PECB ISO-IEC-27001-Lead-Auditor Exam With Confidence Using Practice Dumps

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.

The next step in your audit plan is to verify the information security on ABC's healthcare mobile app

development, support, and lifecycle process. During the audit, you learned the organization outsourced the

mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC

20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified. The IT Manager presented the software

security management procedure and summarised the process as follows:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a

minimum. The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report - details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data

encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to

approve the test.

The IT Manager explains the test results should be approved by him according to the software

security management procedure. The reason why the encryption and pseudonymization functions

failed is that these functions heavily slowed down the system and service performance. An extra

150% of resources are needed to cover this. The Service Manager agreed that access control is

good enough and acceptable. That's why the Service Manager signed the approval.

You sample one of the medical staff's mobile and found that ABC's healthcare mobile app, version

1.01 is installed. You found that version 1.01 has no test record.

The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app

development company gave a free minor update on the tested software, performed an emergency

release of the updated software, and gave a verbal guarantee that there will be no impact on any

security functions. Based on his 20 years of information security experience, there is no need to re-

test.

You are preparing the audit findings Select two options that are correct.

Which option below is NOT a role of the audit team leader?

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

Based on scenario 6, during stage 1 audit, the auditor found out that some documents regarding the ISMS had different format. What should the auditor do in this case?