New Year Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

ISO-IEC-27001-Lead-Auditor PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Questions 4

Which of the options below is a control related to the management of personnel that aims to avoid the occurrence of incidents?

Options:

A.

The organization regularly provides security awareness and training sessions for its employees

B.

The organization always reviews the security policy after the integration of a new division to the organization

C.

The organization conducts regular user access reviews to verify that only authorized employees have access to confidential information

Buy Now
Questions 5

Select the words that best complete the sentence:

To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

ISO-IEC-27001-Lead-Auditor Question 5

Options:

Buy Now
Questions 6

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

Based on scenario 9, why was UpNefs certification suspended?

Options:

A.

Because UpNet used and applied the certification out of its scope

B.

Because UpNet outsourced the internal audit function

C.

Because UpNefs ISMS does not fulfill the requirements of the standard

Buy Now
Questions 7

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

The audit team photocopied the examined employee training records to support their conclusion. Should the audit team obtain an approval from Lawsy before taking this action? Refer to scenario 7.

Options:

A.

Yes. the audit team should obtain the approval of the auditee when verifying the existence of a process in all cases, including when taking notes and photocopying documents

B.

Yes, the audit team can photocopy documents observed during the audit if the auditee agrees to it

C.

No, the audit team has the authority to photocopy documents in order to verify the conformity of a certain document to the audit criteria

Buy Now
Questions 8

The auditor used sampling to ensure that event logs recording information security events are maintained and regularly reviewed. Sampling was based on the audit objectives, whereas the sample selection process was based on the probability theory. What type of sampling was used?

Options:

A.

Statistical sampling

B.

Judgment-based sampling

C.

Systematic sampling

Buy Now
Questions 9

Who are allowed to access highly confidential files?

Options:

A.

Employees with a business need-to-know

B.

Contractors with a business need-to-know

C.

Employees with signed NDA have a business need-to-know

D.

Non-employees designated with approved access and have signed NDA

Buy Now
Questions 10

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank’s labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

By drafting a procedure for information labeling, EsBank has:

Options:

A.

Submitted an action plan to resolve the nonconformity

B.

Created an information classification scheme

C.

Eliminated the root cause of the nonconformity

Buy Now
Questions 11

You are an experienced ISMS audit team leader guiding an auditor in training. You decide to test her knowledge of follow-up audits by asking her a series of questions. Here are your questions and her answers.

Which four of your questions has she answered correctly?

Options:

A.

Q: Should a follow-up audit seek to identify new nonconformities? A:YES

B.

Q: Should follow-up audits seek to ensure nonconformities have been effectively addressed? A:YES

C.

Q: Should follow-up audits consider agreed opportunities for improvement as well as corrective action? A:No

D.

Q: Is the purpose of a follow-up audit to verify the completion of corrections, corrective actions, and opportunities for improvement? A:YES

E.

Q: Are follow-up audits required for all audits? A:No

F.

Q: Should the outcome from a follow-up audit be reported to the audit team leader who carried out the audit at which the NCs were originally identified? A:YES

G.

Q: Should the outcome from a follow-up audit be reported to the audit client? A:No

Buy Now
Questions 12

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".

You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.

ISO-IEC-27001-Lead-Auditor Question 12

You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.

Options:

A.

Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

B.

Collect more evidence on what the service requirements of healthcare monitoring are. (Relevant to clause 4.2)

C.

Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26)

D.

Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27)

E.

Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26)

F.

Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8)

G.

Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

Buy Now
Questions 13

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit

plan is to verify the information security of the business continuity management process. During the audit, you learned that

the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the

recent pandemic. You ask the Service Manager to explain how the organization manages information security during the

business continuity management process.

The Service Manager presented the nursing service continuity plan for a pandemic and summarised the process as follows:

Stop the admission of any NEW residents.

70% of administration staff and 30% of medical staff will work from home.

Regular staff self-testing, including submitting a negative test report 1 day BEFORE they come to the office.

Install ABC's healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking on the spot.

You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents' personal data when staff work from home. The Service Manager cannot answer and suggests the IT Security Manager should help with that.

You would like to further investigate other areas to collect more audit evidence. Select three options that will not be in your audit trail.

Options:

A.

Collect more evidence on how information security protocols are maintained during disruption (relevant to control A.5.29)

B.

Collect more evidence that staff only use IT equipment protected from malware when working from home (relevant to control A.8.7)

C.

Collect more evidence by interviewing additional staff to ensure they are aware of the need to sometimes work from home (Relevant to clause 7.3)

D.

Collect more evidence on how and when the Business Continuity Plan has been tested. (Relevant to control A.5.29)

E.

Collect more evidence on how the organisation makes sure all staff periodically conduct a positive Covid test (Relevant to control A.7.2)

F.

Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)

G.

Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6)

Buy Now
Questions 14

The data centre at which you work is currently seeking ISO/IEC27001:2022 certification. In preparation for your initial certification visit, several internal audits have been carried out by a colleague working at another data centre within your Group. They secured their own ISO/IEC 27001:2022 certificate earlier in the year.

You have just qualified as an Internal ISMS auditor and your manager has asked you to review the audit process and audit findings as a final check before the external Certification Body arrives.

Which four of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements?

Options:

A.

Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date.

B.

Audit reports are not held in hardcopy (i.e. on paper). They are only stored as *. PDF documents on the organisation's intranet.

C.

The audit process states the results of audits will be made available to 'relevant' managers, not top management.

D.

The audit programme does not reference audit methods or audit responsibilities.

E.

The audit programme does not take into account the relative importance of information security processes.

F.

The audit programme does not take into account the results of previous audits.

G.

The audit programme has not been signed as 'approved by Top Management.

Buy Now
Questions 15

Which is not a requirement of HR prior to hiring?

Options:

A.

Undergo background verification

B.

Applicant must complete pre-employment documentation requirements

C.

Must undergo Awareness training on information security.

D.

Must successfully pass Background Investigation

Buy Now
Questions 16

You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's risk management process.

He is attempting to update the current documentation to make it easier for other managers to understand, however, it is clear from your discussion he is confusing several key terms.

You ask him to match each of the descriptions with the appropriate risk term. What should the correct answers be?

ISO-IEC-27001-Lead-Auditor Question 16

Options:

Buy Now
Questions 17

You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee's knowledge of ISO/IEC 27001's risk management requirements.

You ask her a series of questions to which the answer is either 'that is true' or 'that is false'. Which four of the following should she answer 'that is true'?

Options:

A.

The results of risk assessments must be maintained

B.

Risk identification is used to determine the severity of an information security risk

C.

ISO/IEC 27001 provides an outline approach for the management of risk

D.

The organisation must produce a risk treatment plan for every business risk identified

E.

The organisation must operate a risk treatment process to eliminate it's information security risks

F.

The initial phase in an organisation's risk management process should be information security risk assessment

G.

Risks assessments should be undertaken at monthly intervals

Buy Now
Questions 18

During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made.

Select two options for how the auditor should respond.

Options:

A.

Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures

B.

Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned

C.

Suggest that the MSR cancels the audit contract and reapplies for the new situation

D.

Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit

E.

Advise the MSR that, within the existing scope, the new work area can be included without any problem

F.

Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area

Buy Now
Questions 19

You receive the following mail from the IT support team: Dear User,Starting next week, we will be deleting all inactive email accounts in order to create spaceshare the below details in order to continue using your account. In case of no response, 

Name:

Email ID:

Password:

DOB:

Kindly contact the webmail team for any further support. Thanks for your attention.

Which of the following is the best response?

Options:

A.

Ignore the email

B.

Respond it by saying that one should not share the password with anyone

C.

One should not respond to these mails and report such email to your supervisor 

Buy Now
Questions 20

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.

While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

According to scenario 3, which audit principle has Jack compromised when he sold NightCore’s information after the audit?

Options:

A.

Independence

B.

Integrity

C.

Confidentiality

Buy Now
Questions 21

A key audit process is the way auditors gather information and determine the findings' characteristics. Put the actions listed in the correct order to complete this process. The last one has been done for you.

ISO-IEC-27001-Lead-Auditor Question 21

Options:

Buy Now
Questions 22

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

How do you evaluate the evidence obtained related to the monitoring process of outsourced operations? Refer to scenario 4.

Options:

A.

Irrelevant, monitoring the outsourced operations is not a requirement of the standard

B.

Not reliable. SendPay provided only verbal evidence regarding the monitoring of its outsourced operations

C.

Appropriate and sufficient, verbal confirmation from the SendPay's representatives indicates that the they were aware that outsourced operations must be monitored

Buy Now
Questions 23

Which situation presented below represents a threat?

Options:

A.

HackX uses and distributes pirated software

B.

The information security training was provided to only the IT team members of the organization

C.

Hackers compromised the administrator's account by cracking the password

Buy Now
Questions 24

You are conducting an Information Security Management System audit in the despatch department of an international

logistics organisation that provides shipping services to large organisations including local hospitals and government offices.

Parcels typically contain pharmaceutical products, biological samples and documents such as passports and driving licences.

You note that the company records show a very large number of returned items with causes including misaddressed labels

and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping

Manager (SM).

You: Are items checked before being dispatched?

SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes

it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to

simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a non-conformity against clause 8.1 of ISO 27001:2022.

Which one option below that best describes the non-conformity you have identified?

Options:

A.

The organisation does not have an approved process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have corrected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational methods to meet information security requirements.

B.

The organisation does not have an audited process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have inaccurate information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational rules to meet information security requirements.

C.

The organisation does not have an effective process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational controls to meet information security requirements.

D.

The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have detailed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational procedures to meet information security requirements.

E.

The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have protected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational processes to meet information security requirements.

Buy Now
Questions 25

You are carrying out your first third-party ISMS surveillance audit as an audit team leader. You are presently in the auditee's data centre with another member of your audit team and the organisation's guide.

You request access to a locked room protected by a combination lock and iris scanner. In the corner of the room is a collection of hard drives piled on a desk. You ask the guide what the status of

the drives is. He tells you the drives are redundant and awaiting disposal. They should have been picked up last week, but the organisation's external provider of secure destruction services was

unable to source a driver due to staff sickness. He says this has recently become more common though he does not know why. He then presents you with a job ticket that confirms the pickup has

been rescheduled for tomorrow.

Based on the scenario above which three of the following actions would you now take?

Options:

A.

Record a nonconformity against control A.5.13 'labelling of information' as the disk drives' status was unclear

B.

Raise a nonconformity against control A.7.7, 'clear desk and clear screen' because the drives have been left unprotected on the desktop.

C.

Record an opportunity for improvement in respect of the external provider's inventory management arrangements.

D.

Ensure that the organisation's arrangements for the secure disposal and reuse of equipment have been adhered to.

E.

Record the finding but note no further action is required as the pickup has now been rescheduled.

F.

Raise a nonconformity against control A.7.5, 'protecting against physical and environmental threats' because the drives have been left exposed on the desktop.

G.

Ensure that the organisation's arrangements for the life cycle management of storage media have been adhered to.

Buy Now
Questions 26

The data center at which you work is currently seeking ISO/IEC27001:2022 certification. In preparation for your initial certification visit a number of internal audits have been carried out by a colleague working at another data centre within your Group. They secured their ISO/IEC 27001:2022 certificate earlier in the year.

You have just qualified as an Internal ISMS auditor and your manager has asked you to review the audit process and audit findings as a final check before the external Certrfication Body arrives.

Which six of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements?

Options:

A.

The audit programme shows management reviews taking place at irregular intervals during the year

B.

Audit reports are not held in hardcopy (i.e. on paper). They are only stored as ".POF documents on the organisation's intranet

C.

The audit programme does not take into account the relative importance of information security processes

D.

The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022

E.

Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date

F.

Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes

G.

The audit programme does not reference audit methods or audit responsibilities

Buy Now
Questions 27

Which two of the following standards are used as ISMS third-party certification audit criteria?

Options:

A.

ISO/IEC 27002

B.

ISO/IEC 20000-1

C.

ISO 19011

D.

ISO/IEC 27001

E.

Relavent legal, statutory, and regulatory requirements

F.

ISO/IEC 17021-1

Buy Now
Questions 28

Which three of the following work documents are not required for audit planning by an auditor conducting a certification audit?

Options:

A.

An audit plan

B.

A sample plan

C.

An organisation's financial statement

D.

A checklist

E.

A career history of the IT manager

F.

A list of external providers

Buy Now
Questions 29

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

Based on scenario 2, the ISMS project manager approved the results of risk assessment. Is this acceptable?

Options:

A.

No, the risk remaining after the treatment of risk should be approved by the top management at any stage

B.

No, the risk remaining after the implementation of new controls for the ISMS should be approved by the ISMS team

C.

Yes, the risk remaining after the treatment of risk should be approved by the ISMS project manager

Buy Now
Questions 30

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify that the Statement of Applicability (SoA) contains the necessary controls. You review the latest SoA (version 5) document, sampling the access control to the source code (A.8.4), and want to know how the organisation secures ABC's healthcare mobile app source code received from an outsourced software developer.

The IT Security Manager explains the received source code will be checked into the SCM system to make sure of its integrity and security. Only authorised users will be able to check out the software to update it. Both check-in and check-out activities will be logged by the system automatically. The version control is managed by the system automatically.

You found a total of 10 user accounts on the SCM. All of them are from the IT department. You further check with the Human Resource manager and confirm that one of the users, Scott, resigned 9 months ago. The SCM System Administrator confirmed Scott's last check-out of the source code was found 1 month ago. He was using one of the authorised desktops from the local network in a secure area.

You check the user de-registration procedure which states "Managers have to make sure of deregistration of the user account and authorisation immediately from the relevant ICT system and/or equipment after resignation approval." There was no deregistration record for user Scott.

The IT Security Manager explains that Scott is a very good software engineer, an ex-colleague, and a friend. He still comes back to the office every month after he resigned to provide support on source code maintenance. That's why his account on SCM still exists. "We know Scott well and he passed all our background checks when he joined us. As such we didn't feel it necessary to agree any further information security requirements with him just because he is now an external provider".

You prepare the audit findings. Select the three correct options.

Options:

A.

There is a nonconformity (NC). Scott should have been advised of applicable information security requirements relevant to his new relationship (external provider) with the nursing home. The IT security manager has however confirmed that this did not take place. This does not conform with control A.5.20.

B.

There is a nonconformity (NC). The organisation's access control arrangements are not operating effectively as an individual who is no longer employed by the organisation is being permitted to access the nursing home's ICT systems. This does not conform with control A.5.15.

C.

There is a nonconformity (NC). The IT Security manager did not make sure the user account for Scott was removed from the SCM and did not complete the user deregistration process after the resignation. This does not conform with clause 9.1 and control A.5.15.

D.

There is a nonconformity (NC). The operating procedures are not well documented. This prevented the SCM System Administrator from being able to remove a user account immediately. This does not conform with clause 9.1 and control A.5.37.

E.

There is a nonconformity (NC). The organisation does not have a documented procedure setting out the use of systematic tools to provide access and version control of the source code. This does not conform with clause 9.1 and control A.8.4.

F.

There is a nonconformity (NC). The organisation has failed to identify the security risks associated with leaving Scott's account open when he was only re-engaged for a short period monthly. This does not conform with clause 8.2.

G.

There is a nonconformity (NC). The SCM is open-source system software. It is not secured and cannot be used for access and version control of the source code. This does not conform with clause 9.1 and control A.8.4.

Buy Now
Questions 31

You are an experienced ISMS audit team leader guiding an auditor in training. She asks you about the grading of nonconformities in audit reports. You decide to test her knowledge by asking her which four of the following statements are true.

Options:

A.

Major nonconformities may be subject to on-site follow up

B.

Nonconformities must be graded only using the terms 'major' or 'minor'

C.

The action taken to address major nonconformities is typically more substantial than the action taken to address minor nonconformities

D.

Very minor nonconformities should be re-graded as opportunities for improvement

E.

Several minor nonconformities can be grouped into a major nonconformity

F.

The grading of nonconformities must be explained to the auditee at the opening meeting

G.

The auditee is always responsible for determining the criteria for grading nonconformities

Buy Now
Questions 32

In regard to generating an audit finding, select the words that best complete the following sentence.

To complete the sentence with the best word(s), click on the blank section you want to complete so that it Is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

ISO-IEC-27001-Lead-Auditor Question 32

Options:

Buy Now
Questions 33

Integrity of data means

Options:

A.

Accuracy and completeness of the data

B.

Data should be viewable at all times

C.

Data should be accessed by only the right people

Buy Now
Questions 34

What is meant by the term 'Corrective Action'? Select one

Options:

A.

Action is taken to prevent a nonconformity or an incident from occurring

B.

Action is taken to eliminate the cause(s) of a nonconformity or an incident

C.

Action is taken by management to respond to a nonconformity

D.

Action is taken to fix a nonconformity or an incident

Buy Now
Questions 35

CEO sends a  mail giving his views on the status of the company and the company’s future strategy and the CEO's vision and the employee's part in it. The mail should be classified as

Options:

A.

Internal Mail

B.

Public Mail

C.

Confidential Mail

D.

Restricted Mail

Buy Now
Questions 36

Which one of the following options best describes the purpose of a Stage 2 audit?

Options:

A.

To check for legal compliance by the organisation

B.

To ensure that the audit plan is carried out

C.

To evaluate the implementation of the management system

D.

To get to know the organisation's processes

Buy Now
Questions 37

You are an experienced ISMS audit team leader conducting a third-party surveillance audit of an internet services provider. You are reviewing the organization's risk assessment processes for conformity with ISO/IEC 27001:2022.

Which three of the following audit findings would prompt you to raise a nonconformity report?

Options:

A.

Both systems contain additional information security risks which are not associated with preserving the confidentiality, integrity and accessibility of information

B.

The organisation is treating information security risks in the order in which they are identified

C.

The organisation's information security risk assessment process suggests each risk is allocated a risk owner

D.

The organisation has not used RAG (Red, Amber, Green) to classify its' information security risks. Instead, it has used a smiling emoji, a neutral face emoji and a sad face emoji

E.

The organisation's risk assessment criteria have not been reviewed and approved by top management

F.

The organisation's information security risk assessment process is based solely on an assessment of the impact of each risk

G.

The organisation has assessed the probability of all of its information security risks as either 0%, 25%, 50%, 75% or 100%

Buy Now
Questions 38

Which of the options below presents a minor nonconformity?

Options:

A.

The risk assessment methodology prevents evaluation of information security risks

B.

The contract of the company with its supplier does not have the appropriate document version control

C.

The backup of data is performed once a month, while the company's procedure requires daily backups

Buy Now
Questions 39

An organisation has ISO/IEC 27001 Information Security Management System (ISMS) certification from a third-party certification body. Which one of the following represents an advantage of having accredited certification?

Options:

A.

An increase in the marketing price of the organisation's products

B.

An increase in the number of clients

C.

Clarity of the audit report

D.

Recognition of the credibility of the certification process.

Buy Now
Questions 40

You have a hard copy of a customer design document that you want to dispose off. What would you do

Options:

A.

Throw it in any dustbin

B.

Shred it using a shredder

C.

Give it to the office boy to reuse it for other purposes

D.

Be environment friendly and reuse it for writing

Buy Now
Questions 41

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in

the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric

combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and

combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card was

swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their

cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

Options:

A.

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times

B.

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

C.

Raise a nonconformity against control A.7.1 'security perimiters' as a secure area is not adequately protected

D.

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined

E.

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier

F.

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities

Buy Now
Questions 42

You are preparing the audit findings. Select two options that are correct.

Options:

A.

There is an opportunity for improvement (OFI). The iLiirmation security incident training effectiveness can be improved. This is relevant to clause 7.2 and control A.6.3.

B.

There is no nonconformance. The information security weaknesses, events, and incidents are reported. This conforms with clause 9.1 and control A.5.24.

C.

There is no nonconformance. The information security handling training has performed, and its effectiveness was evaluated. This conforms with clause 7.2 and control A.6.3.

D.

There is a nonconformity (NC). Based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel. This is not conforming with clause 9.1 and control A.5.24.

E.

There is a nonconformity (NC). The information security incident training has failed. This is not conforming with clause 7.2 and control A.6.3.

F.

There is an opportunity for improvement (OFI). The information security weaknesses, events, and madents are reported. This is relevant to clause 9.1 and control A.5.24.

Buy Now
Questions 43

You are an experience ISMS audit team leader carrying out a third-party certification audit of an organization specialising in the secure disposal of confidential documents and removable media. Both documents and media are shredded in military grade devices which make it impossible to reconstruct the original.

The audit has gone well and you are just about to start to write the audit report, 30 minutes before the closing meeting. At

this point one of the organization's employees knocks on your door and asks if they can speak to you. They tell you that when things get busy her manager tells her to use a lower grade industrial shredder instead as the organisation has more of these and they operate faster. You were not informed about the existence or use of these machines by the auditee.

Select three options for how you should respond to this information.

Options:

A.

Advise the individual managing the audit programme of any recommendation by you to conduct a further auditprior to certification

B.

Cancel the production of the audit report and instead review the organization's contracts with its clients to determine whether they have permitted the use of lower grade machines

C.

Consider the need for a subsequent audit within 4 weeks based on the additional information that has come to light

D.

Do nothing. All audits are based on a sample and the sample you took did not include a planned review of the lower grade machines

E.

Extend the certification audit duration to create additional time to audit the use of the lower grade machines

F.

Raise a nonconformity against 8.1 Operational Planning and Control as the organization has not been open about its processes

G.

Verify with the auditee that lower grade machines are used in certain circumstances

Buy Now
Questions 44

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

Based on scenario 6, during stage 1 audit, the auditor found out that some documents regarding the ISMS had different format. What should the auditor do in this case?

Options:

A.

Verify if the documented information has the appropriate format and is in accordance with the company's documentation procedure since this is a requirement of the standard

B.

Verify only if the information required by the standard is documented without taking into account the format since this is not a requirement of the standard

C.

Document this observation as an issue that should be verified during stage 2 audit

Buy Now
Questions 45

After analyzing the audit conclusions, Company X decided to accept the risk related to one of the detected nonconformities. They claimed that no corrective action was necessary; however, their decision was not documented. Is this acceptable?

Options:

A.

Yes, the auditee's management can decide to accept the risk instead of implementing corrective actions and documenting such decision is not necessary

B.

No, the decision of the auditee to accept the risk instead of implementing corrective actions should be justified and documented

C.

No, the auditee must implement corrective actions for all the observations documented during the audit

Buy Now
Questions 46

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

Based on scenario 5, the audit team assessed the ISMS as a whole, rather than assessing the effectiveness and conformity of each process. Is this acceptable?

Options:

A.

Yes, due to time constraints for the audit completion, the audit team must obtain absolute assurance by assessing the ISMS as a whole

B.

No, the audit team should obtain assurance that the ISMS conforms to the standard requirements by assessing each process

C.

Yes, if the audit team has obtained a reasonable assurance that helps them evaluate the ISMS conformity

Buy Now
Questions 47

You are carrying out a third-party surveillance audit of a client's ISMS. You are currently in the secure storage area of the data centre where the organisation's customers are able to temporarily locate equipment coming into or going out of the site. The equipment is contained within locked cabinets and each cabinet is allocated to a single, specific client.

Out of the corner of your eye you spot movement near the external door of the storage area. This is followed by a loud noise. You ask the guide what is going on. They tell you that recent high rainfall has raised local river levels and caused an infestation of rats. The noise was a specialist pest control stunning device being triggered. You check the device in the corner and find there is a large immobile rat contained within it.

What three actions would be appropriate to take next?

Options:

A.

Take no further action. This is an ISMS audit, not an environmental management system audit

B.

Investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied

C.

Determine whether the high levels of rainfall have had other impacts on data centre operations e.g. damage to infrastructure, access issues for clients, invocation of business continuity arrangements

D.

Raise a nonconformity against control 7.4 Physical Security monitoring

E.

Raise a nonconformity against control 7.2 Physical Entry

F.

Check with the guide that they intend to initiate the organisation's information security incident process

G.

Inspect the client cabinets for signs of rodent ingress and record your findings as audit evidence

Buy Now
Questions 48

During discussions with the individual(s) managing the audit programme of a certification body, the Management System Representative of the client organisation asks for a specific auditor for the certification audit. Select two of the following options for how the individual(s) managing the audit programme should respond.

Options:

A.

Advise the Management System Representative that his request can be accepted

B.

Suggest that the Management System Representative chooses another certification body

C.

State that his request will be considered but may not be taken up

D.

Suggest asking the certification body management to permit the request

E.

Advise the Management System Representative that the audit team selection is a decision that the audit programme manager needs to make based on the resources available

Buy Now
Questions 49

You are an experienced ISMS auditor, currently providing support to an ISMS auditor in training who is carrying out her first initial certification audit. She asks you what she should be verifying when auditing an organisation's Information Security objectives. You ask her what she has included in her audit checklist and she provides the following replies.

Which three of these responses would you cause you concern in relation to conformity with ISO/IEC 27001:2022?

Options:

A.

I am going to check how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved

B.

I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed

C.

I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved

D.

I am going to check that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this

E.

I am going to check that a completion date has been set for each objective and that there are no objectives with missing 'achieve by' dates

F.

I am going to check that the necessary budget, manpower and materials to achieve each objective has been determined

G.

I am going to check that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them

Buy Now
Questions 50

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.

The IT Manager presented the software security management procedure and summarised the process as following:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security

functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report, details as follows:

ISO-IEC-27001-Lead-Auditor Question 50

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorised to approve the test.

The IT Manager explains the test results should be approved by him according to the software security management procedure.

The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You are preparing the audit findings. Select the correct option.

Options:

A.

There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

B.

There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)

C.

There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)

D.

There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

Buy Now
Questions 51

A property of Information that has the ability to prove occurrence of a claimed event.

Options:

A.

Electronic chain letters 

B.

Integrity

C.

Availability

D.

Accessibility

Buy Now
Questions 52

Select the option which best describes how Information Security Management System audits should be conducted:

Options:

A.

Audit criteria should be used to assess circumstantial evidence in order to generate audit outcomes. Then, the audit report should be created and presented to the audit team at the audit team meeting.

B.

Audit criteria should be used to assess objective evidence in order to generate audit outcomes. Then, the audit report should be created and presented to the audit team leader at the closing meeting.

C.

Audit methods should be used to assess audit evidence in order to generate audit recommendations. Then, the audit recommendations should be created and presented to the auditee at the closing meeting.

D.

Audit methods should be used to assess objective evidence in order to generate audit findings. Then, the audit conclusion should be created and presented to the auditee at the closing meeting.

E.

Audit objectives should be used to assess audit evidence in order to generate audit conclusions. Then, the audit findings should be created and presented to the audit client at the closing meeting.

F.

Audit objectives should be used to assess objective evidence in order to generate audit conclusions. Then, the audit recommendations should be created and presented to top management at management review.

Buy Now
Questions 53

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next

step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support,

and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a

professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and

ISMS (ISO/IEC 27001) certified.

The IT Manager presented the software security management procedure and summarised the process as following:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum.

The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report, details as follows:

ISO-IEC-27001-Lead-Auditor Question 53

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You are preparing the audit findings. Select the correct option.

Options:

A.

There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)

B.

There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)

C.

There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

D.

There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

Buy Now
Questions 54

Which one of the following options best describes the main purpose of a Stage 1 third-party audit?

Options:

A.

To introduce the audit team to the client

B.

To learn about the organisation's procurement

C.

To determine redness for a stage 2 audit

D.

To check for legal compliance by the organisation

E.

To prepare an independent audit report

F.

To get to know the organisation's customers

Buy Now
Questions 55

PayBell, a finance corporation, is using an accounting software to track financial transactions. The software can be accessed from anywhere with an internet connection. It also enables PayBell's employees to easily collaborate with each other to ensure accurate financial reporting. What type of services is PayBell using?

Options:

A.

Machine learning

B.

Cloud computing

C.

Artificial intelligence

Buy Now
Questions 56

The audit team leader prepares the audit plan for an initial certification stage 2 audit to ISO/IEC 27001:2022.

Which one of the following statements is true?

Options:

A.

The audit team leader should make sure the audit has the support of a Technical Expert

B.

The audit team leader should appoint audit team members with IT experience

C.

The audit team leader should plan to interview each employee within the scope

D.

The organisation should review the audit plan for agreement

Buy Now
Questions 57

The following are definitions of Information, except:

Options:

A.

accurate and timely data

B.

specific and organized data for a purpose

C.

mature and measurable data

D.

can lead to understanding and decrease in uncertainty

Buy Now
Questions 58

During a follow-up audit, you notice that a nonconformity identified for completion before the follow-up audit is still outstanding.

Which four of the following actions should you take?

Options:

A.

Report the failure to address the corrective action for the outstanding nonconformity to the organisation's top management

B.

Immediately raise an nonconformity as the date for completion has been exceeded

C.

If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client

D.

Contact the individuals) managing the audit programme to seek their advice as to how to proceed

E.

Decide whether the delay in addressing the nonconformity is justified

F.

Cancel the follow-up audit and return when an assurance has been received that the nonconformity has been cleared

G.

Note the nonconformity is still outstanding and follow audit trails to determine why

Buy Now
Questions 59

You are an ISMS audit team leader tasked with conducting a follow-up audit at a client's data centre. Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding.

Select four options for the actions you could take.

Options:

A.

Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified

B.

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit

C.

Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised

D.

Recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale

E.

Advise the auditee that you will arrange for the next audit to be an online audit to deal with the outstanding nonconformity

F.

Note the progress made but hold the audit open until all corrective action has been cleared

G.

Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity

Buy Now
Questions 60

The audit lifecycle describes the ISO 19011 process for conducting an individual audit. Drag and drop the steps of the audit lifecycle into the correct sequence.

ISO-IEC-27001-Lead-Auditor Question 60

Options:

Buy Now
Questions 61

Which two of the following are valid audit conclusions?

Options:

A.

ISMS induction training does not provide guidance on malware prevention

B.

The risk register had not been updated since June 202X

C.

Corrective action was outstanding for two internal audits

D.

The ISMS policy has been effectively communicated to the organisation

E.

The organisation's ISMS objectives meet the requirements of ISO/IEC 27001:2022

F.

The schedule of applicability was based on the 2013 edition of ISO/IEC 27001, not the 2022 edition

Buy Now
Questions 62

You are an ISMS audit team leader assigned by your certification body to carry out a follow-up audit of a Data Centre client.

According to ISO 19011:2018, the purpose of a follow-up audit is to verify which one of the following?

Options:

A.

The effectiveness of the management system

B.

Implementation of ISMS objectives

C.

Implementation of risk treatment plans

D.

Completion and effectiveness of corrective actions

Buy Now
Questions 63

The following are purposes of Information Security, except:

Options:

A.

Ensure Business Continuity

B.

Minimize Business Risk

C.

Increase Business Assets

D.

Maximize Return on Investment

Buy Now
Questions 64

Below is Purpose of "Integrity", which is one of the Basic Components of Information Security

Options:

A.

the property that information is not made available or disclosed to unauthorized individuals

B.

the property of safeguarding the accuracy and completeness of assets.

C.

the property that information is not made available or disclosed to unauthorized individuals

D.

the property of being accessible and usable upon demand by an authorized entity.

Buy Now
Questions 65

-------------------------is an asset like other important business assets has value to an organization and consequently needs to be protected.

Options:

A.

Infrastructure

B.

Data

C.

Information

D.

Security

Buy Now
Questions 66

You are an experienced ISMS audit team leader providing guidance to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the following activities. They have asked you to review their checklist to confirm that the actions they are proposing are appropriate.

The audit they have been invited to participate in is a third-party surveillance audit of a data centre . The data centre agent is part of a wider telecommunication group. Each data centre within the group operates its own ISMS and holds its own certificate.

Select three options that relate to ISO/IEC 27001:2022's requirements regarding external providers.

Options:

A.

I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group

B.

I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services

C.

I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information

D.

I will limit my audit activity to externally provided processes as there is no need to audit externally provided products of services

E.

I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance

F.

I will ensure the organization is has determined the need to communicate with external providers regarding the ISMS

G.

I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes

Buy Now
Questions 67

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

Based on this scenario, answer the following question:

Insufficient testing and lack of samples provided to Fintive's chatbot during the training phase are considered as 1.

Refer to scenario

Options:

A.

Threats

B.

Vulnerabilities

C.

Risks

Buy Now
Questions 68

Which one of the following options is the definition of an interested party?

Options:

A.

A third party can appeal to an organisation when it perceives itself to be affected by a decision or activity

B.

A person or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity

C.

A group or organisation that can interfere in or perceive itself to be interfered with by a management decision

D.

An individual or organisation that can control, be controlled by, or perceive itself to be controlled by a decision or activity

Buy Now
Questions 69

Which two of the following options are an advantage of using a sampling plan for the audit?

Options:

A.

Overrules the auditor's instincts

B.

Reduces the audit duration

C.

Prevents conflict within the audit team

D.

Gives confidence in the audit results

E.

Implements the audit plan efficiently

F.

Use of the plan for consecutive audits

Buy Now
Questions 70

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the

Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

Options:

A.

Confidentiality and nondisclosure agreements

B.

How protection against malware is implemented

C.

Information security awareness, education and training

D.

Remote working arrangements

E.

The conducting of verification checks on personnel

F.

The operation of the site CCTV and door control systems

G.

The organisation's arrangements for information deletion

Buy Now
Questions 71

Which four of the following statements about audit reports are true?

Options:

A.

Audit reports should be produced by the audit team leader with input from the audit team

B.

Audit reports should include or refer to the audit plan

C.

Audit reports should be sent to the organisation's top management first because their contents could be embarrassing

D.

Audit reports should be assumed suitable for general circulation unless they are specifically marked confidential

E.

Audit reports should only evidence nonconformity

F.

Audit reports should be produced within an agreed timescale

G.

Audit reports that are no longer required can be destroyed as part of the organisation's general waste

Buy Now
Questions 72

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

The audit team concluded that Lawsy meets the ISO/IEC 27001's requirements related to training and awareness by examining 15 out of 50 employee training records, as provided in scenario 7. This is a risk or error related to:

Options:

A.

The auditor

B.

Sampling

C.

The sample size

Buy Now
Questions 73

ISO-IEC-27001-Lead-Auditor Question 73

Options:

Buy Now
Questions 74

In acceptable use of Information Assets, which is the best practice?

Options:

A.

Access to information and communication systems are provided for business purpose only

B.

Interfering with or denying service to any user other than the employee's host

C.

Playing any computer games during office hours

D.

Accessing phone or network transmissions, including wireless or wifi transmissions

Buy Now
Questions 75

You received an email requiring you to send information such as name, email, and password in order to continue using your email account. If you do not send such

information, your email account will be disabled. What does this scenario present?

Options:

A.

A personnel type of vulnerability

B.

An unauthorized action type of threat

C.

A compromise of information type of threat

Buy Now
Questions 76

The responsibilities of a------------ include facilitating audit activities, maintaining logistics, ensuring that health and safety policies are observed, and witnessing

the audit process on behalf of the auditee.

Options:

A.

Internal auditor

B.

Observer

C.

Guide

Buy Now
Questions 77

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Why could SendPay not restore their services back in-house after the contract termination? Refer to scenario 4.

Options:

A.

Because SendPay did not monitor the technology infrastructure of the outsourced software operations

B.

Because SendPay lacked a comprehensive business continuity plan with potential impact of contract terminations

C.

Because the outsourced software company terminated the contract with SendPay without prior notice

Buy Now
Questions 78

You are an ISMS audit team leader who has been assigned by your certification body to carry out a follow-up audit of a client. You are preparing your audit plan for this audit.

Which two of the following statements are true?

Options:

A.

Verification should focus on whether any action undertaken taken has been undertaken efficiently

B.

Corrections should be verified first, followed by corrective actions and finally opportunities for improvement

C.

Verification should focus on whether any action undertaken is complete

D.

Opportunities for improvement should be verified first, followed by corrections and finally corrective actions

E.

Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement

F.

Verification should focus on whether any action undertaken has been undertaken effectively

Buy Now
Questions 79

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

Based on this scenario, answer the following question:

Based on scenario 1, the chatbot was unable to properly answer customer queries. Which principle of information security has been affected in this

case?

Options:

A.

Availability

B.

Integrity

C.

Confidentiality

Buy Now
Questions 80

Match the correct responsibility with each participant of a second-party audit:

ISO-IEC-27001-Lead-Auditor Question 80

Options:

Buy Now
Questions 81

You are performing an ISMS audit at a European-based residential

nursing home called ABC that provides healthcare services. You find all

nursing home residents wear an electronic wristband for monitoring

their location, heartbeat, and blood pressure always. You learned that

the electronic wristband automatically uploads all data to the artificial

intelligence (AI) cloud server for healthcare monitoring and analysis by

healthcare staff.

The next step in your audit plan is to verify that the information security

policy and objectives have been established by top management.

During the audit, you found the following audit evidence.

Match the audit evidence to the corresponding requirement in ISO/IEC 27001:2022.

ISO-IEC-27001-Lead-Auditor Question 81

Options:

Buy Now
Questions 82

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

Options:

A.

5.11 Return of assets

B.

8.12 Data leakage protection

C.

5.3 Segregation of duties

D.

6.3 Information security awareness, education, and training

E.

7.10 Storage media

F.

8.3 Information access restriction

G.

5.6 Contact with special interest groups

Buy Now
Exam Name: PECB Certified ISO/IEC 27001 2022 Lead Auditor exam
Last Update: Dec 19, 2024
Questions: 289

PDF + Testing Engine

$57.75  $164.99

Testing Engine

$43.75  $124.99
buy now ISO-IEC-27001-Lead-Auditor testing engine

PDF (Q&A)

$36.75  $104.99
buy now ISO-IEC-27001-Lead-Auditor pdf