PDF ISO-IEC-27001-Lead-Auditor Study Guide

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Question 33

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

During stage 1 audit, the audit team found out that Sinvestment did not have records on information security training and awareness. What Sinvestment do in this case? Refer to scenario 6.

Options:

Correct the identified issue before the stage 2 audit

Document the identified issue and correct it after the certification audit is completed

Perform a new risk assessment process to understand whether the issue needs modification or not

Question 34

The following options are key actions involved in a first-party audit. Order the stages to show the sequence in which the actions should take place.

Options:

Answer:

Explanation:

The correct order of the stages is:

Prepare the audit checklist
Gather objective evidence
Review audit evidence
Document findings

Audit preparation: This stage involves defining the audit objectives, scope, criteria, and plan. The auditor also prepares the audit checklist, which is a list of questions or topics that will be covered during the audit. The audit checklist helps the auditor to ensure that all relevant aspects of the ISMS are addressed and that the audit evidence is collected in a systematic and consistent manner12.
Audit execution: This stage involves conducting the audit activities, such as opening meeting, interviews, observations, document review, and closing meeting. The auditor gathers objective evidence, which is any information that supports the audit findings and conclusions. Objective evidence can be qualitative or quantitative, and can be obtained from various sources, such as records, statements, physical objects, or observations123.
Audit reporting: This stage involves reviewing the audit evidence, evaluating the audit findings, and documenting the audit results. The auditor reviews the audit evidence to determine whether it is sufficient, reliable, and relevant to support the audit findings. The auditor evaluates the audit findings to determine the degree of conformity or nonconformity of the ISMS with the audit criteria. The auditor documents the audit results in an audit report, which is a formal record of the audit process and outcomes. The audit report typically includes the following elements123:
Audit follow-up: This stage involves verifying the implementation and effectiveness of the corrective actions taken by the auditee to address the audit findings. The auditor monitors the progress and completion of the corrective actions, and evaluates their impact on the ISMS performance and conformity. The auditor may conduct a follow-up audit to verify the corrective actions on-site, or may rely on other methods, such as document review, remote interviews, or self-assessment by the auditee. The auditor documents the follow-up results and updates the audit report accordingly123.

References:

PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-25
ISO 19011:2018 - Guidelines for auditing management systems
The ISO 27001 audit process | ISMS.online

Question 35

During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made.

Select two options for how the auditor should respond.

Options:

Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures

Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned

Suggest that the MSR cancels the audit contract and reapplies for the new situation

Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit

Advise the MSR that, within the existing scope, the new work area can be included without any problem

Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area

Answer:

A, D

Explanation:

The correct options for how the auditor should respond are:

A. Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures
D. Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit

These options are consistent with the ISO/IEC 27006:2015 standard, which states that any changes to the scope of certification should be notified by the client to the certification body, and that the certification body should evaluate and decide on these changes in accordance with its procedures1. The auditor should also verify that the ISMS is implemented and maintained at all sites included in the scope of certification1.

The other options are not appropriate for how the auditor should respond, because:

B. Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned: This option is too rigid and does not allow for any flexibility or adaptation to the client’s situation. The auditor should be open to consider any changes to the scope of certification that may have occurred since the initial application, as long as they are properly notified and evaluated by the certification body.
C. Suggest that the MSR cancels the audit contract and reapplies for the new situation: This option is too drastic and unnecessary, as it would cause delays and costs for both the client and the certification body. The auditor should not suggest that the client cancels the audit contract, but rather that they follow the established procedures for requesting and approving an extension of the scope of certification.
E. Advise the MSR that, within the existing scope, the new work area can be included without any problem: This option is too lenient and does not ensure that the new work area meets the requirements of ISO/IEC 27001 and the ISMS. The auditor should not assume that the new work area can be included within the existing scope without any problem, but rather that they need to verify that the ISMS is implemented and maintained at the new site, and that any changes to the scope of certification are approved by the certification body.
F. Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area: This option is too presumptuous and does not respect the authority of the certification body. The auditor should not confirm that they will revise the audit scope to include the new work area, but rather that they will advise the certification body of the client’s request for an extension of the scope of certification, and wait for their decision.

Question 36

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

How do you evaluate the evidence obtained related to the monitoring process of outsourced operations? Refer to scenario 4.

Options:

Irrelevant, monitoring the outsourced operations is not a requirement of the standard

Not reliable. SendPay provided only verbal evidence regarding the monitoring of its outsourced operations

Appropriate and sufficient, verbal confirmation from the SendPay's representatives indicates that the they were aware that outsourced operations must be monitored

Winter Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

PDF ISO-IEC-27001-Lead-Auditor Study Guide

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce