Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free PECB ISO-IEC-27001-Lead-Auditor Practice Exam with Questions & Answers | Set: 10

Questions 91

During a third-party certification audit you are presented with a list of issues by an auditee. Which four of the following constitute 'external' issues in the context of a management system to ISO/IEC 27001:2022?

Options:
A.

A rise in interest rates in response to high inflation

B.

A reduction in grants as a result of a change in government policy

C.

Poor levels of staff competence as a result of cuts in training expenditure

D.

Increased absenteeism as a result of poor management

E.

Higher labour costs as a result of an aging population

F.

Inability to source raw materials due to government sanctions

G.

Poor morale as a result of staff holidays being reduced

PECB ISO-IEC-27001-Lead-Auditor Premium Access
Questions 92

Question:

What is the main difference between qualitative and quantitative evidence?

Options:
A.

Qualitative evidence originates from the analysis of a sample related to determining the audit criteria, while quantitative evidence originates from the analysis of unquantifiable information

B.

Qualitative evidence focuses on evaluating if a process or control complies with the audit criteria, while quantitative evidence aims to determine if a process in operation is functional and effective

C.

Qualitative evidence is used to make estimations about the whole population, while quantitative evidence focuses on evaluating if a process complies with standard requirements

Questions 93

Which two of the following phrases would apply to "act" in relation to the Plan-Do-Check-Act cycle for a business process?

Options:
A.

Auditing processes

B.

Planning changes

C.

Measuring objectives

D.

Resetting objectives

E.

Achieving improvements

F.

Verifying training

Questions 94

You are an ISMS audit team leader preparing to chair a closing meeting following a third-party surveillance audit. You are drafting a closing meeting agenda setting out the topics you wish to discuss with your auditee.

Which one of the following would be appropriate for inclusion?

Options:
A.

A detailed explanation of the certification body's complaints process

B.

An explanation of the audit plan and its purpose

C.

A disclaimer that the result of the audit is based on the sampling of evidence

D.

Names of auditees associated with nonconformities

Questions 95

In the event of an Information security incident, system users' roles and responsibilities are to be observed, except:

Options:
A.

Report suspected or known incidents upon discovery through the Servicedesk

B.

Preserve evidence if necessary

C.

Cooperate with investigative personnel during investigation if needed

D.

Make the information security incident details known to all employees

Questions 96

Select the words that best complete the sentence below to describe a third-party audit plan.

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

ISO-IEC-27001-Lead-Auditor Question 96

Options:
Questions 97

Select the words that best complete the sentence below to describe audit resources:

ISO-IEC-27001-Lead-Auditor Question 97

Options:
Questions 98

Which two of the following work documents are not required for audit planning by an auditor conducting a certification audit?

Options:
A.

An audit plan

B.

A career history of the IT manager

C.

A checklist

D.

A list of external providers

E.

A sample plan

F.

An organisation’s financial statement

Questions 99

Question

Which statement best describes how internal audits and external audits complement each other in an organization?

Options:
A.

Internal audits regularly review the organization’s processes to identify issues and improvements, providing input that supports preparation for external audits

B.

Internal audits mainly monitor external auditors' reports and action plans without conducting their own assessments

C.

External audits focus on ongoing internal improvements while internal audits verify certification readiness

Questions 100

Scenario 8: Tessa. Malik, and Michael are an audit team of independent and qualified experts in the field of security, compliance, and business planning and strategies. They are assigned to conduct a certification audit in Clastus, a large web design company. They have previously shown excellent work ethics, including impartiality and objectiveness, while conducting audits. This time, Clastus is positive that they will be one step ahead if they get certified against ISO/IEC 27001.

Tessa, the audit team leader, has expertise in auditing and a very successful background in IT-related issues, compliance, and governance. Malik has an organizational planning and risk management background. His expertise relies on the level of synthesis and analysis of an organization's security controls and its risk tolerance in accurately characterizing the risk level within an organization On the other hand, Michael is an expert in the practical security of controls assessment by following rigorous standardized programs.

After performing the required auditing activities, Tessa initiated an audit team meeting They analyzed one of Michael s findings to decide on the issue objectively and accurately. The issue Michael had encountered was a minor nonconformity in the organization's daily operations, which he believed was caused by one of the organization's IT technicians As such, Tessa met with the top management and told them who was responsible for the nonconformity after they inquired about the names of the persons responsible

To facilitate clarity and understanding, Tessa conducted the closing meeting on the last day of the audit. During this meeting, she presented the identified nonconformities to the Clastus management. However, Tessa received advice to avoid providing unnecessary evidence in the audit report for the Clastus certification audit, ensuring that the report remains concise and focused on the critical findings.

Based on the evidence examined, the audit team drafted the audit conclusions and decided that two areas of the organization must be audited before the certification can be granted. These decisions were later presented to the auditee, who did not accept the findings and proposed to provide additional information. Despite the auditee's comments, the auditors, having already decided on the certification recommendation, did not accept the additional information. The auditee's top management insisted that the audit conclusions did not represent reality, but the audit team remained firm in their decision.

Based on the scenario above, answer the following question:

Question:

After analyzing the audit conclusions, Company X accepted the risk related to a detected nonconformity and decided not to take corrective action. However, their decision was not documented. Is this acceptable?

Options:
A.

Yes, the auditee’s management can decide to accept the risk instead of implementing corrective actions, and documenting such a decision is not necessary

B.

No, the decision of the auditee to accept the risk instead of implementing corrective actions should be justified and documented

C.

No, the auditee must implement corrective actions for all the observations documented during the audit