PECB Updated ISO-IEC-27001-Lead-Auditor Exam Questions and Answers by lilia

The evidence provided by SendPay, which is solely verbal confirmation about the monitoring of outsourced operations, is not considered reliable under ISO/IEC 27001. The standard requires documented evidence to support claims of effective monitoring and control over outsourced processes.

References: ISO/IEC 27001:2013 Standard, Clause A.15 (Supplier relationships)

According to ISO 19011:2018, which provides guidelines for auditing management systems, clause 6.7 requires the audit team leader to conduct a follow-up audit to verify the implementation and effectiveness of the corrective actions taken by the auditee in response to the nonconformities identified during a previous audit1. The follow-up audit should be conducted in accordance with the same principles and processes as the initial audit, and should result in a conclusion on the status of the nonconformities and any remaining issues1. Therefore, when conducting a follow-up audit, an ISMS auditor should consider the following actions:

• Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit: This action is appropriate because it reflects the fact that the auditee has cleared most of the nonconformities, including the major one, and only one minor nonconformity remains outstanding. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity2. Therefore, this finding does not prevent or preclude the continuation of certification, as long as it is addressed by appropriate corrective actions within a reasonable time frame. The auditor should recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit, which is a regular audit conducted by the certification body to confirm the ongoing conformity and effectiveness of an ISMS3.
• Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified: This action is appropriate because it reflects the fact that the auditee has demonstrated commitment and capability to implement corrective actions for the nonconformities identified during the previous audit. The auditor should agree with the auditee/audit client on a realistic, achievable, and effective corrective action plan for the remaining nonconformity, including a clear deadline and verification method. The auditor should also document this agreement in the follow-up audit report1.
• Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity: This action is appropriate because it reflects the fact that the auditor has followed a systematic and consistent approach to conducting and reporting the follow-up audit. The auditor should advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity, such as recommending its closure at the next surveillance audit or agreeing on a corrective action plan with the auditee/audit client. The auditor should also provide sufficient information and evidence to support their decision1.
• Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised: This action is appropriate because it reflects the fact that the organisation has achieved satisfactory results in the follow-up audit. The auditor should close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised by implementing effective corrective actions for most of them and agreeing on a plan for the remaining one. The auditor should also communicate the follow-up audit conclusion to the auditee/audit client and other relevant parties1.

The four controls from the list that the auditor in training should review are:

•A. Confidentiality and nondisclosure agreements: This control requires the organisation to ensure that all employees, contractors, and third parties who have access to sensitive information sign appropriate agreements that oblige them to protect the confidentiality and integrity of such information. This is especially important for an organisation that stores data on behalf of external clients, as it demonstrates its commitment to safeguarding their information assets and complying with their contractual obligations.

•C. Information security awareness, education and training: This control requires the organisation to provide regular and relevant information security awareness, education and training to all employees, contractors, and third parties who have access to the organisation’s information systems and information assets. This is essential for ensuring that they are aware of their roles and responsibilities, the information security policies and procedures, the potential threats and risks, and the best practices for preventing and responding to information security incidents.

•D. Remote working arrangements: This control requires the organisation to establish and implement policies and procedures for managing the information security risks associated with remote working arrangements, such as teleworking, mobile working, or working from home. This includes defining the conditions and requirements for remote working, such as the authorised devices, applications, and networks, the encryption and authentication methods, the backup and recovery procedures, and the reporting and monitoring mechanisms. This is important for an organisation that stores data on behalf of external clients, as it ensures that the information security level is maintained regardless of the location of the workers and the devices they use.

•E. The conducting of verification checks on personnel: This control requires the organisation to conduct appropriate verification checks on the background, qualifications, and references of all employees, contractors, and third parties who have access to the organisation’s information systems and information assets. This is necessary for verifying their identity, suitability, and trustworthiness, and for preventing the hiring of unauthorised or malicious individuals who could compromise the information security of the organisation and its clients.

References: = ISO/IEC 27001:2022, Annex A, clauses A.5.7, A.7.2, A.7.3, and A.7.4; ISO 27001 People Controls: How personnel ensures information security; What are the 11 new security controls in ISO 27001:2022? - Advisera.

You are an experienced ISMS auditor conducting a third-party surveillance audit at an organisation which offers ICT reclamation services. ICT equipment which companies no longer require is processed by the organisation. It is either recommissioned and reused or is securely destroyed.

You notice two servers on a bench in the corner of the room. Both have stickers on them with the server's name, IP address and admin password. You ask the ICT Manager about them, and he tells you they were part of a shipment received yesterday from a regular customer.

Which one action should you take?

A.Ask the auditee to remove the labels, then carry on with the audit

B.Ask the ICT Manager to record an information security incident and initiate the information security incident management process

C.Note the audit finding and check the process for dealing with incoming shipments relating to customer IT security

D.Raise a nonconformity against control 5.31 'Legal, staturary, regulatory and contractual requirements'

E.Raise a nonconformity against control 8.20 'network security' (networks and network devices shall be secured, managed and controlled to protect information in systems and applications)

F.Record what you have seen in your audit findings, but take no further action

Answer: C

You are an experienced ISMS audit team leader. You are currently conducting a third-party surveillance audit of an

international haulage organisation. You have sampled four internal audit reports which state:

Report 1 - Auditor: Mr James.

Over the year the organisation has failed to meet its promised delivery dates on 23 occasions out of 100. This is against a target of '95% of deliveries on time'.

Grading - Minor

Corrective Action due: Within 9 months.

Report 2 - Auditor: Mr James.

Between January and March, it was noted 125 complaints were received about the Service Desk Team. Clients

accused them of being rude and unresponsive.

Grading - Minor

Corrective Action due: Within 12 months.

Report 3 - Auditor: Mr James.

Of the 40 customer orders received last month, 38 were correctly processed. Of the remaining 2, one was missing a

signature and one was missing a date.

Grading -

Corrections due: Within 3 weeks

Report 4 - Auditor: Mr Rogers.

Of the 30 personnel records examined, 26 were found to be fully completed whilst the remaining 4 were all missing

the individual's start date.

Grading – Major

Corrections due: Within 1 week

Which four of the options demonstrate the concerns you would have about these reports?

A.I would be concerned as to whether criteria for grading nonconformities are in existence in this organisation

B.I would be concerned as to whether the auditors understand the difference between corrections and corrective actions

C.I would be concerned because action taken to address a major nonconformity should always be completed sooner than action taken to address minor nonconformities

D.I would be concerned that no grading is recorded for Report 3. This could indicate that the auditor did not complete the report correctly or that they failed to make a determination as to severity

E.I would be concerned that the auditors focussed only on information security processes

F.I would be concerned that timing for addressing the nonconformities is significantly different in the four reports

G.I would have a concern that no nonconformity review was conducted

H.I would have a concern that one auditor appeared to be conducting most of the internal audits

Answer: ABDF

As the Information Security Management System audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.

When the auditee was asked why there was a delay in removing access they replied, 'no one was available in the IT department during that period as a result of COVID-19. As soon as an IT officer became available the rights were removed.

You note that she intends to raise a minor non-conformity against Access rights control (5.18). How should you respond to this?

A.Agree with the raising of a minor non-conformity but against control 5.15, not 5.18.

B.Agree with the raising of the minor non-conformity against 5.18.

C.Disagree with the raising of a minor conformity as appropriate action was taken at the earliest opportunity Take no further action.

D.Disagree with the raising of the minor nonconformity as appropriate action was taken at the earliest opportunity. Instead raise an opportunity for improvement.

E.Disagree with the raising of the minor nonconformity, there is sufficient evidence to justify an escalation to a major non-conformity.

F.Require additional audit evidence to be obtained before determining whether a non-conformity is appropriate.

Answer: A