Free PECB ISO-IEC-27001-Lead-Auditor Exam Questions

Question 1

During a follow-up audit, you notice that a nonconformity identified for completion before the follow-up audit

is still outstanding.

Which four of the following actions should you take?

A : Report the failure to address the corrective action for the outstanding nonconformity to the organisation's top management

B : Immediately raise an nonconformity as the date for completion has been exceeded

C : If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client

D : Contact the individuals) managing the audit programme to seek their advice as to how to proceed

E : Decide whether the delay in addressing the nonconformity is justified

F : Cancel the follow-up audit and return when an assurance has been received that the nonconformity has been cleared

G : Note the nonconformity is still outstanding and follow audit trails to determine why

H : If the delay is unjustified advise the auditee /audit client and agree on remedial action

Answer: A,C,E,G

Question 2

What is the standard definition of ISMS?

A : an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.

B : company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving

C : project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security

D : ystematic approach for establishing, implementing, operating,monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives.

Answer: D

Question 3

Which option below about the ISMS scope is correct?

A : ISMS scope should be available as documented information

B : ISMS scope should ensure continual improvement

C : ISMS scope should be compatible with the strategic orientation of the organization

Answer: A

Question 4

Which of the following is an information security management system standard published by the International Organization for Standardization?

A : O9008

B : O27001

C : O5501

D : O22301

Answer: B

Question 5

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire

information technology infrastructure. It provides cybersecurity software, including endpoint security,

firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their

networks through advanced products and services. Having achieved reputation in the information and network

security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and

customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid

Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The

audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a

large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete

the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The

audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions

and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because

their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk

that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes

were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements

by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious

software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management.

Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised

between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even

though the audit objectives included the identification of areas for potential improvement, the audit team did

not provide such information.

Based on this scenario, answer the following question:

Based on scenario 5, the audit team assessed the ISMS as a whole, rather than assessing the effectiveness and

conformity of each process. Is this acceptable?

A : Yes, due to time constraints for the audit completion, the audit team must obtain absolute assurance by assessing the ISMS as a whole

B : No, the audit team should obtain assurance that the ISMS conforms to the standard requirements by assessing each process

C : Yes, if the audit team has obtained a reasonable assurance that helps them evaluate the ISMS conformity

Answer: C