PECB Updated ISO-IEC-27001-Lead-Auditor Exam Questions and Answers by ingrid

The correct answer is Materiality, because materiality involves evaluating the significance and potential impact of issues identified during an audit, including financial, legal, contractual, and reputational consequences. In auditing, materiality helps determine which matters are important enough to influence audit conclusions or stakeholder decisions.

When defining materiality, auditors consider factors such as the cost of nonconformities, potential regulatory penalties, contractual breaches, and the broader business impact of noncompliance. For an ISO/IEC 27001 audit, this may include assessing whether failures in information security controls could lead to fines under data protection laws, loss of customer trust, or breach of service-level agreements. These considerations help auditors decide where to focus audit effort and how to prioritize findings.

Option B is incorrect because audit risk relates to the risk that auditors may reach incorrect conclusions due to inherent, control, or detection risks. While costs and penalties may influence risk assessment, they are not evaluated specifically when defining audit risk. Option C is incorrect because reasonable assurance refers to the level of confidence an audit can provide, not the evaluation of financial or legal impacts.

ISO 19011 supports the use of materiality concepts to ensure audits focus on issues that matter most to the organization and interested parties. Therefore, evaluating costs and penalties is directly linked to defining materiality.

The two statements that are valid audit conclusions are:

•The ISMS policy has been effectively communicated to the organisation

•The organisation’s ISMS objectives meet the requirements of ISO/IEC 27001:2022

According to ISO 19011:2018, an audit conclusion is the outcome of an audit, provided by the audit team after considering the audit objectives and all audit findings1. An audit conclusion can be positive or negative, depending on whether the audit criteria are fulfilled or not. An audit conclusion can also include recommendations for improvement or recognition of good practices.

The statements D and E are valid audit conclusions, because they express the outcome of the audit based on the audit criteria and findings. For example:

•Statement D is a positive audit conclusion, because it indicates that the organisation has fulfilled the requirement of clause 5.2.2 of ISO/IEC 27001:2022, which states that the ISMS policy must be communicated within the organisation and to relevant interested parties2. The audit team must have obtained sufficient and appropriate audit evidence to support this conclusion, such as records of communication, awareness activities, feedback, etc.

•Statement E is a positive audit conclusion, because it indicates that the organisation has fulfilled the requirement of clause 6.2 of ISO/IEC 27001:2022, which states that the organisation must establish ISMS objectives that are consistent with the ISMS policy and relevant to the information security risks3. The audit team must have obtained sufficient and appropriate audit evidence to support this conclusion, such as records of objective setting, risk assessment, alignment with policy, etc.

The other statements are not valid audit conclusions, because they do not express the outcome of the audit based on the audit criteria and findings. They are rather examples of audit findings, which are the results of the evaluation of the collected audit evidence against the audit criteria4. Audit findings can indicate either conformity or nonconformity with the audit criteria, or opportunities for improvement. For example:

•Statement A is a negative audit finding, because it indicates a nonconformity with the requirement of clause 7.2.2 of ISO/IEC 27001:2022, which states that the organisation must provide information security awareness education and training to persons under its control5. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

•Statement B is a negative audit finding, because it indicates a nonconformity with the requirement of clause 6.1.2 of ISO/IEC 27001:2022, which states that the organisation must maintain and review the information security risk assessment at planned intervals or when significant changes occur6. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

•Statement C is a negative audit finding, because it indicates a nonconformity with the requirement of clause 10.1 of ISO/IEC 27001:2022, which states that the organisation must take action to eliminate the causes of nonconformities and prevent recurrence7. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

•Statement F is a negative audit finding, because it indicates a nonconformity with the requirement of clause 6.1.3 of ISO/IEC 27001:2022, which states that the organisation must determine the controls that are necessary to implement the risk treatment plan, and document them in the statement of applicability8. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

The correct answer is Analytical evidence, because the auditors relied heavily on analysis, calculations, and evaluation of performance data to validate the effectiveness of SendPay’s ISMS. Analytical evidence involves examining trends, metrics, ratios, averages, and performance indicators to draw conclusions about how well processes are functioning.

In the scenario, the auditors calculated the number of training hours employees received on ISMS topics and computed the average resolution time of information security incidents based on sampled data. These activities are clear examples of analytical techniques, as they involve processing numerical and performance-related information to assess alignment with objectives and effectiveness of controls. Additionally, the auditors assessed the reliability of evidence by comparing different sources and considering timing factors, which further supports the use of analytical judgment rather than purely technical inspection.

Option B is incorrect because mathematical evidence is not a recognized audit evidence category under ISO standards. While calculations were performed, the purpose was analytical evaluation, not mathematical proof. Option C is incorrect because technical evidence would primarily involve direct inspection of systems, configurations, or infrastructure, such as firewall rule reviews or system settings. While some technical elements existed in the audit, the question focuses on the type of evidence used to validate ISMS performance broadly, which was predominantly analytical.

Therefore, analytical evidence best describes the evidence utilized by the auditors during SendPay’s audit.

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 7.2 requires an organization to determine the necessary competence of persons doing work under its control that affects its ISMS performance, and to provide training or take other actions to acquire or maintain the necessary competence1. Control A.6.3 requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect2. Therefore, if an ISMS auditor finds that the information security incident training effectiveness can be improved, this indicates an opportunity for improvement (OFI) that is relevant to clause 7.2 and control A.6.3.

According to ISO/IEC 27001:2022, clause 9.1 requires an organization to monitor, measure, analyze and evaluate its ISMS performance and effectiveness1. Control A.5.24 requires an organization to define and apply procedures for reporting information security events and weaknesses2. Therefore, if an ISMS auditor finds that based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel, this indicates a nonconformity (NC) that is not conforming with clause 9.1 and control A.5.24.

The other options are not correct options for preparing the audit findings based on the given information. For example, there is no nonconformance if the information security weaknesses, events, and incidents are reported, as this conforms with clause 9.1 and control A.5.24; there is no nonconformance if the information security handling training has performed, and its effectiveness was evaluated, as this conforms with clause 7.2 and control A.6.3; there is no nonconformity if the information security incident training has failed, as this may not necessarily indicate a lack of conformity with clause 7.2 or control A.6.3; there is no opportunity for improvement if the information security weaknesses, events, and incidents are reported, as this is already conforming with clause 9.1 and control A.5.24. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27002:2013 - Information technology – Security techniques – Code of practice for information security controls