PECB Updated ISO-IEC-27001-Lead-Auditor Exam Questions and Answers by kitty

A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization’s management system to achieve its intended results, and therefore requires immediate corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system12.

A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system12.

The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because the top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee13.

The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee13.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

Establishing the audit programme objectives, scope and criteria

Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc.

Selecting and appointing the audit team leaders and auditors

Reviewing and approving the audit plans and arrangements

Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc.

Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities

Monitoring and reviewing the performance and results of the audit programme and the audit teams

Evaluating the feedback and satisfaction of the auditees and other interested parties

Identifying and implementing the opportunities for improvement of the audit programme

The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors12:

Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc.

Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc.

Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee

Defining the plan of an individual audit, which includes the audit schedule, the audit activities, the audit methods, the audit documents, etc.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO/IEC 27001:2022 Annex A Control A.5.19 (Information Security in Supplier Relationships) requires organizations to monitor and control their suppliers to ensure compliance with security requirements.

Branding must monitor, assess, and ensure Techvology maintains compliance with ISO/IEC 27001 and outsourcing agreements.

B. Incorrect:

Even if not explicitly stated in the contract, ISO/IEC 27001 requires continual supplier monitoring.

C. Incorrect:

Branding is responsible for both controlling and monitoring outsourced services, not just monitoring them.

Relevant Standard Reference:

ISO/IEC 27001:2022 Annex A Control A.5.19 (Supplier Security Compliance)

ISO/IEC 27001:2022 Clause 8.2 (Outsourced Service Controls)

The best practice in acceptable use of information assets is A: access to information and communication systems are provided for business purpose only. This means that the organization grants access to its information and communication systems only to authorized users who need to use them for legitimate and approved business activities. The organization does not allow or tolerate any unauthorized, inappropriate or personal use of its information and communication systems, as this could compromise information security, violate policies or laws, or cause damage or harm to the organization or its stakeholders. The other options are not best practices in acceptable use of information assets, as they could violate information security policies and procedures, as well as ethical or legal standards. Interfering with or denying service to any user other than the employee’s host (B) is a malicious act that could disrupt the availability or performance of the information systems or services of another user or organization. Playing any computer games during office hours © is a personal and unprofessional use of the information and communication systems that could distract the employee from their work duties, waste resources and bandwidth, or expose the systems to malware or other risks. Accessing phone or network transmissions, including wireless or wifi transmissions (D) is a potential breach of confidentiality or privacy that could intercept, monitor or modify the information transmitted by another user or organization without their consent or authorization. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Acceptable Use?