Halloween Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

You are an ISMS audit team leader who has been assigned by your certification body to carry out a follow-up audit of a client. You are preparing your audit plan for this audit.

Which two of the following statements are true?

A.

Verification should focus on whether any action undertaken taken has been undertaken efficiently

B.

Corrections should be verified first, followed by corrective actions and finally opportunities for improvement

C.

Verification should focus on whether any action undertaken is complete

D.

Opportunities for improvement should be verified first, followed by corrections and finally corrective actions

E.

Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement

F.

Verification should focus on whether any action undertaken has been undertaken effectively

Full Access
Question # 5

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

According to scenario 2, the ISMS scope was not applied to the Finance and HR Department of Knight. Is this acceptable?

A.

Yes, the ISMS must be applied only to processes and assets that may directly impact information security

B.

Yes, the ISMS scope can include the whole organization or only particular departments within the organization

C.

No, the ISMS scope must include all organizational units and processes

Full Access
Question # 6

You are an experienced ISMS audit team leader conducting a third-party surveillance visit.

You notice that although the auditee is claiming conformity with ISO/IEC 27001:2022 they are still referring to Improvement as clause 10.2 (as it was in the 2013 edition) when this is now clause 10.1 in

the 2022 edition. You have confirmed they are meeting all of the 2022 requirements set out in the standard.

Select one option of the action you should take.

A.

Note the issue in the audit report

B.

Raise a nonconformity against clause 7.5.3 - Control of documented information

C.

Raise it as an opportunity for improvement

D.

Bring the matter up at the closing meeting

Full Access
Question # 7

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

FTP uses clear text passwords for authentication. This is an FTP:

A.

Vulnerability

B.

Risk

C.

Threat

Full Access
Question # 8

You are carrying out a third-party surveillance audit of a client's ISMS. You are currently in the secure storage area of the data centre where the organisation's customers are able to temporarily locate equipment coming into or going out of the site. The equipment is contained within locked cabinets and each cabinet is allocated to a single, specific client.

Out of the corner of your eye you spot movement near the external door of the storage area. This is followed by a loud noise. You ask the guide what is going on. They tell you that recent high rainfall has raised local river levels and caused an infestation of rats. The noise was a specialist pest control stunning device being triggered. You check the device in the corner and find there is a large immobile rat contained within it.

What three actions would be appropriate to take next?

A.

Take no further action. This is an ISMS audit, not an environmental management system audit

B.

Investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied

C.

Determine whether the high levels of rainfall have had other impacts on data centre operations e.g. damage to infrastructure, access issues for clients, invocation of business continuity arrangements

D.

Raise a nonconformity against control 7.4 Physical Security monitoring

E.

Raise a nonconformity against control 7.2 Physical Entry

F.

Check with the guide that they intend to initiate the organisation's information security incident process

G.

Inspect the client cabinets for signs of rodent ingress and record your findings as audit evidence

Full Access
Question # 9

CEO sends a  mail giving his views on the status of the company and the company’s future strategy and the CEO's vision and the employee's part in it. The mail should be classified as

A.

Internal Mail

B.

Public Mail

C.

Confidential Mail

D.

Restricted Mail

Full Access
Question # 10

You are an experienced ISMS audit team leader. An auditor in training has approached you to ask you to clarify the different types of audits she may be required to undertake.

Match the following audit types to the descriptions.

To complete the table click on the blank section you want to complete so that It is highlighted In fed, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Full Access
Question # 11

Which one of the following conclusions in the audit report is not required by the certification body when deciding to grant certification?

A.

The corrections taken by the organisation related to major nonconformities have been accepted.

B.

The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.

C.

The plans to address corrective actions related to minor nonconformities have been accepted

D.

The scope of certification has been fulfilled

Full Access
Question # 12

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of data. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank’s labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives, who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

According to scenario 8, the audit team evaluated the action plan and concluded that it would resolve the detected nonconformities. Is this acceptable?

A.

Yes. the audit team must evaluate the action plan and verify if it is appropriate for correcting the detected nonconformities

B.

Yes, only if EsBank has previously verified the effectiveness of the action plan and informed the audit team that the action plan allows the correction of nonconformities

C.

No, the auditee should verify if the action plan allows the correction of nonconformities and elimination of the root causes

Full Access
Question # 13

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

According to scenario 6, the marketing department employees were not following the access control policy. Which option is correct in this case?

A.

The marketing department is not included in the audit scope, so the issue should only be communicated to Sinvestment's representatives

B.

The employees' access right control is included in Sinvestment’s information security policy, so the issue must be communicated to Sinvestment's representatives and included in the audit report

C.

Sinvestment is not controlling the employees' access rights, which represents a potential information security risk and should be reported as a major nonconformity

Full Access
Question # 14

The following are purposes of Information Security, except:

A.

Ensure Business Continuity

B.

Minimize Business Risk

C.

Increase Business Assets

D.

Maximize Return on Investment

Full Access
Question # 15

You are the audit team leader conducting a third-party audit of an online insurance company. During Stage 1, you found that the organization took a very cautious risk approach and included all the information security controls in ISO/IEC 27001:2022 Appendix A in their Statement of Applicability.

During the Stage 2 audit, your audit team found that there was no evidence of a risk treatment plan for the implementation of the three controls (5.3 Segregation of duties, 6.1 Screening, 7.12 Cabling security). You raise a nonconformity against clause 6.1.3.e of ISO 27001:2022.

At the closing meeting, the Technical Director issues an extract from an amended Statement of Applicability (as shown) and asks for the nonconformity to be withdrawn.

Select three options of the correct responses of an audit team leader to the request of the Technical Director.

A.

Advise management that the information provided will be reviewed when the auditors have more time.

B.

Advise the Technical Director that his request will be included in the audit report.

C.

Advise the Technical Director that once a nonconformity is raised it cannot be withdrawn.

D.

Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.

E.

Ask the auditor who raised the issue for their opinion on how you should respond to the request.

F.

Inform the Technical Director that the nonconformity will be changed to an Opportunity for Improvement.

G.

Review the documentation produced and withdraw the nonconformity.

Full Access
Question # 16

Select the words that best complete the sentence:

Full Access
Question # 17

During discussions with the individual(s) managing the audit programme of a certification body, the Management System Representative of the client organisation asks for a specific auditor for the certification audit. Select two of the following options for how the individual(s) managing the audit programme should respond.

A.

Advise the Management System Representative that his request can be accepted

B.

Suggest that the Management System Representative chooses another certification body

C.

State that his request will be considered but may not be taken up

D.

Suggest asking the certification body management to permit the request

E.

Advise the Management System Representative that the audit team selection is a decision that the audit programme manager needs to make based on the resources available

Full Access
Question # 18

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

Based on scenario 7, what should Lawsy do prior to the initiation of stage 2 audit?

A.

Perform a quality review of audit findings from stage 1 audit

B.

Define which audit test plans can be combined to verify compliance

C.

Review and confirm the audit plan with the certification body

Full Access
Question # 19

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. You find all nursing home residents wear an electronic wristband for monitoring their location, heartbeat, and blood pressure always. You learned that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.

To verify the scope of ISMS, you interview the management system representative (MSR) who explains that the ISMS scope covers an outsourced data center.

Select one option of the correct statement which defines the content of the scope of the ISMS.

A.

The ISMS scope should not cover external service providers because they can have compliance difficulties with the information security policy and requirements

B.

The ISMS scope should take any information security issues that have occurred and any interested parties' requirements into consideration

C.

The most likely ISMS scope is to cover the IT department and the outsourced data centre

D.

The organisation should only follow the government's recommendation, i.e., legal and legislation to define the ISMS scope

Full Access
Question # 20

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.

The IT Manager presented the software security management procedure and summarised the process as following:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security

functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report, details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorised to approve the test.

The IT Manager explains the test results should be approved by him according to the software security management procedure.

The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You are preparing the audit findings. Select the correct option.

A.

There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

B.

There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)

C.

There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)

D.

There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

Full Access
Question # 21

Which two of the following options do not participate in a first-party audit?

A.

A certification body auditor

B.

An audit team from an accreditation body

C.

An auditor certified by CQI and IRCA

D.

An auditor from a consultancy organisation

E.

An auditor trained in the CQI and IRCA scheme

F.

An auditor trained in the organization

Full Access
Question # 22

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in

the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric

combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and

combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card was

swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their

cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

A.

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times

B.

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

C.

Raise a nonconformity against control A.7.1 'security perimiters' as a secure area is not adequately protected

D.

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined

E.

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier

F.

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities

Full Access
Question # 23

After conducting an external audit, the auditor decided that the internal auditor would follow-up on the implementation of corrective actions until the next surveillance audit. Is this acceptable?

A.

No, only the external auditor should follow up on the implementation of corrective actions after the completion of the audit

B.

Yes, the internal auditor may verify the implementation of corrective actions if it cannot be done by the external auditor

C.

Yes, the internal auditor may follow-up on the implementation of corrective actions until a verification from the external auditor during the surveillance audit

Full Access
Question # 24

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.

The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organisation outsourced the mobile app development to a professional software development organisation with CMMI Level 5, ITSM

(ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.

The IT Manager presents the software security management procedure and summarises the process as follows:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report - Reference ID: 0098, details as follows:

You would like to investigate other areas further to collect more audit evidence. Select three options that will not be in your audit trail.

A.

Collect more evidence on how much residents' family members pay to install ABC's healthcare mobile app. (Relevant to clause 4.2)

B.

Collect more evidence by downloading and testing the mobile app on your phone. (Relevant to control A.8.1)

C.

Collect more evidence to determine the number of users of ABC's healthcare mobile app. (relevant to clause 4.2)

D.

Collect more evidence on how the organisation performs testing of personal data handling. (Relevant to control A.5.34)

E.

Collect more evidence on the organisation's business continuity policy. (Relevant to control A.5.30)

F.

Collect more evidence on how the organisation manages information security in the selection of an external service provider. (Relevant to control A.5.19)

G.

Collect more evidence on how the developer trains its product support personnel. (Relevant to clause 7.2)

Full Access
Question # 25

The following options are key actions involved in a first-party audit. Order the stages to show the sequence in which the actions should take place.

Full Access
Question # 26

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

The audit team photocopied the examined employee training records to support their conclusion. Should the audit team obtain an approval from Lawsy before taking this action? Refer to scenario 7.

A.

Yes. the audit team should obtain the approval of the auditee when verifying the existence of a process in all cases, including when taking notes and photocopying documents

B.

Yes, the audit team can photocopy documents observed during the audit if the auditee agrees to it

C.

No, the audit team has the authority to photocopy documents in order to verify the conformity of a certain document to the audit criteria

Full Access
Question # 27

Which option below is NOT a role of the audit team leader?

A.

Preventing and solving conflict during the audit

B.

Setting up an ethics committee

C.

Preparing and explaining the audit conclusions

Full Access
Question # 28

Which two of the following phrases would apply to "act" in relation to the Plan-Do-Check-Act cycle for a business process?

A.

Auditing processes

B.

Planning changes

C.

Measuring objectives

D.

Resetting objectives

E.

Achieving improvements

F.

Verifying training

Full Access
Question # 29

You are an experienced ISMS audit team leader providing instruction to a class of auditors in training. The subject of today's lesson is the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022.

You provide the class with a series of activities. You then ask the class to sort these activities into the order in which they appear in the standard.

What is the correct sequence they should report back to you?

Full Access
Question # 30

Which two of the following standards are used as ISMS third-party certification audit criteria?

A.

ISO/IEC 27002

B.

ISO/IEC 20000-1

C.

ISO 19011

D.

ISO/IEC 27001

E.

Relavent legal, statutory, and regulatory requirements

F.

ISO/IEC 17021-1

Full Access
Question # 31

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

What would prevent the misunderstanding between the certification body and the Data Grid Inc.?

Refer to scenario 5.

A.

Validating the audit offer

B.

Signing the certification agreement

C.

Defining the audit schedule

Full Access
Question # 32

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

UpNet announced that the ISMS certification scope encompasses the whole company once ensuring that the new department also complies with the ISO/IEC 27001 requirements. How would you classify this situation illustrated in scenario 9?

A.

Unacceptable, the internal auditor should have approved the extension audit, not the top management

B.

Unacceptable, UpNet should have requested and granted an extension audit prior to making the announcement

C.

Acceptable, the internal audit confirmed the effectiveness and efficiency of the existing and new processes and controls

Full Access
Question # 33

Who are allowed to access highly confidential files?

A.

Employees with a business need-to-know

B.

Contractors with a business need-to-know

C.

Employees with signed NDA have a business need-to-know

D.

Non-employees designated with approved access and have signed NDA

Full Access
Question # 34

You are performing an ISMS audit at a European-based residential nursing home called ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process.

During the audit, you learned most of the residents' family members (90%) receive WeCare medical devices promotion advertisements through email and SMS once a week via ABC's healthcare mobile app. All of them do not agree on the use of the collected personal data for marketing or any other purposes than nursing and medical care on the signed service agreement with ABC. They have very strong reason to believe that ABC is leaking residents' and family members' personal information to a non-relevant third party and they have filed complaints.

The Service Manager says that, after investigation, all these complaints have been treated as nonconformities. The corrective actions have been planned and implemented according to the nonconformity and corrective management procedure (Document reference ID: ISMS_L2_10.1, version 1).

You write a nonconformity which you will follow up on later. Select the words that best complete the sentence:

Full Access
Question # 35

You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.

Match each of the descriptions provided to one of the following risk management processes.

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Full Access
Question # 36

Which three of the following work documents are not required for audit planning by an auditor conducting a certification audit?

A.

An audit plan

B.

A sample plan

C.

An organisation's financial statement

D.

A checklist

E.

A career history of the IT manager

F.

A list of external providers

Full Access
Question # 37

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information

security incident management procedure (Document reference ID: ISMS_L2_16, version 4) and explains that the process is

based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported

to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences

in the understanding of the meaning of "weakness, event, and incident".

The IT Security Manager explained that an online "information security handling" training seminar was conducted 6 months

ago. All of the interviewed persons participated in and passed the reporting exercise and course assessment.

You are preparing the audit findings. Select two options that are correct.

A.

There is a nonconformity (NC). The information security incident training has failed. This is not conforming with clause 7.2 and control A.6.3.

B.

There is a nonconformity (NC). The terminology of the the incident management reporting process is unclear as evidenced by staff misunderstanding of the meaning of "weakness, event and incident". This is not conforming with clause 9.1 and control A.5.24.

C.

There is an opportunity for improvement (OFI). The information security incident training effectiveness can be improved. This is relevant to clause 7.2 and control A.6.3.

D.

There is an opportunity for improvement (OFI). The information security weaknesses, events, and incidents are reported. This is relevant to clause 9.1 and control A.5.24.

E.

There is no nonconformance. The information security handling training has been effective. This conforms with clause 7.2 and control A.6.3.

F.

There is no nonconformance. The information security weaknesses, events, and incidents are reported. This conforms with clause 9.1 and control A.5.24.

Full Access
Question # 38

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

Which three of the following options represent valid audit trails?

A.

I will determine whether internal and external sources of information are used in the production of threat intelligence

B.

I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team

C.

I will ensure that the organisation's risk assessment process begins with effective threat intelligence

D.

I will check that the organisation has a fully documented threat intelligence process

E.

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

F.

I will speak to top management to make sure all staff are aware of the importance of reporting threats

G.

I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements

Full Access
Question # 39

Select the correct sequence for the information security risk assessment process in an ISMS.

To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank

Full Access
Question # 40

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the Statement of Applicability (SoA) and mplemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

A.

Confidentiality and nondisclosure agreements

B.

How protection against malware is implemented

C.

Information security awareness, education and training

D.

Remote working arrangements

E.

The conducting of verification checks on personnel

F.

The operation of the site CCTV and door control systems

G.

The organisation's arrangements for information deletion

Full Access
Question # 41

The auditor used sampling to ensure that event logs recording information security events are maintained and regularly reviewed. Sampling was based on the audit objectives, whereas the sample selection process was based on the probability theory. What type of sampling was used?

A.

Statistical sampling

B.

Judgment-based sampling

C.

Systematic sampling

Full Access
Question # 42

You are an experienced ISMS audit team leader guiding an auditor in training. She asks you about the grading of nonconformities in audit reports. You decide to test her knowledge by asking her which four of the following statements are true.

A.

Major nonconformities may be subject to on-site follow up

B.

Nonconformities must be graded only using the terms 'major' or 'minor'

C.

The action taken to address major nonconformities is typically more substantial than the action taken to address minor nonconformities

D.

Very minor nonconformities should be re-graded as opportunities for improvement

E.

Several minor nonconformities can be grouped into a major nonconformity

F.

The grading of nonconformities must be explained to the auditee at the opening meeting

G.

The auditee is always responsible for determining the criteria for grading nonconformities

Full Access
Question # 43

As the ISMS audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.

Complete the sentence with the best word(s), dick on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Full Access
Question # 44

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

Based on this scenario, answer the following question:

Based on scenario 1, the chatbot was unable to properly answer customer queries. Which principle of information security has been affected in this

case?

A.

Availability

B.

Integrity

C.

Confidentiality

Full Access
Question # 45

Which two of the following phrases are 'objectives' in relation to a first-party audit?

A.

Apply international standards

B.

Prepare the audit report for the certification body

C.

Confirm the scope of the management system is accurate

D.

Complete the audit on time

E.

Apply Regulatory requirements

F.

Update the management policy

Full Access
Question # 46

Select the words that best complete the sentence below to describe audit resources:

Full Access
Question # 47

You are preparing the audit findings. Select two options that are correct.

A.

There is an opportunity for improvement (OFI). The iLiirmation security incident training effectiveness can be improved. This is relevant to clause 7.2 and control A.6.3.

B.

There is no nonconformance. The information security weaknesses, events, and incidents are reported. This conforms with clause 9.1 and control A.5.24.

C.

There is no nonconformance. The information security handling training has performed, and its effectiveness was evaluated. This conforms with clause 7.2 and control A.6.3.

D.

There is a nonconformity (NC). Based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel. This is not conforming with clause 9.1 and control A.5.24.

E.

There is a nonconformity (NC). The information security incident training has failed. This is not conforming with clause 7.2 and control A.6.3.

F.

There is an opportunity for improvement (OFI). The information security weaknesses, events, and madents are reported. This is relevant to clause 9.1 and control A.5.24.

Full Access
Question # 48

You are a certification body auditor, conducting a surveillance audit to ISO/IEC 27001:2022 of a data centre operated by a client who provides hosting services for ICT facilities.

You and your guide are currently in one of the private suites that the client rents out to customers. Access to each suite is controlled using a combination lock. CCTV is also installed in every suite.

Within each suite are three data cabinets in which the client can locate mission-critical servers and other items of networking equipment such as switches and routers.

You notice that whilst two of the cabinets in your suite are locked, the third is unlocked. You ask the guide why. They reply "This is because the client is currently swapping out a hard drive unit. Their technician is currently on a lunch break".

What three actions should you undertake next?

A.

Do nothing, the room appears adequately protected so it is unlikely that a security incident has taken place.

B.

Raise a nonconformity against control 5.16 'identity management' as it may not be possible to identify who left the cabinet unlocked.

C.

Raise a nonconformity against control 7.2 'physical entry' as the area where the client's equipment is located is not protected.

D.

Raise a nonconformity against control 7.4 'physical security monitoring' as the private suite is not being continuously monitored for unauthorised physical access.

E.

Raise an opportunity for improvement suggesting cabinet doors are locked whenever clients leave their suites, even if they intend to return within a short time.

F.

Review the CCTV records to ensure that only the client has accessed the cabinet since it was last confirmed as locked.

G.

When the technician returns from lunch, reprimand them for leaving the cabinet open.

Full Access
Question # 49

Which two of the following are examples of audit methods that 'do not' involve human interaction?

A.

Conducting an interview using a teleconferencing platform

B.

Performing a review of auditees procedures in preparation for an audit

C.

Reviewing the auditee's response to an audit finding

D.

Analysing data by remotely accessing the auditee's server

E.

Observing work performed by remote surveillance

F.

Confirming the date and time of the audit

Full Access
Question # 50

Which one of the following options best describes the main purpose of a Stage 2 third-party audit?

A.

To determine readiness for certification

B.

To check for legal compliance by the organisation

C.

To identify nonconformances against a standard

D.

To get to know the organisation's management system

Full Access
Question # 51

Which one of the following options is the definition of an interested party?

A.

A third party can appeal to an organisation when it perceives itself to be affected by a decision or activity

B.

A person or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity

C.

A group or organisation that can interfere in or perceive itself to be interfered with by a management decision

D.

An individual or organisation that can control, be controlled by, or perceive itself to be controlled by a decision or activity

Full Access
Question # 52

Which two of the following statements are true?

A.

The benefits of implementing an ISMS primarily result from a reduction in information security risks

B.

The benefit of certifying an ISMS is to obtain contracts from governmental institutions

C.

The purpose of an ISMS is to apply a risk management process for preserving information security

D.

The purpose of an ISMS is to demonstrate compliance with regulatory requirements

Full Access
Question # 53

You ask the IT Manager why the organisation still uses the mobile app while personal data

encryption and pseudonymisation tests failed. Also, whether the Service Manager is authorised to approve the test.

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You are preparing the audit findings. Select the correct option.

A.

There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)

B.

There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

C.

There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)

D.

There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

Full Access
Question # 54

You see a blue color sticker on certain physical assets. What does this signify?

A.

The asset is very high critical and its failure affects the entire organization

B.

The asset with blue stickers should be kept air conditioned at all times

C.

The asset is high critical and its failure will affect a group/s/project's work in the organization

D.

The asset is critical and the impact is restricted to an employee only

Full Access
Question # 55

Which two activities align with the “Check’’ stage of the Plan-Do-Check-Act cycle when applied to the process of managing an internal audit program as described in ISO 19011?

A.

Retains records of internal audits

B.

Define audit criteria and scope for each internal audit

C.

Update the internal audit programme

D.

Establish a risk-based internal audit programme

E.

Conduct internal audits

F.

Verify effectiveness of the internal audit programme

G.

Review trends in internal audit result

Full Access
Question # 56

An organisation is looking for management system initial certification. Please identify the sequence of the activities to be undertaken by the organisation.

To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank section.

Full Access
Question # 57

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the

Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

A.

Confidentiality and nondisclosure agreements

B.

How protection against malware is implemented

C.

Information security awareness, education and training

D.

Remote working arrangements

E.

The conducting of verification checks on personnel

F.

The operation of the site CCTV and door control systems

G.

The organisation's arrangements for information deletion

Full Access
Question # 58

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

SendPay's representatives stated that the company did not have a plan to follow in case of a contract termination with the company that they outsource activities to. Instead, the top management had identified two other software development companies that could provide the same services. How do you describe this situation?

A.

Unacceptable, SendPay evidence and criteria for identifying alternative software development companies is insufficient

B.

Acceptable, SendPay can decide whether to develop a plan for similar contract terminations or not, hence there is no need for additional evidence

C.

Unacceptable, SendPay must always have a recovery plan in place that states what steps should the company follow

Full Access
Question # 59

You are an ISMS auditor conducting a third-party surveillance audit of a telecom's provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming.

You ask the Chief Tester why and she says, 'It's a result of the recent ISMS upgrade'. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients' configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made'.

Based solely on the information above, which clause of ISO to raise a nonconformity against' Select one.

A.

Clause 7.5 - Documented information

B.

Clause 8.1 - Operational planning and control

C.

Clause 10.2 - Nonconformity and corrective action

D.

Clause 7.3 - Awareness

E.

Clause 7.2 - Competence

F.

Clause 7.4 - Communication

Full Access
Question # 60

Which two of the following options for information are not required for audit planning of a certification audit?

A.

A sampling plan

B.

A document review

C.

The working experience of the management system representative

D.

An audit checklist

E.

An organisation's financial statement

F.

An audit plan

Full Access
Question # 61

You are an ISMS audit team leader preparing to chair a closing meeting following a third-party surveillance audit. You are drafting a closing meeting agenda setting out the topics you wish to discuss with your auditee.

Which one of the following would be appropriate for inclusion?

A.

A detailed explanation of the certification body's complaints process

B.

An explanation of the audit plan and its purpose

C.

A disclaimer that the result of the audit is based on the sampling of evidence

D.

Names of auditees associated with nonconformities

Full Access
Question # 62

Which two of the following statements are true?

A.

Responsibility for managing the audit programme rests with the audit team leader.

B.

The audit plan describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.

C.

Once agreed, the audit plan is fixed and cannot be changed during the conducting of the audi.

D.

The audit programme describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.

E.

The audit plan describes the activities and arrangements for an audit.

F.

The audit programme describes the activities and arrangements for an audit.

Full Access
Question # 63

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in

the Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

A.

Confidentiality and nondisclosure agreements

B.

How access to source code and development tools are managed

C.

How power and data cables enter the building

D.

How protection against malware is implemented

E.

How the organisation evaluates its exposure to technical vulnerabilities

F.

Information security awareness, education and training

G.

The organisation's arrangements for information deletion

Full Access
Question # 64

Costs related to nonconformities and failures to comply with legal and contractual requirements are assessed when defining:

A.

Materiality

B.

Audit risks

C.

Reasonable assurance

Full Access
Question # 65

How are internal audits and external audits related?

A.

Internal audits ensure that the organization regularly monitors the external audit reports and action plans

B.

Internal audits ensure the implementation of the corrective actions before the organization is recommended for certification by the external auditor

C.

Internal audits and external audits are included in the certification cycle, which ensures the monitoring of the management system on a regular basis

Full Access
Question # 66

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

What type of audit is illustrated in the last paragraph of scenario 9?

A.

Surveillance audit

B.

Internal audit

C.

Recertification audit

Full Access
Question # 67

Which option below about the ISMS scope is correct?

A.

ISMS scope should be available as documented information

B.

ISMS scope should ensure continual improvement

C.

ISMS scope should be compatible with the strategic orientation of the organization

Full Access
Question # 68

You are an experienced ISMS audit team leader providing guidance to an auditor in training.

The auditor in training appears to be confused about the interpretation of competence in ISO 27001:2022 and is seeking clarification from you that his understanding is correct. He sets out a series of mini scenarios and asks you which of these you would attribute to a lack of competence. Select four correct options.

A.

An employee recently transferred from the IT networks team to Software development was unaware of the need to complete product release forms prior to shipping

B.

A senior programmer did not check their coding for errors as they were running late for a doctor's appointment

C.

A new starter was unable to switch on CCTV monitoring because they had not been shown how to do this

D.

An IT technician failed to configure a new model of server correctly as a result of not reading the supplied instructions

E.

An experienced receptionist allowed a contractor she recognised to enter the data centre without his access card

F.

A system administrator deleted two live accounts as well as five redundant accounts as a result of receiving an incorrect instruction

G.

A data centre operator inadvertently placed a backup tape into an incorrect drive because they were in a hurry to move on to another task

Full Access
Question # 69

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Why could SendPay not restore their services back in-house after the contract termination? Refer to scenario 4.

A.

Because SendPay did not monitor the technology infrastructure of the outsourced software operations

B.

Because SendPay lacked a comprehensive business continuity plan with potential impact of contract terminations

C.

Because the outsourced software company terminated the contract with SendPay without prior notice

Full Access
Question # 70

A key audit process is the way auditors gather information and determine the findings' characteristics. Put the actions listed in the correct order to complete this process. The last one has been done for you.

Full Access
Question # 71

What is meant by the term 'Corrective Action'? Select one

A.

Action is taken to prevent a nonconformity or an incident from occurring

B.

Action is taken to eliminate the cause(s) of a nonconformity or an incident

C.

Action is taken by management to respond to a nonconformity

D.

Action is taken to fix a nonconformity or an incident

Full Access
Question # 72

Which two of the following statements are true?

A.

The benefit of certifying an ISMS is to show the accreditation certificate on the website.

B.

The purpose of an ISMS is to demonstrate awareness of information security issues by management.

C.

The benefit of certifying an ISMS is to increase the number of customers.

D.

The benefits of implementing an ISMS primarily result from a reduction in information security risks.

E.

The purpose of an ISMS is to apply a risk management process for preserving information security.

F.

The purpose of an ISMS is to demonstrate compliance with regulatory requirements.

Full Access
Question # 73

You are an experienced ISMS audit team leader providing guidance to an auditor in training. She asks you why it is important to have specific criteria relating to the grading of nonconformities.

Which one of the following responses is correct?

A.

Because grading criteria provide a common basis for the evaluation of nonconformities across the organization

B.

Because ISO/IEC 27001:2022 requires it

C.

Because the establishment and implementation of grading criteria demonstrate a high level of commitment to the corrective action process

D.

Because grading criteria will ensure that all auditors score nonconformities in exactly the same way

Full Access
Question # 74

OrgXY is an ISO/IEC 27001-certified software development company. A year after being certified, OrgXY's top management informed the certification body that the company was not ready for conducting the surveillance audit. What happens in this case?

A.

The certification is suspended

B.

The current certification is used until the next surveillance audit

C.

OrgXY transfers its registration to another certification body

Full Access
Question # 75

You are an experienced ISMS audit team leader guiding an auditor in training. You are testing her understanding of follow-up audits by asking her a series of questions to which the answer is either "true* or 'false'. Which four of the following questions should the answer be true"'

A.

A follow-up audit may be carried out where nonconformities are major

B.

A follow-up audit may be carried out where nonconformities are minor

C.

The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified

D.

The outcome of a follow-up audit could lower a major nonconformity to minor status

E.

The outcome of a follow-up audit could be a recommendabon to suspend the client's certification

F.

The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client

G.

A follow-up audit is required in all instances where nonconformities have been identified

Full Access
Question # 76

ISMS (1)---------------helps determine (2)--------------,

A.

(1) Continual improvement, (2) the effectiveness of corrective actions

B.

Q (1) Management review, (2) opportunities for continual improvement

C.

(1) Internal audit, (2) the ISMS scope

Full Access
Question # 77

Which two of the following actions are the individual(s) managing the audit programme responsible for?

A.

Determining the resources necessary for the audit programme

B.

Communicating with the auditee during the audit

C.

Determining the legal requirements applicable to each audit

D.

Keping informed the accreditation body on the progress of the audit programme

E.

Defining the objectives, scope and criteria for an individual audit

F.

Defining the plan of an individual audit

Full Access
Question # 78

In the context of a management system audit, please identify the sequence of a typical process of collecting and verifying information. The first one has been done for you.

Full Access
Question # 79

You are an ISMS auditor conducting a third-party surveillance audit of a telecom's provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming.

You ask the Chief Tester why and she says, 'It's a result of the recent ISMS upgrade'. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients' configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made'.

Based solely on the information above, which clause of ISO/IEC 27001:2022 would be the most appropriate to raise a nonconformity against? Select one.

A.

Clause 10.2 - Nonconformity and corrective action

B.

Clause 7.2 - Competence

C.

Clause 7.5 - Documented information

D.

Clause 8.1 - Operational planning and control

Full Access
Question # 80

An auditor of organisation A performs an audit of supplier B. Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?

A.

Shares the findings with other relevant managers in A

B.

Shares the findings with B's Information Security Manager

C.

Shares the findings with A's supplier evaluation team

D.

Shares the findings with B's other customers

E.

Shares the findings with B's certification body

F.

Shares the findings with other relevant managers in B

Full Access
Question # 81

Which one of the following options is the definition of the context of an organisation?

A.

The control of internal and external issues that can have an effect on an organisation's desire to achieve its objectives

B.

Complexity of internal and external issues that can have an effect on an organisation's approach to developing and achieving its purpose

C.

A combination of internal and external issues that can have an effect on an organisation's approach to developing and achieving its objectives

D.

The coordination of internal and external issues that can have a positive or negative effect on an organisation's success

Full Access
Question # 82

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

Which three of the following options represent valid audit trails?

A.

I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team

B.

I will ensure that the organisation's risk assessment process begins with effective threat intelligence

C.

I will speak to top management to make sure all staff are aware of the importance of reporting threats

D.

I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements

E.

I will check that the organisation has a fully documented threat intelligence process

F.

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

G.

I will review how information relating to information security threats is collected and evaluated to produce threat intelligence

Full Access