
PECB Certified ISO/IEC 27001 2022 Lead Auditor exam

Last Update 17 hours ago Total Questions : 418

The PECB Certified ISO/IEC 27001 2022 Lead Auditor exam content has been fully updated, with all current exam questions added 17 hours ago. Including ISO-IEC-27001-Lead-Auditor practice questions in your study plan does more than prepare you for the test format.

Our ISO-IEC-27001-Lead-Auditor questions frequently feature detailed scenarios and practical problem-solving exercises that mirror the situations an auditor meets in the field. Working through these sample sets also helps you manage your time and pace yourself, so that you can finish a PECB Certified ISO/IEC 27001 2022 Lead Auditor practice test comfortably within the allotted time.

Question # 1

An audit finding is the result of the evaluation of the collected audit evidence against audit criteria. Evaluate the following potential formats of audit evidence and select the two that are acceptable.

A.

Unsigned hand written changes to test results

B.

Statement of facts by the IT manager

C.

Documented information on results of IT audits

D.

Statements by a system engineer that cannot be verified

E.

Observation of a previously recorded video demonstrating the performance of a hazardous activity

F.

An audio recording of a dialog between the IT manager and a system engineer

Question # 2

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina but has recently expanded to other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment, they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audit reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found that there was no documentation related to an information security training and awareness program. When asked, Sinvestment's representatives stated that the company had provided information security training sessions to all employees. The stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after the stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees' access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during the stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The company's procedures stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence that this procedure had been implemented.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings from stages 1 and 2 were analyzed, and the audit team decided to issue a positive recommendation for certification.

Based on the scenario above, answer the following question:

The audit team reviewed Sinvestment's documented information on-site, as requested by the company. Is this acceptable?

A.

Yes, Sinvestment has the right to require that no document is carried off-site during the documented information review

B.

No, Sinvestment cannot decide where the documentation review takes place, since a confidentiality agreement was signed prior to the stage 1 audit

C.

No, the combination of on-site and off-site activities can negatively impact the audit

Question # 3

Question:

As an auditor, you have noticed that ABC Inc. has established a procedure to manage removable storage media. The procedure is based on the classification scheme adopted by ABC Inc.; thus, if the information stored is classified as "confidential," the procedure applies. However, public information has no confidentiality requirements, so only integrity and availability controls apply. What type of audit finding is this?

A.

Nonconformity

B.

Anomaly

C.

Conformity

Question # 4

Which six of the following actions are the individual(s) managing the audit programme responsible for?

A.

Selecting the audit team

B.

Retaining documented information of the audit results

C.

Defining the objectives, scope and criteria for an individual audit

D.

Defining the plan of an individual audit

E.

Establishing the extent of the audit programme

F.

Establishing the audit programme

G.

Determining the resources necessary for the audit programme

Question # 5

You are conducting an Information Security Management System audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples and documents such as passports and driving licences.

You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses on the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a non-conformity against clause 8.1 of ISO 27001:2022.

Which one of the options below best describes the non-conformity you have identified?

A.

The organisation does not have an approved process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have corrected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational methods to meet information security requirements.

B.

The organisation does not have an audited process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have inaccurate information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational rules to meet information security requirements.

C.

The organisation does not have an effective process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational controls to meet information security requirements.

D.

The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have detailed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational procedures to meet information security requirements.

E.

The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have protected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational processes to meet information security requirements.

Question # 6

Scenario 8

Trustingo has been providing banking and financial services in Estonia since 2010. The company has a network of 30 branches with over 100 ATMs nationwide. To meet strict data security and privacy regulations, Trustingo implemented an information security management system (ISMS) based on ISO/IEC 27001, ensuring better security, improved risk management, and compliance with legal requirements.

Nine months after the successful implementation of the ISMS, Trustingo decided to pursue certification of their ISMS based on ISO/IEC 27001 by an independent certification body. The certification audit included Trustingo's systems, processes, and technologies.

The audit team conducted the Stage 1 and Stage 2 audits jointly, and several nonconformities were detected. The first nonconformity was related to Trustingo’s labeling of information. The company had an information classification scheme but no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently.

The nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information that had been mistakenly classified as confidential. According to the classification scheme, confidential information may be stored on removable media, whereas storing sensitive information on removable media is strictly prohibited.

The audit team drafted the nonconformity report and discussed conclusions with Trustingo’s representatives. Trustingo accepted the audit team leader’s proposed solution and addressed the nonconformities by drafting an information labeling procedure and updating the removable media procedure.

Two weeks after audit completion, Trustingo submitted a general corrective action plan. Although it addressed the nonconformities, it lacked detailed action steps and system-specific impacts. As a result, Trustingo received an unfavorable certification recommendation.

Question

Which action in Scenario 8 is unacceptable in an external audit?

A.

The audit team leader proposed a solution for resolving the nonconformities, which is not allowed in external audits

B.

The Stage 1 and Stage 2 audits were performed at the same time

C.

The information labeling procedure was incomplete but marked as a minor nonconformity

Question # 7

Which one of the following conclusions in the audit report is not required by the certification body when deciding to grant certification?

A.

The corrections taken by the organisation related to major nonconformities have been accepted.

B.

The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.

C.

The plans to address corrective actions related to minor nonconformities have been accepted

D.

The scope of certification has been fulfilled

Question # 8

You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS, once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.

The Service Manager says that the complaints were investigated as an information security incident, and the investigation found that they were justified.

Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.

You write a nonconformity: "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members."

Select three options from the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity.

ABC asks an ISMS consultant to test the ABC Healthcare mobile app for protection against cyber-crime.

A.

ABC cancels the service agreement with WeCare.

B.

ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA).

C.

ABC discontinues the use of the ABC Healthcare mobile app.

D.

ABC introduces background checks on information security performance for all suppliers.

E.

ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.

F.

ABC takes legal action against WeCare for breach of contract.

G.

ABC trains all staff on the importance of maintaining information security protocols.

Question # 9

As the Information Security Management System audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Annex A of ISO/IEC 27001:2022. She found evidence that removing the server access rights of 20 people who left in the last 3 months took up to 1 week, whereas the policy required removing access within 24 hours of their departure.

When the auditee was asked why there was a delay in removing access, they replied: "No one was available in the IT department during that period as a result of COVID-19. As soon as an IT officer became available the rights were removed."

You note that she intends to raise a minor nonconformity against the Access rights control (5.18). How should you respond to this?

A.

Agree with the raising of a minor nonconformity, but against control 5.15, not 5.18.

B.

Agree with the raising of the minor nonconformity against 5.18.

C.

Disagree with the raising of a minor nonconformity as appropriate action was taken at the earliest opportunity. Take no further action.

D.

Disagree with the raising of the minor nonconformity as appropriate action was taken at the earliest opportunity. Instead raise an opportunity for improvement.

E.

Disagree with the raising of the minor nonconformity; there is sufficient evidence to justify an escalation to a major nonconformity.

F.

Require additional audit evidence to be obtained before determining whether a nonconformity is appropriate.

Question # 10

You are an experienced ISMS audit team leader providing guidance to an auditor in training. She asks you why it is important to have specific criteria relating to the grading of nonconformities.

Which one of the following responses is correct?

Because grading criteria provide a common basis for the evaluation of nonconformities across the organization

A.

Because ISO/IEC 27001:2022 requires it

B.

Because the establishment and implementation of grading criteria demonstrate a high level of commitment to the corrective action process

C.

Because grading criteria will ensure that all auditors score nonconformities in exactly the same way
