[UPDATED 2024] Read ISO-IEC-27001-Lead-Auditor Study Guide Cover to Cover as Literally [Q68-Q82]

QUESTION 68
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which three of the following Annex A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

5.11 Return of assets

5.13 Labelling of information

5.3 Segregation of duties

5.32 Intellectual property rights

5.34 Privacy and protection of personal identifiable information (PII)

5.6 Contact with special interest groups

6.3 Information security awareness, education, and training

6.4 Disciplinary process

Explanation
The three Annex A controls that you would expect the auditee to have implemented when you conduct the follow-up audit are:
* B. 5.13 Labelling of information
* E. 5.34 Privacy and protection of personal identifiable information (PII)
* G. 6.3 Information security awareness, education, and training
* B. This control requires the organisation to label information assets in accordance with the information classification scheme, and to handle them accordingly12. This control is relevant for the auditee because it could help them to avoid misaddressing labels and sending parcels to wrong destinations, which could compromise the confidentiality, integrity, and availability of the information assets. By labelling the information assets correctly, the auditee could also ensure that they are delivered to the intended recipients and that they are protected from unauthorized access, use, or disclosure.
* E. This control requires the organisation to protect the privacy and the rights of individuals whose personal identifiable information (PII) is processed by the organisation, and to comply with the applicable legal and contractual obligations13. This control is relevant for the auditee because it could help them to prevent the unauthorized use of residents’ personal data by a supplier, which could violate the privacy and the rights of the residents and their family members, and expose the auditee to legal and reputational risks. By protecting the PII of the residents and their family members, the auditee could also enhance their trust and satisfaction, and avoid complaints and disputes.
* G. This control requires the organisation to ensure that all employees and contractors are aware of the information security policy, their roles and responsibilities, and the relevant information security procedures and controls14. This control is relevant for the auditee because it could help them to improve the information security culture and behaviour of their staff, and to reduce the human errors and negligence that could lead to information security incidents. By providing information security awareness, education, and training to their staff, the auditee could also increase their competence and performance, and ensure the effectiveness and efficiency of the information security processes and controls.
References:
1: ISO/IEC 27001:2022 – Information technology – Security techniques – Information security management systems – Requirements, Annex A 2: ISO/IEC 27002:2022 – Information technology – Security techniques
– Code of practice for information security controls, clause 8.2.1 3: ISO/IEC 27002:2022 – Information technology – Security techniques – Code of practice for information security controls, clause 18.1.4 4:
ISO/IEC 27002:2022 – Information technology – Security techniques – Code of practice for information security controls, clause 7.2.2

QUESTION 69
In which order is an Information Security Management System set up?

Implementation, operation, improvement, maintenance

Implementation, operation, maintenance, establishment

Establishment, operation, monitoring, improvement

Establishment, implementation, operation, maintenance

QUESTION 70
You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company’s risk management process.
He is attempting to update the current documentation to make it easier for other managers to understand, however, it is clear from your discussion he is confusing several key terms.
You ask him to match each of the descriptions with the appropriate risk term. What should the correct answers be?

QUESTION 71
Which reliability aspect of information is compromised when a staff member denies having sent a message?

Confidentiality

Integrity

Availability

Correctness

QUESTION 72
In acceptable use of Information Assets, which is the best practice?

Access to information and communication systems are provided for business purpose only

Interfering with or denying service to any user other than the employee’s host

Playing any computer games during office hours

Accessing phone or network transmissions, including wireless or wifi transmissions

QUESTION 73
We can leave laptops during weekdays or weekends in locked bins.

True

False

QUESTION 74
You are the audit team leader conducting a third-party audit of an online insurance company. During Stage 1, you found that the organization took a very cautious risk approach and included all the information security controls in ISO/IEC 27001:2022 Appendix A in their Statement of Applicability.
During the Stage 2 audit, your audit team found that there was no evidence of a risk treatment plan for the implementation of the three controls (5.3 Segregation of duties, 6.1 Screening, 7.12 Cabling security). You raise a nonconformity against clause 6.1.3.e of ISO 27001:2022.
At the closing meeting, the Technical Director issues an extract from an amended Statement of Applicability (as shown) and asks for the nonconformity to be withdrawn.

Select three options of the correct responses of an audit team leader to the request of the Technical Director.

Advise management that the information provided will be reviewed when the auditors have more time.

Advise the Technical Director that his request will be included in the audit report.

Advise the Technical Director that once a nonconformity is raised it cannot be withdrawn.

Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.

Ask the auditor who raised the issue for their opinion on how you should respond to the request.

Inform the Technical Director that the nonconformity will be changed to an Opportunity for Improvement.

Review the documentation produced and withdraw the nonconformity.

State that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability.

The three options of the correct responses of an audit team leader to the request of the Technical Director are:
* B. Advise the Technical Director that his request will be included in the audit report.
* D. Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.
* H. State that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability.
* B. This response is correct because the audit team leader should document the request of the Technical
* Director and include it in the audit report, along with the audit findings and conclusions12. This will ensure transparency and traceability of the audit process and the audit results.
* D. This response is correct because the audit team leader should not withdraw the nonconformity based on the amended Statement of Applicability alone. The nonconformity was raised against clause 6.1.3.e of ISO 27001:2022, which requires the organisation to produce and maintain a risk treatment plan that defines how the information security risks are treated, including the controls selected and their implementation status34. The Statement of Applicability is only one part of the risk treatment plan, and it does not provide sufficient evidence that the controls have been implemented effectively. The audit team leader should base the nonconformity on the objective evidence obtained during the audit, not on the subjective claims of the auditee12.
* H. This response is correct because the audit team leader should state that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability. A follow up audit is an audit that is conducted after a previous audit to verify the implementation and effectiveness of the corrective actions and/or opportunities for improvement that were agreed upon as a result of the previous audit56. The follow up audit should seek to ensure that the nonconformity has been effectively addressed and that the ISMS is compliant and effective. The follow up audit should also consider any new or changed risks or requirements that may affect the ISMS56.
References:
1: PECB Candidate Handbook – ISO 27001 Lead Auditor, page 25 2: ISO 19011:2018 – Guidelines for auditing management systems, clause 6.7 3: ISO/IEC 27001:2022 – Information technology – Security techniques – Information security management systems – Requirements, clause 6.1.3.e 4: ISO/IEC
27005:2022 – Information technology – Security techniques – Information security risk management, clause
8.3.2 5: PECB Candidate Handbook – ISO 27001 Lead Auditor, page 25 6: ISO 19011:2018 – Guidelines for auditing management systems, clause 6.7

QUESTION 75
You have a hard copy of a customer design document that you want to dispose off. What would you do

Throw it in any dustbin

Shred it using a shredder

Give it to the office boy to reuse it for other purposes

Be environment friendly and reuse it for writing

QUESTION 76
You are an ISMS audit team leader assigned by your certification body to carry out a follow-up audit of a Data Centre client.
According to ISO 19011:2018, the purpose of a follow-up audit is to verify which one of the following?

The effectiveness of the management system

Implementation of ISMS objectives

Implementation of risk treatment plans

Completion and effectiveness of corrective actions

QUESTION 77
Which one of the following options best describes the main purpose of a Stage 1 third-party audit?

To introduce the audit team to the client

To learn about the organisation’s procurement

To determine redness for a stage 2 audit

To check for legal compliance by the organisation

To prepare an independent audit report

To get to know the organisation’s customers

QUESTION 78
You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.
Match each of the descriptions provided to one of the following risk management processes.
To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Explanation:

* Risk analysis is the process by which the nature of the risk is determined along with its probability and impact. Risk analysis involves estimating the likelihood and consequences of potential events or situations that could affect the organization’s information security objectives or requirements12. Risk analysis could use qualitative or quantitative methods, or a combination of both12.
* Risk management is the process by which a risk is controlled at all stages of its life cycle by means of the application of organisational policies, procedures and practices. Risk management involves establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing the risks that could affect the organization’s information security performance or compliance12. Risk management aims to ensure that risks are identified and treated in a timely and effective manner, and that opportunities for improvement are exploited12.
* Risk identification is the process by which a risk is recognised and described. Risk identification involves identifying and documenting the sources, causes, events, scenarios, and potential impacts of risks that could affect the organization’s information security objectives or requirements12. Risk identification could use various techniques, such as brainstorming, interviews, checklists, surveys, or historical data12.
* Risk evaluation is the process by which the impact and/or probability of a risk is compared against risk criteria to determine if it is tolerable. Risk evaluation involves comparing the results of risk analysis with predefined criteria that reflect the organization’s risk appetite, tolerance, or acceptance12. Risk evaluation could use various methods, such as ranking, scoring, or matrix12. Risk evaluation helps to prioritize and decide on the appropriate risk treatment options12.
* Risk mitigation is the process by which the impact and/or probability of a risk is reduced by means of the application of controls. Risk mitigation involves selecting and implementing measures that are designed to prevent, reduce, transfer, or accept risks that could affect the organization’s information security objectives or requirements12. Risk mitigation could include various types of controls, such as technical, organizational, legal, or physical12. Risk mitigation should be based on a cost-benefit analysis and a residual risk assessment12.
* Risk transfer is the process by which a risk is passed to a third party, for example through obtaining appropriate insurance. Risk transfer involves sharing or shifting some or all of the responsibility or liability for a risk to another party that has more capacity or capability to manage it12. Risk transfer could include various methods, such as contracts, agreements, partnerships, outsourcing, or insurance12. Risk transfer should not be used as a substitute for effective risk management within the organization12.
References :=
* ISO/IEC 27001:2022 Information technology – Security techniques – Information security management systems – Requirements
* ISO/IEC 27005:2022 Information technology – Security techniques – Information security risk management

QUESTION 79
An employee caught temporarily storing an MP3 file in his workstation will not receive an IR.

True

False

QUESTION 80
Match the correct responsibility with each participant of a second-party audit:

Explanation

The correct responsibility with each participant of a second-party audit is:
* Prepares the audit report: Audit Team Leader. The audit team leader is responsible for coordinating the audit activities, communicating with the auditee and the customer, and preparing and delivering the audit report that summarizes the audit findings and conclusions1.
* Prepares audit checklists for use during the audit: Auditor. The auditor is responsible for collecting and verifying objective evidence during the audit, using audit checklists as a tool to guide the audit process and ensure that all relevant aspects of the audit criteria are covered1.
* Supports an auditor and provides feedback on their experience: Auditor in training. The auditor in training is a person who is learning how to perform audits under the supervision of an experienced auditor. The auditor in training supports the auditor by observing and participating in the audit activities, and provides feedback on their experience to improve their skills and competence1.
* Follows-up on audit findings within an agreed timeframe: Auditee. The auditee is the organisation that is being audited by the customer or a third party on behalf of the customer. The auditee is responsible for providing access and cooperation to the auditors, and for following up on the audit findings within an agreed timeframe, by implementing corrective actions or improvement measures as needed1.
* Provides an independent account of the audit but does not participate in the audit: Observer. The observer is a person who accompanies the audit team but does not participate in the audit activities. The observer may be a representative of the customer, a regulatory body, or another interested party. The observer provides an independent account of the audit but does not interfere with or influence the audit process or outcome1.
* Escorts the auditors but does not participate in the audit: Guide. The guide is a person who is appointed by the auditee to assist the audit team during the audit. The guide may escort the auditors to different locations, facilitate access to information and personnel, or provide clarification or explanation as requested by the auditors. The guide does not participate in the audit or influence its results1.

QUESTION 81
You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next step in your audit plan is to verify the information security of ABC’s healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC
20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.
The IT Manager presented the software security management procedure and summarised the process as following:
The mobile app development shall adopt “security-by-design” and “security-by-default” principles, as a minimum. The following security functions for personal data protection shall be available:
Access control.
Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and Personal data pseudonymization.
Vulnerability checked and no security backdoor
You sample the latest Mobile App Test report, details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorised to approve the test.
The IT Manager explains the test results should be approved by him according to the software security management procedure.
The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That’s why the Service Manager signed the approval.
You are preparing the audit findings. Select the correct option.

There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service.
(Relevant to clause 8.1, control A.8.30)

There is a nonconformity (NC). The organisation and developer do not perform acceptance tests.
(Relevant to clause 8.1, control A.8.29)

There is a nonconformity (NC). The organisation and developer perform security tests that fail.
(Relevant to clause 8.1, control A.8.29)

There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

QUESTION 82
You are an ISMS audit team leader preparing to chair a closing meeting following a third-party surveillance audit. You are drafting a closing meeting agenda setting out the topics you wish to discuss with your auditee.
Which one of the following would be appropriate for inclusion?

A detailed explanation of the certification body’s complaints process

An explanation of the audit plan and its purpose

A disclaimer that the result of the audit is based on the sampling of evidence

Names of auditees associated with nonconformities

This option is appropriate for inclusion in the closing meeting agenda, as it is a requirement of the ISO 19011 standard, which provides guidelines for auditing management systems, including ISMS12. The standard states that the audit team leader should advise the auditee of any situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions, such as limitations in the audit scope, access, or sampling3. The standard also states that the audit report should include a statement that the audit is based on a sample of the information available at the time of the audit, and that the audit does not provide absolute assurance of the conformity or effectiveness of the audited management system4. Therefore, the audit team leader should include a disclaimer in the closing meeting agenda to inform the auditee of the nature and limitations of the audit, and to avoid any misunderstandings or false expectations. The other options are not appropriate for inclusion in the closing meeting agenda, as they are either irrelevant, incorrect, or incomplete.
For example:
*A detailed explanation of the certification body’s complaints process is not relevant for the closing meeting agenda, as it is not related to the audit findings or conclusions. The certification body’s complaints process should be communicated to the auditee before the audit, as part of the audit agreement or contract5.
*An explanation of the audit plan and its purpose is not correct for the closing meeting agenda, as it should have been done at the opening meeting or before the audit. The audit plan is a document that describes the scope, objectives, criteria, and methodology of the audit, as well as the audit schedule, the audit team, the audit locations, and the audit deliverables . The audit plan should be communicated and agreed with the auditee in advance, and any changes or deviations should be notified during the audit.
*Names of auditees associated with nonconformities are not complete for the closing meeting agenda, as they do not provide the details or the evidence of the nonconformities. The audit team leader should present the audit findings, which include the description, the audit criteria, and the audit evidence of each nonconformity, as well as the audit conclusions and the audit recommendation . The audit team leader should also avoid naming or blaming individuals, and focus on the processes and the system.
References: = 1: PECB Candidate Handbook – ISO/IEC 27001 Lead Auditor, page 222: ISO 19011:2018 Guidelines for auditing management systems, clause 13: ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.94: ISO 19011:2018 Guidelines for auditing management systems, clause 7.5.25: ISO/IEC
17021-1:2015 Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements, clause 9.8. : ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.1. : ISO/IEC 27007:2011 Information technology – Security techniques – Guidelines for information security management systems auditing, clause 6.2.1. : ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.2. : ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.10. : ISO/IEC 27007:2011 Information technology – Security techniques – Guidelines for information security management systems auditing, clause 6.3.3.

[UPDATED 2024] Read ISO-IEC-27001-Lead-Auditor Study Guide Cover to Cover as Literally [Q68-Q82]

[UPDATED 2024] Read ISO-IEC-27001-Lead-Auditor Study Guide Cover to Cover as Literally [Q68-Q82]

TrainingDump

Leave a Reply
Cancel reply

Leave a Reply

[UPDATED 2024] Read ISO-IEC-27001-Lead-Auditor Study Guide Cover to Cover as Literally [Q68-Q82]

TrainingDump

Leave a Reply Cancel reply

Leave a Reply

Leave a Reply
Cancel reply