Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free PECB ISO-IEC-27001-Lead-Auditor Practice Exam with Questions & Answers | Set: 13

Questions 121

You are carrying out a third-party surveillance audit of a client's ISMS. You are currently in the secure storage area of the data centre where the organisation's customers are able to temporarily locate equipment coming into or going out of the site. The equipment is contained within locked cabinets and each cabinet is allocated to a single, specific client.

Out of the corner of your eye you spot movement near the external door of the storage area. This is followed by a loud noise. You ask the guide what is going on. They tell you that recent high rainfall has raised local river levels and caused an infestation of rats. The noise was a specialist pest control stunning device being triggered. You check the device in the corner and find there is a large immobile rat contained within it.

What three actions would be appropriate to take next?

Options:
A.

Take no further action. This is an ISMS audit, not an environmental management system audit

B.

Investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied

C.

Determine whether the high levels of rainfall have had other impacts on data centre operations e.g. damage to infrastructure, access issues for clients, invocation of business continuity arrangements

D.

Raise a nonconformity against control 7.4 Physical Security monitoring

E.

Raise a nonconformity against control 7.2 Physical Entry

F.

Check with the guide that they intend to initiate the organisation's information security incident process

G.

Inspect the client cabinets for signs of rodent ingress and record your findings as audit evidence

PECB ISO-IEC-27001-Lead-Auditor Premium Access
Questions 122

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".

You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.

ISO-IEC-27001-Lead-Auditor Question 122

You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.

Options:
A.

Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8)

B.

Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

C.

Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

D.

Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27)

E.

Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26)

F.

Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26)

Questions 123

Which four of the following statements about audit reports are true?

Options:
A.

Audit reports should be produced by the audit team leader with input from the audit team

B.

Audit reports should include or refer to the audit plan

C.

Audit reports should be sent to the organisation's top management first because their contents could be embarrassing

D.

Audit reports should be assumed suitable for general circulation unless they are specifically marked confidential

E.

Audit reports should only evidence nonconformity

F.

Audit reports should be produced within an agreed timescale

G.

Audit reports that are no longer required can be destroyed as part of the organisation's general waste

Questions 124

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

Based on scenario 5, the audit team assessed the ISMS as a whole, rather than assessing the effectiveness and conformity of each process. Is this acceptable?

Options:
A.

Yes, due to time constraints for the audit completion, the audit team must obtain absolute assurance by assessing the ISMS as a whole

B.

No, the audit team should obtain assurance that the ISMS conforms to the standard requirements by assessing each process

C.

Yes, if the audit team has obtained a reasonable assurance that helps them evaluate the ISMS conformity

Questions 125

The purpose of a management system audit is to? Select 1

Options:
A.

Evaluate the performance of an organisation's management system

B.

Improve the performance of an organisation's management system

C.

Manage the performance of an organisation's management system

D.

Research the performance of an organisation's management system