PECB ISO-IEC-27001-Lead-Auditor Questions Answers

• B. 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers12.
• D. 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms13.
• E. 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks14. Storage media controls could include physical locks, encryption, backup, disposal, or destruction14.
• F. 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets15.
• I. 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts16.
• J. 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes1 . Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse1 .

References :=

• ISO/IEC 27002:2022 Information technology — Security techniques — Code of practice for information security controls
• ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements
• ISO/IEC 27003:2022 Information technology — Security techniques — Information security management systems — Guidance
• ISO/IEC 27004:2022 Information technology — Security techniques — Information security management systems — Monitoring measurement analysis and evaluation
• ISO/IEC 27005:2022 Information technology — Security techniques — Information security risk management
• ISO/IEC 27006:2022 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
• [ISO/IEC 27007:2022 Information technology — Security techniques — Guidelines for information security management systems auditing]

A third-party virtual audit is an external audit conducted by an independent certification body using remote technology such as video conferencing, screen sharing, and electronic document exchange. The purpose of a third-party virtual audit is to verify the conformity and effectiveness of the information security management system (ISMS) and to issue a certificate of compliance12

Before you start conducting the audit, you would need to inform the auditee about the following issues: 12

• You will ask those being interviewed to state their name and position beforehand, i.e., to confirm their identity and role in the ISMS. This is to ensure that you are interviewing the relevant personnel and that they are authorized to provide information and evidence for the audit.
• You will ask for a 360-degree view of the room where the audit is being carried out, i.e., to verify the physical and environmental security of the audit location. This is to ensure that there are no unauthorized persons or devices in the vicinity that could compromise the confidentiality, integrity, or availability of the information being audited.

The other issues are not relevant or appropriate for a third-party virtual audit, because:

• You will ask to see the ID card of the person that is on the screen, i.e., to verify their identity. This is not necessary if you have already asked them to state their name and position beforehand, and if you have access to the auditee’s organizational chart or staff directory. Asking to see the ID card could also be seen as intrusive or disrespectful by the auditee.
• You will take photos of every person you interview, i.e., to document the audit process. This is not advisable as it could violate the privacy or consent of the auditee and the interviewees. Taking photos could also be seen as unprofessional or suspicious by the auditee. You should rely on the audit records and evidence provided by the auditee and the audit tool instead.
• You will not record any part of the audit, unless permitted, i.e., to respect the auditee’s preferences and rights. This is not a valid issue to inform the auditee about, as you should always record the audit for quality assurance and verification purposes. Recording the audit is also a requirement of the ISO/IEC 27001 standard and the certification body. You should inform the auditee that you will record the audit and obtain their consent before the audit begins.
• You expect the auditee to have assessed all risks associated with online activities, i.e., to ensure the security of the audit process. This is not an issue to inform the auditee about, as it is part of the auditee’s responsibility and obligation to have a risk assessment and treatment process for their ISMS. You should assess the auditee’s risk management practices and controls during the audit, not before it.

References:

1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

The AES (Advanced Encryption Standard) method is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting data1. This type of control is considered preventive because it is implemented to prevent unauthorized access to confidential information by ensuring that the data is unreadable to anyone who does not have the key. References: = The explanation is based on the general understanding of encryption as a security control within the field of information security, particularly as it pertains to the ISO/IEC 27001 standard for information security management systems (ISMS), which includes encryption as a preventive control measure.

The correct sequence of the steps of the audit lifecycle according to ISO 19011:2018 is:

• Step 1: Audit initiation
• Step 2: Audit preparation
• Step 3: Conducting the audit
• Step 4: Preparing and distributing the audit report
• Step 5: Audit completion
• Step 6: Audit follow-up

This sequence reflects the logical order of the audit activities, from establishing the audit objectives, scope and criteria, to verifying the implementation and effectiveness of the corrective actions. However, ISO 19011:2018 also recognizes that some audit activities can be iterative or concurrent, depending on the nature and complexity of the audit. For example, audit preparation and conducting the audit can overlap when new information or changes occur during the audit. Similarly, audit follow-up can be integrated with audit completion when the corrective actions are verified shortly after the audit. Therefore, the audit lifecycle should be adapted to the specific context and needs of each audit.