Exam Dumps ISO-IEC-27001-Lead-Auditor Practice Free Latest PECB Practice Tests [Q98-Q120]

Q98. An employee caught with offense of abusing the internet, such as P2P file sharing or video/audio streaming, will not receive a warning for committing such act but will directly receive an IR.

True

False

Q99. An organisation is looking for management system initial certification. Please identify the sequence of the activities to be undertaken by the organisation.
To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank section.

Q100. Which reliability aspect of information is compromised when a staff member denies having sent a message?

Confidentiality

Integrity

Availability

Correctness

Q101. An employee caught temporarily storing an MP3 file in his workstation will not receive an IR.

True

False

Q102. A member of staff denies sending a particular message.
Which reliability aspect of information is in danger here?

availability

correctness

integrity

confidentiality

Q103. Stages of Information

creation, evolution, maintenance, use, disposition

creation, use, disposition, maintenance, evolution

creation, distribution, use, maintenance, disposition

creation, distribution, maintenance, disposition, use

Q104. You are an ISMS audit team leader tasked with conducting a follow-up audit at a client’s data centre.
Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding.
Select four options for the actions you could take.

Book another follow-up audit on-site to review the one outstanding minor nonconformity once it has been cleared

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit

Advise the auditee that you will arrange an online audit to deal with the outstanding nonconformity

Note the progress made but hold the audit open until all corrective action has been cleared

Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified

Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity

Recommend suspension of the organisation’s certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale

Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised

Explanation
According to ISO 19011:2018, which provides guidelines for auditing management systems, clause 6.7 requires the audit team leader to conduct a follow-up audit to verify the implementation and effectiveness of the corrective actions taken by the auditee in response to the nonconformities identified during a previous audit1. The follow-up audit should be conducted in accordance with the same principles and processes as the initial audit, and should result in a conclusion on the status of the nonconformities and any remaining issues1.
Therefore, when conducting a follow-up audit, an ISMS auditor should consider the following actions:
* Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit: This action is appropriate because it reflects the fact that the auditee has cleared most of the nonconformities, including the major one, and only one minor nonconformity remains outstanding. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity2. Therefore, this finding does not prevent or preclude the continuation of certification, as long as it is addressed by appropriate corrective actions within a reasonable time frame. The auditor should recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit, which is a regular audit conducted by the certification body to confirm the ongoing conformity and effectiveness of an ISMS3.
* Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified: This action is appropriate because it reflects the fact that the auditee has demonstrated commitment and capability to implement corrective actions for the nonconformities identified during the previous audit. The auditor should agree with the auditee/audit client on a realistic, achievable, and effective corrective action plan for the remaining nonconformity, including a clear deadline and verification method. The auditor should also document this agreement in the follow-up audit report1.
* Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity: This action is appropriate because it reflects the fact that the auditor has followed a systematic and consistent approach to conducting and reporting the follow-up audit. The auditor should advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity, such as recommending its closure at the next surveillance audit or agreeing on a corrective action plan with the auditee/audit client. The auditor should also provide sufficient information and evidence to support their decision1.
* Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised: This action is appropriate because it reflects the fact that the organisation has achieved satisfactory results in the follow-up audit. The auditor should close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised by implementing effective corrective actions for most of them and agreeing on a plan for the remaining one. The auditor should also communicate the follow-up audit conclusion to the auditee/audit client and other relevant parties1.

Q105. During a follow-up audit, you notice that a nonconformity identified for completion before the follow-up audit is still outstanding.
Which four of the following actions should you take?

Report the failure to address the corrective action for the outstanding nonconformity to the organisation’s top management

Immediately raise an nonconformity as the date for completion has been exceeded

If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client

Contact the individuals) managing the audit programme to seek their advice as to how to proceed

Decide whether the delay in addressing the nonconformity is justified

Cancel the follow-up audit and return when an assurance has been received that the nonconformity has been cleared

Note the nonconformity is still outstanding and follow audit trails to determine why

If the delay is unjustified advise the auditee /audit client and agree on remedial action

Q106. In regard to generating an audit finding, select the words that best complete the following sentence.
To complete the sentence with the best word(s), click on the blank section you want to complete so that it Is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Q107. Which six of the following actions are the individual(s) managing the audit programme responsible for?

Selecting the audit team

Retaining documented information of the audit results

Defining the objectives, scope and criteria for an individual audit

Defining the plan of an individual audit

Establishing the extent of the audit programme

Establishing the audit programme

Determining the resources necessary for the audit programme

Communicating with the auditee during the audit

Q108. You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

5.11 Return of assets

8.12 Data leakage protection

5.3 Segregation of duties

6.3 Information security awareness, education, and training

7.10 Storage media

8.3 Information access restriction

5.6 Contact with special interest groups

6.4 Disciplinary process

7.4 Physical security monitoring

5.13 Labelling of information

5.32 Intellectual property rights

B) 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers12.
D) 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms13.
E) 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks14. Storage media controls could include physical locks, encryption, backup, disposal, or destruction14.
F) 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets15.
I) 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts16.
J) 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes1 . Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse1 .
Reference:
ISO/IEC 27002:2022 Information technology – Security techniques – Code of practice for information security controls ISO/IEC 27001:2022 Information technology – Security techniques – Information security management systems – Requirements ISO/IEC 27003:2022 Information technology – Security techniques – Information security management systems – Guidance ISO/IEC 27004:2022 Information technology – Security techniques – Information security management systems – Monitoring measurement analysis and evaluation ISO/IEC 27005:2022 Information technology – Security techniques – Information security risk management ISO/IEC 27006:2022 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
[ISO/IEC 27007:2022 Information technology – Security techniques – Guidelines for information security management systems auditing]

Q109. Which two options are benefits of third-party accredited certification of information security management systems to ISO/IEC 27001:2022 for organisations and interested parties?

Third-party accredited certification demonstrates that the organisation complies with the legal and legislation requirements expected by interested parties

Third-party accredited certification demonstrates that the organisation’s ICT products are secured and certified

Third-party accredited certification demonstrates that the organisation’s management system is maintained and effective

Third-party accredited certification demonstrates the organisation’s management system adopted a systematic approach to information security

Third-party accredited certification makes sure the organisation will obtain more customers

Third-party accredited certification makes sure the organisation’s IT system will be protected from external interference

Q110. Select two options that describe an advantage of using a checklist.

Using the same checklist for every audit without review

Restricting interviews to nominated parties

Ensuring relevant audit trails are followed

Ensuring the audit plan is implemented

Reducing audit duration

Not varying from the checklist when necessary

Explanation
A checklist is a tool that helps auditors to collect and verify information relevant to the audit objectives and scope. It can provide the following advantages:
Ensuring relevant audit trails are followed: A checklist can help auditors to identify and trace the sources of evidence that support the conformity or nonconformity of the audited criteria. It can also help auditors to avoid missing or overlooking any important aspects of the audit.
Ensuring the audit plan is implemented: A checklist can help auditors to follow and fulfil the audit plan, which describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. It can also help auditors to manage their time and resources effectively and efficiently.
The other options are not advantages of using a checklist, but rather:
Using the same checklist for every audit without review: This is a disadvantage of using a checklist, as it can lead to a rigid and ineffective audit approach. A checklist should be tailored and adapted to each specific audit, taking into account the context, risks, and changes of the auditee and the audit criteria. A checklist should also be reviewed and updated periodically to ensure its validity and relevance.
Restricting interviews to nominated parties: This is a disadvantage of using a checklist, as it can limit the scope and depth of the audit. A checklist should not prevent auditors from interviewing other relevant parties or sources of information that may provide valuable evidence or insights for the audit. A checklist should be used as a guide, not as a constraint.
Reducing audit duration: This is not necessarily an advantage of using a checklist, as it depends on various factors, such as the complexity, size, and maturity of the auditee’s ISMS, the availability and quality of evidence, the competence and experience of the auditors, and the level of cooperation and communication between the auditors and the auditee. A checklist may help reduce audit duration by improving efficiency and organization, but it may also increase audit duration by requiring more evidence or verification.
Not varying from the checklist when necessary: This is a disadvantage of using a checklist, as it can result in a superficial or incomplete audit. A checklist should not prevent auditors from exploring or investigating any issues or concerns that arise during the audit, even if they are not included in the checklist. A checklist should be used as a support, not as a substitute.
References:
ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB ISO 19011:2018 Guidelines for auditing management systems [Section 6.2.2]

Q111. You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

5.11 Return of assets

8.12 Data leakage protection

5.3 Segregation of duties

6.3 Information security awareness, education, and training

7.10 Storage media

8.3 Information access restriction

5.6 Contact with special interest groups

6.4 Disciplinary process

7.4 Physical security monitoring

5.13 Labelling of information

5.32 Intellectual property rights

B. 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers12.
D. 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms13.
E. 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks14. Storage media controls could include physical locks, encryption, backup, disposal, or destruction14.
F. 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets15.
I. 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts16.
J. 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes1 . Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse1 .
References :=
ISO/IEC 27002:2022 Information technology – Security techniques – Code of practice for information security controls ISO/IEC 27001:2022 Information technology – Security techniques – Information security management systems – Requirements ISO/IEC 27003:2022 Information technology – Security techniques – Information security management systems – Guidance ISO/IEC 27004:2022 Information technology – Security techniques – Information security management systems – Monitoring measurement analysis and evaluation ISO/IEC 27005:2022 Information technology – Security techniques – Information security risk management ISO/IEC 27006:2022 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
[ISO/IEC 27007:2022 Information technology – Security techniques – Guidelines for information security management systems auditing]

Q112. You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

5.11 Return of assets

8.12 Data leakage protection

5.3 Segregation of duties

6.3 Information security awareness, education, and training

7.10 Storage media

8.3 Information access restriction

5.6 Contact with special interest groups

6.4 Disciplinary process

7.4 Physical security monitoring

5.13 Labelling of information

5.32 Intellectual property rights

Explanation
* B. 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers12.
* D. 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the
* information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms13.
* E. 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks14. Storage media controls could include physical locks, encryption, backup, disposal, or destruction14.
* F. 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets15.
* I. 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts16.
* J. 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes1 . Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse1 .
References :=
* ISO/IEC 27002:2022 Information technology – Security techniques – Code of practice for information security controls
* ISO/IEC 27001:2022 Information technology – Security techniques – Information security management systems – Requirements
* ISO/IEC 27003:2022 Information technology – Security techniques – Information security management systems – Guidance
* ISO/IEC 27004:2022 Information technology – Security techniques – Information security management systems – Monitoring measurement analysis and evaluation
* ISO/IEC 27005:2022 Information technology – Security techniques – Information security risk management
* ISO/IEC 27006:2022 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
* [ISO/IEC 27007:2022 Information technology – Security techniques – Guidelines for information security management systems auditing]

Q113. In the event of an Information security incident, system users’ roles and responsibilities are to be observed, except:

Report suspected or known incidents upon discovery through the Servicedesk

Preserve evidence if necessary

Cooperate with investigative personnel during investigation if needed

Make the information security incident details known to all employees

Q114. You are an audit team leader conducting a third-party surveillance audit of a telecom services provider. You have assigned responsibility for auditing the organisation’s information security objectives to a junior member of your audit team. Before they begin their assessment, you ask them the following question to check their understanding of the requirements of ISO/IEC 27001:2022.
Which four of the following criteria must Information security objectives fulfil?

They must be communicated appropriately

They must be available as documented information

They must always be measured

They must always be monitored

They must be reviewed annually

They must be clear and unambiguous

They must be consistent with the IS Policy

They must be achievable

Explanation
According to ISO/IEC 27001:2022, clause 6.2, information security objectives are the specific results that an organisation intends to achieve with its information security management system (ISMS). The standard specifies that information security objectives must fulfil the following criteria:
They must be communicated appropriately (A): The organisation must ensure that the relevant internal and external parties are informed about the information security objectives and their roles and responsibilities in achieving them. This can help to create awareness, commitment, and accountability for information security. This criterion is related to clause 6.2.2 of ISO/IEC 27001:2022.
They must be available as documented information (B): The organisation must maintain and retain documented information on the information security objectives, including their scope, level, indicators, and time frame. This can help to provide evidence, traceability, and consistency for information security. This criterion is related to clause 6.2.1 of ISO/IEC 27001:2022.
They must be consistent with the IS Policy (G): The organisation must ensure that the information security objectives are aligned with the information security policy, which is the top-level statement of the organisation’s intentions and direction for information security. This can help to support the strategic objectives and the context of the organisation. This criterion is related to clause 5.2 of ISO/IEC
27001:2022.
They must be achievable (H): The organisation must ensure that the information security objectives are realistic and attainable, considering the available resources, capabilities, and constraints. This can help to avoid setting unrealistic or unfeasible expectations and to monitor and measure the progress and performance of information security. This criterion is related to clause 6.2.1 of ISO/IEC 27001:2022.
References:
ISO/IEC 27001:2022, Information technology – Security techniques – Information security management systems – Requirements1 PECB Candidate Handbook ISO/IEC 27001 Lead Auditor2 ISO 27001:2022 Lead Auditor – PECB3 ISO 27001:2022 certified ISMS lead auditor – Jisc4 ISO/IEC 27001:2022 Lead Auditor Transition Training Course5 ISO 27001 – Information Security Lead Auditor Course – PwC Training Academy6

Q115. During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made.
Select two options for how the auditor should respond.

Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures

Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned

Suggest that the MSR cancels the audit contract and reapplies for the new situation

Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit

Advise the MSR that, within the existing scope, the new work area can be included without any problem

Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area

Explanation
The correct options for how the auditor should respond are:
* A. Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures
* D. Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit These options are consistent with the ISO/IEC 27006:2015 standard, which states that any changes to the scope of certification should be notified by the client to the certification body, and that the certification body should evaluate and decide on these changes in accordance with its procedures1. The auditor should also verify that the ISMS is implemented and maintained at all sites included in the scope of certification1.
The other options are not appropriate for how the auditor should respond, because:
* B. Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned: This option is too rigid and does not allow for any flexibility or adaptation to the client’s situation. The auditor should be open to consider any changes to the scope of certification that may have occurred since the initial application, as long as they are properly notified and evaluated by the certification body.
* C. Suggest that the MSR cancels the audit contract and reapplies for the new situation: This option is too
* drastic and unnecessary, as it would cause delays and costs for both the client and the certification body.
The auditor should not suggest that the client cancels the audit contract, but rather that they follow the established procedures for requesting and approving an extension of the scope of certification.
* E. Advise the MSR that, within the existing scope, the new work area can be included without any problem: This option is too lenient and does not ensure that the new work area meets the requirements of ISO/IEC 27001 and the ISMS. The auditor should not assume that the new work area can be included within the existing scope without any problem, but rather that they need to verify that the ISMS is implemented and maintained at the new site, and that any changes to the scope of certification are approved by the certification body.
* F. Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area: This option is too presumptuous and does not respect the authority of the certification body.
The auditor should not confirm that they will revise the audit scope to include the new work area, but rather that they will advise the certification body of the client’s request for an extension of the scope of certification, and wait for their decision.

Q116. CEO sends a mail giving his views on the status of the company and the company’s future strategy and the CEO’s vision and the employee’s part in it. The mail should be classified as

Internal Mail

Public Mail

Confidential Mail

Restricted Mail

Q117. Your organisation is currently seeking ISO/IEC27001:2022 certification. You have just qualified as an Internal ISMS auditor and the ICT Manager wants to use your newly acquired knowledge to assist him with the design of an information security incident management process.
He identifies the following stages in his planned process and asks you to confirm which order they should appear in.

Explanation:
Step 1 = Incident logging Step 2 = Incident categorisation Step 3 = Incident prioritisation Step 4 = Incident assignment Step 5 = Task creation and management Step 6 = SLA management and escalation Step 7 = Incident resolution Step 8 = Incident closure The order of the stages in the information security incident management process should follow a logical sequence that ensures a quick, effective, and orderly response to the incidents, events, and weaknesses. The order should also be consistent with the best practices and guidance provided by ISO/IEC 27001:2022 and ISO/IEC 27035:2022. Therefore, the following order is suggested:
Step 1 = Incident logging: This step involves recording the details of the potential incident, event, or weakness, such as the date, time, source, description, impact, and reporter. This step is important to provide a traceable record of the incident and to facilitate the subsequent analysis and response. This step is related to control A.16.1.1 of ISO/IEC 27001:2022, which requires the organization to establish responsibilities and procedures for the management of information security incidents, events, and weaknesses. This step is also related to clause 6.2 of ISO/IEC 27035:2022, which provides guidance on how to log the incidents, events, and weaknesses.
Step 2 = Incident categorisation: This step involves determining the type and nature of the incident, event, or weakness, such as whether it is a hardware issue, network issue, or software issue. This step is important to classify the incident and to assign it to the appropriate resolver or team. This step is related to control A.16.1.2 of ISO/IEC 27001:2022, which requires the organization to report information security events and weaknesses as quickly as possible through appropriate management channels. This step is also related to clause 6.3 of ISO/IEC 27035:2022, which provides guidance on how to categorize the incidents, events, and weaknesses.
Step 3 = Incident prioritisation: This step involves assessing the severity and urgency of the incident, event, or weakness, and classifying it as critical, high, medium, or low. This step is important to prioritize the incident and to allocate the necessary resources and time for the response. This step is related to control A.16.1.3 of ISO/IEC 27001:2022, which requires the organization to assess and prioritize information security events and weaknesses in accordance with the defined criteria. This step is also related to clause 6.4 of ISO/IEC 27035:2022, which provides guidance on how to prioritize the incidents, events, and weaknesses.
Step 4 = Incident assignment: This step involves passing the incident, event, or weakness to the individual or team who is best suited to resolve it, based on their skills, knowledge, and availability.
This step is important to ensure that the incident is handled by the right person or team and to avoid delays or confusion. This step is related to control A.16.1.4 of ISO/IEC 27001:2022, which requires the organization to respond to information security events and weaknesses in a timely manner, according to the agreed procedures. This step is also related to clause 6.5 of ISO/IEC 27035:2022, which provides guidance on how to assign the incidents, events, and weaknesses.
Step 5 = Task creation and management: This step involves identifying and coordinating the work needed to resolve the incident, event, or weakness, such as performing root cause analysis, testing solutions, implementing changes, and documenting actions. This step is important to ensure that the incident is resolved effectively and efficiently, and that the actions are tracked and controlled. This step is related to control A.16.1.5 of ISO/IEC 27001:2022, which requires the organization to apply lessons learned from information security events and weaknesses to take corrective and preventive actions. This step is also related to clause 6.6 of ISO/IEC 27035:2022, which provides guidance on how to create and manage the tasks for the incidents, events, and weaknesses.
Step 6 = SLA management and escalation: This step involves ensuring that any service level agreements (SLAs) are adhered to while the resolution is being implemented, and that the incident is escalated to a higher level of authority or support if a breach looks likely or occurs. This step is important to ensure that the incident is resolved within the agreed time frame and quality, and that any deviations or issues are communicated and addressed. This step is related to control A.16.1.6 of ISO/IEC 27001:2022, which requires the organization to communicate information security events and weaknesses to the relevant internal and external parties, as appropriate. This step is also related to clause 6.7 of ISO/IEC
27035:2022, which provides guidance on how to manage the SLAs and escalations for the incidents, events, and weaknesses.
Step 7 = Incident resolution: This step involves applying a temporary workaround or a permanent solution to resolve the incident, event, or weakness, and restoring the normal operation of the information and information processing facilities. This step is important to ensure that the incident is resolved completely and satisfactorily, and that the information security is restored to the desired level.
This step is related to control A.16.1.7 of ISO/IEC 27001:2022, which requires the organization to identify the cause of information security events and weaknesses, and to take actions to prevent their recurrence or occurrence. This step is also related to clause 6.8 of ISO/IEC 27035:2022, which provides guidance on how to resolve the incidents, events, and weaknesses.
Step 8 = Incident closure: This step involves closing the incident, event, or weakness, after verifying that it has been resolved satisfactorily, and that all the actions have been completed and documented.
This step is important to ensure that the incident is formally closed and that no further actions are required. This step is related to control A.16.1.8 of ISO/IEC 27001:2022, which requires the organization to collect evidence and document the information security events and weaknesses, and the actions taken. This step is also related to clause 6.9 of ISO/IEC 27035:2022, which provides guidance on how to close the incidents, events, and weaknesses.
References:
ISO/IEC 27001:2022, Information technology – Security techniques – Information security management systems – Requirements1 PECB Candidate Handbook ISO/IEC 27001 Lead Auditor2 ISO 27001:2022 Lead Auditor – PECB3 ISO 27001:2022 certified ISMS lead auditor – Jisc4 ISO/IEC 27001:2022 Lead Auditor Transition Training Course5 ISO 27001 – Information Security Lead Auditor Course – PwC Training Academy6 ISO/IEC 27035:2022, Information technology – Security techniques – Information security incident management

Q118. The following are purposes of Information Security, except:

Ensure Business Continuity

Minimize Business Risk

Increase Business Assets

Maximize Return on Investment

Q119. You are an experienced audit team leader guiding an auditor in training, Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that would you expect the auditor in training to review.

The development and maintenance of an information asset inventory

Rules for transferring information within the organisation and to other organisations

Confidentiality and nondisclosure agreements

How protection against malware is implemented

Access to and from the loading bay

The conducting of verification checks on personnel

Remote working arrangements

How information security has been addressed within supplier agreements

How the organisation evaluates its exposure to technical vulnerabilities

The organisation’s business continuity arrangements

The organisation’s arrangements for information deletion

Information security awareness, education and training

How access to source code and development tools are managed

The operation of the site CCTV and door control systems

The organisation’s arrangements for maintaining equipment

How power and data cables enter the building

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), an organization should select and implement appropriate controls to achieve its information security objectives1. The controls should be derived from the results of risk assessment and risk treatment, and should be consistent with the Statement of Applicability (SoA), which is a document that identifies the controls that are applicable and necessary for the ISMS1. The controls can be selected from various sources, such as ISO/IEC 27002:2013, which provides a code of practice for information security controls2. Therefore, if an auditor in training has been tasked with reviewing the technological controls listed in the SoA and implemented at the site of an organization that stores data on behalf of external clients, four controls that would be expected to review are:
* How protection against malware is implemented: This is a technological control that aims to prevent, detect and remove malicious software (such as viruses, worms, ransomware, etc.) that could compromise the confidentiality, integrity or availability of information or information systems2. This control is related to control A.12.2.1 of ISO/IEC 27002:20132.
* How the organisation evaluates its exposure to technical vulnerabilities: This is a technological control that aims to identify and assess the potential weaknesses or flaws in information systems or networks that could be exploited by malicious actors or cause accidental failures2. This control is related to control A.12.6.1 of ISO/IEC 27002:20132.
* How access to source code and development tools are managed: This is a technological control that aims to protect the intellectual property rights and integrity of software applications or systems that are developed or maintained by the organization or its external providers2. This control is related to control A.14.2.5 of ISO/IEC 27002:20132.
* The operation of the site CCTV and door control systems: This is a technological control that aims to
* monitor and restrict physical access to the premises or facilities where information or information systems are stored or processed2. This control is related to control A.11.1.4 of ISO/IEC 27002:20132.
The other options are not examples of technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training’s task. For example, the development and maintenance of an information asset inventory (related to control A.8.1.1), rules for transferring information within the organization and to other organizations (related to control A.13.2.1), confidentiality and nondisclosure agreements (related to control A.13.2.4), verification checks on personnel (related to control A.7.1.2), remote working arrangements (related to control A.6.2.1), information security within supplier agreements (related to control A.15.1.1), business continuity arrangements (related to control A.17), information deletion (related to control A.8.3), information security awareness, education and training (related to control A.7.2), equipment maintenance (related to control A.11.2), and how power and data cables enter the building (related to control A.11) are not technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training’s task. References: ISO/IEC 27001:2022 – Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC
27002:2013 – Information technology – Security techniques – Code of practice for information security controls

Q120. In the context of a management system audit, please identify the sequence of a typical process of collecting and verifying information. The first one has been done for you.