Winter Sale Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: v4s65

ISO-IEC-27001-Lead-Auditor Exam Dumps - PECB Certified ISO/IEC 27001 2022 Lead Auditor exam

Question # 4

Select two options that describe an advantage of using a checklist.

A.

Using the same checklist for every audit without review

B.

Restricting interviews to nominated parties

C.

Ensuring relevant audit trails are followed

D.

Ensuring the audit plan is implemented

E.

Reducing audit duration

F.

Not varying from the checklist when necessary

Full Access
Question # 5

Which one of the following options is the definition of the context of an organisation?

A.

The control of internal and external issues that can have an effect on an organisation's desire to achieve its objectives

B.

Complexity of internal and external issues that can have an effect on an organisation's approach to developing and achieving its purpose

C.

A combination of internal and external issues that can have an effect on an organisation's approach to developing and achieving its objectives

D.

The coordination of internal and external issues that can have a positive or negative effect on an organisation's success

Full Access
Question # 6

During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made.

Select two options for how the auditor should respond.

A.

Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures

B.

Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned

C.

Suggest that the MSR cancels the audit contract and reapplies for the new situation

D.

Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit

E.

Advise the MSR that, within the existing scope, the new work area can be included without any problem

F.

Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area

Full Access
Question # 7

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Based on scenario 4, the auditors requested documentary evidence regarding the monitoring process of outsourced operations. What does this indicate?

A.

The auditors demonstrated professional skepticism

B.

The auditors compromised the confidentiality of outsourced operations

C.

The auditors evaluated the evidence based on a risk-based approach

Full Access
Question # 8

Which two of the following options for information are not required for audit planning of a certification audit?

A.

A sampling plan

B.

A document review

C.

The working experience of the management system representative

D.

An audit checklist

E.

An organisation's financial statement

F.

An audit plan

Full Access
Question # 9

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.

Your colleague seems unsure as to the difference between an information security event and an information security incident. You attempt to explain the difference by providing examples.

Which three of the following scenarios can be defined as information security incidents?

A.

The organisation's malware protection software prevents a virus

B.

A hard drive is used after its recommended replacement date

C.

The organisation receives a phishing email

D.

An employee fails to clear their desk at the end of their shift

E.

A contractor who has not been paid deletes top management ICT accounts

F.

An unhappy employee changes payroll records without permission

G.

The organisation fails a third-party penetration test

Full Access
Question # 10

Which two of the following phrases would apply to "act" in relation to the Plan-Do-Check-Act cycle for a business process?

A.

Auditing processes

B.

Planning changes

C.

Measuring objectives

D.

Resetting objectives

E.

Achieving improvements

F.

Verifying training

Full Access
Question # 11

Finnco, a subsidiary of a certification body, provided ISMS consultancy services to an organization. Considering this scenario, when can the certification body certify the organization?

A.

There is no time constraint in such a situation

B.

At no time, since it presents a conflict of interest

C.

If a minimum period of two years has passed since the last consulting activities

Full Access
Question # 12

You are an experienced ISMS audit team leader, talking to an Auditor in training who has been assigned to your audit team. You want to ensure that they understand the importance of the Check stage of the Plan-Do-Check-Act cycle in respect of the operation of the information security management system.

You do this by asking him to select the words that best complete the sentence:

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Full Access
Question # 13

As an auditor, you have noticed that ABC Inc. has established a procedure to manage the removable storage media. The procedure is based on the classification scheme adopted by ABC Inc. Thus, if the information stored is classified as "confidential," the procedure applies. On the other hand, the information that is classified as "public," does not have confidentiality requirements: thus, only a procedure for ensuring its integrity and availability applies. What type of audit finding is this?

A.

Nonconformity

B.

Anomaly

C.

Conformity

Full Access
Question # 14

Which one of the following options best describes the purpose of a Stage 2 audit?

A.

To check for legal compliance by the organisation

B.

To ensure that the audit plan is carried out

C.

To evaluate the implementation of the management system

D.

To get to know the organisation's processes

Full Access
Question # 15

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to

implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity. Referencing the scenario, which three of the following Annex A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

A.

5.11 Return of assets

B.

5.13 Labelling of information

C.

5.3 Segregation of duties

D.

5.32 Intellectual property rights

E.

5.34 Privacy and protection of personal identifiable information (PII)

F.

5.6 Contact with special interest groups

G.

6.3 Information security awareness, education, and training

Full Access
Question # 16

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

The audit team photocopied the examined employee training records to support their conclusion. Should the audit team obtain an approval from Lawsy before taking this action? Refer to scenario 7.

A.

Yes. the audit team should obtain the approval of the auditee when verifying the existence of a process in all cases, including when taking notes and photocopying documents

B.

Yes, the audit team can photocopy documents observed during the audit if the auditee agrees to it

C.

No, the audit team has the authority to photocopy documents in order to verify the conformity of a certain document to the audit criteria

Full Access
Question # 17

A key audit process is the way auditors gather information and determine the findings' characteristics. Put the actions listed in the correct order to complete this process. The last one has been done for you.

Full Access
Question # 18

As the ISMS audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.

Complete the sentence with the best word(s), dick on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Full Access
Question # 19

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank’s labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

Which option justifies the unfavorable recommendation for certification? Refer to scenario 8.

A.

The major nonconformity related to storing sensitive information in removable media

B.

The minor nonconformity related to the lack of information labeling procedure

C.

The unrealistic date of the submitted action plan (two weeks)

Full Access
Question # 20

Which statement below best describes the relationship between information security aspects?

A.

Threats exploit vulnerabilities to damage or destroy assets

B.

Controls protect assets by reducing threats

C.

Risk is a function of vulnerabilities that harm assets

Full Access
Question # 21

Which one of the following conclusions in the audit report is not required by the certification body when deciding to grant certification?

A.

The corrections taken by the organisation related to major nonconformities have been accepted.

B.

The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.

C.

The plans to address corrective actions related to minor nonconformities have been accepted

D.

The scope of certification has been fulfilled

Full Access
Question # 22

You are an experienced ISMS audit team leader guiding an auditor in training. You decide to test her knowledge of follow-up audits by asking her a series of questions. Here are your questions and her answers.

Which four of your questions has she answered correctly?

A.

Q: Should a follow-up audit seek to identify new nonconformities? A:YES

B.

Q: Should follow-up audits seek to ensure nonconformities have been effectively addressed? A:YES

C.

Q: Should follow-up audits consider agreed opportunities for improvement as well as corrective action? A:No

D.

Q: Is the purpose of a follow-up audit to verify the completion of corrections, corrective actions, and opportunities for improvement? A:YES

E.

Q: Are follow-up audits required for all audits? A:No

F.

Q: Should the outcome from a follow-up audit be reported to the audit team leader who carried out the audit at which the NCs were originally identified? A:YES

G.

Q: Should the outcome from a follow-up audit be reported to the audit client? A:No

Full Access
Question # 23

You ask the IT Manager why the organisation still uses the mobile app while personal data

encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to approve the test.

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymization functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You sample one of the medical staff's mobile and found that ABC's healthcare mobile app, version 1.01 is installed. You found that version 1.01 has no test record.

The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app development company gave a free minor update on the tested software, performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions. Based on his 20 years of information security experience, there is no need to re-test.

You are preparing the audit findings Select two options that are correct.

A.

There is NO nonconformity (NC). The IT Manager demonstrates he is fully competent. (Relevant to clause 7.2)

B.

There is a nonconformity (NC). The IT Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

C.

There is a nonconformity (NC). The organisation does not control planned changes and review the consequences of unintended changes. (Relevant to clause 8.1)

D.

There is an opportunity for improvement (OI). The organisation selects an external service provider based on the extent of free services it will provide. (Relevant to clause 8.1, control A.5.21)

E.

There is NO nonconformity (NC). The IT Manager demonstrates good leadership. (Relevant to clause 5.1, control 5.4)

F.

There is an opportunity for improvement (OI). The IT Manager should make the decision to continue the service based on appropriate testing. (Relevant to clause 8.1, control A.8.30)

Full Access
Question # 24

Which two of the following statements are true?

A.

The role of a certification body auditor involves evaluating the organisation's processes for ensuring compliance with their legal requirements

B.

Curing a third-party audit, the auditor evaluates how the organisation ensures that 4 6 made aware of changes to the legal requirements

C.

As part of a certification body audit the auditor is resporable for verifying the organisation's legal compliance status

Full Access
Question # 25

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".

You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.

You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.

A.

Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

B.

Collect more evidence on what the service requirements of healthcare monitoring are. (Relevant to clause 4.2)

C.

Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26)

D.

Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27)

E.

Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26)

F.

Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8)

G.

Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

Full Access
Question # 26

How does the use of new technologies such as big data impact auditing?

A.

It presents new challenges, for example, combining structured and unstructured data

B.

It enhances the audit quality by enabling auditors to collect higher quality audit evidence

C.

It causes significant disruptions, for example, introducing data that is too large or complex for processing by traditional database management tools

Full Access
Question # 27

After analyzing the audit conclusions, Company X decided to accept the risk related to one of the detected nonconformities. They claimed that no corrective action was necessary; however, their decision was not documented. Is this acceptable?

A.

Yes, the auditee's management can decide to accept the risk instead of implementing corrective actions and documenting such decision is not necessary

B.

No, the decision of the auditee to accept the risk instead of implementing corrective actions should be justified and documented

C.

No, the auditee must implement corrective actions for all the observations documented during the audit

Full Access
Question # 28

Which two of the following statements are true?

A.

The benefits of implementing an ISMS primarily result from a reduction in information security risks

B.

The benefit of certifying an ISMS is to obtain contracts from governmental institutions

C.

The purpose of an ISMS is to apply a risk management process for preserving information security

D.

The purpose of an ISMS is to demonstrate compliance with regulatory requirements

Full Access
Question # 29

The audit team leader decided to involve a technical expert as part of the audit team, so they could fill the potential gaps of the audit team members' knowledge. What should the audit team leader consider in this case?

A.

The technical expert is allowed to take decisions related to the audit process when it is needed

B.

The technical expert should discuss their concerns directly with the certification body, and not with the auditor

C.

The technical expert can communicate their audit findings to the auditee only through one of the audit team members

Full Access
Question # 30

A marketing agency has developed its own risk assessment approach as part of the ISMS implementation. Is this acceptable?

A.

Yes, any risk assessment methodology that complies with the ISO/IEC 27001 requirements can be used

B.

Yes, only if the risk assessment methodology is aligned with recognized risk assessment methodologies

C.

No, when implementing an ISMS, the risk assessment methodology provided by ISO/IEC 27001 should be used

Full Access
Question # 31

Review the following statements and determine which two are false:

A.

Conducting a technology check in advance of a virtual audit can improve the effectiveness and efficiency of the audit

B.

During a virtual audit, auditees participating in interviews are strongly recommended to keep their webcam enabled

C.

The number of days assigned to a third-party audit is determined by the auditee's availability

D.

Due to confidentiality and security concerns, screen sharing during a virtual audit is one method by which the audit team can review the auditee's documentation

E.

The selection of onsite, virtual or combination audits should take into consideration historical performance and previous audit results

F.

Auditors approved for conducting onsite audits do not require additional training for virtual audits, as there are no significant differences in the skillset required

Full Access
Question # 32

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

Which three of the following options represent valid audit trails?

A.

I will determine whether internal and external sources of information are used in the production of threat intelligence

B.

I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team

C.

I will ensure that the organisation's risk assessment process begins with effective threat intelligence

D.

I will check that the organisation has a fully documented threat intelligence process

E.

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

F.

I will speak to top management to make sure all staff are aware of the importance of reporting threats

G.

I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements

Full Access
Question # 33

Auditor competence is a combination of knowledge and skills. Which two of the following activities are predominately related to "knowledge"?

A.

Understanding how to identify findings

B.

Designing a checklist

C.

Follow an audit trail deviating from the prepared checklist

D.

Communicate with the auditee

E.

Determining how to seek evidence from the auditee

F.

Determining what evidence to gather

Full Access
Question # 34

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

According to ISO/IEC 27001 requirements, does the company need to provide evidence of implementation of the procedure regarding logs recording user activities? Refer to scenario 6.

A.

Yes, event logs recording user activities must be kept and regularly reviewed

B.

No, because the implementation of this procedure is not a requirement of the standard

C.

No, the company only recommended implementing this procedure

Full Access
Question # 35

During an audit, the audit team leader reached timely conclusions based on logical reasoning and analysis. What professional behaviour was displayed by the audit team leader?

A.

Decisive

B.

Open minded

C.

Ethical

D.

Perceptive

Full Access
Question # 36

An audit finding is the result of the evaluation of the collected audit evidence against audit criteria. Evaluate the following potential formats of audit evidence and select the two that are acceptable.

A.

Unsigned hand written changes to test results

B.

Statement of facts by the IT manager

C.

Documented information on results of IT audits

D.

Statements by a system engineer that cannot be verified

E.

Observation of a previously recorded video demonstrating the performance of a hazardous activity

F.

An audio recording of a dialog between the IT manager and a system engineer

Full Access
Question # 37

Which two of the following options do not participate in a first-party audit?

A.

A certification body auditor

B.

An audit team from an accreditation body

C.

An auditor certified by CQI and IRCA

D.

An auditor from a consultancy organisation

E.

An auditor trained in the CQI and IRCA scheme

F.

An auditor trained in the organization

Full Access
Question # 38

Which three of the following phrases are objectives' in relation to an audit?

A.

International Standard

B.

Identify opportunities for improvement

C.

Confirm the scope of the management system

D.

Management policy

E.

Complete audit on time

F.

Regulatory requirements

Full Access
Question # 39

During a third-party certification audit, you are presented with a list of issues by an auditee. Which four of the following constitute 'internal' issues in the context of a management system to ISO 27001:2022?

A.

Higher labour costs as a result of an aging population

B.

A rise in interest rates in response to high inflation

C.

Poor levels of staff competence as a result of cuts in training expenditure

D.

Poor morale as a result of staff holidays being reduced

E.

Increased absenteeism as a result of poor management

F.

A reduction in grants as a result of a change in government policy

G.

A fall in productivity linked to outdated production equipment

Full Access
Question # 40

Information Security is a matter of building and maintaining ________ .

A.

Confidentiality

B.

Trust

C.

Protection

D.

Firewalls

Full Access
Question # 41

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

UpNet ensured independence, objectivity, and advisory activities from the internal audit. Is this action acceptable?

A.

Yes, because internal audits have an advisory role

B.

No, because internal audits should be independent of the audited activities

C.

No, because the internal audit function was outsourced

Full Access
Question # 42

Match the correct responsibility with each participant of a second-party audit:

Full Access
Question # 43

You are an experienced ISMS audit team leader conducting a third-party surveillance audit of an internet services provider. You are reviewing the organization's risk assessment processes for conformity with ISO/IEC 27001:2022.

Which three of the following audit findings would prompt you to raise a nonconformity report?

A.

Both systems contain additional information security risks which are not associated with preserving the confidentiality, integrity and accessibility of information

B.

The organisation is treating information security risks in the order in which they are identified

C.

The organisation's information security risk assessment process suggests each risk is allocated a risk owner

D.

The organisation has not used RAG (Red, Amber, Green) to classify its' information security risks. Instead, it has used a smiling emoji, a neutral face emoji and a sad face emoji

E.

The organisation's risk assessment criteria have not been reviewed and approved by top management

F.

The organisation's information security risk assessment process is based solely on an assessment of the impact of each risk

G.

The organisation has assessed the probability of all of its information security risks as either 0%, 25%, 50%, 75% or 100%

Full Access
Question # 44

You are an experience ISMS audit team leader carrying out a third-party certification audit of an organization specialising in the secure disposal of confidential documents and removable media. Both documents and media are shredded in military grade devices which make it impossible to reconstruct the original.

The audit has gone well and you are just about to start to write the audit report, 30 minutes before the closing meeting. At

this point one of the organization's employees knocks on your door and asks if they can speak to you. They tell you that when things get busy her manager tells her to use a lower grade industrial shredder instead as the organisation has more of these and they operate faster. You were not informed about the existence or use of these machines by the auditee.

Select three options for how you should respond to this information.

A.

Advise the individual managing the audit programme of any recommendation by you to conduct a further auditprior to certification

B.

Cancel the production of the audit report and instead review the organization's contracts with its clients to determine whether they have permitted the use of lower grade machines

C.

Consider the need for a subsequent audit within 4 weeks based on the additional information that has come to light

D.

Do nothing. All audits are based on a sample and the sample you took did not include a planned review of the lower grade machines

E.

Extend the certification audit duration to create additional time to audit the use of the lower grade machines

F.

Raise a nonconformity against 8.1 Operational Planning and Control as the organization has not been open about its processes

G.

Verify with the auditee that lower grade machines are used in certain circumstances

Full Access
Question # 45

Which two of the following standards are used as ISMS third-party certification audit criteria?

A.

ISO/IEC 27002

B.

ISO/IEC 20000-1

C.

ISO 19011

D.

ISO/IEC 27001

E.

Relavent legal, statutory, and regulatory requirements

F.

ISO/IEC 17021-1

Full Access
Question # 46

Which two options are benefits of third-party accredited certification of information security management systems to ISO/IEC 27001:2022 for organisations and interested parties?

A.

Third-party accredited certification demonstrates that the organisation complies with the legal and legislation requirements expected by interested parties

B.

Third-party accredited certification demonstrates that the organisation's ICT products are secured and certified

C.

Third-party accredited certification demonstrates that the organisation's management system is maintained and effective

D.

Third-party accredited certification demonstrates the organisation's management system adopted a systematic approach to information security

E.

Third-party accredited certification makes sure the organisation will obtain more customers

F.

Third-party accredited certification makes sure the organisation's IT system will be protected from external interference

Full Access
Question # 47

What is meant by the term 'Corrective Action'? Select one

A.

Action is taken to prevent a nonconformity or an incident from occurring

B.

Action is taken to eliminate the cause(s) of a nonconformity or an incident

C.

Action is taken by management to respond to a nonconformity

D.

Action is taken to fix a nonconformity or an incident

Full Access
Question # 48

You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.

The Service Manager says that the complaints were investigated as an information security incident which found that they were justified.

Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.

You write a nonconformity "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents' and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members."

Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity.

A.

ABC asks an ISMS consultant to test the ABC Healthcare mobile app for protection against cyber-crime.

B.

ABC cancels the service agreement with WeCare.

C.

ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA).

D.

ABC discontinues the use of the ABC Healthcare mobile app.

E.

ABC introduces background checks on information security performance for all suppliers.

F.

ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.

G.

ABC takes legal action against WeCare for breach of contract.

Full Access
Question # 49

What is we do in ACT - From PDCA cycle

A.

Take actions to continually monitor process performance

B.

Take actions to continually improve process performance

C.

Take actions to continually monitor process performance

D.

Take actions to continually improve people performance

Full Access
Question # 50

You are carrying out a third-party surveillance audit of a client's ISMS. You are currently in the secure storage area of the data centre where the organisation's customers are able to temporarily locate equipment coming into or going out of the site. The equipment is contained within locked cabinets and each cabinet is allocated to a single, specific client.

Out of the corner of your eye you spot movement near the external door of the storage area. This is followed by a loud noise. You ask the guide what is going on. They tell you that recent high rainfall has raised local river levels and caused an infestation of rats. The noise was a specialist pest control stunning device being triggered. You check the device in the corner and find there is a large immobile rat contained within it.

What three actions would be appropriate to take next?

A.

Take no further action. This is an ISMS audit, not an environmental management system audit

B.

Investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied

C.

Determine whether the high levels of rainfall have had other impacts on data centre operations e.g. damage to infrastructure, access issues for clients, invocation of business continuity arrangements

D.

Raise a nonconformity against control 7.4 Physical Security monitoring

E.

Raise a nonconformity against control 7.2 Physical Entry

F.

Check with the guide that they intend to initiate the organisation's information security incident process

G.

Inspect the client cabinets for signs of rodent ingress and record your findings as audit evidence

Full Access
Question # 51

You are conducting an ISMS audit. The next step in your audit plan is to verify that the organisation's

information security risk treatment plan has been established and implemented properly. You decide to

interview the IT security manager.

You: Can you please explain how the organisation performs its information security risk assessment and

treatment process?

IT Security Manager: We follow the information security risk management procedure which generates a

risk treatment plan.

Narrator: You review risk treatment plan No. 123 relating to the planned installation of an electronic

(invisible) fence to improve the physical security of the nursing home. You found the risk treatment plan was

approved by IT Security Manager.

You: Who is responsible for physical security risks?

IT Security Manager: The Facility Manager is responsible for the physical security risk. The IT department helps them to monitor the alarm. The Facility Manager is authorized to approve the budget for risk treatment plan No. 123.

You: What residual information security risks exist after risk treatment plan No. 123 was implemented?

IT Security Manager: There is no information for the acceptance of residual information security risks as far as I know.

You prepare your audit findings. Select three options for findings that are justified in the scenario.

A.

Nonconformity (NC) - The information for the acceptance of residual information security risks should be updated after the risk treatment is implemented. Clause 6.1.3.f

B.

There is an opportunity for improvement (OI) to conduct security checks on the perimetre fence

C.

There is an opportunity for improvement (OI) once the Electronic (invisible) fence is installed. Residents' physical security is improved

D.

Nonconformity (NC) - Top management must ensure that the resources needed for the ISMS are available. Clause 5.1.c

E.

Nonconformity (NC) - The IT security manager should be aware of and understand his authority and area of responsibility. Clause 7.3

F.

Nonconformity (NC) - The organization should provide the resources needed for the continual improvement of the ISMS. Clause 7.1

G.

Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the Facility Manager in this case. Clause 6.1.3.f

Full Access
Question # 52

Full Access
Question # 53

Which two of the following options are an advantage of using a sampling plan for the audit?

A.

Overrules the auditor's instincts

B.

Reduces the audit duration

C.

Prevents conflict within the audit team

D.

Gives confidence in the audit results

E.

Implements the audit plan efficiently

F.

Use of the plan for consecutive audits

Full Access
Question # 54

Select the words that best complete the sentence:

Full Access
Question # 55

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.

The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organisation outsourced the mobile app development to a professional software development organisation with CMMI Level 5, ITSM

(ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.

The IT Manager presents the software security management procedure and summarises the process as follows:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report - Reference ID: 0098, details as follows:

You would like to investigate other areas further to collect more audit evidence. Select three options that will not be in your audit trail.

A.

Collect more evidence on how much residents' family members pay to install ABC's healthcare mobile app. (Relevant to clause 4.2)

B.

Collect more evidence by downloading and testing the mobile app on your phone. (Relevant to control A.8.1)

C.

Collect more evidence to determine the number of users of ABC's healthcare mobile app. (relevant to clause 4.2)

D.

Collect more evidence on how the organisation performs testing of personal data handling. (Relevant to control A.5.34)

E.

Collect more evidence on the organisation's business continuity policy. (Relevant to control A.5.30)

F.

Collect more evidence on how the organisation manages information security in the selection of an external service provider. (Relevant to control A.5.19)

G.

Collect more evidence on how the developer trains its product support personnel. (Relevant to clause 7.2)

Full Access
Question # 56

Objectives, criteria, and scope are critical features of a third-party ISMS audit. Which two issues are audit objectives?

A.

Evaluate customer processes and functions

B.

Assess conformity with ISO/IEC 27001 requirements

C.

Fulfil the audit plan

D.

Confirm sites operating the ISMS

E.

Determine the scope of the ISMS

F.

Review organisation efficiency

Full Access
Question # 57

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

FTP uses clear text passwords for authentication. This is an FTP:

A.

Vulnerability

B.

Risk

C.

Threat

Full Access
Question # 58

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. You find all nursing home residents wear an electronic wristband for monitoring their location, heartbeat, and blood pressure always. You learned that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.

To verify the scope of ISMS, you interview the management system representative (MSR) who explains that the ISMS scope covers an outsourced data center.

Select three options for the audit evidence you need to find to verify the scope of the ISMS.

A.

The auditee has identified the resident's needs and expectations on the facility and environmental safety

B.

The auditee has ISO 9001 certification

C.

The auditee has identified the governmental authorities' needs and expectations on healthcare services and patient data handling

D.

The auditee has identified the resident's needs and expectations on how they should protect the resident's personal data

E.

The auditee has identified the resident's needs and expectations on the comfort facility, medical professional's competence, and clean environment

F.

The auditee has identified the resident's needs and expectations on healthcare medical treatment services

G.

The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located

Full Access
Question # 59

You are an experienced ISMS audit team leader guiding an auditor in training. Your team has just completed a third-party surveillance audit of a mobile telecom provider. The auditor in training asks you how you intend to prepare for the Closing meeting. Which four of the following are appropriate responses?

A.

I will advise the auditee that the purpose of the closing meeting is for the audit team to communicate our findings. It is not an opportunity for the auditee to challenge the findings

B.

I will instruct my audit team to wait outside the auditee's offices so we can leave as quickly as possible after the closing meeting. This saves our time and the client's time too

C.

It is not necessary to prepare for the closing meeting. Once you have carried out as many audits as I have you already know what needs to be discussed

D.

I will schedule a closing meeting with the auditee's representatives at which the audit conclusions will be presented

E.

I will contact head office to ensure our invoice has been paid, If not, I will cancel the closing meeting and temporarily withhold the audit report

F.

I will discuss any follow-up required with my audit team

G.

I will review and, as appropriate, approve my teams audit conclusions

Full Access
Question # 60

The auditor discovered that two out of 15 employees of the IT Department have not received adequate information security training. What does this represent?

A.

Audit finding

B.

Audit evidence

C.

Information source

Full Access
Question # 61

Who are allowed to access highly confidential files?

A.

Employees with a business need-to-know

B.

Contractors with a business need-to-know

C.

Employees with signed NDA have a business need-to-know

D.

Non-employees designated with approved access and have signed NDA

Full Access
Question # 62

Which two of the following actions are the individual(s) managing the audit programme responsible for?

A.

Determining the resources necessary for the audit programme

B.

Communicating with the auditee during the audit

C.

Determining the legal requirements applicable to each audit

D.

Keping informed the accreditation body on the progress of the audit programme

E.

Defining the objectives, scope and criteria for an individual audit

F.

Defining the plan of an individual audit

Full Access
Question # 63

Which two of the following are examples of audit methods that 'do' involve human interaction?

A.

Performing an independent review of procedures in preparation for an audit

B.

Reviewing the auditee's response to an audit finding

C.

Analysing data by remotely accessing the auditee's server

D.

Observing work performed by remote surveillance

E.

Analysing data by remotely accessing the auditee's server

Full Access
Question # 64

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank’s labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

Based on scenario 8, EsBank submitted a general action plan. Is this acceptable?

A.

Yes, nonconformities with the same root cause should have a general action plan

B.

No, an action plan should only address one nonconformity

C.

No, a general action plan does not enable the correction of nonconformities

Full Access
Question # 65

Which two of the following are valid audit conclusions?

A.

ISMS induction training does not provide guidance on malware prevention

B.

The risk register had not been updated since June 202X

C.

Corrective action was outstanding for two internal audits

D.

The ISMS policy has been effectively communicated to the organisation

E.

The organisation's ISMS objectives meet the requirements of ISO/IEC 27001:2022

F.

The schedule of applicability was based on the 2013 edition of ISO/IEC 27001, not the 2022 edition

Full Access
Question # 66

Which three of the following work documents are not required for audit planning by an auditor conducting a certification audit?

A.

An audit plan

B.

A sample plan

C.

An organisation's financial statement

D.

A checklist

E.

A career history of the IT manager

F.

A list of external providers

Full Access
Question # 67

Select a word from the following options that best completes the sentence:

To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Full Access
Question # 68

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

Which three of the following options represent valid audit trails?

A.

I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team

B.

I will ensure that the organisation's risk assessment process begins with effective threat intelligence

C.

I will speak to top management to make sure all staff are aware of the importance of reporting threats

D.

I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements

E.

I will check that the organisation has a fully documented threat intelligence process

F.

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

G.

I will review how information relating to information security threats is collected and evaluated to produce threat intelligence

Full Access
Question # 69

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information

security incident management procedure (Document reference ID: ISMS_L2_16, version 4) and explains that the process is

based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported

to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences

in the understanding of the meaning of "weakness, event, and incident".

The IT Security Manager explained that an online "information security handling" training seminar was conducted 6 months

ago. All of the interviewed persons participated in and passed the reporting exercise and course assessment.

You are preparing the audit findings. Select two options that are correct.

A.

There is a nonconformity (NC). The information security incident training has failed. This is not conforming with clause 7.2 and control A.6.3.

B.

There is a nonconformity (NC). The terminology of the the incident management reporting process is unclear as evidenced by staff misunderstanding of the meaning of "weakness, event and incident". This is not conforming with clause 9.1 and control A.5.24.

C.

There is an opportunity for improvement (OFI). The information security incident training effectiveness can be improved. This is relevant to clause 7.2 and control A.6.3.

D.

There is an opportunity for improvement (OFI). The information security weaknesses, events, and incidents are reported. This is relevant to clause 9.1 and control A.5.24.

E.

There is no nonconformance. The information security handling training has been effective. This conforms with clause 7.2 and control A.6.3.

F.

There is no nonconformance. The information security weaknesses, events, and incidents are reported. This conforms with clause 9.1 and control A.5.24.

Full Access
Question # 70

During a third-party certification audit you are presented with a list of issues by an auditee. Which four of the following constitute 'external' issues in the context of a management system to ISO/IEC 27001:2022?

A.

A rise in interest rates in response to high inflation

B.

A reduction in grants as a result of a change in government policy

C.

Poor levels of staff competence as a result of cuts in training expenditure

D.

Increased absenteeism as a result of poor management

E.

Higher labour costs as a result of an aging population

F.

Inability to source raw materials due to government sanctions

G.

Poor morale as a result of staff holidays being reduced

Full Access
Question # 71

The data center at which you work is currently seeking ISO/IEC27001:2022 certification. In preparation for your initial certification visit a number of internal audits have been carried out by a colleague working at another data centre within your Group. They secured their ISO/IEC 27001:2022 certificate earlier in the year.

You have just qualified as an Internal ISMS auditor and your manager has asked you to review the audit process and audit findings as a final check before the external Certrfication Body arrives.

Which six of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements?

A.

The audit programme shows management reviews taking place at irregular intervals during the year

B.

Audit reports are not held in hardcopy (i.e. on paper). They are only stored as ".POF documents on the organisation's intranet

C.

The audit programme does not take into account the relative importance of information security processes

D.

The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022

E.

Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date

F.

Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes

G.

The audit programme does not reference audit methods or audit responsibilities

Full Access
Question # 72

You are an audit team leader who has just completed a third-party audit of a mobile telecommunication provider. You are preparing your audit report and are just about to complete a section headed 'confidentiality'.

An auditor in training on your team asks you if there are any circumstances under which the confidential report can be released to third parties.

Which four of the following responses are false?

A.

Although we advise the client the report is confidential we can decide to release it to third parties if we feel this is justified. We would always tell the client afterwards

B.

The report can be released to third parties but only with the explicit, prior approval of the audit client

C.

There are no circumstances under which the report can be released to a third party. Confidential means confidential and releasing the document would be a breach of trust

D.

The starting position is always that third parties have no automatic right to access an audit report

E.

If the third party has gained a legal notice for us to disclose the report then we must do so. In all such cases we would advise the audit client and, as appropriate, the auditee

F.

Any auditor employed by the auditing organisation can access the audit report

G.

Our duty of confidentiality is not something that lasts forever. As a certification body, we can decide how long we wish to keep reports confidential. After this, they can be accessed by third parties making a subject access request

Full Access
Question # 73

The following are the guidelines to protect your password, except: 

A.

Don't use the same password for various company system security access

B.

Do not share passwords with anyone

C.

For easy recall, use the same password for company and personal accounts

D.

Change a temporary password on first log-on

Full Access
Question # 74

You are an ISMS auditor conducting a third-party surveillance audit of a telecom's provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming.

You ask the Chief Tester why and she says, 'It's a result of the recent ISMS upgrade'. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients' configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made'.

Based solely on the information above, which clause of ISO/IEC 27001:2022 would be the most appropriate to raise a nonconformity against? Select one.

A.

Clause 10.2 - Nonconformity and corrective action

B.

Clause 7.2 - Competence

C.

Clause 7.5 - Documented information

D.

Clause 8.1 - Operational planning and control

Full Access
Question # 75

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PHYSICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

A.

Access to and from the loading bay

B.

How power and data cables enter the building

C.

Information security awareness, education, and training

D.

The conducting of verification checks on personnel

E.

The development and maintenance of an information asset inventory

F.

The operation of the site CCTV and door control systems

G.

The organisation's arrangements for maintaining equipment

Full Access
Question # 76

You are an ISMS audit team leader tasked with conducting a follow-up audit at a client's data centre. Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding.

Select four options for the actions you could take.

A.

Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified

B.

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit

C.

Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised

D.

Recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale

E.

Advise the auditee that you will arrange for the next audit to be an online audit to deal with the outstanding nonconformity

F.

Note the progress made but hold the audit open until all corrective action has been cleared

G.

Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity

Full Access
Question # 77

An external auditor received an offer to conduct an ISMS audit at a research development company. Before accepting it, they discussed with the internal auditor of the auditee, who was their friend, about previous audit reports. Is this acceptable?

A.

No, the external auditor should discuss about the auditee's previous audit reports only with the certification body

B.

Yes, the auditor can review and discuss the previous audit reports before accepting an audit mandate

C.

No, the auditor should uphold objectivity even when deciding whether to accept the audit mandate or not

Full Access
Question # 78

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.

The IT Manager presented the software security management procedure and summarised the process as following:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security

functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report, details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorised to approve the test.

The IT Manager explains the test results should be approved by him according to the software security management procedure.

The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You are preparing the audit findings. Select the correct option.

A.

There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

B.

There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)

C.

There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)

D.

There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

Full Access
Question # 79

You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee's knowledge of ISO/IEC 27001's risk management requirements.

You ask her a series of questions to which the answer is either 'that is true' or 'that is false'. Which four of the following should she answer 'that is true'?

A.

The results of risk assessments must be maintained

B.

Risk identification is used to determine the severity of an information security risk

C.

ISO/IEC 27001 provides an outline approach for the management of risk

D.

The organisation must produce a risk treatment plan for every business risk identified

E.

The organisation must operate a risk treatment process to eliminate it's information security risks

F.

The initial phase in an organisation's risk management process should be information security risk assessment

G.

Risks assessments should be undertaken at monthly intervals

Full Access
Question # 80

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

According to scenario 1, the chatbot sent random files to users when it received invalid inputs. What impact might that lead to?

A.

Inability to provide service

B.

Loss of reputation

C.

Leak of confidential information

Full Access
Question # 81

Select the option which best describes how Information Security Management System audits should be conducted:

A.

Audit criteria should be used to assess circumstantial evidence in order to generate audit outcomes. Then, the audit report should be created and presented to the audit team at the audit team meeting.

B.

Audit criteria should be used to assess objective evidence in order to generate audit outcomes. Then, the audit report should be created and presented to the audit team leader at the closing meeting.

C.

Audit methods should be used to assess audit evidence in order to generate audit recommendations. Then, the audit recommendations should be created and presented to the auditee at the closing meeting.

D.

Audit methods should be used to assess objective evidence in order to generate audit findings. Then, the audit conclusion should be created and presented to the auditee at the closing meeting.

E.

Audit objectives should be used to assess audit evidence in order to generate audit conclusions. Then, the audit findings should be created and presented to the audit client at the closing meeting.

F.

Audit objectives should be used to assess objective evidence in order to generate audit conclusions. Then, the audit recommendations should be created and presented to top management at management review.

Full Access
Question # 82

Which option below about the ISMS scope is correct?

A.

ISMS scope should be available as documented information

B.

ISMS scope should ensure continual improvement

C.

ISMS scope should be compatible with the strategic orientation of the organization

Full Access