• Home
  • Articles
  • Latest Mar-2026 PECB ISO-IEC-27001-Lead-Auditor Dumps Updated 368 Questions [Q65-Q81]

Latest Mar-2026 PECB ISO-IEC-27001-Lead-Auditor Dumps Updated 368 Questions [Q65-Q81]

Share

Latest Mar-2026 PECB ISO-IEC-27001-Lead-Auditor Dumps Updated 368 Questions

PDF Download Free of ISO-IEC-27001-Lead-Auditor Valid Practice Test Questions

NEW QUESTION # 65
You receive an E-mail from some unknown person claiming to be representative of your bank and asking for your account number and password so that they can fix your account. Such an attempt of social engineering is called

  • A. Mountaineering
  • B. Spoofing
  • C. Shoulder Surfing
  • D. Phishing

Answer: D


NEW QUESTION # 66
You have to carry out a third-party virtual audit. Which two of the following issues would you need to inform the auditee about before you start conducting the audit ?

  • A. You will ask those being interviewed to state their name and position beforehand.
  • B. You will ask to see the ID card of the person that is on the screen.
  • C. You will ask for a 360-degree view of the room where the audit is being carried out.
  • D. You expect the auditee to have assessed all risks associated with online activities.
  • E. You will not record any part of the audit, unless permitted.
  • F. You will take photos of every person you interview.

Answer: A,C

Explanation:
A third-party virtual audit is an external audit conducted by an independent certification body using remote technology such as video conferencing, screen sharing, and electronic document exchange. The purpose of a third-party virtual audit is to verify the conformity and effectiveness of the information security management system (ISMS) and to issue a certificate of compliance12 Before you start conducting the audit, you would need to inform the auditee about the following issues: 12 You will ask those being interviewed to state their name and position beforehand, i.e., to confirm their identity and role in the ISMS. This is to ensure that you are interviewing the relevant personnel and that they are authorized to provide information and evidence for the audit.
You will ask for a 360-degree view of the room where the audit is being carried out, i.e., to verify the physical and environmental security of the audit location. This is to ensure that there are no unauthorized persons or devices in the vicinity that could compromise the confidentiality, integrity, or availability of the information being audited.
The other issues are not relevant or appropriate for a third-party virtual audit, because:
You will ask to see the ID card of the person that is on the screen, i.e., to verify their identity. This is not necessary if you have already asked them to state their name and position beforehand, and if you have access to the auditee's organizational chart or staff directory. Asking to see the ID card could also be seen as intrusive or disrespectful by the auditee.
You will take photos of every person you interview, i.e., to document the audit process. This is not advisable as it could violate the privacy or consent of the auditee and the interviewees. Taking photos could also be seen as unprofessional or suspicious by the auditee. You should rely on the audit records and evidence provided by the auditee and the audit tool instead.
You will not record any part of the audit, unless permitted, i.e., to respect the auditee's preferences and rights. This is not a valid issue to inform the auditee about, as you should always record the audit for quality assurance and verification purposes. Recording the audit is also a requirement of the ISO/IEC 27001 standard and the certification body. You should inform the auditee that you will record the audit and obtain their consent before the audit begins.
You expect the auditee to have assessed all risks associated with online activities, i.e., to ensure the security of the audit process. This is not an issue to inform the auditee about, as it is part of the auditee's responsibility and obligation to have a risk assessment and treatment process for their ISMS. You should assess the auditee's risk management practices and controls during the audit, not before it.
Reference:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2


NEW QUESTION # 67
What is the standard definition of ISMS?

  • A. A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving
  • B. Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.
  • C. A systematic approach for establishing, implementing, operating,monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives.
  • D. A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security

Answer: C

Explanation:
Explanation
The standard definition of ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives. This definition is given in clause 3.17 of ISO/IEC 27001:2022, and it describes the main components and purpose of an ISMS. An ISMS is not a project-based approach, as it is an ongoing process that requires continual improvement. An ISMS is not a company wide business objective, as it is a management system that supports the organization's objectives. An ISMS is not an information security systematic approach, as it is a broader concept that encompasses the organization's context, risks, controls, and performance. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 15. :
ISO/IEC 27001:2022, clause 3.17.


NEW QUESTION # 68
CEO sends a mail giving his views on the status of the company and the company's future strategy and the CEO's vision and the employee's part in it. The mail should be classified as

  • A. Public Mail
  • B. Confidential Mail
  • C. Restricted Mail
  • D. Internal Mail

Answer: D


NEW QUESTION # 69
Which six of the following actions are the individual(s) managing the audit programme responsible for?

  • A. Retaining documented information of the audit results
  • B. Determining the resources necessary for the audit programme
  • C. Defining the objectives, scope and criteria for an individual audit
  • D. Defining the plan of an individual audit
  • E. Establishing the extent of the audit programme
  • F. Communicating with the auditee during the audit
  • G. Selecting the audit team
  • H. Establishing the audit programme

Answer: A,C,D,E,G,H

Explanation:
According to ISO 19011:2018, which provides guidelines for auditing management systems, an audit programme is a set of one or more audits planned for a specific time frame and directed towards a specific purpose1. The individual(s) managing the audit programme are responsible for establishing, implementing and maintaining the audit programme in accordance with the organization's policies and objectives1. This includes defining the extent of the audit programme based on strategic direction, risks and opportunities; establishing the audit programme by defining its objectives, scope and criteria; determining the resources necessary for the audit programme; selecting competent auditors and assigning them to appropriate audits; defining the objectives, scope and criteria for each individual audit; defining the plan of each individual audit; retaining documented information of the audit results; reviewing and improving the performance of the audit programme1. Therefore, these six actions are part of the responsibilities of the individual(s) managing the audit programme. The other option, communicating with the auditee during the audit, is not a responsibility of the individual(s) managing the audit programme, but rather a responsibility of the audit team leader1. References: ISO 19011:2018 - Guidelines for auditing management systems


NEW QUESTION # 70
When preparing for an audit, which of the following statements is false?

  • A. The audit plan may be changed during the audit
  • B. Each auditor creates their own audit checklist for use during the audit
  • C. The audit checklists are shared and agreed with the auditee in advance of the audit
  • D. The audit plan is shared with the auditee in advance of the audit

Answer: C


NEW QUESTION # 71
Select the words that best complete the sentence below to describe a third-party audit plan.
To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Answer:

Explanation:


NEW QUESTION # 72
What type of compliancy standard, regulation or legislation provides a code of practice for information security?

  • A. Personal data protection act
  • B. IT Service Management
  • C. Computer criminality act
  • D. ISO/IEC 27002

Answer: D

Explanation:
Explanation
ISO/IEC 27002:2022 is an international standard that provides a code of practice for information security controls4. A code of practice is a set of guidelines and recommendations for implementing, maintaining, and improving information security in an organization5. ISO/IEC 27002:2022 covers various aspects of information security, such as organizational, human, technical, physical, and environmental controls. It is designed to be used as a reference for selecting, implementing, and managing controls within the process of establishing an ISMS based on ISO/IEC 27001:20224. References: ISO/IEC 27002:2022, Foreword and Introduction; ISO/IEC 27000:2022, clause 3.10.


NEW QUESTION # 73
You are an experienced ISMS audit team leader guiding an auditor in training. You are testing her understanding of follow-up audits by asking her a series of questions to which the answer is either "true* or
'false'. Which four of the following questions should the answer be true"'

  • A. The outcome of a follow-up audit could be a recommendabon to suspend the client's certification
  • B. A follow-up audit is required only in instances where a major nonconformity has been identified
  • C. The outcome of a follow-up audit could lower a major nonconformity to minor status
  • D. The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified
  • E. The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client
  • F. A follow-up audit may be carried out where nonconformities are minor
  • G. A follow-up audit is required in all instances where nonconformities have been identified
  • H. A follow-up audit may be carried out where nonconformities are major

Answer: D,E,F,H

Explanation:
* A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization's management system to achieve its intended results, and therefore requires immediate corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system12.
* A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system12.
* The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because the top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee13.
* The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee13.
References :=
* ISO 19011:2022 Guidelines for auditing management systems
* ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements
* ISO/IEC 17021-1:2022 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements


NEW QUESTION # 74
Which one of the following statements best describes the purpose of conducting a document review?

  • A. To decide about the conformity of the documented management system with audit standards and to gather findings to support the audit process
  • B. To determine the conformity of the management system, as far as documented, with audit criteria and to gather information to support the on-site audit activities
  • C. To reveal whether the documented management system is nonconforming with audit criteria and to gather evidence to support the audit report
  • D. To detect any nonconformity of the management system, if documented, with audit criteria and to identify information to support the audit plan

Answer: B

Explanation:
A document review is a process of examining the documented information related to the management system before the on-site audit activities. The purpose of a document review is to: 12
* Determine the conformity of the management system, as far as documented, with audit criteria, i.e., to check whether the documents are consistent, complete, and compliant with the requirements of ISO/IEC
27001 and any other applicable standards or regulations.
* Gather information to support the on-site audit activities, i.e., to identify the scope, objectives, processes, controls, risks, and opportunities of the management system, and to plan the audit methods, techniques, and resources accordingly.
The other statements are not accurate, because:
* A document review does not reveal or decide about the conformity or nonconformity of the management system as a whole, but only of the documented information. The conformity or nonconformity of the management system is determined by the on-site audit activities, which include interviews, observations, and tests12
* A document review does not gather evidence or findings to support the audit report or process, but information to support the on-site audit activities. The evidence or findings are collected during the on-site audit activities, which are then documented and reported12
* A document review does not detect any nonconformity of the management system, if documented, but determines the conformity of the documented information. The nonconformity of the management system is detected by the on-site audit activities, which evaluate the performance and effectiveness of the management system12
* A document review does not identify information to support the audit plan, but gathers information to support the on-site audit activities. The audit plan is prepared before the document review, based on the audit scope, objectives, criteria, and program. The document review is part of the audit plan implementation12 References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2


NEW QUESTION # 75
Scenario 8: Tess
a. Malik, and Michael are an audit team of independent and qualified experts in the field of security, compliance, and business planning and strategies. They are assigned to conduct a certification audit in Clastus, a large web design company. They have previously shown excellent work ethics, including impartiality and objectiveness, while conducting audits. This time, Clastus is positive that they will be one step ahead if they get certified against ISO/IEC 27001.
Tessa, the audit team leader, has expertise in auditing and a very successful background in IT-related issues, compliance, and governance. Malik has an organizational planning and risk management background. His expertise relies on the level of synthesis and analysis of an organization's security controls and its risk tolerance in accurately characterizing the risk level within an organization On the other hand, Michael is an expert in the practical security of controls assessment by following rigorous standardized programs.
After performing the required auditing activities, Tessa initiated an audit team meeting They analyzed one of Michael s findings to decide on the issue objectively and accurately. The issue Michael had encountered was a minor nonconformity in the organization's daily operations, which he believed was caused by one of the organization's IT technicians As such, Tessa met with the top management and told them who was responsible for the nonconformity after they inquired about the names of the persons responsible To facilitate clarity and understanding, Tessa conducted the closing meeting on the last day of the audit. During this meeting, she presented the identified nonconformities to the Clastus management. However, Tessa received advice to avoid providing unnecessary evidence in the audit report for the Clastus certification audit, ensuring that the report remains concise and focused on the critical findings.
Based on the evidence examined, the audit team drafted the audit conclusions and decided that two areas of the organization must be audited before the certification can be granted. These decisions were later presented to the auditee, who did not accept the findings and proposed to provide additional information. Despite the auditee's comments, the auditors, having already decided on the certification recommendation, did not accept the additional information. The auditee's top management insisted that the audit conclusions did not represent reality, but the audit team remained firm in their decision.
Based on the scenario above, answer the following question:
Was the closing meeting conducted accordingly?

  • A. No, it should be conducted several weeks after the on-site audit
  • B. Yes, the closing meeting is conducted on the last day of the audit
  • C. No, it should be conducted after the audit conclusions have been drafted

Answer: B

Explanation:
Comprehensive and Detailed In-Depth
A . Correct answer:
ISO 19011:2018 requires that closing meetings occur at the end of the audit to present findings to the auditee.
B . Incorrect:
Audit conclusions can be drafted later, but the closing meeting must still happen immediately post-audit.
C . Incorrect:
Delaying the closing meeting beyond the audit timeline is improper.
Relevant Standard Reference:


NEW QUESTION # 76
You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-
1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.
The IT Manager presented the software security management procedure and summarised the process as following:
The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:
Access control.
Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and Personal data pseudonymization.
Vulnerability checked and no security backdoor
You sample the latest Mobile App Test report, details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorised to approve the test.
The IT Manager explains the test results should be approved by him according to the software security management procedure.
The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.
You are preparing the audit findings. Select the correct option.

  • A. There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service.
    (Relevant to clause 8.1, control A.8.30)
  • B. There is a nonconformity (NC). The organisation and developer perform security tests that fail.
    (Relevant to clause 8.1, control A.8.29)
  • C. There is a nonconformity (NC). The organisation and developer do not perform acceptance tests.
    (Relevant to clause 8.1, control A.8.29)
  • D. There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

Answer: D

Explanation:
The correct option is D. There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30). The IT Manager should have approved the test results according to the software security management procedure, not the Service Manager. The Service Manager's decision to accept the failed security tests also violates the "security-by- design" and "security-by-default" principles that the organization adopted. The other options are either incorrect or irrelevant. The organization and developer did perform acceptance tests, but they failed (B, C). The Service Manager's decision to continue the service does not justify the nonconformity (A). References: 1: ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, Clause 8.1 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 5: Conducting an ISO/IEC 27001 audit


NEW QUESTION # 77
An employee caught with offense of abusing the internet, such as P2P file sharing or video/audio streaming, will not receive a warning for committing such act but will directly receive an IR.

  • A. False
  • B. True

Answer: B

Explanation:
According to ISO/IEC 27001:2022, clause A.8.1.5, the organization should establish and implement a clear policy on the acceptable use of information assets, including the internet. The policy should define the rules and consequences for violating them, such as disciplinary actions or legal sanctions. The policy should also be communicated to all users and relevant parties. Therefore, if an employee is caught abusing the internet, such as P2P file sharing or video/audio streaming, they will not receive a warning but will directly receive an IR (incident report), which is a formal record of the incident and its impact, as well as the corrective actions taken or planned. Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course Handbook, page 54; [ISO/IEC 27001:2022], clause A.8.1.5.


NEW QUESTION # 78
Please match the roles to the following descriptions:

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable test from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Answer:

Explanation:

Explanation:

* The auditee is the organization or part of it that is subject to the audit. The auditee could be internal or external to the audit client . The auditee should cooperate with the audit team and provide them with access to relevant information, documents, records, personnel, and facilities .
* The audit client is the organization or person that requests an audit. The audit client could be internal or external to the auditee . The audit client should define the audit objectives, scope, criteria, and programme, and appoint the audit team leader .
* The technical expert is a person who provides specific knowledge or expertise relating to the organization, activity, process, product, service, or discipline to be audited. The technical expert could be internal or external to the audit team . The technical expert should support the audit team in collecting and evaluating audit evidence, but should not act as an auditor .
* The observer is a person who accompanies the audit team but does not act as an auditor. The observer could be internal or external to the audit team . The observer should observe the audit activities without interfering or influencing them, unless agreed otherwise by the audit team leader and the auditee .
References :=
* [ISO 19011:2022 Guidelines for auditing management systems]
* [ISO/IEC 17021-1:2022 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements]


NEW QUESTION # 79
You are an experienced audit team leader guiding an auditor in training, Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that would you expect the auditor in training to review.

  • A. Access to and from the loading bay
  • B. Confidentiality and nondisclosure agreements
  • C. Information security awareness, education and training
  • D. How protection against malware is implemented
  • E. How the organisation evaluates its exposure to technical vulnerabilities
  • F. Remote working arrangements
  • G. How access to source code and development tools are managed
  • H. The organisation's arrangements for information deletion
  • I. Rules for transferring information within the organisation and to other organisations
  • J. How information security has been addressed within supplier agreements
  • K. The conducting of verification checks on personnel
  • L. The organisation's arrangements for maintaining equipment
  • M. The organisation's business continuity arrangements
  • N. How power and data cables enter the building
  • O. The operation of the site CCTV and door control systems
  • P. The development and maintenance of an information asset inventory

Answer: D,E,G,O

Explanation:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), an organization should select and implement appropriate controls to achieve its information security objectives1. The controls should be derived from the results of risk assessment and risk treatment, and should be consistent with the Statement of Applicability (SoA), which is a document that identifies the controls that are applicable and necessary for the ISMS1. The controls can be selected from various sources, such as ISO/IEC 27002:2013, which provides a code of practice for information security controls2. Therefore, if an auditor in training has been tasked with reviewing the technological controls listed in the SoA and implemented at the site of an organization that stores data on behalf of external clients, four controls that would be expected to review are:
How protection against malware is implemented: This is a technological control that aims to prevent, detect and remove malicious software (such as viruses, worms, ransomware, etc.) that could compromise the confidentiality, integrity or availability of information or information systems2. This control is related to control A.12.2.1 of ISO/IEC 27002:20132.
How the organisation evaluates its exposure to technical vulnerabilities: This is a technological control that aims to identify and assess the potential weaknesses or flaws in information systems or networks that could be exploited by malicious actors or cause accidental failures2. This control is related to control A.12.6.1 of ISO/IEC 27002:20132.
How access to source code and development tools are managed: This is a technological control that aims to protect the intellectual property rights and integrity of software applications or systems that are developed or maintained by the organization or its external providers2. This control is related to control A.14.2.5 of ISO/IEC 27002:20132.
The operation of the site CCTV and door control systems: This is a technological control that aims to monitor and restrict physical access to the premises or facilities where information or information systems are stored or processed2. This control is related to control A.11.1.4 of ISO/IEC 27002:20132.
The other options are not examples of technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training's task. For example, the development and maintenance of an information asset inventory (related to control A.8.1.1), rules for transferring information within the organization and to other organizations (related to control A.13.2.1), confidentiality and nondisclosure agreements (related to control A.13.2.4), verification checks on personnel (related to control A.7.1.2), remote working arrangements (related to control A.6.2.1), information security within supplier agreements (related to control A.15.1.1), business continuity arrangements (related to control A.17), information deletion (related to control A.8.3), information security awareness, education and training (related to control A.7.2), equipment maintenance (related to control
A.11.2), and how power and data cables enter the building (related to control A.11) are not technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training's task. References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, ISO/IEC
27002:2013 - Information technology - Security techniques - Code of practice for information security controls


NEW QUESTION # 80
You are an experience ISMS audit team leader carrying out a third-party certification audit of an organization specialising in the secure disposal of confidential documents and removable media. Both documents and media are shredded in military grade devices which make it impossible to reconstruct the original.
The audit has gone well and you are just about to start to write the audit report, 30 minutes before the closing meeting. At this point one of the organization's employees knocks on your door and asks if they can speak to you. They tell you that when things get busy her manager tells her to use a lower grade industrial shredder instead as the organisation has more of these and they operate faster. You were not informed about the existence or use of these machines by the auditee.
Select three options for how you should respond to this information.

  • A. Verify with the auditee that lower grade machines are used in certain circumstances
  • B. Raise a nonconformity against 8.1 Operational Planning and Control as the organization has not been open about its processes
  • C. Cancel the production of the audit report and instead review the organization's contracts with its clients to determine whether they have permitted the use of lower grade machines
  • D. Consider the need for a subsequent audit within 4 weeks based on the additional information that has come to light
  • E. Advise the individual managing the audit programme of any recommendation by you to conduct a further auditprior to certification
  • F. Do nothing. All audits are based on a sample and the sample you took did not include a planned review of the lower grade machines
  • G. Extend the certification audit duration to create additional time to audit the use of the lower grade machines

Answer: A,D,E

Explanation:
According to ISO/IEC 27001:2022 clause 8.1, the organization must plan, implement and control the processes needed to meet the information security requirements, and to implement the actions determined in clause 6.1. The organization must also ensure that the outsourced processes are controlled or influenced.
According to control A.5.24, the organization must establish and maintain an information security incident management process that includes reporting information security events and weaknesses. Therefore, the use of lower grade machines for the secure disposal of confidential documents and media could pose a significant information security risk and a potential breach of contract with the clients. The auditor should respond to this information by:
* A. Advising the individual managing the audit programme of any recommendation by you to conduct a further audit prior to certification. This is in accordance with ISO/IEC 27006:2022 clause 7.4.3, which states that the audit team leader shall report to the certification body any situation that may significantly affect the audit conclusions or the certification decision, and propose any necessary changes to the audit plan.
* C. Considering the need for a subsequent audit within 4 weeks based on the additional information that has come to light. This is in accordance with ISO/IEC 27006:2022 clause 7.5.2, which states that the audit team leader shall review the audit findings and any other appropriate information collected during the audit to determine the audit conclusions, and to identify any need for a subsequent audit.
* G. Verifying with the auditee that lower grade machines are used in certain circumstances. This is in accordance with ISO/IEC 27006:2022 clause 7.4.2, which states that the audit team leader shall ensure
* that the audit is conducted in accordance with the audit plan, and that any changes to the plan are agreed upon and documented.
The other options are not appropriate responses, as they either ignore the information, exceed the scope of the audit, or prematurely raise a nonconformity without sufficient evidence. For example:
* B. Cancelling the production of the audit report and instead reviewing the organization's contracts with its clients to determine whether they have permitted the use of lower grade machines. This is not a suitable response, as it would delay the audit process and the certification decision, and it would involve reviewing documents that are outside the scope of the ISMS audit. The auditor should focus on verifying the information security risk assessment and treatment process, and the information security incident management process, as they relate to the use of lower grade machines.
* D. Doing nothing. All audits are based on a sample and the sample you took did not include a planned review of the lower grade machines. This is not a suitable response, as it would disregard a significant information security risk and a potential nonconformity that could affect the audit conclusions and the certification decision. The auditor should follow up on the information provided by the employee and verify its validity and impact.
* E. Extending the certification audit duration to create additional time to audit the use of the lower grade machines. This is not a suitable response, as it would disrupt the audit schedule and the availability of the audit team and the auditee. The auditor should report the situation to the certification body and propose any necessary changes to the audit plan, such as conducting a subsequent audit.
* F. Raising a nonconformity against 8.1 Operational Planning and Control as the organization has not been open about its processes. This is not a suitable response, as it would be based on a single source of information that has not been verified or corroborated. The auditor should collect sufficient and appropriate audit evidence to support any nonconformity, and should also consider the root cause and the severity of the nonconformity.
References:
* ISO/IEC 27001:2022, clauses 8.1 and Annex A control A.5.24
* ISO/IEC 27006:2022, clauses 7.4.2, 7.4.3, and 7.5.2
* [PECB Candidate Handbook ISO/IEC 27001 Lead Auditor], pages 18-19, 23-24
* A Step-by-Step Guide to Conducting an ISO 27001 Internal Audit
* ISO 27001 - Annex A.16: Information Security Incident Management


NEW QUESTION # 81
......

ISO-IEC-27001-Lead-Auditor Test Engine files, ISO-IEC-27001-Lead-Auditor Dumps PDF: https://braindumps2go.actualpdf.com/ISO-IEC-27001-Lead-Auditor-real-questions.html

Related Articles

more
PECB ISO-IEC-27001-Lead-Auditor Certification Practice Exam