Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free PECB ISO-IEC-27001-Lead-Auditor Practice Exam with Questions & Answers | Set: 3

Questions 21

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

UpNet ensured independence, objectivity, and advisory activities from the internal audit. Is this action acceptable?

Options:
A.

Yes, because internal audits have an advisory role

B.

No, because internal audits should be independent of the audited activities

C.

No, because the internal audit function was outsourced

PECB ISO-IEC-27001-Lead-Auditor Premium Access
Questions 22

Scenario 8

Trustingo has been providing banking and financial services in Estonia since 2010. The company has a network of 30 branches with over 100 ATMs nationwide. To meet strict data security and privacy regulations, Trustingo implemented an information security management system (ISMS) based on ISO/IEC 27001, ensuring better security, improved risk management, and compliance with legal requirements.

Nine months after the successful implementation of the ISMS, Trustingo decided to pursue certification for their ISMS based on ISO/IEC 27001 by an independent certification body. The certification audit included Trustingo's systems, processes, and technologies.

The audit team conducted the Stage 1 and Stage 2 audits jointly, and several nonconformities were detected. The first nonconformity was related to Trustingo's labeling of information. The company had an information classification scheme but no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently.

The nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information can be stored in removable media, whereas storing sensitive information is strictly prohibited.

The audit team drafted the nonconformity report and discussed the audit conclusions with Trustingo's representatives, who agreed to submit an action plan for the detected nonconformities within two months. Since the certification recommendation is conditional upon filing corrective actions, Trustingo must submit corrective action plans to show how they will address and resolve these nonconformities. Trustingo accepted the audit team leader's proposed solution and addressed the nonconformities by drafting an information labeling procedure and updating the removable media procedure.

Two weeks after the audit completion, Trustingo submitted a general action plan. Although the plan addressed the detected nonconformities and corrective actions taken, it lacked detailed action steps for each nonconformity and did not include specific details on the impacted systems, controls, or operations. The audit team evaluated the action plan. Nevertheless, Trustingo received an unfavorable recommendation for certification.

Question

Based on Scenario 8, Trustingo submitted a general action plan. Is this acceptable?

Options:
A.

Yes, nonconformities with the same root cause should have a general action plan.

B.

No, an action plan should only address one nonconformity.

C.

No, a general action plan is acceptable as long as it is approved by the audit team leader.

Questions 23

Scenario 2

Knight is an electronics company based in Northern California, the US that develops video game consoles. With over 300 employees globally, Knight is celebrating its fifth anniversary by launching the G-Console, a next-generation gaming system aimed at international markets. G-Console is considered to be the ultimate media machine of 2021, and it will give players the best gaming experience. The console pack will include a pair of VR headsets, two games, and other gifts.

Over the years, the company has developed a strong reputation for integrity, honesty, and respect toward their customers. Besides being a very customer-oriented company, Knight also gained wide recognition within the gaming industry because of its quality.

As one of the leading video game console developers in the world, Knight often finds itself a target for malicious activities. Therefore, it has implemented an information security management system (ISMS) based on ISO/IEC 27001, and its scope was communicated to employees of the company over a weekly meeting.

Recently, however, Knight experienced a security breach when hackers leaked proprietary information. In response, the incident response team (IRT) immediately began a thorough investigation of the system and the specifics of the incident. Initially, the IRT suspected that employees may have used weak passwords, allowing hackers to easily access their accounts. Upon further investigation, it was revealed that the hackers captured traffic from the file transfer protocol (FTP), which transmits data using clear-text passwords for authentication.

In light of this security incident, and following the IRT’s recommendations, Knight decided to replace the FTP with Secure Shell (SSH) protocol. This change ensures that any captured traffic is encrypted, significantly improving security.

After implementing these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. Based on the results of the risk assessment, they chose a risk treatment option to treat the risk.

Question

Based on Scenario 2, the risk treatment option was based on the risk assessment results. Is this acceptable?

Options:
A.

Yes, an appropriate risk treatment option is taking into account the risk assessment results.

B.

No, the risk treatment option should be based solely on financial considerations regardless of the risk assessment results.

C.

No, the risk treatment options should be randomly selected to ensure unbiased decision-making.

Questions 24

Which is the glue that ties the triad together

Options:
A.

Process

B.

People

C.

Collaboration

D.

Technology

Questions 25

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next

step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support,

and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a

professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and

ISMS (ISO/IEC 27001) certified.

The IT Manager presented the software security management procedure and summarised the process as following:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum.

The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report, details as follows:

ISO-IEC-27001-Lead-Auditor Question 25

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You are preparing the audit findings. Select the correct option.

Options:
A.

There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)

B.

There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)

C.

There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

D.

There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

Questions 26

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in

the Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

Options:
A.

Confidentiality and nondisclosure agreements

B.

How access to source code and development tools are managed

C.

How power and data cables enter the building

D.

How protection against malware is implemented

E.

How the organisation evaluates its exposure to technical vulnerabilities

F.

Information security awareness, education and training

G.

The organisation's arrangements for information deletion

Questions 27

Review the following statements and determine which two are false:

Options:
A.

Conducting a technology check in advance of a virtual audit can improve the effectiveness and efficiency of the audit

B.

During a virtual audit, auditees participating in interviews are strongly recommended to keep their webcam enabled

C.

The number of days assigned to a third-party audit is determined by the auditee's availability

D.

Due to confidentiality and security concerns, screen sharing during a virtual audit is one method by which the audit team can review the auditee's documentation

E.

The selection of onsite, virtual or combination audits should take into consideration historical performance and previous audit results

F.

Auditors approved for conducting onsite audits do not require additional training for virtual audits, as there are no significant differences in the skillset required

Questions 28

Select the words that best complete the sentence:

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

ISO-IEC-27001-Lead-Auditor Question 28

Options:
Questions 29

As the ISMS audit team leader, you are conducting a second-party audit of an international logistics organisation on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Annex A of ISO/IEC 27001:2022. The control was justified in the Statement of Applicability. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.

Select the three most appropriate actions taken by the auditee to deal with this situation.

Options:
A.

Extend the required removal period from 24 hours to 7 days

B.

Change the process to ensure that leaver access protocols are removed before personnel leaves the premises

C.

Employee more IT personnel to ensure that the specified timescale can be met.

D.

Ensure that removing the server access protocols of leavers from senior management positions is prioritised

E.

Investigate whether the delays in removing access protocols caused any security breaches

F.

Monitor the ongoing process of removing leaver access protocols to determine whether it meets requirements

G.

Reprimand the IT team for failing to remove the access protocols in the required timescale

Questions 30

Question

ABC Manufacturing operates in a highly regulated chemical industry. Despite having internal control mechanisms in place, the company faces challenges due to the complexity of the sector, leading to potential defects in its ISMS.

What type of risk does this scenario represent?

Options:
A.

Inherent risk

B.

Control risk

C.

Detection risk