ISO-IEC-27001-Lead-Auditor Archives

NEW QUESTION 109
Which of the following does a lack of adequate security controls represent?

Asset

Vulnerability

Impact

Threat

NEW QUESTION 110
In regard to generating an audit finding, select the words that best complete the following sentence.
To complete the sentence with the best word(s), click on the blank section you want to complete so that it Is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

NEW QUESTION 111
You are preparing the audit findings. Select two options that are correct.

There is an opportunity for improvement (OFI). The iLiirmation security incident training effectiveness can be improved. This is relevant to clause 7.2 and control A.6.3.

There is no nonconformance. The information security weaknesses, events, and incidents are reported.
This conforms with clause 9.1 and control A.5.24.

There is no nonconformance. The information security handling training has performed, and its effectiveness was evaluated. This conforms with clause 7.2 and control A.6.3.

There is a nonconformity (NC). Based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel. This is not conforming with clause 9.1 and control A.5.24.

There is a nonconformity (NC). The information security incident training has failed. This is not conforming with clause 7.2 and control A.6.3.

There is an opportunity for improvement (OFI). The information security weaknesses, events, and madents are reported. This is relevant to clause 9.1 and control A.5.24.

Explanation
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 7.2 requires an organization to determine the necessary competence of persons doing work under its control that affects its ISMS performance, and to provide training or take other actions to acquire or maintain the necessary competence1. Control A.6.3 requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect2. Therefore, if an ISMS auditor finds that the information security incident training effectiveness can be improved, this indicates an opportunity for improvement (OFI) that is relevant to clause 7.2 and control A.6.3.
According to ISO/IEC 27001:2022, clause 9.1 requires an organization to monitor, measure, analyze and evaluate its ISMS performance and effectiveness1. Control A.5.24 requires an organization to define and apply procedures for reporting information security events and weaknesses2. Therefore, if an ISMS auditor finds that based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel, this indicates a nonconformity (NC) that is not conforming with clause 9.1 and control A.5.24.
The other options are not correct options for preparing the audit findings based on the given information. For example, there is no nonconformance if the information security weaknesses, events, and incidents are reported, as this conforms with clause 9.1 and control A.5.24; there is no nonconformance if the information security handling training has performed, and its effectiveness was evaluated, as this conforms with clause 7.2 and control A.6.3; there is no nonconformity if the information security incident training has failed, as this may not necessarily indicate a lack of conformity with clause 7.2 or control A.6.3; there is no opportunity for improvement if the information security weaknesses, events, and incidents are reported, as this is already conforming with clause 9.1 and control A.5.24. References: ISO/IEC 27001:2022 – Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls

NEW QUESTION 112
Backup media is kept in the same secure area as the servers. What risk may the organisation be exposed to?

Unauthorised persons will have access to both the servers and backups

Responsibility for the backups is not defined well

After a fire, the information systems cannot be restored

After a server crash, it will take extra time to bring it back up again

NEW QUESTION 113
The audit lifecycle describes the ISO 19011 process for conducting an individual audit. Drag and drop the steps of the audit lifecycle into the correct sequence.

NEW QUESTION 114
Which two of the following phrases would apply to “plan” in relation to the Plan-Do-Check-Act cycle for a business process?

Retaining documentation

Organising changes

Setting objectives

Training staff

Providing ICT assets

NEW QUESTION 115
Which two of the following phrases would apply to ‘check’ in the Plan-Do-Check-Act cycle for a business process?

Making improvements

Managing changes

Verifying training

Resetting objectives

Updating the Information Security Policy

Auditing processes

NEW QUESTION 116
You are performing an ISMS initial certification audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to conduct the closing meeting. During the final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and 1 opportunity for improvement as below:

Select one option of the recommendation to the audit programme manager you are going to advise to the auditee at the closing meeting.

Recommend certification immediately

Recommend that a full scope re-audit is required within 6 months

Recommend that an unannounced audit is carried out at a future date

Recommend certification after your approval of the proposed corrective action plan Recommend that the findings can be closed out at a surveillance audit in 1 year

Recommend that a partial audit is required within 3 months

Explanation
According to ISO/IEC 17021-1:2015, which specifies the requirements for bodies providing audit and certification of management systems, clause 9.4.9 requires the certification body to make a certification decision based on the information obtained during the audit and any other relevant information1. The certification body should also consider the effectiveness of the corrective actions taken by the auditee to address any nonconformities identified during the audit1. Therefore, when making a recommendation to the audit programme manager, an ISMS auditor should consider the nature and severity of the nonconformities and the proposed corrective actions.
Based on the scenario above, the auditor should recommend certification after their approval of the proposed corrective action plan and recommend that the findings can be closed out at a surveillance audit in 1 year. The auditor should provide the following justification for their recommendation:
* Justification: This recommendation is appropriate because it reflects the fact that the auditee has only two minor nonconformities and one opportunity for improvement, which do not indicate a significant or systemic failure of their ISMS. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity2. An opportunity for improvement is defined as a suggestion for improvement beyond what is required by ISO/IEC 27001:20222. Therefore, these findings do not prevent or preclude certification, as long as they are addressed by appropriate corrective actions within a reasonable time frame. The auditor should approve the proposed corrective action plan before recommending certification, to ensure that it is realistic, achievable, and effective. The auditor should also recommend that the findings can be closed out at a surveillance audit in 1 year, to verify that the corrective actions have been implemented and are working as intended.
The other options are not valid recommendations for the audit programme manager, as they are either too lenient or too strict for the given scenario. For example:
* Recommend certification immediately: This option is not valid because it implies that the auditor ignores or accepts the nonconformities, which is contrary to the audit principles and objectives of ISO
19011:20182, which provides guidelines for auditing management systems. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to consider the effectiveness of the corrective actions taken by the auditee before making a certification decision.
* Recommend that a full scope re-audit is required within 6 months: This option is not valid because it implies that the auditor overreacts or exaggerates the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:20182. It also contradicts the requirement of ISO/IEC
17021-1:20151, which requires the certification body to determine whether a re-audit is necessary based on the nature and extent of nonconformities and other relevant factors. A full scope re-audit is usually reserved for major nonconformities or multiple minor nonconformities that indicate a serious or widespread failure of an ISMS.
* Recommend that an unannounced audit is carried out at a future date: This option is not valid because it implies that the auditor distrusts or doubts the auditee’s commitment or capability to implement corrective actions, which is contrary to the audit principles and objectives of ISO 19011:20182. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to conduct unannounced audits only under certain conditions, such as when there are indications of serious problems with an ISMS or when required by sector-specific schemes.
* Recommend that a partial audit is required within 3 months: This option is not valid because it implies that the auditor imposes or prescribes a specific time frame or scope for verifying corrective actions, which is contrary to the audit principles and objectives of ISO 19011:20182. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to determine whether a partial audit is necessary based on the nature and extent of nonconformities and other relevant factors. A partial audit may be appropriate for minor nonconformities, but the time frame and scope should be agreed upon with the auditee and based on the proposed corrective action plan.
References: ISO/IEC 17021-1:2015 – Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements, ISO 19011:2018 – Guidelines for auditing management systems

NEW QUESTION 117
Why do we need to test a disaster recovery plan regularly, and keep it up to date?

Otherwise the measures taken and the incident procedures planned may not be adequate

Otherwise it is no longer up to date with the registration of daily occurring faults

Otherwise remotely stored backups may no longer be available to the security team

NEW QUESTION 118
Who is authorized to change the classification of a document?

The author of the document

The administrator of the document

The owner of the document

The manager of the owner of the document

NEW QUESTION 119
Please match the roles to the following descriptions:

NEW QUESTION 120
Integrity of data means

Accuracy and completeness of the data

Data should be viewable at all times

Data should be accessed by only the right people

NEW QUESTION 121
Changes on project-managed applications or database should undergo the change control process as documented.

True

False

NEW QUESTION 122
You are an experienced audit team leader guiding an auditor in training.
Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that would you expect the auditor in training to review.
You are an experienced audit team leader guiding an auditor in training, Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that would you expect the auditor in training to review.

The development and maintenance of an information asset inventory

Rules for transferring information within the organisation and to other organisations

Confidentiality and nondisclosure agreements

How protection against malware is implemented

Access to and from the loading bay

The conducting of verification checks on personnel

Remote working arrangements

How information security has been addressed within supplier agreements

How the organisation evaluates its exposure to technical vulnerabilities

The organisation’s business continuity arrangements

The organisation’s arrangements for information deletion

Information security awareness, education and training

How access to source code and development tools are managed

The operation of the site CCTV and door control systems

The organisation’s arrangements for maintaining equipment

How power and data cables enter the building

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), an organization should select and implement appropriate controls to achieve its information security objectives1. The controls should be derived from the results of risk assessment and risk treatment, and should be consistent with the Statement of Applicability (SoA), which is a document that identifies the controls that are applicable and necessary for the ISMS1. The controls can be selected from various sources, such as ISO/IEC 27002:2013, which provides a code of practice for information security controls2. Therefore, if an auditor in training has been tasked with reviewing the technological controls listed in the SoA and implemented at the site of an organization that stores data on behalf of external clients, four controls that would be expected to review are:
How protection against malware is implemented: This is a technological control that aims to prevent, detect and remove malicious software (such as viruses, worms, ransomware, etc.) that could compromise the confidentiality, integrity or availability of information or information systems2. This control is related to control A.12.2.1 of ISO/IEC 27002:20132.
How the organisation evaluates its exposure to technical vulnerabilities: This is a technological control that aims to identify and assess the potential weaknesses or flaws in information systems or networks that could be exploited by malicious actors or cause accidental failures2. This control is related to control A.12.6.1 of ISO/IEC 27002:20132.
How access to source code and development tools are managed: This is a technological control that aims to protect the intellectual property rights and integrity of software applications or systems that are developed or maintained by the organization or its external providers2. This control is related to control A.14.2.5 of ISO/IEC 27002:20132.
The operation of the site CCTV and door control systems: This is a technological control that aims to monitor and restrict physical access to the premises or facilities where information or information systems are stored or processed2. This control is related to control A.11.1.4 of ISO/IEC 27002:20132.
The other options are not examples of technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training’s task. For example, the development and maintenance of an information asset inventory (related to control A.8.1.1), rules for transferring information within the organization and to other organizations (related to control A.13.2.1), confidentiality and nondisclosure agreements (related to control A.13.2.4), verification checks on personnel (related to control A.7.1.2), remote working arrangements (related to control A.6.2.1), information security within supplier agreements (related to control A.15.1.1), business continuity arrangements (related to control A.17), information deletion (related to control A.8.3), information security awareness, education and training (related to control A.7.2), equipment maintenance (related to control A.11.2), and how power and data cables enter the building (related to control A.11) are not technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training’s task. Reference: ISO/IEC 27001:2022 – Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls

NEW QUESTION 123
Select two of the following options that are the responsibility of a legal technical expert on the audit team during a certification audit.

Evaluating the auditee’s legal knowledge

Criticising the organisation’s legal compliance issues

Debating complex legal points with the auditee

Advising on legal checkpoints for the audit team

Verifying the legal status of the organisation

Meeting the organisation’s legal representative

NEW QUESTION 124
How are data and information related?

Data is a collection of structured and unstructured information

Information consists of facts and statistics collected together for reference or analysis

When meaning and value are assigned to data, it becomes information

NEW QUESTION 125
An employee caught temporarily storing an MP3 file in his workstation will not receive an IR.

True

False

NEW QUESTION 126
Which of the following is an information security management system standard published by the International Organization for Standardization?

ISO9008

ISO27001

ISO5501

ISO22301

NEW QUESTION 127
You are an ISMS auditor conducting a third-party surveillance audit of a telecom’s provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming.
You ask the Chief Tester why and she says, ‘It’s a result of the recent ISMS upgrade’. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients’ configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made’.
Based solely on the information above, which clause of ISO to raise a nonconformity against’ Select one.

Clause 7.5 – Documented information

Clause 8.1 – Operational planning and control

Clause 10.2 – Nonconformity and corrective action

Clause 7.3 – Awareness

Clause 7.2 – Competence

Clause 7.4 – Communication

Explanation
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 8.1 requires an organization to plan, implement and control its processes needed to meet ISMS requirements2. This includes determining what needs to be done, how it will be done, who will do it, when it will be done, what resources are required, how performance will be evaluated, etc2. Therefore, if an ISMS auditor conducting a third-party surveillance audit of a telecom’s provider notes that there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming due to a recent ISMS upgrade that reduced access to work instructions, this indicates a nonconformity against clause 8.1 of ISO/IEC 27001:2022. The organization has failed to plan and control its operational processes effectively to ensure information security and quality2. The other options are not correct clauses to raise a nonconformity against based solely on this information. For example, clause 7.5 deals with documented information required by ISMS or determined by an organization as necessary for its effectiveness2, but it does not specify how many copies or formats of work instructions should be available; clause 10.2 deals with nonconformity and corrective action as a response to an identified problem or incident2, but it does not address how to prevent or avoid such problems or incidents in operational processes; clause 7.3 deals with awareness of ISMS policy, objectives, roles and responsibilities among persons doing work under an organization’s control2, but it does not relate to how work instructions are accessed or followed; clause 7.2 deals with competence of persons doing work under an organization’s control that affects its ISMS performance2, but it does not imply that lack of competence is caused by insufficient work instructions; clause
7.4 deals with communication about ISMS among internal and external interested parties2, but it does not cover how operational information is communicated within an organization. References: ISO/IEC 27001:2022
– Information technology – Security techniques – Information security management systems – Requirements

NEW QUESTION 128
As a new member of the IT department you have noticed that confidential information has been leaked several times. This may damage the reputation of the company. You have been asked to propose an organisational measure to protect laptop computers. What is the first step in a structured approach to come up with this measure?

Appoint security staff

Encrypt all sensitive information

Formulate a policy

Set up an access control procedure

NEW QUESTION 129
Which reliability aspect of information is compromised when a staff member denies having sent a message?

Confidentiality

Integrity

Availability

Correctness

NEW QUESTION 130
You are a certification body auditor, conducting a surveillance audit to ISO/IEC 27001:2022 of a data centre operated by a client who provides hosting services for ICT facilities.
You and your guide are currently in one of the private suites that the client rents out to customers. Access to each suite is controlled using a combination lock. CCTV is also installed in every suite.
Within each suite are three data cabinets in which the client can locate mission-critical servers and other items of networking equipment such as switches and routers.
You notice that whilst two of the cabinets in your suite are locked, the third is unlocked. You ask the guide why. They reply “This is because the client is currently swapping out a hard drive unit. Their technician is currently on a lunch break”.
What three actions should you undertake next?

Do nothing, the room appears adequately protected so it is unlikely that a security incident has taken place.

Raise a nonconformity against control 5.16 ‘identity management’ as it may not be possible to identify who left the cabinet unlocked.

Raise a nonconformity against control 7.2 ‘physical entry’ as the area where the client’s equipment is located is not protected.

Raise a nonconformity against control 7.4 ‘physical security monitoring’ as the private suite is not being continuously monitored for unauthorised physical access.

Raise an opportunity for improvement suggesting cabinet doors are locked whenever clients leave their suites, even if they intend to return within a short time.

Review the CCTV records to ensure that only the client has accessed the cabinet since it was last confirmed as locked.

When the technician returns from lunch, reprimand them for leaving the cabinet open.

With the permission of the guide, speak to the customer to confirm that they are in the process of swapping out a drive.

NEW QUESTION 131
The computer room is protected by a pass reader. Only the System Management department has a pass.
What type of security measure is this?

a corrective security measure

a physical security measure

a logical security measure

a repressive security measure

NEW QUESTION 132
The following are definitions of Information, except:

accurate and timely data

specific and organized data for a purpose

mature and measurable data

can lead to understanding and decrease in uncertainty

NEW QUESTION 133
What is a repressive measure in case of a fire?

Taking out a fire insurance

Putting out a fire after it has been detected by a fire detector

Repairing damage caused by the fire

Topic	Details
Topic 1	Managing an ISO IEC 27001 audit program Preparation, Conducting, Closing of an ISO IEC 27001 audit
Topic 2	Evaluate the ISMS conformity to ISO IEC 27001 requirements, in accordance with the fundamental audit concepts and principles
Topic 3	Explain the fundamental concepts and principles of an information security management system (ISMS) based on ISO IEC 27001
Topic 4	Interpret the ISO IEC 27001 requirements for an ISMS from the perspective of an auditor Information Security Management System (ISMS)
Topic 5	Fundamental audit concepts and principles Fundamental principles and concepts of Information Security Management System (ISMS)

Topic	Details
Topic 1	Evaluate the ISMS conformity to ISO IEC 27001 requirements, in accordance with the fundamental audit concepts and principles
Topic 2	Managing an ISO IEC 27001 audit program Preparation, Conducting, Closing of an ISO IEC 27001 audit
Topic 3	Interpret the ISO IEC 27001 requirements for an ISMS from the perspective of an auditor Information Security Management System (ISMS)
Topic 4	Plan, conduct, and close an ISO IEC 27001 compliance audit Manage an ISO IEC 27001 audit program

Premium VCE Dumps

Premium VCE Dumps

Ultimate Guide to Prepare Free PECB ISO-IEC-27001-Lead-Auditor Exam Questions & Answer [Q109-Q133]

[Q26-Q43] ISO-IEC-27001-Lead-Auditor Free Update With 100% Exam Passing Guarantee [2022]

PECB ISO-IEC-27001-Lead-Auditor Exam Syllabus Topics:

100% Free ISO 27001 ISO-IEC-27001-Lead-Auditor Dumps PDF Demo Cert Guide Cover [Q49-Q73]

PECB ISO-IEC-27001-Lead-Auditor Exam Syllabus Topics:

Premium VCE Dumps

Premium VCE Dumps

Category Archives: ISO-IEC-27001-Lead-Auditor

Ultimate Guide to Prepare Free PECB ISO-IEC-27001-Lead-Auditor Exam Questions & Answer [Q109-Q133]

[Q26-Q43] ISO-IEC-27001-Lead-Auditor Free Update With 100% Exam Passing Guarantee [2022]

PECB ISO-IEC-27001-Lead-Auditor Exam Syllabus Topics:

100% Free ISO 27001 ISO-IEC-27001-Lead-Auditor Dumps PDF Demo Cert Guide Cover [Q49-Q73]

PECB ISO-IEC-27001-Lead-Auditor Exam Syllabus Topics: