Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free PECB ISO-IEC-27001-Lead-Auditor Practice Exam with Questions & Answers | Set: 5

Questions 41

From the following options, select the one option that is the sole responsibility of a third-party audit team leader.

Options:
A.

Select the audit team members

B.

Compile checklists for the audit team

C.

Act on behalf of the certification body

D.

Identify non-conformances in the management system

PECB ISO-IEC-27001-Lead-Auditor Premium Access
Questions 42

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.

The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organisation outsourced the mobile app development to a professional software development organisation with CMMI Level 5, ITSM

(ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.

The IT Manager presents the software security management procedure and summarises the process as follows:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report - Reference ID: 0098, details as follows:

ISO-IEC-27001-Lead-Auditor Question 42

ISO-IEC-27001-Lead-Auditor Question 42

You would like to investigate other areas further to collect more audit evidence. Select three options that will not be in your audit trail.

Options:
A.

Collect more evidence on how much residents' family members pay to install ABC's healthcare mobile app. (Relevant to clause 4.2)

B.

Collect more evidence by downloading and testing the mobile app on your phone. (Relevant to control A.8.1)

C.

Collect more evidence to determine the number of users of ABC's healthcare mobile app. (relevant to clause 4.2)

D.

Collect more evidence on how the organisation performs testing of personal data handling. (Relevant to control A.5.34)

E.

Collect more evidence on the organisation's business continuity policy. (Relevant to control A.5.30)

F.

Collect more evidence on how the organisation manages information security in the selection of an external service provider. (Relevant to control A.5.19)

G.

Collect more evidence on how the developer trains its product support personnel. (Relevant to clause 7.2)

Questions 43

Scenario 5

CyberShielding Systems Inc. provides security services spanning the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. CyberShielding Systems Inc. has helped various companies secure their networks for two decades through advanced products and services. Having achieved a reputation in the information and network security sector, CyberShielding Systems Inc. decided to implement a security information management system (ISMS) based on ISO/IEC 27001 and obtain a certification to better secure its internal and customer assets and gain a competitive advantage.

The certification body initiated the process by selecting the audit team for CyberShielding Systems Inc.'s ISO/IEC 27001 certification. They provided the company with the name and background information of each audit member. However, upon review, CyberShielding Systems Inc. discovered that one of the auditors did not hold the security clearance required by them. Consequently, the company objected to the appointment of this auditor. Upon review, the certification body replaced the auditor in response to CyberShielding Systems Inc.'s objection.

As part of the audit process, CyberShielding Systems Inc.'s approach to risk and opportunity determination was assessed as a standalone activity. This involved examining the organization’s methods for identifying and managing risks and opportunities. The audit team’s core objectives encompassed providing assurance on the effectiveness of CyberShielding Systems Inc.'s risk and opportunity identification mechanisms and reviewing the organization's strategies for addressing these determined risks and opportunities. During this, the audit team also identified a risk due to a lack of oversight in the firewall configuration review process, where changes were implemented without proper approval, potentially exposing the company to vulnerabilities. This finding highlighted the need for stronger internal controls to prevent such issues.

The audit team accessed process descriptions and organizational charts to understand the main business processes and controls. They performed a limited analysis of the IT risks and controls because their access to the IT infrastructure and applications was limited by third-party service provider restrictions. However, the audit team stated that the risk of a significant defect occurring in CyberShielding’s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by questioning CyberShielding representatives on IT responsibilities, control effectiveness, and anti-malware measures. CyberShielding’s representatives provided sufficient and appropriate evidence to address all these questions.

Despite the agreement signed before the audit, which outlined the audit scope, criteria, and objectives, the audit was primarily focused on assessing conformity with established criteria and ensuring compliance with statutory and regulatory requirements.

Question

Did the certification body have a valid reason to accept CyberShielding Systems Inc.’s objection to the appointed auditor for their ISO/IEC 27001 certification audit?

Options:
A.

Yes, the certification body had a valid reason to accept CyberShielding Systems Inc.'s objection because auditors that do not hold the required security clearance should not audit the respective company.

B.

No, the certification body can accept objections from auditees only if the auditor has previously displayed unprofessional conduct.

C.

No, the certification body can only consider objections from auditees if there is a conflict of interest involving the auditor.

Questions 44

To verify conformity to control 8.15 Logging of ISO/IEC 27001 Annex A, the audit team verified a sample of server logs to determine if they can be edited or deleted. Which audit procedure was used?

Options:
A.

Analysis

B.

Sampling

C.

Observation

Questions 45

During a third-party certification audit, you are presented with a list of issues by an auditee. Which four of the following constitute 'internal' issues in the context of a management system to ISO 27001:2022?

    Higher labour costs as a result of an aging population

Options:
A.

A rise in interest rates in response to high inflation

B.

Poor levels of staff competence as a result of cuts in training expenditure

C.

Poor morale as a result of staff holidays being reduced

D.

Increased absenteeism as a result of poor management

E.

A reduction in grants as a result of a change in government policy

F.

A fall in productivity linked to outdated production equipment

G.

Inability to source raw materials due to government sanctions

Questions 46

Question

The top management of a company has designated specific personnel within the company to be responsible for reporting on the performance of the ISMS. These individuals are tasked with gathering relevant ISMS data, preparing reports, and ensuring that necessary information reaches the top management.

Does this approach align with ISO/IEC 27001 requirements?

Options:
A.

Yes, because the top management can assign responsibilities and authorities for reporting on the performance of the ISMS.

B.

No, because only the top management is responsible for gathering data on the performance of the ISMS.

C.

No, because only the Chief Information Security Officer should report on the performance of the ISMS.

Questions 47

Scenario 8: Tessa. Malik, and Michael are an audit team of independent and qualified experts in the field of security, compliance, and business planning and strategies. They are assigned to conduct a certification audit in Clastus, a large web design company. They have previously shown excellent work ethics, including impartiality and objectiveness, while conducting audits. This time, Clastus is positive that they will be one step ahead if they get certified against ISO/IEC 27001.

Tessa, the audit team leader, has expertise in auditing and a very successful background in IT-related issues, compliance, and governance. Malik has an organizational planning and risk management background. His expertise relies on the level of synthesis and analysis of an organization's security controls and its risk tolerance in accurately characterizing the risk level within an organization On the other hand, Michael is an expert in the practical security of controls assessment by following rigorous standardized programs.

After performing the required auditing activities, Tessa initiated an audit team meeting They analyzed one of Michael s findings to decide on the issue objectively and accurately. The issue Michael had encountered was a minor nonconformity in the organization's daily operations, which he believed was caused by one of the organization's IT technicians As such, Tessa met with the top management and told them who was responsible for the nonconformity after they inquired about the names of the persons responsible

To facilitate clarity and understanding, Tessa conducted the closing meeting on the last day of the audit. During this meeting, she presented the identified nonconformities to the Clastus management. However, Tessa received advice to avoid providing unnecessary evidence in the audit report for the Clastus certification audit, ensuring that the report remains concise and focused on the critical findings.

Based on the evidence examined, the audit team drafted the audit conclusions and decided that two areas of the organization must be audited before the certification can be granted. These decisions were later presented to the auditee, who did not accept the findings and proposed to provide additional information. Despite the auditee's comments, the auditors, having already decided on the certification recommendation, did not accept the additional information. The auditee's top management insisted that the audit conclusions did not represent reality, but the audit team remained firm in their decision.

Based on the scenario above, answer the following question:

Question:

What must Tessa do regarding the presentation of nonconformities during the closing meeting?

Options:
A.

Provide detailed analysis of each nonconformity, including potential impacts on the organization

B.

Only present major nonconformities

C.

Consistently align discussions with the relevant standard clauses

Questions 48

Select a word from the following options that best completes the sentence:

To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

ISO-IEC-27001-Lead-Auditor Question 48

Options:
Questions 49

OrgXY is an ISO/IEC 27001-certified software development company. A year after being certified, OrgXY's top management informed the certification body that the company was not ready for conducting the surveillance audit. What happens in this case?

Options:
A.

The certification is suspended

B.

The current certification is used until the next surveillance audit

C.

OrgXY transfers its registration to another certification body

Questions 50

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

According to scenario 2, the ISMS scope was not applied to the Finance and HR Department of Knight. Is this acceptable?

Options:
A.

Yes, the ISMS must be applied only to processes and assets that may directly impact information security

B.

Yes, the ISMS scope can include the whole organization or only particular departments within the organization

C.

No, the ISMS scope must include all organizational units and processes