Month End Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Last Attempt ISO-IEC-27001-Lead-Implementer Questions

PECB Certified ISO/IEC 27001 : 2022 Lead Implementer exam Questions and Answers

Question 29

Scenario:

Evergreen tailored the format and naming convention of their information security policy to align with their internal structure and needs.

Question:

Is this acceptable?

Options:

A.

No – the policy must adhere to the predefined template set by ISO/IEC 27001

B.

Yes – the organization can determine the formats and names of these policy documents that meet the organization’s needs

C.

No – the policy format and naming conventions must be approved by an external auditor before being implemented

Question 30

Scenario 9: CoreBit Systems

CoreBit Systems, with its headquarters m San Francisco, specializes in information and communication technology (ICT) solutions, its clientele primarily includes data communication enterprises and network operators. The company's core objective is to enable its clients a smooth transition into multi-service providers, aligning their operations with the complex demands of the digital landscape.

Recently. John, the internal auditor of CoreBit Systems, conducted an internal audit which uncovered nonconformities related to their monitoring procedures and system vulnerabilities, in response to the identified nonconformities. CoreBit Systems decided to employ a comprehensive problem-solving approach to solve these issues systematically. The method encompasses a team-oriented approach, aiming to identify, correct, and eliminate the root causes of issues. This approach involves several steps. First, establish a group of experts with deep knowledge of processes and controls. Next, break down the nonconformity into measurable components and implement interim containment measures. Then, identify potential root causes and select and verify permanent corrective actions. Finally, put those actions into practice, validate them, take steps to prevent recurrence, and recognize and acknowledge the team's efforts.

Following the analysis of the root cause of the nonconformities, CoreBit Systems's ISMS project manager. Julia, developed a list of potential actions to address the identified nonconformities. Julia carefully evaluated the list to ensure that each action would effectively eliminate the root cause of the respective nonconformity. While assessing potential corrective action for addressing a nonconformity, Julia identified the issue as significant and assessed a high likelihood of its reoccurrence Consequently, she chose to implement temporary corrective actions. Afterward. Julia combined all the nonconformities Into a single action plan and sought approval from the top management.

The submitted action plan was written as follows:

A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department.

However. Julia's submitted action plan was not approved by top management The reason cited was that a general action plan meant to address all nonconformities was deemed unacceptable. Consequently, Julia revised the action plan and submitted separate ones for approval Unfortunately, Julia did not adhere to the organization's specified deadline for submission, resulting in a delay in the corrective action process, and notably, the revised action plans lacked a defined schedule for execution.

Question:

Which method did CoreBit Systems use to address and prevent reoccurring problems after identifying the nonconformities?

Options:

A.

The Eight Disciplines Problem Solving (8Ds) method

B.

DMAIC (Define, Measure, Analyze, Improve, Control) method

C.

Lean Six Sigma method

Question 31

Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system(ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly

Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.

Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management

How does SunDee's negligence affect the ISMS certificate? Refer to scenario 8.

Options:

A.

SunDee will renew the ISMS certificate, because it has conducted an Internal audit to evaluate the ISMS effectiveness

B.

SunDee might not be able to renew the ISMS certificate, because it has not conducted management reviews at planned intervals

C.

SunDee might not be able to renew the ISMS certificate, because the internal audit lasted longer than planned

Question 32

Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.

Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan The action plan, approved by the top management, was written as follows:

A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department

The approved action plan was implemented and all actions described in the plan were documented.

Based on scenario 9. is the action plan for the identified nonconformities sufficient to eliminate the detected nonconformities?

Options:

A.

Yes, because a separate action plan has been created for the identified nonconformity

B.

No, because the action plan does not include a timeframe for implementation

C.

No, because the action plan does not address the root cause of the identified nonconformity