Based on the provided scenario, the auditors’ request for documentary evidence regarding the monitoring process of outsourced operations indicates that the auditors demonstrated professional skepticism. This is because professional skepticism involves a critical assessment of audit evidence and includes a questioning mind and a careful evaluation of the information provided by the auditee123.

Professional skepticism is an essential part of the auditing process, especially in the context of ISO/IEC 27001, which requires auditors to systematically examine an organization’s information security risks, including the management of outsourced processes4. The auditors’ request for evidence suggests that they were not satisfied with verbal assurances alone and sought to verify that SendPay had a formal, documented process for monitoring outsourced activities, which is a requirement for maintaining an effective Information Security Management System (ISMS)5.

Therefore, the correct answer is: A. The auditors demonstrated professional skepticism.

The scenario represents planning risk, making option A the correct answer. Planning risk arises when an audit is inadequately planned, resulting in incomplete coverage, misaligned objectives, or failure to address critical areas. ISO 19011 emphasizes that defining the audit scope, objectives, and criteria is a fundamental step in audit planning and is essential to achieving effective audit outcomes.

In this case, the organization failed to define the audit scope and objectives clearly. As a direct consequence, the auditor overlooked departments handling sensitive information, which are typically high-risk areas in an ISMS. This oversight undermines the effectiveness of the audit and increases the likelihood that significant risks or nonconformities remain undetected.

Option B is incorrect because communication risk relates to misunderstandings or ineffective information exchange between auditors and auditees. While communication issues may exist, the root cause here is inadequate planning. Option C is incorrect because resource risk concerns insufficient auditor time, competence, or tools. The problem in this scenario is not a lack of resources but the absence of structured planning.

ISO/IEC 27001 internal audits rely heavily on proper planning to ensure that all relevant processes and assets are evaluated. Therefore, the primary risk present is planning risk.

The three options for findings that are justified in the scenario are:

•Nonconformity (NC) - The information for the acceptance of residual information security risks should be updated after the risk treatment is implemented. Clause 6.1.3.f

•Nonconformity (NC) - The IT security manager should be aware of and understand his authority and area of responsibility. Clause 7.3

•Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the Facility Manager in this case. Clause 6.1.3.f

According to ISO/IEC 27001:2022, clause 6.1.3.f, the organisation must retain documented information that includes the information for the acceptance of residual information security risks, and the approval of the risk treatment plan by the risk owner1. Therefore, option A and G are justified as nonconformities, because the organisation failed to update the information for the acceptance of residual risks, and the risk treatment plan was approved by the IT security manager, who is not the risk owner.

According to ISO/IEC 27001:2022, clause 7.3, the organisation must ensure that the persons assigned to perform the roles and responsibilities for the ISMS are competent, and are aware of the consequences of not conforming to the ISMS requirements2. Therefore, option E is justified as a nonconformity, because the IT security manager, who is responsible for the information security risk management process, was not aware of his authority and area of responsibility.

The other options are not justified as findings, because they are either irrelevant or incorrect. For example:

•Option B is irrelevant, because it is not related to the information security risk treatment plan No. 123, which is the focus of the audit.

•Option C is incorrect, because it is not an opportunity for improvement, but rather a benefit of the risk treatment plan No. 123, which is already implemented.

•Option D is incorrect, because it is not a nonconformity, but rather a requirement for the organisation to provide the resources needed for the ISMS, which is not the same as the resources needed for the risk treatment plan No. 123.

•Option F is incorrect, because it is not a nonconformity, but rather a requirement for the organisation to provide the resources needed for the continual improvement of the ISMS, which is not the same as the resources needed for the risk treatment plan No. 123.

•Option H is irrelevant, because it is not a finding, but rather a good practice, which is not the objective of the audit.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer: When an organization refuses to share sensitive information off-site, the auditor can resolve the situation by reviewing the information on-site while ensuring auditor confidentiality. This maintains transparency and compliance with ISO 19011 auditing guidelines.

B. Incorrect: The auditor cannot immediately refuse the mandate. Instead, an attempt to reach an agreement should be made first.

C. Incorrect: While audit leaders define audit access, they must also respect confidentiality agreements.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)

ISO 19011:2018 Clause 6.4.5 (Audit Information Availability and Access)

The purpose of a Stage 2 audit is to evaluate the implementation of the management system, in this case, the ISMS, according to the requirements of ISO/IEC 27001:2022 and the organisation’s own policies and procedures. The Stage 2 audit involves collecting evidence of the effectiveness and performance of the ISMS, as well as verifying the conformity and suitability of the organisation’s controls. The Stage 2 audit also assesses the organisation’s ability to achieve its information security objectives and to manage information security risks. References: = ISO/IEC 27006:2022, clause 9.2.2.2; PECB Candidate Handbook ISO 27001 Lead Auditor, page 28.

While competence is important for an effective ISMS, the specific competence records of the ISMS manager are less relevant when determining resources for the internal audit program. The focus should be on resources directly related to the audit process itself. Here ' s why the other options matter:

•A. Availability of competent auditors and technical experts: Crucial for conducting thorough audits and accurately assessing the ISMS.

•C. Availability of the necessary documented information: Essential for auditors to review policies, procedures, and records related to the ISMS.

•D. Impact of different time zones: Can affect scheduling, coordination, and communication during the audit, potentially requiring additional resources.

Knowledge is the understanding of facts, concepts, principles, theories and practices related to a specific subject or discipline. Skills are the ability to apply knowledge and use know-how to complete tasks and solve problems. According to ISO 19011:2018, the knowledge and skills of an auditor include the following:

Knowledge of audit principles, procedures and methods

Knowledge of management system standards and reference documents

Knowledge of the organization’s context, scope, processes and objectives

Knowledge of relevant legal, regulatory and contractual requirements

Knowledge of applicable industry, sector or technical disciplines

Knowledge of risk management and risk-based thinking

Skill in collecting and verifying information

Skill in evaluating conformity and effectiveness of management systems

Skill in reporting and communicating audit results

Skill in managing audit activities and teams

Based on this, the activities that are predominately related to knowledge are designing a checklist and determining what evidence to gather, as they require the auditor to understand the audit criteria, scope, objectives and methods, as well as the organization’s context, processes and risks. The other activities are more related to skills, as they involve applying knowledge and using know-how to perform tasks and solve problems during the audit.

The following statements are true:

The role of a certification body auditor involves evaluating the organization’s processes for ensuring compliance with their legal requirements. This is part of the auditor’s responsibility to assess the effectiveness and conformity of the organization’s ISMS against the ISO/IEC 27001:2022 standard and the applicable legal and regulatory requirements.

During a third-party audit, the auditor evaluates how the organization ensures that they are made aware of changes to the legal requirements. This is part of the auditor’s responsibility to verify that the organization has established and maintained a process for identifying and updating their legal and other requirements related to information security. The following statement is false:

As part of a certification body audit, the auditor is responsible for verifying the organization’s legal compliance status. This is not true, as the auditor is not authorized or qualified to provide legal advice or judgment on the organization’s compliance status. The auditor can only report on the evidence of compliance or noncompliance observed during the audit, but the ultimate responsibility for ensuring legal compliance lies with the organization. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 66. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 67. : ISO/IEC 27001 LEAD AUDITOR - PECB, page 22.

You see a blue color sticker on certain physical assets. This signifies that the asset is high critical and its failure will affect a group/s/project’s work in the organization. A blue color sticker is a type of label that indicates the level of criticality of an asset, which is a measure of how important an asset is for the organization’s operations and objectives. A high critical asset is an asset that has a significant impact on the organization’s activities, and its loss or damage would cause major disruption or loss of service. A blue color sticker also implies that the asset requires a high level of protection and security, and should be handled with care. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 36. : [ISO/IEC 27001 Brochures | PECB], page 6.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Statistical sampling follows probability theory and ensures objective selection.

ISO 19011:2018 supports statistical sampling for unbiased audit conclusions.

B. Incorrect:

Judgment-based sampling is subjective, not probability-based.

C. Incorrect:

Multi-site sampling applies to organizations with multiple locations.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.9 (Using Statistical Sampling for Audits)