New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

PDF ISO-IEC-27001-Lead-Auditor Study Guide

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Question 33

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

During stage 1 audit, the audit team found out that Sinvestment did not have records on information security training and awareness. What Sinvestment do in this case? Refer to scenario 6.

Options:

A.

Correct the identified issue before the stage 2 audit

B.

Document the identified issue and correct it after the certification audit is completed

C.

Perform a new risk assessment process to understand whether the issue needs modification or not

Question 34

The following options are key actions involved in a first-party audit. Order the stages to show the sequence in which the actions should take place.

Options:

Question 35

During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made.

Select two options for how the auditor should respond.

Options:

A.

Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures

B.

Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned

C.

Suggest that the MSR cancels the audit contract and reapplies for the new situation

D.

Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit

E.

Advise the MSR that, within the existing scope, the new work area can be included without any problem

F.

Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area

Question 36

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

How do you evaluate the evidence obtained related to the monitoring process of outsourced operations? Refer to scenario 4.

Options:

A.

Irrelevant, monitoring the outsourced operations is not a requirement of the standard

B.

Not reliable. SendPay provided only verbal evidence regarding the monitoring of its outsourced operations

C.

Appropriate and sufficient, verbal confirmation from the SendPay's representatives indicates that the they were aware that outsourced operations must be monitored