PECB ISO-IEC-27001-Lead-Auditor Exam With Confidence Using Practice Dumps

The three audit findings that would prompt you to raise a nonconformity report are:

•The organisation is treating information security risks in the order in which they are identified

•The organisation’s risk assessment criteria have not been reviewed and approved by top management

•The organisation’s information security risk assessment process is based solely on an assessment of the impact of each risk

According to ISO/IEC 27001:2022, clause 6.1.2, the organisation must establish and maintain an information security risk management process that is consistent with the organisation’s context and aligned with its overall risk management approach1. This process must include the following steps:

•Establishing the risk assessment criteria, which must be approved by top management and reflect the organisation’s risk appetite and objectives2

•Identifying the information security risks, which must consider the assets, threats, vulnerabilities, impacts, and likelihoods3

•Analysing the information security risks, which must determine the levels of risk and compare them with the risk criteria4

•Evaluating the information security risks, which must prioritise the risks and decide whether they need treatment or not5

Therefore, the audit findings B, E, and F indicate that the organisation is not following the required steps of the information security risk management process, and thus are nonconformities with the standard.

The other audit findings are not necessarily nonconformities, as they may be acceptable depending on the organisation’s context and justification. For example:

•Audit finding A may be acceptable if the organisation has identified and treated the additional information security risks that are relevant to its scope and objectives, and has documented the rationale for doing so6

•Audit finding C may be acceptable if the organisation has assigned clear roles and responsibilities for the information security risk management process, and has ensured that the risk owners have the authority and competence to manage the risks7

•Audit finding D may be acceptable if the organisation has defined and communicated the meaning and implications of the emoji-based risk classification, and has ensured that it is consistent with the risk criteria and the risk treatment process8

•Audit finding G may be acceptable if the organisation has justified the use of discrete values for the probability of the information security risks, and has ensured that they are realistic and consistent with the risk criteria and the risk analysis method9

•Audit finding H may be acceptable if the organisation has established and maintained different systems for assessing operational and strategic information security risks, and has ensured that they are integrated and aligned with the overall risk management approach and the ISMS objectives10

A legal technical expert (LTE) is a person who provides specific knowledge or expertise related to the legal aspects of the information security management system (ISMS) during a certification audit. The LTE is not an auditor, but a member of the audit team who supports the auditors in collecting and evaluating the audit evidence. The LTE is not responsible for evaluating the auditee’s legal knowledge, criticising the organisation’s legal compliance issues, or debating complex legal points with the auditee, as these tasks may be beyond the scope of the audit, or may compromise the objectivity and impartiality of the audit. The LTE is responsible for advising on legal checkpoints for the audit team, such as the applicable legal, regulatory, and contractual requirements, the relevant sources of information, the methods of verification, and the criteria of evaluation. The LTE is also responsible for verifying the legal status of the organisation, such as the registration, licensing, authorisation, or accreditation of the organisation, and the compliance with the relevant laws and regulations. References:

What is the role of a technical expert in ISO audit?

Roles, Responsibilities & Authorities for ISO 27001 5.3

Guide to Become an ISO 27001 Lead Auditor

The correct answer is Previous audit experience within the audit scope, because judgement-based sampling relies heavily on the auditor’s professional judgment, knowledge, and experience. ISO 19011:2018 explicitly states that auditors may use judgmental (non-statistical) sampling when selecting audit samples, particularly when dealing with complex systems or limited audit time.

When applying judgement-based sampling, auditors consider factors such as areas with a history of nonconformities, previous audit findings, recurring weaknesses, and known high-risk processes. Prior audit experience within the same scope provides valuable insight into where problems are more likely to occur and where audit effort should be concentrated. This helps auditors select representative and meaningful samples that support reliable conclusions.

Option A is incorrect because monitoring activities prior to ISMS implementation may provide background context, but they are not a primary basis for judgement-based sampling in a certification audit. Option C is incorrect because the auditee’s general experience with management systems does not directly inform which specific records, processes, or controls should be sampled.

Judgement-based sampling is not random; it is risk-informed and experience-driven. Therefore, leveraging previous audit experience within the audit scope is the most appropriate and standards-aligned consideration.