Weekend Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

PECB ISO-IEC-27001-Lead-Auditor - PECB Certified ISO/IEC 27001 2022 Lead Auditor exam

PECB ISO-IEC-27001-Lead-Auditor Premium Access     Download Demo    
Page: 1 / 11
Total 368 questions

Scenario:

Northstorm is an online retail shop offering unique vintage and modern accessories. It initially entered a small market but gradually grew thanks to the development of the overall e-commerce landscape. Northstorm works exclusively online and ensures efficient payment processing, inventory management, marketing tools, and shipment orders. It uses prioritized ordering to receive, restock, and ship its most popular products.

Northstorm has traditionally managed its IT operations by hosting its website and maintaining full control over its infrastructure, including hardware, software, and data administration. However, this approach hindered its growth due to the lack of responsive infrastructure. Seeking to enhance its e-commerce and payment systems, Northstorm opted to expand its in-house data centers, completing the expansion in two phases over three months. Initially, the company upgraded its core servers, point-of-sale, ordering, billing, database, and backup systems. The second phase involved improving mail, payment, and network functionalities. Additionally, during this phase, Northstorm adopted an international standard for personally identifiable information (PII) controllers and PII processors regarding PII processing to ensure its data handling practices were secure and compliant with global regulations.

Despite the expansion, Northstorm's upgraded data centers failed to meet its evolving business demands. This inadequacy led to several new challenges, including issues with order prioritization. Customers reported not receiving priority orders, and the company struggled with responsiveness. This was largely due to the main server's inability to process orders from YouDecide, an application designed to prioritize orders and simulate customer interactions. The application, reliant on advanced algorithms, was incompatible with the new operating system (OS) installed during the upgrade.

Faced with urgent compatibility issues, Northstorm quickly patched the application without proper validation, leading to the installation of a compromised version. This security lapse resulted in the main server being affected and the company's website going offline for a week. Recognizing the need for a more reliable solution, the company decided to outsource its website hosting to an e-commerce provider. The company signed a confidentiality agreement concerning product ownership and conducted a thorough review of user access rights to enhance security before transitioning.

Question:

Based on Scenario 1, which international standard did Northstorm adopt during the second phase of expansion?

A.

ISO/IEC 27701

B.

ISO/IEC 27009

C.

ISO/IEC 27003

Scenario 8: Tessa. Malik, and Michael are an audit team of independent and qualified experts in the field of security, compliance, and business planning and strategies. They are assigned to conduct a certification audit in Clastus, a large web design company. They have previously shown excellent work ethics, including impartiality and objectiveness, while conducting audits. This time, Clastus is positive that they will be one step ahead if they get certified against ISO/IEC 27001.

Tessa, the audit team leader, has expertise in auditing and a very successful background in IT-related issues, compliance, and governance. Malik has an organizational planning and risk management background. His expertise relies on the level of synthesis and analysis of an organization's security controls and its risk tolerance in accurately characterizing the risk level within an organization On the other hand, Michael is an expert in the practical security of controls assessment by following rigorous standardized programs.

After performing the required auditing activities, Tessa initiated an audit team meeting They analyzed one of Michael s findings to decide on the issue objectively and accurately. The issue Michael had encountered was a minor nonconformity in the organization's daily operations, which he believed was caused by one of the organization's IT technicians As such, Tessa met with the top management and told them who was responsible for the nonconformity after they inquired about the names of the persons responsible

To facilitate clarity and understanding, Tessa conducted the closing meeting on the last day of the audit. During this meeting, she presented the identified nonconformities to the Clastus management. However, Tessa received advice to avoid providing unnecessary evidence in the audit report for the Clastus certification audit, ensuring that the report remains concise and focused on the critical findings.

Based on the evidence examined, the audit team drafted the audit conclusions and decided that two areas of the organization must be audited before the certification can be granted. These decisions were later presented to the auditee, who did not accept the findings and proposed to provide additional information. Despite the auditee's comments, the auditors, having already decided on the certification recommendation, did not accept the additional information. The auditee's top management insisted that the audit conclusions did not represent reality, but the audit team remained firm in their decision.

Based on the scenario above, answer the following question:

Question:

The audit team did not accept Clastus's additional information because they had already made the certification recommendation. Is this acceptable?

A.

Yes, once the audit team decides on a certification recommendation, they cannot accept any additional information

B.

No, the auditee can provide additional information if they disagree with the certification recommendation

C.

No, the auditor should not consider revisions that resulted from discussions with the auditee in the certification recommendation decision

The audit lifecycle describes the ISO 19011 process for conducting an individual audit. Drag and drop the steps of the audit lifecycle into the correct sequence.

Information or data that are classified as ______ do not require labeling.

A.

Public

B.

Internal

C.

Confidential

D.

Highly Confidential

Question:

Which option below is correct about the audit plan?

A.

The audit plan involves the use of several audit procedures

B.

The audit plan should be flexible to allow for modifications

C.

The auditee’s top management prepares the audit plan

The audit team leader decided to involve a technical expert as part of the audit team, so they could fill the potential gaps of the audit team members' knowledge. What should the audit team leader consider in this case?

A.

The technical expert is allowed to take decisions related to the audit process when it is needed

B.

The technical expert should discuss their concerns directly with the certification body, and not with the auditor

C.

The technical expert can communicate their audit findings to the auditee only through one of the audit team members

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.

The next step in your audit plan is to verify the information security on ABC's healthcare mobile app

development, support, and lifecycle process. During the audit, you learned the organization outsourced the

mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC

20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified. The IT Manager presented the software

security management procedure and summarised the process as follows:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a

minimum. The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report - details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data

encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to

approve the test.

The IT Manager explains the test results should be approved by him according to the software

security management procedure. The reason why the encryption and pseudonymization functions

failed is that these functions heavily slowed down the system and service performance. An extra

150% of resources are needed to cover this. The Service Manager agreed that access control is

good enough and acceptable. That's why the Service Manager signed the approval.

You sample one of the medical staff's mobile and found that ABC's healthcare mobile app, version

1.01 is installed. You found that version 1.01 has no test record.

The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app

development company gave a free minor update on the tested software, performed an emergency

release of the updated software, and gave a verbal guarantee that there will be no impact on any

security functions. Based on his 20 years of information security experience, there is no need to re-

test.

You are preparing the audit findings Select two options that are correct.

A.

There is a nonconformity (NC). The IT. Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

B.

There is a nonconformity (NC). The organisation does not control planned changes and review the consequences of unintended changes. (Relevant to clause 8.1)

C.

There is an opportunity for improvement (OI). The IT Manager should make the decision to continue the service based on appropriate testing. (Relevant to clause 8.1, control A.8.30)

D.

There is an opportunity for improvement (OI). The organisation selects an external service provider based on the extent of free services it will provide. (Relevant to clause 8.1, control A.5.21)

E.

There is NO nonconformity (NC). The IT Manager demonstrates good leadership. (Relevant to clause 5.1, control 5.4)

F.

There is NO nonconformity (NC). The IT Manager demonstrates he is fully competent. (Relevant to clause 7.2)

You are an ISMS auditor conducting a third-party surveillance audit of a telecom's provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming.

You ask the Chief Tester why and she says, 'It's a result of the recent ISMS upgrade'. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients' configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made'.

Based solely on the information above, which clause of ISO/IEC 27001:2022 would be the most appropriate to raise a nonconformity against? Select one.

A.

Clause 10.2 - Nonconformity and corrective action

B.

Clause 7.2 - Competence

C.

Clause 7.5 - Documented information

D.

Clause 8.1 - Operational planning and control

In regard to generating an audit finding, select the words that best complete the following sentence.

To complete the sentence with the best word(s), click on the blank section you want to complete so that it Is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% erf the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.

The Service Manager says that the complaints were investigated as an information security incident which found that they were justified. Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.

You write a nonconformity "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents' and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members"

Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity

A.

ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA)

B.

The Service Manager provides evidence of analysis of the cause of nonconformity and how the ABC evaluates the effectiveness of implemented corrective actions

C.

ABC instructs all staff to follow the signed healthcare service agreement with residents' family members

D.

ABC conducts a management review to take the feedback from residents' family members into consideration

E.

ABC needs to collect more evidence on how the organisation defines the management system scope and find out if they covered WeCare the medical device manufacturer

F.

ABC identifies and checks compliance with all applicable legislation and contractual requirements involving third parties

G.

The Service Manager implements the corrective actions and Customer Service Representatives evaluate the effectiveness of implemented corrective actions