PECB ISO-IEC-27001-Lead-Auditor Exam Questions Instant Access

Question 1

Which situation presented below represents a threat?

AAn employee accesses unauthorized files using their legitimate credentials

BAn organization fails to implement multi-factor authentication (MFA) for its cloud services

CCyber attackers infiltrated the network by exploiting a zero-day vulnerability in the organization's firewall software

Answer : C

Comprehensive and Detailed In-Depth

C . Correct Answer -- This is a Threat. A cyberattack exploiting a zero-day vulnerability is an active security threat, as it causes harm to the organization.

A . Employee accessing unauthorized files is a vulnerability (insider risk) rather than an external threat.

B . Lack of MFA is a security weakness (vulnerability), not a threat.

Question 2

A marketing agency has developed its risk assessment approach as part of the ISMS implementation. Is this acceptable?

AYes, any risk assessment methodology that complies with the ISO/IEC 27001 requirements can be used

BYes, only if the risk assessment methodology is aligned with recognized risk assessment methodologies

CNo, the risk assessment methodology provided by ISO/IEC 27001 should be used when implementing an ISMS

Answer : A

Comprehensive and Detailed In-Depth

ISO/IEC 27001 does not prescribe a specific risk assessment methodology but instead provides general requirements for risk assessment. Organizations are free to develop their own risk assessment methods, as long as they:

Identify risks and impacts on information security.

Define risk criteria for evaluating risks.

Implement risk treatment plans based on the organization's context.

A . Correct Answer:

ISO/IEC 27001 Clause 6.1.2 (Information Security Risk Assessment) states that organizations may define their own risk assessment methodology.

This approach must be systematic, measurable, and aligned with business objectives.

B . Incorrect:

Organizations are not required to use a recognized methodology like OCTAVE, MEHARI, or EBIOS, as long as their approach meets ISO requirements.

C . Incorrect:

ISO/IEC 27001 does not mandate a specific risk assessment method, only that a consistent and structured approach is used.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 6.1.2 (Information Security Risk Assessment Process)

Question 3

Auditors should have certain knowledge and skills; while audit team leaders should have some additional knowledge and skills. From the following list, select two that only apply to audit team leaders.

APlan the audit

BUnderstand and apply the risk-based approach to auditing

CApply appropriate sampling techniques

DMake effective use of resources provided to the audit

EBe aware of cultural and social aspects of the auditee

FVerify the relevance and accuracy of collected information

Answer : A, D

According to the PECB Candidate Handbook1, audit team leaders should have the following additional knowledge and skills compared to auditors:

* Plan the audit, including preparing the audit plan, assigning work to the audit team members and coordinating their activities

* Make effective use of resources provided to the audit, such as personnel, time, budget and equipment

* Manage the audit process, including leading the opening and closing meetings, directing the audit team, resolving conflicts and ensuring the audit objectives are achieved

* Review and approve the audit report and audit findings

* Communicate with the client and other interested parties throughout the audit

Question 4

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card was swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

ATake no action. Irrespective of any recommendations, contractors will always act in this way

BRaise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier

CRaise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined

DDetermine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

ERaise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities

FRaise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times

GRaise a nonconformity against control A.7.2 'physical entry' as a secure area is not adequately protected

HTell the organisation they must write to their contractors, reminding them of the need to use access cards appropriately

Answer : G

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.7.2 requires an organization to implement appropriate physical entry controls to prevent unauthorized access to secure areas1.The organization should define and document the criteria for granting and revoking access rights to secure areas, and should monitor and record the use of such access rights1. Therefore, when auditing the organization's application of control A.7.2, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Based on the scenario above, the auditor should raise a nonconformity against control A.7.2, as the secure area is not adequately protected from unauthorized access. The auditor should provide the following evidence and justification for the nonconformity:

Evidence: The auditor observed two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorized electrical repairs. The auditor checked the door access record for the client's suite and found that only one card was swiped. The auditor asked the receptionist and was told that it was a common problem that contractors tend to swipe one card and tailgate their way in, but they were known from the reception sign-in.

Justification: This evidence indicates that the organization has not implemented appropriate physical entry controls to prevent unauthorized access to secure areas, as required by control A.7.2. The organization has not defined and documented the criteria for granting and revoking access rights to secure areas, as there is no verification or authorization process for providing swipe cards and combination numbers to external contractors. The organization has not monitored and recorded the use of access rights to secure areas, as there is no mechanism to ensure that each individual swipes their card and enters their combination number before entering a secure area. The organization has relied on the reception sign-in as a means of identification, which is not sufficient or reliable for ensuring information security.

The other options are not valid actions for auditing control A.7.2, as they are not related to the control or its requirements, or they are not appropriate or effective for addressing the nonconformity. For example:

Take no action: This option is not valid because it implies that the auditor ignores or accepts the nonconformity, which is contrary to the audit principles and objectives of ISO 19011:20182, which provides guidelines for auditing management systems.

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier: This option is not valid because it does not address the root cause of the nonconformity, which is related to physical entry controls, not supplier relationships.Control A.5.20 requires an organization to agree on information security requirements with suppliers that may access, process, store, communicate or provide IT infrastructure components for its information assets1. While this control may be relevant for ensuring information security in supplier relationships, it does not address the issue of unauthorized access to secure areas by external contractors.

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined: This option is not valid because it does not address the root cause of the nonconformity, which is related to physical entry controls, not working in secure areas.Control A.7.6 requires an organization to define and apply security measures for working in secure areas1. While this control may be relevant for ensuring information security when working in secure areas, it does not address the issue of unauthorized access to secure areas by external contractors.

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV: This option is not valid because it does not address or resolve the nonconformity, but rather attempts to find alternative or compensating controls that may mitigate its impact or likelihood. While additional arrangements such as CCTV may be useful for verifying individual access to secure areas, they do not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities: This option is not valid because it does not address or resolve the nonconformity, but rather suggests a possible improvement action that may prevent or reduce its recurrence or severity. While accompanying contractors at all times when accessing secure facilities may be a good practice for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times: This option is not valid because it does not address or resolve the nonconformity, but rather suggests a possible improvement action that may increase awareness or compliance with the existing controls. While having a large sign in reception reminding everyone requiring access must use their swipe card at all times may be a helpful reminder for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Tell the organisation they must write to their contractors, reminding them of the need to use access cards appropriately: This option is not valid because it does not address or resolve the nonconformity, but rather instructs the organization to take a corrective action that may not be effective or sufficient for ensuring information security. While writing to contractors, reminding them of the need to use access cards appropriately may be a communication measure for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Question 5

Scenario 4: Branding is a marketing company that works with some of the most famous companies in the US. To reduce internal costs. Branding has outsourced the software development and IT helpdesk operations to Techvology for over two years. Techvology. equipped with the necessary expertise, manages Branding's software, network, and hardware needs. Branding has implemented an information security management system (ISMS) and is certified against ISO/IEC 27001, demonstrating its commitment to maintaining high standards of information security. It actively conducts audits on Techvology to ensure that the security of its outsourced operations complies with ISO/IEC 27001 certification requirements.

During the last audit. Branding's audit team defined the processes to be audited and the audit schedule. They adopted an evidence based approach, particularly in light of two information security incidents reported by Techvology in the past year The focus was on evaluating how these incidents were addressed and ensuring compliance with the terms of the outsourcing agreement

The audit began with a comprehensive review of Techvology's methods for monitoring the quality of outsourced operations, assessing whether the services provided met Branding's expectations and agreed-upon standards The auditors also verified whether Techvology complied with the contractual requirements established between the two entities This involved thoroughly examining the terms and conditions in the outsourcing agreement to guarantee that all aspects, including information security measures, are being adhered to.

Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to manage its outsourced operations and other organizations. This step is crucial for Branding to verify that proper controls and oversight mechanisms are in place to mitigate potential risks associated with the outsourcing arrangement.

The auditors conducted interviews with various levels of Techvology's personnel and analyzed the incident resolution records. In addition, Techvology provided the records that served as evidence that they conducted awareness sessions for the staff regarding incident management. Based on the information gathered, they predicted that both information security incidents were caused by incompetent personnel. Therefore, auditors requested to see the personnel files of the employees involved in the incidents to review evidence of their competence, such as relevant experience, certificates, and records of attended trainings.

Branding's auditors performed a critical evaluation of the validity of the evidence obtained and remained alert for evidence that could contradict or question the reliability of the documented information received. During the audit at Techvology, the auditors upheld this approach by critically assessing the incident resolution records and conducting thorough interviews with employees at different levels and functions. They did not merely take the word of Techvology's representatives for facts; instead, they sought concrete evidence to support the representatives' claims about the incident management processes.

Based on the scenario above, answer the following question:

Based on Scenario 4, what type of audit did Branding conduct?

AFirst-party audit

BSecond-party audit

CThird-party audit

Answer : B

Comprehensive and Detailed In-Depth

B . Correct Answer:

A second-party audit is conducted by an organization on its suppliers or outsourced service providers to ensure compliance with contractual and regulatory requirements.

Branding audited Techvology, an outsourced IT service provider, making this a second-party audit.

A . Incorrect:

A first-party audit is an internal audit, but Techvology is not an internal entity.

C . Incorrect:

A third-party audit is performed by an independent certification body, which is not the case here.

Relevant Standard Reference:

Question 6

During a follow-up audit, you notice that a nonconformity identified for completion before the follow-up audit is still outstanding.

Which four of the following actions should you take?

AReport the failure to address the corrective action for the outstanding nonconformity to the organisation's top management

BImmediately raise an nonconformity as the date for completion has been exceeded

CIf the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client

DContact the individuals) managing the audit programme to seek their advice as to how to proceed

EDecide whether the delay in addressing the nonconformity is justified

FCancel the follow-up audit and return when an assurance has been received that the nonconformity has been cleared

GNote the nonconformity is still outstanding and follow audit trails to determine why

HIf the delay is unjustified advise the auditee /audit client and agree on remedial action

Answer : A, C, E, G

According to the ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, the following actions should be taken when a nonconformity identified for completion before the follow-up audit is still outstanding:

A . Report the failure to address the corrective action for the outstanding nonconformity to the organisation's top management. This is part of the auditor's responsibility to communicate the audit results and ensure that the audit objectives are met12.

C . If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client. This is part of the auditor's responsibility to verify the effectiveness of the corrective actions taken by the auditee and to close the nonconformity when the evidence is satisfactory12.

. Decide whether the delay in addressing the nonconformity is justified. This is part of the auditor's responsibility to evaluate the evidence presented by the auditee and to use professional judgement and objectivity to determine the validity of the reasons for the delay12.

G . Note the nonconformity is still outstanding and follow audit trails to determine why. This is part of the auditor's responsibility to collect and verify audit evidence and to identify the root causes of the nonconformity12.

1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, CQI and IRCA Certified Training, 1

2: ISO/IEC 27001 Lead Auditor Training Course, PECB, 2

Question 7

A telecommunications company uses the AES method for ensuring that confidential information is protected. This means that they use a single key to encrypt and

decrypt the information. What kind of control does the company use?

ADetective

BCorrective

CPreventive

Answer : C

The AES (Advanced Encryption Standard) method is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting data1. This type of control is considered preventive because it is implemented to prevent unauthorized access to confidential information by ensuring that the data is unreadable to anyone who does not have the key. Reference: = The explanation is based on the general understanding of encryption as a security control within the field of information security, particularly as it pertains to the ISO/IEC 27001 standard for information security management systems (ISMS), which includes encryption as a preventive control measure.

PECB ISO/IEC 27001 Lead Auditor ISO-IEC-27001-Lead-Auditor Exam Questions