Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free PECB ISO-IEC-27001-Lead-Auditor Practice Exam with Questions & Answers | Set: 4

Questions 31

Which one of the following options is the definition of the context of an organisation?

Options:
A.

The control of internal and external issues that can have an effect on an organisation's desire to achieve its objectives

B.

Complexity of internal and external issues that can have an effect on an organisation's approach to developing and achieving its purpose

C.

A combination of internal and external issues that can have an effect on an organisation's approach to developing and achieving its objectives

D.

The coordination of internal and external issues that can have a positive or negative effect on an organisation's success

PECB ISO-IEC-27001-Lead-Auditor Premium Access
Questions 32

Which statement below best describes the relationship between information security aspects?

Options:
A.

Threats exploit vulnerabilities to damage or destroy assets

B.

Controls protect assets by reducing threats

C.

Risk is a function of vulnerabilities that harm assets

Questions 33

Scenario 3: Rebuildy is a construction company located in Bangkok.. Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.

The ISMS implementation outcomes are presented below

•Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.

•Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.

•All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.

•The information security policy is part of a security manual drafted based on best security practices Therefore, it is not a stand-alone document.

•Information security roles and responsibilities have been clearly stated in every employees job description

•Management reviews of the ISMS are conducted at planned intervals.

Rebuildy applied for certification after two midterm management reviews and one annual internal audit Before the certification audit one of Rebuildy’s former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.

At the beginning of the audit, the audit team interviewed the company’s top management They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy’s conformity to several clauses of ISO/IEC 27001

The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:

•An instance of improper user access control settings was detected within the company's financial reporting system.

•A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.

After receiving these documents from the audit team, the team leader met Rebuildy’s top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.

Based on the scenario above, answer the following question:

Question:

Based on Scenario 3, the audit team used information obtained from interviews with top management to determine Rebuildy’s conformity to several ISO/IEC 27001 clauses. Is this acceptable?

Options:
A.

No, the audit team should have used only documentary evidence, such as policies and procedures, to determine conformity

B.

Yes, the audit team obtained verbal evidence by written confirmations from the top management, which can be used to determine conformity to the standard

C.

Yes, interviews with top management are the most reliable form of audit evidence and can be used to determine conformity to the standard without further verification

Questions 34

A key audit process is the way auditors gather information and determine the findings' characteristics. Put the actions listed in the correct order to complete this process. The last one has been done for you.

ISO-IEC-27001-Lead-Auditor Question 34

Options:
Questions 35

ISMS (1)---------------helps determine (2)--------------,

Options:
A.

(1) Continual improvement, (2) the effectiveness of corrective actions

B.

Q (1) Management review, (2) opportunities for continual improvement

C.

(1) Internal audit, (2) the ISMS scope

Questions 36

As the Information Security Management System audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.

When the auditee was asked why there was a delay in removing access they replied, 'no one was available in the IT department during that period as a result of COVID-19. As soon as an IT officer became available the rights were removed.

You note that she intends to raise a minor non-conformity against Access rights control (5.18). How should you respond to this?

Options:
A.

Agree with the raising of a minor non-conformity but against control 5.15, not 5.18.

B.

Agree with the raising of the minor non-conformity against 5.18.

C.

Disagree with the raising of a minor conformity as appropriate action was taken at the earliest opportunity Take no further action.

D.

Disagree with the raising of the minor nonconformity as appropriate action was taken at the earliest opportunity. Instead raise an opportunity for improvement.

E.

Disagree with the raising of the minor nonconformity, there is sufficient evidence to justify an escalation to a major non-conformity.

F.

Require additional audit evidence to be obtained before determining whether a non-conformity is appropriate.

Questions 37

Which is an example of a qualitative evidence?

Options:
A.

The documented results of an intrusion-detection test from an information security expert from an external organization

B.

A defined sample analysis of nonconformity reports drafted by the audited organization from the time their ISMS was implemented

C.

An interview with the information security personnel to validate if the information security process complies with the standard requirements

Questions 38

You are an experienced ISMS audit team leader providing guidance to an auditor in training. She asks you why it is important to have specific criteria relating to the grading of nonconformities.

Which one of the following responses is correct?

    Because grading criteria provide a common basis for the evaluation of nonconformities across the organization

Options:
A.

Because ISO/IEC 27001:2022 requires it

B.

Because the establishment and implementation of grading criteria demonstrate a high level of commitment to the corrective action process

C.

Because grading criteria will ensure that all auditors score nonconformities in exactly the same way

Questions 39

Scenario 9: Techmanic is a Belgian company founded in 1995 and currently operating in Brussels. It provides IT consultancy, software design, and hardware/software services, including deployment and maintenance. The company serves sectors like public services, finance, telecom, energy, healthcare, and education. As a customer-centered company, it prioritizes strong client relationships and leading security practices.

Techmanic has been ISO/IEC 27001 certified for a year and regards this certification with pride. During the certification audit, the auditor found some inconsistencies in its ISMS implementation. Since the observed situations did not affect the capability of its ISMS to achieve the intended results, Techmanic was certified after auditors followed up on the root cause analysis and corrective actions remotely During that year, the company added hosting to its list of services and requested to expand its certification scope to include that area The auditor in charge approved the request and notified Techmanic that the extension audit would be conducted during the surveillance audit

Techmanic underwent a surveillance audit to verify its iSMS's continued effectiveness and compliance with ISO/IEC 27001. The surveillance audit aimed to ensure that Techmanic’s security practices, including the recent addition of hosting services, aligned seamlessly with the rigorous requirements of the certification

The auditor strategically utilized the findings from previous surveillance audit reports in the recertification activity with the purpose of replacing the need for additional recertification audits, specifically in the IT consultancy sector. Recognizing the value of continual improvement and learning from past assessments. Techmanic implemented a practice of reviewing previous surveillance audit reports. This proactive approach not only facilitated identifying and resolving potential nonconformities but also aimed to streamline the recertification process in the IT consultancy sector.

During the surveillance audit, several nonconformities were found. The ISMS continued to fulfill the ISO/IEC 27001*s requirements, but Techmanic failed to resolve the nonconformities related to the hosting services, as reported by its internal auditor. In addition, the internal audit report had several inconsistencies, which questioned the independence of the internal auditor during the audit of hosting services. Based on this, the extension certification was not granted. As a result. Techmanic requested a transfer to another certification body. In the meantime, the company released a statement to its clients stating that the ISO/IEC 27001 certification covers the IT services, as well as the hosting services.

Based on the scenario above, answer the following question:

Question:

Which of the options below does an internal audit program NOT allow?

Options:
A.

Verification of the effectiveness of corrective actions

B.

The reduction of manual audit tasks

C.

The prevention of nonconformities

Questions 40

Which two of the following actions are the individual(s) managing the audit programme responsible for?

    Determining the resources necessary for the audit programme

Options:
A.

Communicating with the auditee during the audit

B.

Determining the legal requirements applicable to each audit

C.

Keping informed the accreditation body on the progress of the audit programme

D.

Defining the objectives, scope and criteria for an individual audit

E.

Defining the plan of an individual audit