PECB ISO-IEC-27001-Lead-Auditor Exam Practice Test Instant Access

Question 1

After conducting an external audit, the auditor decided that the internal auditor would follow-up on the implementation of corrective actions until the next surveillance audit. Is this acceptable?

ANo, only the external auditor should follow up on the implementation of corrective actions after the completion of the audit

BYes, the internal auditor may verify the implementation of corrective actions if it cannot be done by the external auditor

CYes, the internal auditor may follow-up on the implementation of corrective actions until a verification from the external auditor during the surveillance audit

Answer : C

Yes, it is acceptable for the internal auditor to follow-up on the implementation of corrective actions until verified by the external auditor during the next surveillance audit. This practice supports continuous improvement and ensures that corrective actions are effectively implemented and maintained over time.

Question 2

How are internal audits and external audits related?

AInternal audits ensure that the organization regularly monitors the external audit reports and action plans

BInternal audits ensure the implementation of the corrective actions before the organization is recommended for certification by the external auditor

CInternal audits and external audits are included in the certification cycle, which ensures the monitoring of the management system on a regular basis

Answer : C

Internal audits and external audits are integral components of the certification cycle, ensuring regular monitoring of the management system. Internal audits help organizations prepare for external audits by identifying and addressing potential nonconformities, while external audits validate the compliance of the management system with ISO/IEC 27001 standards.

Question 3

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

What type of audit is illustrated in the last paragraph of scenario 9?

ASurveillance audit

BInternal audit

CRecertification audit

Answer : A

The audit described in the last paragraph of scenario 9 is a surveillance audit. This type of audit is conducted periodically to ensure that the certified ISMS continues to fulfill the requirements of the standard after the initial certification.

Question 4

Based on the scenario above, answer the following question:

UpNet outsourced the internal audit function, as provided in scenario 9. Does it impact the internal audit process?

ANo, internal audits do not necessarily have to be independent and objective because they have an advisory role

BNo, because the internal audit process can comprise more than an audit program

CYes, it increases the independence and impartiality of the internal audit because auditors do not have operational roles related to the ISMS

Answer : C

Yes, outsourcing the internal audit function can positively impact the internal audit process by increasing its independence and impartiality. This helps ensure that the internal audits are conducted without any bias or influence from the company's internal management.

Question 5

Based on the scenario above, answer the following question:

UpNet announced that the ISMS certification scope encompasses the whole company once ensuring that the new department also complies with the ISO/IEC 27001 requirements. How would you classify this situation illustrated in scenario 9?

AUnacceptable, the internal auditor should have approved the extension audit, not the top management

BUnacceptable, UpNet should have requested and granted an extension audit prior to making the announcement

CAcceptable, the internal audit confirmed the effectiveness and efficiency of the existing and new processes and controls

Answer : B

This situation is unacceptable because UpNet should have requested and been granted an extension audit prior to announcing that the ISMS certification scope encompasses the whole company, including the new department. Proper procedures need to be followed to extend the certification to additional departments or processes.

Question 6

To verify conformity to control 8.15 Logging of ISO/IEC 27001 Annex A, the audit team verified a sample of server logs to determine if they can be edited or deleted. Which audit procedure was used?

AAnalysis

BSampling

CObservation

Answer : A

The audit procedure used here is 'analysis.' The audit team analyzed server logs to verify if they can be edited or deleted, focusing on evaluating the logs' properties and the controls over their manipulation to ensure they comply with ISO/IEC 27001 requirements.

Question 7

As an auditor, you have noticed that ABC Inc. has established a procedure to manage the removable storage medi

a. The procedure is based on the classification scheme adopted by ABC Inc. Thus, if the information stored is classified as "confidential," the procedure applies. On the other hand, the information that is classified as "public," does not have confidentiality requirements: thus, only a procedure for ensuring its integrity and availability applies. What type of audit finding is this?

ANonconformity

BAnomaly

CConformity

Answer : C

This scenario represents a conformity because ABC Inc. has implemented procedures for managing removable storage media that align with the classification scheme of the information stored. When information is classified as 'confidential,' more stringent procedures apply, whereas for 'public' information, the procedures focus only on integrity and availability, following the organization's defined information classification policy.

PECB ISO/IEC 27001 Lead Auditor Exam Practice Test