Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free PECB ISO-IEC-27001-Lead-Auditor Practice Exam with Questions & Answers | Set: 12

Questions 111

An organisation is looking for management system initial certification. Please identify the sequence of the activities to be undertaken by the organisation.

To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank section.

ISO-IEC-27001-Lead-Auditor Question 111

Options:
PECB ISO-IEC-27001-Lead-Auditor Premium Access
Questions 112

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

According to scenario 6, the marketing department employees were not following the access control policy. Which option is correct in this case?

Options:
A.

The marketing department is not included in the audit scope, so the issue should only be communicated to Sinvestment's representatives

B.

The employees' access right control is included in Sinvestment’s information security policy, so the issue must be communicated to Sinvestment's representatives and included in the audit report

C.

Sinvestment is not controlling the employees' access rights, which represents a potential information security risk and should be reported as a major nonconformity

Questions 113

Which one of the following options is the definition of an interested party?

    A third party can appeal to an organisation when it perceives itself to be affected by a decision or activity

Options:
A.

A person or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity

B.

A group or organisation that can interfere in or perceive itself to be interfered with by a management decision

C.

An individual or organisation that can control, be controlled by, or perceive itself to be controlled by a decision or activity

Questions 114

After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.

Considering this information, what action would you expect the audit team leader to take?

Options:
A.

Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform

B.

Increase the length of the Stage 2 audit to include the extra sites

C.

Inform the auditee that the audit team leader accepts the request

D.

Obtain information about the additional sites to inform the individual(s) managing the audit programme

Questions 115

Scenario 6

Sinvestment is an insurance provider that offers a wide range of coverage options, including home, commercial, and life insurance. Originally established in North California, the company has expanded its operations to other locations, including Europe and Africa. In addition to its growth, Sinvestment is committed to complying with laws and regulations applicable to its industry and preventing any information security incident. They have implemented an information security management system (ISMS) based on ISO/IEC 27001 and have applied for certification.

A team of auditors was assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment, they started the audit activities. For the activities of the stage 1 audit, it was decided that they would be performed on site, except the review of documented information, which took place remotely, as requested by Sinvestment.

The audit team started the stage 1 audit by reviewing the documentation required, including the declaration of the ISMS scope, information security policies, and internal audit reports. The evaluation of the documented information was based on the content and procedure for managing the documented information.

In addition, the auditors found out that the documentation related to information security training and awareness programs was incomplete and lacked essential details. When asked, Sinvestment’s top management stated that the company has provided information security training sessions to all employees.

The stage 2 audit was conducted three weeks after the stage 1 audit. The audit team observed that the marketing department (not included in the audit scope) had no procedures to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the company's information security policy, the issue was included in the audit report.

Question

Was Sinvestment’s request for reviewing documented information remotely acceptable?

Options:
A.

Yes, documented information can be reviewed remotely.

B.

No, as it can lead to a breach of confidentiality.

C.

No, as the combination of different locations can negatively impact the audit efficiency.

Questions 116

You are the audit team leader conducting a third-party audit of an online insurance organisation. During Stage 1, you found that the organisation took a very cautious risk approach and included all the information security controls in ISO/IEC 27001:2022 Appendix A in their Statement of Applicability.

During the Stage 2 audit, your audit team found that there was no evidence of the implementation of the three controls (5.3 Segregation of duties, 6.1 Screening, 7.12 Cabling security) shown in the extract from the Statement of Applicability. No risk treatment plan was found.

ISO-IEC-27001-Lead-Auditor Question 116

Select three options for the actions you would expect the auditee to take in response to a

nonconformity against clause 6.1.3.e of ISO/IEC 27001:2022.

Options:
A.

Allocate responsibility for producing evidence to prove to auditors that the controls are implemented.

B.

Compile plans for the periodic assessment of the risks associated with the controls.

C.

Implement the appropriate risk treatment for each of the applicable controls.

D.

Incorporate written procedures for the controls into the organisation's Security Manual.

E.

Remove the three controls from the Statement of Applicability.

F.

Revise the relevant content in the Statement of Applicability to justify their exclusion.

G.

Revisit the risk assessment process relating to the three controls.

Questions 117

You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.

Match each of the descriptions provided to one of the following risk management processes.

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

ISO-IEC-27001-Lead-Auditor Question 117

Options:
Questions 118

You are performing an ISMS audit at a European-based residential nursing home called ABC that provides healthcare services.

During the audit, you discovered evidence suggesting that ABC may be leaking personal data of residents’ family members to a third party for marketing purposes, despite signed agreements prohibiting this. Complaints were treated as nonconformities, and corrective actions were documented under procedure ISMS L2 10.1.

You decide to write a non-conformity. Select the best sentence for the nonconformity:

Options:
A.

"When assessing the extent of action taken in response to a nonconformity, an auditor seeks evidence of corrective action that will allow recurrence of the issue."

B.

"When conducting follow up audit of preventive action(s) taken in response to a nonconformity, an auditor seeks evidence confirming that there will be no recurrence of the Issue."

C.

"When evaluating the action taken in response to a nonconformity an auditor seeks evidence of documented information that reduces the probability of a recurrence of the issue."

D.

"When examining the completeness of action taken in response to a nonconformity, an auditor seeks an assurance from the auditee that they will prevent recurrence of the issue."

E.

"When inspecting the extent of action taken in response to a nonconformity, an auditor seeks comfort that necessary corrections will prevent recurrence of the issue."

F.

"When reviewing the effectiveness of action taken in response to a nonconformity, an auditor seeks evidence of change that will prevent recurrence of the issue."

Questions 119

You are an experienced ISMS auditor conducting a third-party surveillance audit at an organisation which offers ICT reclamation services. ICT equipment which companies no longer require is processed by the organisation. It is either recommissioned and reused or is securely destroyed.

You notice two servers on a bench in the corner of the room. Both have stickers on them with the server's name, IP address and admin password. You ask the ICT Manager about them, and he tells you they were part of a shipment received yesterday from a regular customer.

Which one action should you take?

Options:
A.

Ask the auditee to remove the labels, then carry on with the audit

B.

Ask the ICT Manager to record an information security incident and initiate the information security incident management process

C.

Note the audit finding and check the process for dealing with incoming shipments relating to customer IT security

D.

Raise a nonconformity against control 5.31 'Legal, staturary, regulatory and contractual requirements'

E.

Raise a nonconformity against control 8.20 'network security' (networks and network devices shall be secured, managed and controlled to protect information in systems and applications)

F.

Record what you have seen in your audit findings, but take no further action

Questions 120

Question

Factors such as costs related to nonconformities or penalties in case of failure to comply with legal and contractual obligations are evaluated during the definition of which of the following?

Options:
A.

Materiality

B.

Audit risks

C.

Reasonable assurance