New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

ISO 27001 ISO-IEC-27001-Lead-Auditor Book

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Question 73

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

Which three of the following options represent valid audit trails?

Options:

A.

I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team

B.

I will ensure that the organisation's risk assessment process begins with effective threat intelligence

C.

I will speak to top management to make sure all staff are aware of the importance of reporting threats

D.

I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements

E.

I will check that the organisation has a fully documented threat intelligence process

F.

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

G.

I will review how information relating to information security threats is collected and evaluated to produce threat intelligence

Question 74

A marketing agency has developed its own risk assessment approach as part of the ISMS implementation. Is this acceptable?

Options:

A.

Yes, any risk assessment methodology that complies with the ISO/IEC 27001 requirements can be used

B.

Yes, only if the risk assessment methodology is aligned with recognized risk assessment methodologies

C.

No, when implementing an ISMS, the risk assessment methodology provided by ISO/IEC 27001 should be used

Question 75

Which two of the following phrases are 'objectives' in relation to a first-party audit?

Options:

A.

Apply international standards

B.

Prepare the audit report for the certification body

C.

Confirm the scope of the management system is accurate

D.

Complete the audit on time

E.

Apply Regulatory requirements

F.

Update the management policy

Question 76

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card was swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

Options:

A.

Take no action. Irrespective of any recommendations, contractors will always act in this way

B.

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier

C.

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined

D.

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

E.

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities

F.

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times

G.

Raise a nonconformity against control A.7.2 'physical entry' as a secure area is not adequately protected