Independence Day Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sale65best

PECB ISO-IEC-27001-Lead-Auditor Exam Made Easy: Step-by-Step Preparation Guide

Questions 21

The audit team leader prepares the audit plan for an initial certification stage 2 audit to ISO/IEC 27001:2022.

Which one of the following statements is true?

Options:

A.

The audit team leader should make sure the audit has the support of a Technical Expert

B.

The audit team leader should appoint audit team members with IT experience

C.

The audit team leader should plan to interview each employee within the scope

D.

The organisation should review the audit plan for agreement

Buy Now
Questions 22

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Based on scenario 4, the auditors requested documentary evidence regarding the monitoring process of outsourced operations. What does this indicate?

Options:

A.

The auditors demonstrated professional skepticism

B.

The auditors compromised the confidentiality of outsourced operations

C.

The auditors evaluated the evidence based on a risk-based approach

Buy Now
Questions 23

Which two of the following phrases would apply to "act" in relation to the Plan-Do-Check-Act cycle for a business process?

Options:

A.

Auditing processes

B.

Planning changes

C.

Measuring objectives

D.

Resetting objectives

E.

Achieving improvements

F.

Verifying training

Buy Now
Questions 24

You are performing an ISMS audit at a European-based residential nursing home called ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process.

During the audit, you learned most of the residents' family members (90%) receive WeCare medical devices promotion advertisements through email and SMS once a week via ABC's healthcare mobile app. All of them do not agree on the use of the collected personal data for marketing or any other purposes than nursing and medical care on the signed service agreement with ABC. They have very strong reason to believe that ABC is leaking residents' and family members' personal information to a non-relevant third party and they have filed complaints.

The Service Manager says that, after investigation, all these complaints have been treated as nonconformities. The corrective actions have been planned and implemented according to the nonconformity and corrective management procedure (Document reference ID: ISMS_L2_10.1, version 1).

You write a nonconformity which you will follow up on later. Select the words that best complete the sentence:

ISO-IEC-27001-Lead-Auditor Question 24

Options:

Buy Now
Questions 25

Which one of the following options is the definition of the context of an organisation?

Options:

A.

The control of internal and external issues that can have an effect on an organisation's desire to achieve its objectives

B.

Complexity of internal and external issues that can have an effect on an organisation's approach to developing and achieving its purpose

C.

A combination of internal and external issues that can have an effect on an organisation's approach to developing and achieving its objectives

D.

The coordination of internal and external issues that can have a positive or negative effect on an organisation's success

Buy Now
Questions 26

You are conducting an ISMS audit. The next step in your audit plan is to verify that the organisation's

information security risk treatment plan has been established and implemented properly. You decide to

interview the IT security manager.

You: Can you please explain how the organisation performs its information security risk assessment and

treatment process?

IT Security Manager: We follow the information security risk management procedure which generates a

risk treatment plan.

Narrator: You review risk treatment plan No. 123 relating to the planned installation of an electronic

(invisible) fence to improve the physical security of the nursing home. You found the risk treatment plan was

approved by IT Security Manager.

You: Who is responsible for physical security risks?

IT Security Manager: The Facility Manager is responsible for the physical security risk. The IT department helps them to monitor the alarm. The Facility Manager is authorized to approve the budget for risk treatment plan No. 123.

You: What residual information security risks exist after risk treatment plan No. 123 was implemented?

IT Security Manager: There is no information for the acceptance of residual information security risks as far as I know.

You prepare your audit findings. Select three options for findings that are justified in the scenario.

Options:

A.

Nonconformity (NC) - The information for the acceptance of residual information security risks should be updated after the risk treatment is implemented. Clause 6.1.3.f

B.

There is an opportunity for improvement (OI) to conduct security checks on the perimetre fence

C.

There is an opportunity for improvement (OI) once the Electronic (invisible) fence is installed. Residents' physical security is improved

D.

Nonconformity (NC) - Top management must ensure that the resources needed for the ISMS are available. Clause 5.1.c

E.

Nonconformity (NC) - The IT security manager should be aware of and understand his authority and area of responsibility. Clause 7.3

F.

Nonconformity (NC) - The organization should provide the resources needed for the continual improvement of the ISMS. Clause 7.1

G.

Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the Facility Manager in this case. Clause 6.1.3.f

Buy Now
Questions 27

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

Which risk treatment option has Knight used in replacing FTP with SSH? Refer to scenario 2.

Options:

A.

Risk retention

B.

Risk avoidance

C.

Risk modification

Buy Now
Questions 28

You are an experienced ISMS audit team leader who is currently conducting a third party initial certification audit of a new client, using ISO/IEC 27001:2022 as your criteria.

It is the afternoon of the second day of a 2-day audit, and you are just about to start writing your audit report. So far no nonconformities have been identified and you and your team have been impressed with both the site and the organisation's ISMS.

At this point, a member of your team approaches you and tells you that she has been unable to complete her assessment of leadership and commitment as she has spent too long reviewing the planning of changes.

Which one of the following actions will you take in response to this information?

Options:

A.

Apologise to the client and tell them you will return at a later date to review leadership and commitment.

B.

Suggest to the client that if they are prepared to upgrade your return flight to first class you will audit leadership and commitment in your own time tomorrow.

C.

Advise the auditee and audit client that it is not possible to make a positive recommendation at this point.

D.

Advise the auditee that the certification audit will need to be terminated and rescheduled.

E.

Contact the individual managing the audit programme and seek their permission to record a positive recommendation in the audit report.

F.

Contact your head office and await their further instructions of how to proceed.

G.

Given there have been no nonconformities identified and the overall impression of the organisation has been a good one, record a positive recommendation for certification in the audit report.

Buy Now
Questions 29

The following are purposes of Information Security, except:

Options:

A.

Ensure Business Continuity

B.

Minimize Business Risk

C.

Increase Business Assets

D.

Maximize Return on Investment

Buy Now
Questions 30

-------------------------is an asset like other important business assets has value to an organization and consequently needs to be protected.

Options:

A.

Infrastructure

B.

Data

C.

Information

D.

Security

Buy Now