PECB ISO-IEC-27001 Lead Auditor 시험

Question No : 1

You are an experienced ISMS audit team leader conducting a third-party surveillance audit of an internet services provider. You are reviewing the organization's risk assessment processes for conformity with ISO/IEC 27001:2022.
Which three of the following audit findings would prompt you to raise a nonconformity report?

• A.Both systems contain additional information security risks which are not associated with preserving the confidentiality, integrity and accessibility of information
• B.The organisation is treating information security risks in the order in which they are identified
• C.The organisation's information security risk assessment process suggests each risk is allocated a risk owner
• D.The organisation has not used RAG (Red, Amber, Green) to classify its' information security risks. Instead, it has used a smiling emoji, a neutral face emoji and a sad face emoji
• E.The organisation's risk assessment criteria have not been reviewed and approved by top management
• F.The organisation's information security risk assessment process is based solely on an assessment of the impact of each risk
• G.The organisation has assessed the probability of all of its information security risks as either 0%, 25%, 50%, 75% or 100%
• H.There is a different system in place for assessing operational information security risks and for assessing strategic information security risks

답을 확인하기

정답:
Explanation:
The three audit findings that would prompt you to raise a nonconformity report are:
• The organisation is treating information security risks in the order in which they are identified
• The organisation’s risk assessment criteria have not been reviewed and approved by top management
• The organisation’s information security risk assessment process is based solely on an assessment of the impact of each risk
According to ISO/IEC 27001:2022, clause 6.1.2, the organisation must establish and maintain an information security risk management process that is consistent with the organisation’s context and aligned with its overall risk management approach1. This process must include the following steps:
• Establishing the risk assessment criteria, which must be approved by top management and reflect the organisation’s risk appetite and objectives2
• Identifying the information security risks, which must consider the assets, threats, vulnerabilities, impacts, and likelihoods3
• Analysing the information security risks, which must determine the levels of risk and compare them with the risk criteria4
• Evaluating the information security risks, which must prioritise the risks and decide whether they need treatment or not5
Therefore, the audit findings B, E, and F indicate that the organisation is not following the required steps of the information security risk management process, and thus are nonconformities with the standard.
The other audit findings are not necessarily nonconformities, as they may be acceptable depending on the organisation’s context and justification.
For example:
• Audit finding A may be acceptable if the organisation has identified and treated the additional information security risks that are relevant to its scope and objectives, and has documented the rationale for doing so6
• Audit finding C may be acceptable if the organisation has assigned clear roles and responsibilities for the information security risk management process, and has ensured that the risk owners have the authority and competence to manage the risks7
• Audit finding D may be acceptable if the organisation has defined and communicated the meaning and implications of the emoji-based risk classification, and has ensured that it is consistent with the risk criteria and the risk treatment process8
• Audit finding G may be acceptable if the organisation has justified the use of discrete values for the probability of the information security risks, and has ensured that they are realistic and consistent with the risk criteria and the risk analysis method9
• Audit finding H may be acceptable if the organisation has established and maintained different systems for assessing operational and strategic information security risks, and has ensured that they are integrated and aligned with the overall risk management approach and the ISMS objectives10
References: 1: ISO/IEC 27001:2022, 6.1.2; 2: ISO/IEC 27001:2022, 6.1.2 a); 3: ISO/IEC 27001:2022,

Question No : 2

You are an experienced audit team leader conducting a third-party surveillance audit of an organisation that designs websites for its clients. You are currently reviewing the organisation's Statement of Applicability.
Based on the requirements of ISO/IEC 27001, which two of the following observations about the Statement of Applicability are false?

• A.A Statement of Applicability must be produced by organisations seeking ISO/IEC 27001 conformity
• B.Justification is only required for any controls that the organisations choses to exclude
• C.Justification for both the inclusion and exclusion of Annex A controls in the Statement of Applicability is required
• D.The Statement of Applicability is owned and amended by the organisation's top management
• E.Additional controls not included in Appendix A may be added to the Statement of Applicability if the organisation choses to do so
• F.The Statement of Applicability must include Organisational, Physical, People and Technological controls that are necessary

답을 확인하기

정답:

Question No : 3

You are an experienced audit team leader guiding an auditor in training.
Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PHYSICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that would you expect the auditor in training to review.

• A.Access to and from the loading bay
• B.How power and data cables enter the building
• C.Information security awareness, education, and training
• D.The conducting of verification checks on personnel
• E.The development and maintenance of an information asset inventory
• F.The operation of the site CCTV and door control systems
• G.The organisation's arrangements for maintaining equipment
• H.The organisation's business continuity arrangements

답을 확인하기

정답:
Explanation:
The four controls from the list that are related to PHYSICAL aspects of the ISMS are:
• Access to and from the loading bay
• How power and data cables enter the building
• The operation of the site CCTV and door control systems
• The organisation’s arrangements for maintaining equipment
These controls are derived from the ISO 27001 Annex A, which provides a comprehensive list of information security controls that can be applied to an ISMS1. The other controls in the list are more related to ORGANIZATIONAL, LEGAL, or HUMAN aspects of the ISMS, which are also important, but not the focus of this question.
According to the ISMS Auditing Guideline2, the auditor in training should review the PHYSICAL controls by:
• Checking the SoA to identify the applicable controls and their implementation status
• Interviewing the relevant staff and management to verify their understanding and involvement in the controls
• Observing the physical and environmental conditions to confirm the existence and effectiveness of the controls
• Examining the relevant documents and records to validate the compliance and performance of the controls
I hope this helps you prepare for the exam.
References:
1: What Are ISO 27001 Controls? A Guide to Annex A | Secureframe;
2: ISMS Auditing Guideline - ISO27000

Question No : 4

You are an experienced ISMS audit team leader conducting a third-party surveillance visit.
You notice that although the auditee is claiming conformity with ISO/IEC 27001:2022 they are still referring to Improvement as clause 10.2 (as it was in the 2013 edition) when this is now clause 10.1 in the 2022 edition. You have confirmed they are meeting all of the 2022 requirements set out in the standard.
Select one option of the action you should take.

• A.Note the issue in the audit report
• B.Raise a nonconformity against clause 7.5.3 - Control of documented information
• C.Raise it as an opportunity for improvement
• D.Bring the matter up at the closing meeting

답을 확인하기

정답:
Explanation:
The correct action to take in this situation is to raise it as an opportunity for improvement. This is because the auditee is not violating any requirement of the standard, but rather using outdated terminology that does not reflect the current version of the standard. An opportunity for improvement is a suggestion for enhancing the performance or effectiveness of the ISMS1. It is not a nonconformity, which is a failure to fulfil a requirement2. Therefore, option B is incorrect.
Option A is also incorrect, because noting the issue in the audit report without raising it as an opportunity for improvement would not provide any value or feedback to the auditee.
Option D is also incorrect, because bringing the matter up at the closing meeting without documenting it as an opportunity for improvement would not ensure that the auditee takes any action to address it.
References:
1: ISMS Auditing Guideline - ISO27000, page 11;
2: ISO/IEC 27000:2022, 3.28; : ISMS Auditing Guideline - ISO27000; : ISO/IEC 27000:2022

Question No : 5

DRAG DROP
You are an experienced ISMS audit team leader, assisting an auditor in training to write their first audit report.
You want to check the auditor in training's understanding of terminology relating to the contents of an audit report and chose to do this by presenting the following examples.
For each example, you ask the auditor in training what the correct term is that describes the activity. Match the activity to the description.

답을 확인하기

정답:


Explanation:

Question No : 6

Which two of the following options are an advantage of using a sampling plan for the audit?

• A.Overrules the auditor's instincts
• B.Reduces the audit duration
• C.Prevents conflict within the audit team
• D.Gives confidence in the audit results
• E.Implements the audit plan efficiently
• F.Use of the plan for consecutive audits

답을 확인하기

정답:
Explanation:
A sampling plan for the audit is a method of selecting a representative subset of the audit evidence to evaluate the conformity of the ISMS1.
The advantages of using a sampling plan are:
It reduces the audit duration by focusing on the most relevant and significant aspects of the ISMS2. It gives confidence in the audit results by ensuring that the sample is sufficient, reliable, and unbiased3.
Reference: 1: ISMS Auditing Guideline - ISO27000, page 9; 2: Internal Audit Plan C ISO Templates and
Documents Download; 3: A Step-by-Step Guide to Conducting an ISO 27001 Internal Audit, Step 4;
: ISMS Auditing Guideline - ISO27000; : Internal Audit Plan C ISO Templates and Documents Download; : A Step-by-Step Guide to Conducting an ISO 27001 Internal Audit

Question No : 7

DRAG DROP
A key audit process is the way auditors gather information and determine the findings' characteristics. Put the actions listed in the correct order to complete this process. The last one has been done for you.

답을 확인하기

정답:


Explanation:
Determine source of information
Collect by means of appropriate sampling
Reviewing
Audit evidence
Evaluating against audit criteria
Audit findings
Audit conclusions
The reviewing step involves checking the accuracy, completeness, and relevance of the collected information. The audit evidence step involves documenting the information in a verifiable and traceable manner. The evaluating against audit criteria step involves comparing the audit evidence with the requirements of the ISO 27001 standard and the organization’s own policies and objectives. The audit findings step involves identifying any nonconformities, weaknesses, or opportunities for improvement in the ISMS. The audit conclusions step involves summarizing the audit results and providing recommendations for corrective actions or enhancements.

Question No : 8

Audit methods can be either with or without interaction with individuals representing the auditee.
Which two of the following methods are with interaction?

• A.Sampling (e.g. products)
• B.Observing work performed via live video streaming
• C.Reviewing checklists with auditee
• D.Checking legal compliance with local authorities
• E.Conducting interviews
• F.Analysing documents provided in advance of the audit

답을 확인하기

정답:
Explanation:
According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, audit methods can be classified into two categories: with or without interaction with individuals representing the auditee (page 12). Audit methods with interaction include reviewing checklists with auditee and conducting interviews, as they involve direct communication and feedback from the auditee. Audit methods without interaction include sampling (e.g. products), observing work performed via live video streaming, checking legal compliance with local authorities, and analysing documents provided in advance of the audit, as they do not require any dialogue or exchange with the auditee.
References: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 12.

Question No : 9

During an audit, the audit team leader reached timely conclusions based on logical reasoning and analysis.
What professional behaviour was displayed by the audit team leader?

• A.Decisive
• B.Open minded
• C.Ethical
• D.Perceptive

답을 확인하기

정답:
Explanation:
According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, one of the professional behaviours expected from an audit team leader is to be decisive, which means to “reach timely conclusions based on logical reasoning and analysis” (page 8). Being open minded, ethical, and perceptive are also desirable qualities for an audit team leader, but they do not match the description given in the question.
References: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 8.

Question No : 10

DRAG DROP
In the context of a management system audit, please identify the sequence of a typical process of collecting and verifying information. The first one has been done for you.

답을 확인하기

정답:


Explanation:
Identifying the source of information (already given)
Gathering audit evidence: This involves collecting information from various sources such as documents, records, interviews, and observations.
Sampling the available data: Due to the vast amount of information available, auditors typically use sampling techniques to select representative data for closer scrutiny.
Verifying objective evidence: This involves checking the accuracy, completeness, and reliability of the collected evidence.
Evaluating evidence against the audit criteria: Auditors compare the collected evidence to the established criteria (e.g., standards, policies, procedures) to assess compliance and effectiveness.
Recording audit findings: This involves documenting the results of the evaluation, including observations, conclusions, and recommendations.
Making audit conclusions: Based on the recorded findings, auditors formulate overall conclusions about the status of the management system.
Therefore, the correct sequence is:

Question No : 11

Which two of the following phrases would apply to "act" in relation to the Plan-Do-Check-Act cycle for a business process?

• A.Auditing processes
• B.Planning changes
• C.Measuring objectives
• D.Resetting objectives
• E.Achieving improvements
• F.Verifying training

답을 확인하기

정답:
Explanation:
The Act phase of the PDCA cycle is where the organisation takes actions to improve its processes and performance based on the results of the Check phase. This may involve resetting objectives to make them more realistic, achievable or challenging, or implementing changes to address the root causes of problems and achieve the desired outcomes. The Act phase is also where the organisation monitors the effects of the actions taken and evaluates their effectiveness and efficiency. The Act phase is important because it enables the organisation to learn from its experience and continually improve its ISMS.
References: What is ‘Plan, Do, Check, Act’? A framework for continuous improvement, PDCA in ISO27001 - Free guide to learn | Dr. Erdal Ozkaya, PECB Candidate Handbook ISO 27001 Lead Auditor (page 12)

Question No : 12

Which two of the following options do not participate in a first-party audit?

• A.A certification body auditor
• B.An audit team from an accreditation body
• C.An auditor certified by CQI and IRCA
• D.An auditor from a consultancy organisation
• E.An auditor trained in the CQI and IRCA scheme
• F.An auditor trained in the organization

답을 확인하기

정답:
Explanation:
A first-party audit is an internal audit in which the organization’s own staff or contractors check the conformity and effectiveness of the ISMS. A certification body auditor and an audit team from an accreditation body are external auditors who conduct audits for the purpose of certification or accreditation. They do not participate in a first-party audit, but rather in a third-party audit.
References: First & Second Party Audits - operational services, The ISO 27001 Audit Process | Blog | OneTrust, The ISO 27001 Audit Process | A Beginner’s Guide - IAS USA

Question No : 13

What is meant by the term 'Corrective Action'? Select one

• A.Action is taken to prevent a nonconformity or an incident from occurring
• B.Action is taken to eliminate the cause(s) of a nonconformity or an incident
• C.Action is taken by management to respond to a nonconformity
• D.Action is taken to fix a nonconformity or an incident

답을 확인하기

정답:
Explanation:
Corrective action is a process of identifying and eliminating the root causes of nonconformities or incidents that have occurred or could potentially occur, in order to prevent their recurrence or occurrence. Corrective action is part of the improvement requirement of ISO 27001 and follows a standard workflow of identification, evaluation, implementation, review and documentation of corrections and corrective actions.
References: Procedure for Corrective Action, Nonconformity & Corrective Action For ISO 27001 Requirement 10.1, PECB Candidate Handbook ISO 27001 Lead Auditor (page 12)

Question No : 14

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which three of the following Annex A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

• A.5.11 Return of assets
• B.5.13 Labelling of information
• C.5.3 Segregation of duties
• D.5.32 Intellectual property rights
• E.5.34 Privacy and protection of personal identifiable information (PII)
• F.5.6 Contact with special interest groups
• G.6.3 Information security awareness, education, and training
• H.6.4 Disciplinary process

답을 확인하기

정답:
Explanation:
The three Annex A controls that you would expect the auditee to have implemented when you conduct the follow-up audit are:
B. 5.13 Labelling of information
E. 5.34 Privacy and protection of personal identifiable information (PII)
G. 6.3 Information security awareness, education, and training
B. This control requires the organisation to label information assets in accordance with the information classification scheme, and to handle them accordingly12. This control is relevant for the auditee because it could help them to avoid misaddressing labels and sending parcels to wrong destinations, which could compromise the confidentiality, integrity, and availability of the information assets. By labelling the information assets correctly, the auditee could also ensure that they are delivered to the intended recipients and that they are protected from unauthorized access, use, or disclosure.
E. This control requires the organisation to protect the privacy and the rights of individuals whose personal identifiable information (PII) is processed by the organisation, and to comply with the applicable legal and contractual obligations13. This control is relevant for the auditee because it could help them to prevent the unauthorized use of residents’ personal data by a supplier, which could violate the privacy and the rights of the residents and their family members, and expose the auditee to legal and reputational risks. By protecting the PII of the residents and their family members, the auditee could also enhance their trust and satisfaction, and avoid complaints and disputes.
G. This control requires the organisation to ensure that all employees and contractors are aware of the information security policy, their roles and responsibilities, and the relevant information security procedures and controls14. This control is relevant for the auditee because it could help them to improve the information security culture and behaviour of their staff, and to reduce the human errors and negligence that could lead to information security incidents. By providing information security awareness, education, and training to their staff, the auditee could also increase their competence and performance, and ensure the effectiveness and efficiency of the information security processes and controls.
References:
1: ISO/IEC 27001:2022 - Information technology ― Security techniques ― Information security management systems ― Requirements, Annex A 2: ISO/IEC 27002:2022 - Information technology ― Security techniques ― Code of practice for information security controls, clause 8.2.1 3: ISO/IEC 27002:2022 - Information technology ― Security techniques ― Code of practice for information security controls, clause 18.1.4 4: ISO/IEC 27002:2022 - Information technology ― Security techniques ― Code of practice for information security controls, clause 7.2.2

Question No : 15

You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.
The Service Manager says that the complaints were investigated as an information security incident which found that they were justified.
Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.
You write a nonconformity "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents' and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members."
Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity.
ABC asks an ISMS consultant to test the ABC Healthcare mobile app for protection against cyber-crime.
A. ABC cancels the service agreement with WeCare.
B. ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA).
C. ABC discontinues the use of the ABC Healthcare mobile app.
D. ABC introduces background checks on information security performance for all suppliers.
E. ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.
F. ABC takes legal action against WeCare for breach of contract.
G. ABC trains all staff on the importance of maintaining information security protocols.

답을 확인하기

정답: B, E, F
Explanation:
The three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity are:
B. ABC cancels the service agreement with WeCare.
E. ABC introduces background checks on information security performance for all suppliers.
F. ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.
B. This option is a possible correction and corrective action that ABC could take to address the nonconformity. A correction is the action taken to eliminate a detected nonconformity, while a corrective action is the action taken to eliminate the cause of a nonconformity and to prevent its recurrence1. By cancelling the service agreement with WeCare, ABC could stop the unauthorized use of residents’ personal data and protect their privacy and rights. This could also prevent further complaints and legal issues from the residents and their family members. However, this option may also have some drawbacks, such as the loss of a service provider, the need to find an alternative solution, and the potential impact on the residents’ well-being.
E. This option is a possible corrective action that ABC could take to address the nonconformity. By introducing background checks on information security performance for all suppliers, ABC could ensure that they select and work with reliable and trustworthy partners who respect the confidentiality, integrity, and availability of the information they handle. This could also help ABC to comply with information security control A.15.1.1 (Information security policy for supplier relationships), which requires the organisation to agree and document information security requirements for mitigating the risks associated with supplier access to the organisation’s assets2.
F. This option is a possible corrective action that ABC could take to address the nonconformity. By periodically monitoring compliance with all applicable legislation and contractual requirements involving third parties, ABC could verify that the suppliers are fulfilling their obligations and responsibilities regarding information security. This could also help ABC to comply with information security control A .18.1.1 (Identification of applicable legislation and contractual requirements), which requires the organisation to identify, document, and keep up to date the relevant legislative, regulatory, contractual, and other requirements to which the organisation is subject3.
References:
1: ISO 27000:2018 - Information technology ― Security techniques ― Information security management systems ― Overview and vocabulary, clause 3.9 and 3.10 2: ISO/IEC 27001:2022 - Information technology ― Security techniques ― Information security management systems ― Requirements, Annex A, control A.15.1.1 3: ISO/IEC 27001:2022 - Information technology ― Security techniques ― Information security management systems ― Requirements, Annex A, control A.18.1.1