These three options represent valid audit trails for control 5.7, as they are aligned with the control’s requirements and objectives. According to the web search results from my predefined tool, control 5.7 requires organisations to collect and analyse information relating to information security threats and use that information to take mitigation actions12. The control also specifies that threat intelligence should be relevant, perceptive, contextual, and actionable, and that it should be used to prevent, detect, or respond to threats34. Therefore, the auditor should verify how the organisation collects, analyses, and produces threat intelligence, how it uses threat intelligence to protect its information assets, and how it monitors and evaluates the effectiveness of its threat intelligence arrangements. The other options are not valid audit trails, as they are either irrelevant, incorrect, or incomplete. For example:

•The task of producing threat intelligence is not assigned to the organisation’s internal audit team, but to the person or team responsible for the ISMS, such as the information security manager or the information security committee5 .

•The organisation’s risk assessment process does not begin with effective threat intelligence, but with the identification of the context, scope, and objectives of the ISMS . Threat intelligence is an input for the risk identification and analysis, but not the starting point of the risk assessment process.

•Speaking to top management to make sure all staff are aware of the importance of reporting threats is not sufficient to audit the control, as it does not address how the organisation collects, analyses, and produces threat intelligence, nor how it uses it to take mitigation actions. The auditor should also speak to the staff involved in the threat intelligence process, and review the relevant documents and records.

•Checking that the organisation has a fully documented threat intelligence process is not enough to audit the control, as it does not verify the implementation and effectiveness of the process. The auditor should also observe the process in action, and examine the outputs and outcomes of the process.

•Determining whether internal and external sources of information are used in the production of threat intelligence is a partial audit trail, as it only covers one aspect of the control. The auditor should also assess the quality, reliability, and relevance of the sources, and how the information is analysed and used.

According to ISO 19011:2018, which provides guidelines for auditing management systems, clause 6.7 requires the audit team leader to conduct a follow-up audit to verify the implementation and effectiveness of the corrective actions taken by the auditee in response to the nonconformities identified during a previous audit1. The follow-up audit should be conducted in accordance with the same principles and processes as the initial audit, and should result in a conclusion on the status of the nonconformities and any remaining issues1. Therefore, when conducting a follow-up audit, an ISMS auditor should consider the following actions:

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit: This action is appropriate because it reflects the fact that the auditee has cleared most of the nonconformities, including the major one, and only one minor nonconformity remains outstanding. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity2. Therefore, this finding does not prevent or preclude the continuation of certification, as long as it is addressed by appropriate corrective actions within a reasonable time frame. The auditor should recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit, which is a regular audit conducted by the certification body to confirm the ongoing conformity and effectiveness of an ISMS3.

Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified: This action is appropriate because it reflects the fact that the auditee has demonstrated commitment and capability to implement corrective actions for the nonconformities identified during the previous audit. The auditor should agree with the auditee/audit client on a realistic, achievable, and effective corrective action plan for the remaining nonconformity, including a clear deadline and verification method. The auditor should also document this agreement in the follow-up audit report1.

Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity: This action is appropriate because it reflects the fact that the auditor has followed a systematic and consistent approach to conducting and reporting the follow-up audit. The auditor should advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity, such as recommending its closure at the next surveillance audit or agreeing on a corrective action plan with the auditee/audit client. The auditor should also provide sufficient information and evidence to support their decision1.

Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised: This action is appropriate because it reflects the fact that the organisation has achieved satisfactory results in the follow-up audit. The auditor should close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised by implementing effective corrective actions for most of them and agreeing on a plan for the remaining one. The auditor should also communicate the follow-up audit conclusion to the auditee/audit client and other relevant parties1.

Determine source of information

Collect by means of appropriate sampling

Reviewing

Audit evidence

Evaluating against audit criteria

Audit findings

Audit conclusions

The reviewing step involves checking the accuracy, completeness, and relevance of the collected information. The audit evidence step involves documenting the information in a verifiable and traceable manner. The evaluating against audit criteria step involves comparing the audit evidence with the requirements of the ISO 27001 standard and the organization’s own policies and objectives. The audit findings step involves identifying any nonconformities, weaknesses, or opportunities for improvement in the ISMS. The audit conclusions step involves summarizing the audit results and providing recommendations for corrective actions or enhancements.

The certification body had a valid reason to accept CyberShielding Systems Inc.’s objection, making option A the correct answer. ISO/IEC 17021-1 requires certification bodies to ensure that audit teams are competent and acceptable to the auditee, particularly where access to sensitive information, systems, or facilities is involved. Security clearance requirements set by the auditee are a legitimate consideration, especially for organizations operating in highly sensitive information security environments.

In this scenario, CyberShielding Systems Inc. operates in the cybersecurity sector and handles sensitive internal and customer information. Auditors without the necessary security clearance may be unable to access required information or systems, which would compromise the effectiveness and completeness of the audit. Accepting such an objection supports both audit quality and information protection.

Option B is incorrect because objections are not limited to cases of prior unprofessional conduct. Option C is incorrect because conflicts of interest are not the only valid grounds for objection. ISO/IEC 17021-1 allows auditees to object to auditors for justified reasons, including competence, impartiality, confidentiality, or access limitations.

Therefore, replacing the auditor due to insufficient security clearance was appropriate and consistent with certification body requirements and good auditing practice.

The audit team employed an evidence-based approach, making option A the correct answer. This is explicitly demonstrated throughout the scenario and aligns directly with ISO 19011:2018, which defines evidence-based auditing as one of the fundamental principles of auditing management systems. An evidence-based approach requires that audit conclusions are based on verifiable information and objective evidence rather than assumptions, opinions, or hypothetical scenarios.

In the scenario, the audit team clearly states that only information capable of being verified to some extent was considered valid audit evidence. This reflects the ISO 19011 requirement that audit evidence should be verifiable, relevant, and based on samples of available information. The auditors documented observations, inspection notes, asset inventories, and firewall configurations, all of which are tangible and verifiable sources of audit evidence. Even in situations where evidence was difficult to verify, the auditors applied professional judgment to assess reliability, which is consistent with the principle of due professional care rather than speculative analysis.

Option B is incorrect because a risk-based approach focuses on prioritizing audit activities based on risk levels, not on how conclusions are reached. While risk awareness may influence audit planning, it does not define the method of forming conclusions. Option C is incorrect because hypothetical analysis is not recognized as an acceptable audit method under ISO standards. ISO audits must be grounded in factual, verifiable evidence.

Therefore, the audit team’s systematic reliance on verifiable information confirms that an evidence-based approach was used.

Furthermore, Jack’s understanding of NightCore’s organizational context, management practices, and applicable statutory and regulatory requirements demonstrates competence in applying audit criteria within the organization’s specific environment. His ability to exercise professional judgment when evidence is difficult to verify further supports his suitability as an audit team leader.

Option A is incorrect because Jack’s experience spans multiple relevant domains, not just a few limited areas. Option B is incorrect because auditor competence is not based solely on understanding organizational structure; it requires a broader combination of auditing, technical, and contextual knowledge, all of which Jack clearly demonstrates.

The role of the audit team leader does not include setting up an ethics committee. The primary responsibilities of the audit team leader include planning the audit, directing the activities of the audit team, ensuring compliance with the auditing standards, managing conflicts that arise during the audit, and presenting audit conclusions.

The possible matches of the characteristics to the descriptions are:

Tenacious: Persistent and focused on objectives

Ethical: Fair, truthful, sincere, honest, discreet

Diplomatic: Tactful in dealing with individuals

Observant: Actively observing surroundings/activities

Perceptive: Aware of and able to understand situations

Open to improvement: Willing to learn from situations

Actively observing surroundings/activities = Observant

Fair, truthful, sincere, honest, discreet = Ethical

Persistent and focused on objectives = Tenacious

Willing to learn from situations = Open to improvement

Tactful in dealing with individuals = Diplomatic

Aware of and able to understand situations = Perceptive

These are the auditor’s characteristics and their descriptions as defined by ISO 19011:2022, Clause 7.2.21. The auditor’s personal behaviour is essential for building trust and confidence with the auditee and for ensuring the credibility and effectiveness of the audit12. References: 1: ISO 19011:2022, Guidelines for auditing management systems, Clause 7.2.2 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 3: Fundamental audit concepts and principles

The PDCA cycle is a four-step method for managing and improving processes. The steps are Plan, Do, Check, and Act. In the Plan phase, the objectives and scope of the process are defined, and the resources and activities are planned. In the Do phase, the process is implemented on a test basis, and the results are recorded and analyzed1. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

Comprehensive and Detailed In-Depth Explanation:

Northstorm adopted an international standard for Personally Identifiable Information (PII) controllers and PII processors to ensure its data handling practices were secure and compliant with global regulations. This aligns directly with ISO/IEC 27701, which extends ISO/IEC 27001 and ISO/IEC 27002 to cover Privacy Information Management Systems (PIMS), specifically addressing the protection of PII.

A. ISO/IEC 27701 – Correct Answer. This standard is designed for organizations acting as PII controllers and processors and provides guidelines on privacy management, regulatory compliance, and data protection.

B. ISO/IEC 27009 – Incorrect because this standard provides guidance on sector-specific requirements for ISMS, not privacy or PII protection.

C. ISO/IEC 27003 – Incorrect because it provides general implementation guidance for ISMS, not specific controls for PII processing.

This aligns with ISO/IEC 27001:2022 Annex A Control A.5.34 (Privacy and Protection of PII), which focuses on ensuring compliance with privacy regulations and implementing privacy-enhancing security measures.