PECB ISO-IEC-27001-Lead-Auditor Study & Exam Dumps 2025

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Get Free ISO-IEC-27001-Lead-Auditor Questions and Answers

Question 1

The data centre at which you work is currently seeking ISO/IEC27001:2022 certification. In preparation for your initial certification visit, several internal audits have been carried out by a colleague working at another data centre within your Group. They secured their own ISO/IEC 27001:2022 certificate earlier in the year.

You have just qualified as an Internal ISMS auditor and your manager has asked you to review the audit process and audit findings as a final check before the external Certification Body arrives.

Which four of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements?

Options:

Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date.

Audit reports are not held in hardcopy (i.e. on paper). They are only stored as *. PDF documents on the organisation's intranet.

The audit process states the results of audits will be made available to 'relevant' managers, not top management.

The audit programme does not reference audit methods or audit responsibilities.

The audit programme does not take into account the relative importance of information security processes.

The audit programme does not take into account the results of previous audits.

The audit programme has not been signed as 'approved by Top Management.

Buy Now

Question 2

After analyzing the audit conclusions, Company X decided to accept the risk related to one of the detected nonconformities. They claimed that no corrective action was necessary; however, their decision was not documented. Is this acceptable?

Options:

Yes, the auditee's management can decide to accept the risk instead of implementing corrective actions and documenting such decision is not necessary

No, the decision of the auditee to accept the risk instead of implementing corrective actions should be justified and documented

No, the auditee must implement corrective actions for all the observations documented during the audit

Question 3

You are performing an ISMS audit at a nursing home where residents always wear an electronic wristband for monitoring their location, heartbeat, and blood pressure. The wristband automatically uploads this data to a cloud server for healthcare monitoring and analysis by staff.

You now wish to verify that the information security policy and objectives have been established by top management. You are sampling the mobile device policy and identify a security objective of this policy is "to ensure the security of teleworking and use of mobile devices" The policy states the following controls will be applied in order to achieve this.

Personal mobile devices are prohibited from connecting to the nursing home network, processing, and storing residents'

data.

The company's mobile devices within the ISMS scope shall be registered in the asset register.

The company's mobile devices shall implement or enable physical protection, i.e., pin-code protected screen lock/unlock,

facial or fingerprint to unlock the device.

The company's mobile devices shall have a regular backup.

To verify that the mobile device policy and objectives are implemented and effective, select three options for your audit trail.

Options:

Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home

Review visitors' register book to make sure no visitor can have their personal mobile phone in the nursing home

Review the internal audit report to make sure the IT department has been audited

Review the asset register to make sure all personal mobile devices are registered

Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register

Review the asset register to make sure all company's mobile devices are registered

Interview the supplier of the devices to make sure they are aware of the ISMS policy

Answer:

C, E, F

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 5.2 requires top management to establish an information security policy that provides the framework for setting information security objectives1. Clause 6.2 requires top management to ensure that the information security objectives are established at relevant functions and levels1. Therefore, when verifying that the information security policy and objectives have been established by top management, an ISMS auditor should review relevant documents and records that demonstrate top management’s involvement and commitment.

To verify that the mobile device policy and objectives are implemented and effective, an ISMS auditor should review relevant documents and records that demonstrate how the policy and objectives are communicated, monitored, measured, analyzed, and evaluated. The auditor should also sample and verify the implementation of the controls that are stated in the policy.

Three options for the audit trail that are relevant to verifying the mobile device policy and objectives are:

Review the internal audit report to make sure the IT department has been audited: This option is relevant because it can provide evidence of how the IT department, which is responsible for managing the mobile devices and their security, has been evaluated for its conformity and effectiveness in implementing the mobile device policy and objectives. The internal audit report can also reveal any nonconformities, corrective actions, or opportunities for improvement related to the mobile device policy and objectives.

Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register: This option is relevant because it can provide evidence of how the mobile devices that are used by the medical staff, who are involved in processing and storing residents’ data, are registered in the asset register and have physical protection enabled. This can verify the implementation and effectiveness of two of the controls that are stated in the mobile device policy.

Review the asset register to make sure all company’s mobile devices are registered: This option is relevant because it can provide evidence of how the company’s mobile devices that are within the ISMS scope are identified and accounted for. This can verify the implementation and effectiveness of one of the controls that are stated in the mobile device policy.

The other options for the audit trail are not relevant to verifying the mobile device policy and objectives, as they are not related to the policy or objectives or their implementation or effectiveness. For example:

Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding physical security or access control, but not specifically to mobile devices.

Review visitors’ register book to make sure no visitor can have their personal mobile phone in the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security awareness or compliance, but not specifically to mobile devices.

Interview the supplier of the devices to make sure they are aware of the ISMS policy: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security within supplier relationships, but not specifically to mobile devices.

Interview top management to verify their involvement in establishing the information security policy and the information security objectives: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to verifying that the information security policy and objectives have been established by top management, but not specifically to mobile devices.

[References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements, , ]

Get Free ISO-IEC-27001-Lead-Auditor Questions and Answers

Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

PECB ISO-IEC-27001-Lead-Auditor Exam With Confidence Using Practice Dumps

ISO-IEC-27001-Lead-Auditor: ISO 27001 Exam 2025 Study Guide Pdf and Test Engine

Related PECB Exams

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce