ISO-IEC-27001-Lead-Auditor Reviews Questions

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Question 17

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

Which three of the following options represent valid audit trails?

Options:

I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team

I will ensure that the organisation's risk assessment process begins with effective threat intelligence

I will speak to top management to make sure all staff are aware of the importance of reporting threats

I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements

I will check that the organisation has a fully documented threat intelligence process

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

I will review how information relating to information security threats is collected and evaluated to produce threat intelligence

Answer:

D, F, G

Explanation:

These three options represent valid audit trails for control 5.7, as they are aligned with the control’s requirements and objectives. According to the web search results from my predefined tool, control 5.7 requires organisations to collect and analyse information relating to information security threats and use that information to take mitigation actions12. The control also specifies that threat intelligence should be relevant, perceptive, contextual, and actionable, and that it should be used to prevent, detect, or respond to threats34. Therefore, the auditor should verify how the organisation collects, analyses, and produces threat intelligence, how it uses threat intelligence to protect its information assets, and how it monitors and evaluates the effectiveness of its threat intelligence arrangements. The other options are not valid audit trails, as they are either irrelevant, incorrect, or incomplete. For example:

•The task of producing threat intelligence is not assigned to the organisation’s internal audit team, but to the person or team responsible for the ISMS, such as the information security manager or the information security committee5 .

•The organisation’s risk assessment process does not begin with effective threat intelligence, but with the identification of the context, scope, and objectives of the ISMS . Threat intelligence is an input for the risk identification and analysis, but not the starting point of the risk assessment process.

•Speaking to top management to make sure all staff are aware of the importance of reporting threats is not sufficient to audit the control, as it does not address how the organisation collects, analyses, and produces threat intelligence, nor how it uses it to take mitigation actions. The auditor should also speak to the staff involved in the threat intelligence process, and review the relevant documents and records.

•Checking that the organisation has a fully documented threat intelligence process is not enough to audit the control, as it does not verify the implementation and effectiveness of the process. The auditor should also observe the process in action, and examine the outputs and outcomes of the process.

•Determining whether internal and external sources of information are used in the production of threat intelligence is a partial audit trail, as it only covers one aspect of the control. The auditor should also assess the quality, reliability, and relevance of the sources, and how the information is analysed and used.

[References: = 1: ISO 27001:2022 Annex A 5.7 – Threat Intelligence - ISMS.online12: ISO 27001 Annex A 5.7 Threat Intelligence - High Table23: ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, clause A.5.74: ISO 27002 Emphasizes Need For Threat Intelligence - Rapid745: ISO/IEC 27007:2011 Information technology — Security techniques — Guidelines for information security management systems auditing, clause 6.3.2. : ISO 27001 Statement of Applicability [Updated 2024] - Sprinto3 : ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, clause 6.1.1. : ISO 27001 Requirement 6.1.1 – Actions to address risks and opportunities | ISMS.online1, , , ]

Question 18

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.

The next step in your audit plan is to verify the information security on ABC's healthcare mobile app

development, support, and lifecycle process. During the audit, you learned the organization outsourced the

mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC

20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified. The IT Manager presented the software

security management procedure and summarised the process as follows:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a

minimum. The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report - details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data

encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to

approve the test.

The IT Manager explains the test results should be approved by him according to the software

security management procedure. The reason why the encryption and pseudonymization functions

failed is that these functions heavily slowed down the system and service performance. An extra

150% of resources are needed to cover this. The Service Manager agreed that access control is

good enough and acceptable. That's why the Service Manager signed the approval.

You sample one of the medical staff's mobile and found that ABC's healthcare mobile app, version

1.01 is installed. You found that version 1.01 has no test record.

The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app

development company gave a free minor update on the tested software, performed an emergency

release of the updated software, and gave a verbal guarantee that there will be no impact on any

security functions. Based on his 20 years of information security experience, there is no need to re-

test.

You are preparing the audit findings Select two options that are correct.

Options:

There is a nonconformity (NC). The IT. Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

There is a nonconformity (NC). The organisation does not control planned changes and review the consequences of unintended changes. (Relevant to clause 8.1)

There is an opportunity for improvement (OI). The IT Manager should make the decision to continue the service based on appropriate testing. (Relevant to clause 8.1, control A.8.30)

There is an opportunity for improvement (OI). The organisation selects an external service provider based on the extent of free services it will provide. (Relevant to clause 8.1, control A.5.21)

There is NO nonconformity (NC). The IT Manager demonstrates good leadership. (Relevant to clause 5.1, control 5.4)

There is NO nonconformity (NC). The IT Manager demonstrates he is fully competent. (Relevant to clause 7.2)

Question 19

During a third-party certification audit you are presented with a list of issues by an auditee. Which four of the following constitute 'external' issues in the context of a management system to ISO/IEC 27001:2022?

Options:

A rise in interest rates in response to high inflation

A reduction in grants as a result of a change in government policy

Poor levels of staff competence as a result of cuts in training expenditure

Increased absenteeism as a result of poor management

Higher labour costs as a result of an aging population

Inability to source raw materials due to government sanctions

Poor morale as a result of staff holidays being reduced

Answer:

A, B, E, F

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.1 requires an organization to determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS2. External issues are those that originate from outside the organization, such as legal, regulatory, cultural, social, political, economic, natural and competitive factors2. Internal issues are those that originate from within the organization, such as governance, structure, roles and responsibilities, policies, objectives, culture, capabilities, resources and information systems2. Therefore, based on this definition, four examples of external issues in the context of a management system to ISO/IEC 27001:2022 are a rise in interest rates in response to high inflation (which affects the economic environment of the organization), a reduction in grants as a result of a change in government policy (which affects the political and legal environment of the organization), higher labour costs as a result of an aging population (which affects the social and demographic environment of the organization), and inability to source raw materials due to government sanctions (which affects the trade and supply environment of the organization)2. The other options are examples of internal issues, as they originate from within the organization or its activities. For example, poor levels of staff competence as a result of cuts in training expenditure (which affects the capabilities and resources of the organization), increased absenteeism as a result of poor management (which affects the culture and performance of the organization), poor morale as a result of staff holidays being reduced (which affects the motivation and satisfaction of the organization’s personnel), and a fall in productivity linked to outdated production equipment (which affects the efficiency and quality of the organization’s processes)2. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements

Question 20

After analyzing the audit conclusions, Company X decided to accept the risk related to one of the detected nonconformities. They claimed that no corrective action was necessary; however, their decision was not documented. Is this acceptable?

Options:

Yes, the auditee's management can decide to accept the risk instead of implementing corrective actions and documenting such decision is not necessary

No, the decision of the auditee to accept the risk instead of implementing corrective actions should be justified and documented

No, the auditee must implement corrective actions for all the observations documented during the audit

Spring Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

ISO-IEC-27001-Lead-Auditor Reviews Questions

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce