Spring Sale Limited Time 75% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple75

Pass the PECB ISO 27001 ISO-IEC-27001-Lead-Auditor Questions and answers with Dumpstech

Exam ISO-IEC-27001-Lead-Auditor Premium Access

View all detail and faqs for the ISO-IEC-27001-Lead-Auditor exam

Go to Exam

Practice at least 50% of the questions to maximize your chances of passing.

Viewing page 12 out of 13 pages

Viewing questions 111-120 out of questions

Questions # 111:

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

The audit team concluded that Lawsy meets the ISO/IEC 27001's requirements related to training and awareness by examining 15 out of 50 employee training records, as provided in scenario 7. This is a risk or error related to:

Options:

The auditor

Sampling

The sample size

Questions # 112:

Question

The top management of a company has designated specific personnel within the company to be responsible for reporting on the performance of the ISMS. These individuals are tasked with gathering relevant ISMS data, preparing reports, and ensuring that necessary information reaches the top management.

Does this approach align with ISO/IEC 27001 requirements?

Options:

Yes, because the top management can assign responsibilities and authorities for reporting on the performance of the ISMS.

No, because only the top management is responsible for gathering data on the performance of the ISMS.

No, because only the Chief Information Security Officer should report on the performance of the ISMS.

Questions # 113:

You are conducting an Information Security Management System audit in the despatch department of an international

logistics organisation that provides shipping services to large organisations including local hospitals and government offices.

Parcels typically contain pharmaceutical products, biological samples and documents such as passports and driving licences.

You note that the company records show a very large number of returned items with causes including misaddressed labels

and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping

Manager (SM).

You: Are items checked before being dispatched?

SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes

it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to

simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a non-conformity against clause 8.1 of ISO 27001:2022.

Which one option below that best describes the non-conformity you have identified?

Options:

The organisation does not have an approved process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have corrected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational methods to meet information security requirements.

The organisation does not have an audited process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have inaccurate information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational rules to meet information security requirements.

The organisation does not have an effective process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational controls to meet information security requirements.

The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have detailed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational procedures to meet information security requirements.

The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have protected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational processes to meet information security requirements.

Questions # 114:

When preparing for an audit, which of the following statements is false?

Options:

Each auditor creates their own audit checklist for use during the audit

The audit checklists are shared and agreed with the auditee in advance of the audit

The audit plan is shared with the auditee in advance of the audit

The audit plan may be changed during the audit

Questions # 115:

You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee's knowledge of ISO/IEC 27001's risk management requirements.

You ask her a series of questions to which the answer is either 'that is true' or 'that is false'. Which four of the following should she answer 'that is true'?

Options:

The results of risk assessments must be maintained

Risk identification is used to determine the severity of an information security risk

ISO/IEC 27001 provides an outline approach for the management of risk

The organisation must produce a risk treatment plan for every business risk identified

The organisation must operate a risk treatment process to eliminate it's information security risks

The initial phase in an organisation's risk management process should be information security risk assessment

Risks assessments should be undertaken at monthly intervals

Answer

A, C, D, H

Explanation

The following four statements are true according to ISO/IEC 27001’s risk management requirements: 12

The results of risk assessments must be maintained. This is true because clause 8.2.3 of ISO/IEC 27001:2022 requires the organisation to retain documented information of the information security risk assessment process and the results12

ISO/IEC 27001 provides an outline approach for the management of risk. This is true because clause 6.1.2 of ISO/IEC 27001:2022 specifies the general steps for the information security risk management process, which include establishing the risk criteria, assessing the risks, treating the risks, and monitoring and reviewing the risks12

The organisation must produce a risk treatment plan for every business risk identified. This is true because clause 6.1.3 of ISO/IEC 27001:2022 requires the organisation to produce a risk treatment plan that defines the actions to be taken to address the unacceptable risks, the responsibilities, the expected dates, and the resources required12

Risk assessments should be undertaken following significant changes. This is true because clause 8.2.4 of ISO/IEC 27001:2022 requires the organisation to review and update the risk assessment at planned intervals or when significant changes occur12

The following four statements are false according to ISO/IEC 27001’s risk management requirements:

Risk identification is used to determine the severity of an information security risk. This is false because risk identification is used to identify the assets, threats, vulnerabilities, and existing controls that are relevant to the information security risk management process. The severity of an information security risk is determined by the risk analysis, which evaluates the likelihood and impact of the risk scenarios12

The organisation must operate a risk treatment process to eliminate its information security risks. This is false because the organisation can choose from four options to treat its information security risks: avoid, transfer, mitigate, or accept. The organisation does not have to eliminate all its information security risks, but only those that are unacceptable according to its risk criteria12

The initial phase in an organisation’s risk management process should be information security risk assessment. This is false because the initial phase in an organisation’s risk management process should be establishing the risk management framework, which includes defining the risk management policy, objectives, scope, roles, responsibilities, and criteria. The information security risk assessment is the second phase in the risk management process12

Risks assessments should be undertaken at monthly intervals. This is false because there is no fixed frequency for conducting risk assessments in ISO/IEC 27001. The organisation should determine the appropriate intervals for reviewing and updating the risk assessment based on its risk appetite, risk profile, and operational context12

[References:, 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2, , ]

Questions # 116:

Integrity of data means

Options:

Accuracy and completeness of the data

Data should be viewable at all times

Data should be accessed by only the right people

Questions # 117:

A marketing agency has developed its own risk assessment approach as part of the ISMS implementation. Is this acceptable?

Options:

Yes, any risk assessment methodology that complies with the ISO/IEC 27001 requirements can be used

Yes, only if the risk assessment methodology is aligned with recognized risk assessment methodologies

No, when implementing an ISMS, the risk assessment methodology provided by ISO/IEC 27001 should be used

Questions # 118:

Question:

Which of the following can be considered a minor nonconformity?

Options:

Employees lack training to recognize phishing attempts, increasing malware risks

Lack of multi-factor authentication leaves accounts vulnerable to unauthorized access

The information security policy lacks reference to continual ISMS improvement

Questions # 119:

Scenario 3: Rebuildy is a construction company located in Bangkok.. Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.

The ISMS implementation outcomes are presented below

•Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.

•Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.

•All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.

•The information security policy is part of a security manual drafted based on best security practices Therefore, it is not a stand-alone document.

•Information security roles and responsibilities have been clearly stated in every employees job description

•Management reviews of the ISMS are conducted at planned intervals.

Rebuildy applied for certification after two midterm management reviews and one annual internal audit Before the certification audit one of Rebuildy’s former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.

At the beginning of the audit, the audit team interviewed the company’s top management They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy’s conformity to several clauses of ISO/IEC 27001

The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:

•An instance of improper user access control settings was detected within the company's financial reporting system.

•A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.

After receiving these documents from the audit team, the team leader met Rebuildy’s top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.

Based on the scenario above, answer the following question:

Question:

Is it acceptable for the auditor to prioritize keeping the evidence provided by Electra over the evidence provided by the former employee?

Options:

No, because evidence from a former employee is always more reliable than that from a client

No, both sources of evidence should be retained and evaluated equally

Yes, because evidence from a client is considered more reliable due to their independent status

Questions # 120:

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank’s labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

By drafting a procedure for information labeling, EsBank has:

Options:

Submitted an action plan to resolve the nonconformity

Created an information classification scheme

Eliminated the root cause of the nonconformity

Viewing page 12 out of 13 pages

Viewing questions 111-120 out of questions