main purpose of a Stage 2 third-party audit?

Options:

A.

To determine readiness for certification

B.

To check for legal compliance by the organisation

C.

To identify nonconformances against a standard

D.

To get to know the organisation's management system

Buy Now
Questions 16

Which two of the following statements are true?

Options:

A.

The benefits of implementing an ISMS primarily result from a reduction in information security risks

B.

The benefit of certifying an ISMS is to obtain contracts from governmental institutions

C.

The purpose of an ISMS is to apply a risk management process for preserving information security

D.

The purpose of an ISMS is to demonstrate compliance with regulatory requirements

Buy Now
Questions 17

You are an experienced ISMS audit team leader guiding an auditor in training. You decide to test her knowledge of follow-up audits by asking her a series of questions. Here are your questions and her answers.

Which four of your questions has she answered correctly?

Options:

A.

Q: Should a follow-up audit seek to identify new nonconformities? A:YES

B.

Q: Should follow-up audits seek to ensure nonconformities have been effectively addressed? A:YES

C.

Q: Should follow-up audits consider agreed opportunities for improvement as well as corrective action? A:No

D.

Q: Is the purpose of a follow-up audit to verify the completion of corrections, corrective actions, and opportunities for improvement? A:YES

E.

Q: Are follow-up audits required for all audits? A:No

F.

Q: Should the outcome from a follow-up audit be reported to the audit team leader who carried out the audit at which the NCs were originally identified? A:YES

G.

Q: Should the outcome from a follow-up audit be reported to the audit client? A:No

Buy Now
Questions 18

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

UpNet announced that the ISMS certification scope encompasses the whole company once ensuring that the new department also complies with the ISO/IEC 27001 requirements. How would you classify this situation illustrated in scenario 9?

Options:

A.

Unacceptable, the internal auditor should have approved the extension audit, not the top management

B.

Unacceptable, UpNet should have requested and granted an extension audit prior to making the announcement

C.

Acceptable, the internal audit confirmed the effectiveness and efficiency of the existing and new processes and controls

Buy Now
Questions 19

After conducting an external audit, the auditor decided that the internal auditor would follow-up on the implementation of corrective actions until the next surveillance audit. Is this acceptable?

Options:

A.

No, only the external auditor should follow up on the implementation of corrective actions after the completion of the audit

B.

Yes, the internal auditor may verify the implementation of corrective actions if it cannot be done by the external auditor

C.

Yes, the internal auditor may follow-up on the implementation of corrective actions until a verification from the external auditor during the surveillance audit

Buy Now
Questions 20

You are conducting an Information Security Management System audit in the despatch department of an international

logistics organisation that provides shipping services to large organisations including local hospitals and government offices.

Parcels typically contain pharmaceutical products, biological samples and documents such as passports and driving licences.

You note that the company records show a very large number of returned items with causes including misaddressed labels

and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping

Manager (SM).

You: Are items checked before being dispatched?

SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes

it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to

simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a non-conformity against clause 8.1 of ISO 27001:2022.

Which one option below that best describes the non-conformity you have identified?

Options:

A.

The organisation does not have an approved process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have corrected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational methods to meet information security requirements.

B.

The organisation does not have an audited process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have inaccurate information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational rules to meet information security requirements.

C.

The organisation does not have an effective process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational controls to meet information security requirements.

D.

The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have detailed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational procedures to meet information security requirements.

E.

The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have protected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational processes to meet information security requirements.

Buy Now
Questions 21

Information or data that are classified as ______ do not require labeling.

Options:

A.

Public

B.

Internal

C.

Confidential

D.

Highly Confidential

Buy Now
Questions 22

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PHYSICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

Options:

A.

Access to and from the loading bay

B.

How power and data cables enter the building

C.

Information security awareness, education, and training

D.

The conducting of verification checks on personnel

E.

The development and maintenance of an information asset inventory

F.

The operation of the site CCTV and door control systems

G.

The organisation's arrangements for maintaining equipment

Buy Now
Questions 23

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security of the business continuity management process. During the audit, you learned that the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the recent pandemic. You ask Service Manager to explain how the organisation manages information security during the business continuity management process.

The Service Manager presents the nursing service continuity plan for a pandemic and summarises the process as follows:

Stop the admission of any NEW residents.

70% of administration staff and 30% of medical staff will work from home.

Regular staff self-testing including submitting a negative test report 1 day BEFORE they come to the office.

Install ABC's healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking on the spot.

You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents' personal data when staff work from home. The Service Manager cannot answer and suggests the n" Security Manager should help with that.

You would like to further investigate other areas to collect more audit evidence Select three options that will be in your audit trail.

Options:

A.

Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)

B.

Collect more evidence by interviewing more staff about their feeling about working from home. (Relevant to clause 4.2)

C.

Collect more evidence on what resources the organisation provides to support the staff working from home. (Relevant to clause 7.1)

D.

Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6)

E.

Collect more evidence on how and when the Business Continuity Wan has been tested. (Relevant to control A.5.29)

F.

Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2)

Buy Now
Questions 24

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

Based on scenario 5, the audit team disagreed with the proposed audit duration by Data Grid Inc. for the ISMS audit. How do you describe such a situation?

Options:

A.

Acceptable, auditors have the right to object, even refuse the audit mandate, if they deem that the audit duration is not sufficient

B.

Unacceptable, the audit duration is defined by the auditee and cannot be changed by the auditors

C.

Unacceptable, once the audit mandate is accepted, the audit duration cannot be changed

Buy Now
Questions 25

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Why could SendPay not restore their services back in-house after the contract termination? Refer to scenario 4.

Options:

A.

Because SendPay did not monitor the technology infrastructure of the outsourced software operations

B.

Because SendPay lacked a comprehensive business continuity plan with potential impact of contract terminations

C.

Because the outsourced software company terminated the contract with SendPay without prior notice

Buy Now
Questions 26

Select the word that best completes the sentence:

ISO-IEC-27001-Lead-Auditor Question 26

Options:

Buy Now
Questions 27

You are conducting an ISMS audit. The next step in your audit plan is to verify that the organisation's

information security risk treatment plan has been established and implemented properly. You decide to

interview the IT security manager.

You: Can you please explain how the organisation performs its information security risk assessment and

treatment process?

IT Security Manager: We follow the information security risk management procedure which generates a

risk treatment plan.

Narrator: You review risk treatment plan No. 123 relating to the planned installation of an electronic

(invisible) fence to improve the physical security of the nursing home. You found the risk treatment plan was

approved by IT Security Manager.

You: Who is responsible for physical security risks?

IT Security Manager: The Facility Manager is responsible for the physical security risk. The IT department helps them to monitor the alarm. The Facility Manager is authorized to approve the budget for risk treatment plan No. 123.

You: What residual information security risks exist after risk treatment plan No. 123 was implemented?

IT Security Manager: There is no information for the acceptance of residual information security risks as far as I know.

You prepare your audit findings. Select three options for findings that are justified in the scenario.

Options:

A.

Nonconformity (NC) - The information for the acceptance of residual information security risks should be updated after the risk treatment is implemented. Clause 6.1.3.f

B.

There is an opportunity for improvement (OI) to conduct security checks on the perimetre fence

C.

There is an opportunity for improvement (OI) once the Electronic (invisible) fence is installed. Residents' physical security is improved

D.

Nonconformity (NC) - Top management must ensure that the resources needed for the ISMS are available. Clause 5.1.c

E.

Nonconformity (NC) - The IT security manager should be aware of and understand his authority and area of responsibility. Clause 7.3

F.

Nonconformity (NC) - The organization should provide the resources needed for the continual improvement of the ISMS. Clause 7.1

G.

Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the Facility Manager in this case. Clause 6.1.3.f

Buy Now
Questions 28

The auditor discovered that two out of 15 employees of the IT Department have not received adequate information security training. What does this represent?

Options:

A.

Audit finding

B.

Audit evidence

C.

Information source

Buy Now
Questions 29

In regard to generating an audit finding, select the words that best complete the following sentence.

To complete the sentence with the best word(s), click on the blank section you want to complete so that it Is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

ISO-IEC-27001-Lead-Auditor Question 29

Options:

Buy Now
Questions 30

Which two of the following phrases would apply to "plan" in relation to the Plan-Do-Check-Act cycle for a business process?

Options:

A.

Retaining documentation

B.

Retaining documentation

C.

Organising changes

D.

Setting objectives

E.

Training staff

F.

Providing ICT assets

Buy Now
Questions 31

You are an experienced ISMS audit team leader, talking to an Auditor in training who has been assigned to your audit team. You want to ensure that they understand the importance of the Check stage of the Plan-Do-Check-Act cycle in respect of the operation of the information security management system.

You do this by asking him to select the words that best complete the sentence:

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

ISO-IEC-27001-Lead-Auditor Question 31

Options:

Buy Now
Questions 32

Which two of the following actions are the individual(s) managing the audit programme responsible for?

Options:

A.

Determining the resources necessary for the audit programme

B.

Communicating with the auditee during the audit

C.

Determining the legal requirements applicable to each audit

D.

Keping informed the accreditation body on the progress of the audit programme

E.

Defining the objectives, scope and criteria for an individual audit

F.

Defining the plan of an individual audit

Buy Now
Questions 33

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

Based on scenario 2, Knight decided to replace the FTP with Secure Shell (SSH) protocol. Should the Statement of Applicability (SoA) be updated in this case?

Options:

A.

No, the usage of SSH protocol is not an ISO/IEC 27001 requirement and; therefore, does not need to be included in the SoA

B.

No, because the SoA should be updated only when new controls are added, not when old ones are canceled

C.

Yes, the implementation of the new control should be justified and included in the SoA

Buy Now
Questions 34

Costs related to nonconformities and failures to comply with legal and contractual requirements are assessed when defining:

Options:

A.

Materiality

B.

Audit risks

C.

Reasonable assurance

Buy Now
Questions 35

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank’s labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

By drafting a procedure for information labeling, EsBank has:

Options:

A.

Submitted an action plan to resolve the nonconformity

B.

Created an information classification scheme

C.

Eliminated the root cause of the nonconformity

Buy Now
Questions 36

Which two of the following phrases would apply to "audit objectives"?

Options:

A.

Audit duration

B.

Determining conformity

C.

Checking legal compliance

D.

Auditor competence

E.

Revising management policy

F.

Identifying opportunities for improvement, if required

Buy Now
Questions 37

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Based on scenario 4, the auditors requested documentary evidence regarding the monitoring process of outsourced operations. What does this indicate?

Options:

A.

The auditors demonstrated professional skepticism

B.

The auditors compromised the confidentiality of outsourced operations

C.

The auditors evaluated the evidence based on a risk-based approach

Buy Now
Questions 38

Which one of the following conclusions in the audit report is not required by the certification body when deciding to grant certification?

Options:

A.

The corrections taken by the organisation related to major nonconformities have been accepted.

B.

The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.

C.

The plans to address corrective actions related to minor nonconformities have been accepted

D.

The scope of certification has been fulfilled

Buy Now
Questions 39

You are performing an ISMS audit at a European-based residential nursing home called ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process.

During the audit, you learned most of the residents' family members (90%) receive WeCare medical devices promotion advertisements through email and SMS once a week via ABC's healthcare mobile app. All of them do not agree on the use of the collected personal data for marketing or any other purposes than nursing and medical care on the signed service agreement with ABC. They have very strong reason to believe that ABC is leaking residents' and family members' personal information to a non-relevant third party and they have filed complaints.

The Service Manager says that, after investigation, all these complaints have been treated as nonconformities. The corrective actions have been planned and implemented according to the nonconformity and corrective management procedure (Document reference ID: ISMS_L2_10.1, version 1).

You write a nonconformity which you will follow up on later. Select the words that best complete the sentence:

ISO-IEC-27001-Lead-Auditor Question 39

Options:

Buy Now
Questions 40

Which is an example of a qualitative evidence?

Options:

A.

The documented results of an intrusion-detection test from an information security expert from an external organization

B.

A defined sample analysis of nonconformity reports drafted by the audited organization from the time their ISMS was implemented

C.

An interview with the information security personnel to validate if the information security process complies with the standard requirements

Buy Now
Questions 41

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank’s labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

Which option justifies the unfavorable recommendation for certification? Refer to scenario 8.

Options:

A.

The major nonconformity related to storing sensitive information in removable media

B.

The minor nonconformity related to the lack of information labeling procedure

C.

The unrealistic date of the submitted action plan (two weeks)

Buy Now
Questions 42

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Regarding the third situation observed, auditors themselves tested the configuration of firewalls implemented in SendPay's network. How do you describe this situation? Refer to scenario 4.

Options:

A.

Acceptable, technical evidence is required to validate the operation of technical processes

B.

Unacceptable, the auditors should only observe the testing of system or equipment configurations and not test the system themselves

C.

Unacceptable, firewall configurations should not be tested during an audit since this can have an impact systems' operation

Buy Now
Questions 43

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

According to scenario 1, the chatbot sent random files to users when it received invalid inputs. What impact might that lead to?

Options:

A.

Inability to provide service

B.

Loss of reputation

C.

Leak of confidential information

Buy Now
Questions 44

A property of Information that has the ability to prove occurrence of a claimed event.

Options:

A.

Electronic chain letters 

B.

Integrity

C.

Availability

D.

Accessibility

Buy Now
Questions 45

Which two of the following are examples of audit methods that 'do not' involve human interaction?

Options:

A.

Conducting an interview using a teleconferencing platform

B.

Performing a review of auditees procedures in preparation for an audit

C.

Reviewing the auditee's response to an audit finding

D.

Analysing data by remotely accessing the auditee's server

E.

Observing work performed by remote surveillance

F.

Confirming the date and time of the audit

Buy Now
Questions 46

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.

While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

Based on scenario 3. which ISO/IEC 27001 control has NightCore ignored when they used an illegal version of software?

Options:

A.

Annex A 5.1 Policies for information security

B.

Annex A 5.10 Acceptable use of information and other associated assets

C.

Annex A 5.32 Intellectual property rights

Buy Now
Questions 47

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank’s labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

According to scenario 8, the audit team evaluated the action plan and concluded that it would resolve the detected nonconformities. Is this acceptable?

Options:

A.

Yes. the audit team must evaluate the action plan and verify if it is appropriate for correcting the detected nonconformities

B.

Yes, only if EsBank has previously verified the effectiveness of the action plan and informed the audit team that the action plan allows the correction of nonconformities

C.

No, the auditee should verify if the action plan allows the correction of nonconformities and elimination of the root causes

Buy Now
Questions 48

You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee's knowledge of ISO/IEC 27001's risk management requirements.

You ask her a series of questions to which the answer is either 'that is true' or 'that is false'. Which four of the following should she answer 'that is true'?

Options:

A.

The results of risk assessments must be maintained

B.

Risk identification is used to determine the severity of an information security risk

C.

ISO/IEC 27001 provides an outline approach for the management of risk

D.

The organisation must produce a risk treatment plan for every business risk identified

E.

The organisation must operate a risk treatment process to eliminate it's information security risks

F.

The initial phase in an organisation's risk management process should be information security risk assessment

G.

Risks assessments should be undertaken at monthly intervals

Buy Now
Questions 49

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

FTP uses clear text passwords for authentication. This is an FTP:

Options:

A.

Vulnerability

B.

Risk

C.

Threat

Buy Now
Questions 50

You are an ISMS audit team leader preparing to chair a closing meeting following a third-party surveillance audit. You are drafting a closing meeting agenda setting out the topics you wish to discuss with your auditee.

Which one of the following would be appropriate for inclusion?

Options:

A.

A detailed explanation of the certification body's complaints process

B.

An explanation of the audit plan and its purpose

C.

A disclaimer that the result of the audit is based on the sampling of evidence

D.

Names of auditees associated with nonconformities

Buy Now
Questions 51

An organisation has ISO/IEC 27001 Information Security Management System (ISMS) certification from a third-party certification body. Which one of the following represents an advantage of having accredited certification?

Options:

A.

An increase in the marketing price of the organisation's products

B.

An increase in the number of clients

C.

Clarity of the audit report

D.

Recognition of the credibility of the certification process.

Buy Now
Questions 52

The responsibilities of a------------ include facilitating audit activities, maintaining logistics, ensuring that health and safety policies are observed, and witnessing

the audit process on behalf of the auditee.

Options:

A.

Internal auditor

B.

Observer

C.

Guide

Buy Now
Questions 53

In acceptable use of Information Assets, which is the best practice?

Options:

A.

Access to information and communication systems are provided for business purpose only

B.

Interfering with or denying service to any user other than the employee's host

C.

Playing any computer games during office hours

D.

Accessing phone or network transmissions, including wireless or wifi transmissions

Buy Now
Questions 54

You are an experienced ISMS audit team leader providing guidance to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the following activities. They have asked you to review their checklist to confirm that the actions they are proposing are appropriate.

The audit they have been invited to participate in is a third-party surveillance audit of a data centre . The data centre agent is part of a wider telecommunication group. Each data centre within the group operates its own ISMS and holds its own certificate.

Select three options that relate to ISO/IEC 27001:2022's requirements regarding external providers.

Options:

A.

I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group

B.

I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services

C.

I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information

D.

I will limit my audit activity to externally provided processes as there is no need to audit externally provided products of services

E.

I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance

F.

I will ensure the organization is has determined the need to communicate with external providers regarding the ISMS

G.

I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes

Buy Now
Questions 55

Which four of the following statements about audit reports are true?

Options:

A.

Audit reports should be produced by the audit team leader with input from the audit team

B.

Audit reports should include or refer to the audit plan

C.

Audit reports should be sent to the organisation's top management first because their contents could be embarrassing

D.

Audit reports should be assumed suitable for general circulation unless they are specifically marked confidential

E.

Audit reports should only evidence nonconformity

F.

Audit reports should be produced within an agreed timescale

G.

Audit reports that are no longer required can be destroyed as part of the organisation's general waste

Buy Now
Questions 56

Implement plan on a test basis - this comes under which section of PDCA

Options:

A.

Plan

B.

Do

C.

Act

D.

Check

Buy Now
Questions 57

You are an experienced audit team leader conducting a third-party surveillance audit of an organisation that designs websites for its clients. You are currently reviewing the organisation's Statement of Applicability.

Based on the requirements of ISO/IEC 27001, which two of the following observations about the Statement of Applicability are false?

Options:

A.

A Statement of Applicability must be produced by organisations seeking ISO/IEC 27001 conformity

B.

Justification is only required for any controls that the organisations choses to exclude

C.

Justification for both the inclusion and exclusion of Annex A controls in the Statement of Applicability is required

D.

The Statement of Applicability is owned and amended by the organisation's top management

E.

Additional controls not included in Appendix A may be added to the Statement of Applicability if the organisation choses to do so

F.

The Statement of Applicability must include Organisational, Physical, People and Technological controls that are necessary

Buy Now
Questions 58

Which two of the following are valid audit conclusions?

Options:

A.

ISMS induction training does not provide guidance on malware prevention

B.

The risk register had not been updated since June 202X

C.

Corrective action was outstanding for two internal audits

D.

The ISMS policy has been effectively communicated to the organisation

E.

The organisation's ISMS objectives meet the requirements of ISO/IEC 27001:2022

F.

The schedule of applicability was based on the 2013 edition of ISO/IEC 27001, not the 2022 edition

Buy Now
Questions 59

You are an ISMS audit team leader tasked with conducting a follow-up audit at a client's data centre. Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding.

Select four options for the actions you could take.

Options:

A.

Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified

B.

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit

C.

Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised

D.

Recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale

E.

Advise the auditee that you will arrange for the next audit to be an online audit to deal with the outstanding nonconformity

F.

Note the progress made but hold the audit open until all corrective action has been cleared

G.

Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity

Buy Now
Questions 60

During a third-party certification audit, you are presented with a list of issues by an auditee. Which four of the following constitute 'internal' issues in the context of a management system to ISO 27001:2022?

Options:

A.

Higher labour costs as a result of an aging population

B.

A rise in interest rates in response to high inflation

C.

Poor levels of staff competence as a result of cuts in training expenditure

D.

Poor morale as a result of staff holidays being reduced

E.

Increased absenteeism as a result of poor management

F.

A reduction in grants as a result of a change in government policy

G.

A fall in productivity linked to outdated production equipment

Buy Now
Questions 61

Below is Purpose of "Integrity", which is one of the Basic Components of Information Security

Options:

A.

the property that information is not made available or disclosed to unauthorized individuals

B.

the property of safeguarding the accuracy and completeness of assets.

C.

the property that information is not made available or disclosed to unauthorized individuals

D.

the property of being accessible and usable upon demand by an authorized entity.

Buy Now
Questions 62

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

Options:

A.

5.11 Return of assets

B.

8.12 Data leakage protection

C.

5.3 Segregation of duties

D.

6.3 Information security awareness, education, and training

E.

7.10 Storage media

F.

8.3 Information access restriction

G.

5.6 Contact with special interest groups

Buy Now
Questions 63

Which two of the following phrases would apply to 'check' in the Plan-Do-Check-Act cycle for a business process?

Options:

A.

Making improvements

B.

Managing changes

C.

Verifying training

D.

Resetting objectives

E.

Updating the Information Security Policy

F.

Auditing processes

Buy Now
Questions 64

Which two of the following standards are used as ISMS third-party certification audit criteria?

Options:

A.

ISO/IEC 27002

B.

ISO/IEC 20000-1

C.

ISO 19011

D.

ISO/IEC 27001

E.

Relavent legal, statutory, and regulatory requirements

F.

ISO/IEC 17021-1

Buy Now
Questions 65

Which six of the following actions are the individual(s) managing the audit programme responsible for?

Options:

A.

Selecting the audit team

B.

Retaining documented information of the audit results

C.

Defining the objectives, scope and criteria for an individual audit

D.

Defining the plan of an individual audit

E.

Establishing the extent of the audit programme

F.

Establishing the audit programme

G.

Determining the resources necessary for the audit programme

Buy Now
Questions 66

You are an experienced ISMS audit team leader guiding an auditor in training. She asks you about the grading of nonconformities in audit reports. You decide to test her knowledge by asking her which four of the following statements are true.

Options:

A.

Major nonconformities may be subject to on-site follow up

B.

Nonconformities must be graded only using the terms 'major' or 'minor'

C.

The action taken to address major nonconformities is typically more substantial than the action taken to address minor nonconformities

D.

Very minor nonconformities should be re-graded as opportunities for improvement

E.

Several minor nonconformities can be grouped into a major nonconformity

F.

The grading of nonconformities must be explained to the auditee at the opening meeting

G.

The auditee is always responsible for determining the criteria for grading nonconformities

Buy Now
Questions 67

Which one option best describes the purpose of retaining documented information related to the Information Security Management System (ISMS) of an organisation?

Options:

A.

To ensure that all workers will follow the established procedure.

B.

To show compliance with legal requirements.

C.

To show objective evidence to third-party auditors.

D.

To the extent necessary, to have confidence that the processes have been carried out as planned.

Buy Now
Questions 68

An auditor of organisation A performs an audit of supplier B. Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?

Options:

A.

Shares the findings with other relevant managers in A

B.

Shares the findings with B's Information Security Manager

C.

Shares the findings with A's supplier evaluation team

D.

Shares the findings with B's other customers

E.

Shares the findings with B's certification body

F.

Shares the findings with other relevant managers in B

Buy Now
Questions 69

How are internal audits and external audits related?

Options:

A.

Internal audits ensure that the organization regularly monitors the external audit reports and action plans

B.

Internal audits ensure the implementation of the corrective actions before the organization is recommended for certification by the external auditor

C.

Internal audits and external audits are included in the certification cycle, which ensures the monitoring of the management system on a regular basis

Buy Now
Questions 70

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

According to ISO/IEC 27001 requirements, does the company need to provide evidence of implementation of the procedure regarding logs recording user activities? Refer to scenario 6.

Options:

A.

Yes, event logs recording user activities must be kept and regularly reviewed

B.

No, because the implementation of this procedure is not a requirement of the standard

C.

No, the company only recommended implementing this procedure

Buy Now
Questions 71

Which one of the following options describes the main purpose of a Stage 1 audit?

Options:

A.

To determine readiness for Stage 2

B.

To check for legal compliance by the organisation

C.

To get to know the organisation

D.

To compile the audit plan

Buy Now
Questions 72

In the context of a management system audit, please identify the sequence of a typical process of collecting and verifying information. The first one has been done for you.

ISO-IEC-27001-Lead-Auditor Question 72

Options:

Buy Now
Questions 73

You are an experienced ISMS internal auditor.

You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's Statement of Applicability.

The IT Manager is attempting to update the ISO/IEC 27001:2013 based Statement of Applicability to a Statement aligned to the 4 control themes present in ISO/IEC 27001:2022 (Organizational controls, People Controls, Physical Controls, Technical Controls).

The IT Manager is happy with their reassignment of controls, with the following exceptions. He asks you which of the four control categories each of the following should appear under.

ISO-IEC-27001-Lead-Auditor Question 73

Options:

Buy Now
Questions 74

What is meant by the term 'Corrective Action'? Select one

Options:

A.

Action is taken to prevent a nonconformity or an incident from occurring

B.

Action is taken to eliminate the cause(s) of a nonconformity or an incident

C.

Action is taken by management to respond to a nonconformity

D.

Action is taken to fix a nonconformity or an incident

Buy Now
Questions 75

During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made.

Select two options for how the auditor should respond.

Options:

A.

Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures

B.

Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned

C.

Suggest that the MSR cancels the audit contract and reapplies for the new situation

D.

Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit

E.

Advise the MSR that, within the existing scope, the new work area can be included without any problem

F.

Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area

Buy Now
Questions 76

Select two of the following options that are the responsibility of a legal technical expert on the audit team during a certification audit.

Options:

A.

Evaluating the auditee's legal knowledge

B.

Criticising the organisation's legal compliance issues

C.

Debating complex legal points with the auditee

D.

Advising on legal checkpoints for the audit team

E.

Verifying the legal status of the organisation

F.

Meeting the organisation's legal representative

Buy Now
Questions 77

Which one of the following statements best describes the purpose of conducting a document review?

Options:

A.

To reveal whether the documented management system is nonconforming with audit criteria and to gather evidence to support the audit report

B.

To decide about the conformity of the documented management system with audit standards and to gather findings to support the audit process

C.

To determine the conformity of the management system, as far as documented, with audit criteria and to gather information to support the on-site audit activities

D.

To detect any nonconformity of the management system, if documented, with audit criteria and to identify information to support the audit plan

Buy Now
Questions 78

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

During stage 1 audit, the audit team found out that Sinvestment did not have records on information security training and awareness. What Sinvestment do in this case? Refer to scenario 6.

Options:

A.

Correct the identified issue before the stage 2 audit

B.

Document the identified issue and correct it after the certification audit is completed

C.

Perform a new risk assessment process to understand whether the issue needs modification or not

Buy Now
Questions 79

What is the standard definition of ISMS? 

Options:

A.

Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.

B.

A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving

C.

A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security

D.

A systematic approach for establishing, implementing, operating,monitoring, reviewing,  maintaining and improving an organization’s information security to achieve business objectives.

Buy Now
Questions 80

The auditor used sampling to ensure that event logs recording information security events are maintained and regularly reviewed. Sampling was based on the audit objectives, whereas the sample selection process was based on the probability theory. What type of sampling was used?

Options:

A.

Statistical sampling

B.

Judgment-based sampling

C.

Systematic sampling

Buy Now
Questions 81

An external auditor received an offer to conduct an ISMS audit at a research development company. Before accepting it, they discussed with the internal auditor of the auditee, who was their friend, about previous audit reports. Is this acceptable?

Options:

A.

No, the external auditor should discuss about the auditee's previous audit reports only with the certification body

B.

Yes, the auditor can review and discuss the previous audit reports before accepting an audit mandate

C.

No, the auditor should uphold objectivity even when deciding whether to accept the audit mandate or not

Buy Now
Questions 82

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next

step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support,

and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a

professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and

ISMS (ISO/IEC 27001) certified.

The IT Manager presented the software security management procedure and summarised the process as following:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum.

The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report, details as follows:

ISO-IEC-27001-Lead-Auditor Question 82

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You are preparing the audit findings. Select the correct option.

Options:

A.

There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)

B.

There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)

C.

There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

D.

There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

Buy Now
Exam Name: PECB Certified ISO/IEC 27001 2022 Lead Auditor exam
Last Update: Nov 19, 2024
Questions: 289

PDF + Testing Engine

$49.5  $164.99

Testing Engine

$37.5  $124.99
buy now ISO-IEC-27001-Lead-Auditor testing engine

PDF (Q&A)

$31.5  $104.99
buy now ISO-IEC-27001-Lead-Auditor pdf
dumpsmate guaranteed to pass
24/7 Customer Support

DumpsMate's team of experts is always available to respond your queries on exam preparation. Get professional answers on any topic of the certification syllabus. Our experts will thoroughly satisfy you.

Site Secure

mcafee secure

TESTED 24 Nov 2024