[Mar 19, 2024] Latest PECB ISO-IEC-27001-Lead-Auditor Exam Practice Test To Gain Brilliante Result [Q52-Q72]

Latest [Mar 19, 2024] PECB ISO-IEC-27001-Lead-Auditor Exam Practice Test To Gain Brilliante Result

Take a Leap Forward in Your Career by Earning PECB ISO-IEC-27001-Lead-Auditor

NEW QUESTION # 52
In which order is an Information Security Management System set up?

• A. Establishment, implementation, operation, maintenance
• B. Implementation, operation, maintenance, establishment
• C. Implementation, operation, improvement, maintenance
• D. Establishment, operation, monitoring, improvement

Answer: A

Explanation:
The establishment phase of an ISMS involves defining the scope, context, objectives, and leadership commitment for information security management within an organization. It also involves identifying and assessing the risks and opportunities related to information security and selecting the appropriate controls to treat them. The implementation phase of an ISMS involves executing the plans and actions to achieve the information security objectives and implement the selected controls. It also involves ensuring the availability of resources and competencies for information security management. The operation phase of an ISMS involves monitoring and measuring the performance and effectiveness of the ISMS and reporting on the results. It also involves addressing nonconformities and taking corrective actions to prevent recurrence. The maintenance phase of an ISMS involves reviewing and evaluating the ISMS at planned intervals and identifying opportunities for improvement. It also involves updating the ISMS as necessary to reflect changes in the internal and external context of the organization. Therefore, an ISMS is set up in the following order: establishment, implementation, operation, maintenance. Reference: ISO/IEC 27001:2022, clauses 6-10; ISO/IEC 27000:2022, clause 4.

NEW QUESTION # 53
What type of measure involves the stopping of possible consequences of security incidents?

• A. Repressive
• B. Detective
• C. Preventive
• D. Corrective

Answer: A

NEW QUESTION # 54
Cabling Security is associated with Power, telecommunication and network cabling carrying information are protected from interception and damage.

• A. False
• B. True

Answer: B

NEW QUESTION # 55
In regard to generating an audit finding, select the words that best complete the following sentence.
To complete the sentence with the best word(s), click on the blank section you want to complete so that it Is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Answer:

Explanation:

Reference:
ISO 19011:2022 Guidelines for auditing management systems
ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements Components of Audit Findings - The Institute of Internal Auditors

NEW QUESTION # 56
Which two of the following actions are the individual(s) managing the audit programme responsible for?

• A. Communicating with the auditee during the audit
• B. Determining the legal requirements applicable to each audit
• C. Determining the resources necessary for the audit programme
• D. Keping informed the accreditation body on the progress of the audit programme
• E. Defining the plan of an individual audit
• F. Defining the objectives, scope and criteria for an individual audit

Answer: C,D

Explanation:
Explanation
Establishing the audit programme objectives, scope and criteria
Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc.
Selecting and appointing the audit team leaders and auditors
Reviewing and approving the audit plans and arrangements
Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc.
Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities Monitoring and reviewing the performance and results of the audit programme and the audit teams Evaluating the feedback and satisfaction of the auditees and other interested parties Identifying and implementing the opportunities for improvement of the audit programme The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors12:
Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc.
Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc.
Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee Defining the plan of an individual audit, which includes the audit schedule, the audit activities, the audit methods, the audit documents, etc.
References:
ISO 19011:2018 - Guidelines for auditing management systems
PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-20

NEW QUESTION # 57
Who is responsible for Initial asset allocation to the user/custodian of the assets?

• A. Asset Practitioner
• B. Asset Manager
• C. Asset Stakeholder
• D. Asset Owner

Answer: D

NEW QUESTION # 58
You are performing an ISMS initial certification audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to conduct the closing meeting. During the final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and 1 opportunity for improvement as below:

Select one option of the recommendation to the audit programme manager you are going to advise to the auditee at the closing meeting.

• A. Recommend that a full scope re-audit is required within 6 months
• B. Recommend that a partial audit is required within 3 months
• C. Recommend certification immediately
• D. Recommend certification after your approval of the proposed corrective action plan Recommend that the findings can be closed out at a surveillance audit in 1 year
• E. Recommend that an unannounced audit is carried out at a future date

Answer: D

Explanation:
According to ISO/IEC 17021-1:2015, which specifies the requirements for bodies providing audit and certification of management systems, clause 9.4.9 requires the certification body to make a certification decision based on the information obtained during the audit and any other relevant information1. The certification body should also consider the effectiveness of the corrective actions taken by the auditee to address any nonconformities identified during the audit1. Therefore, when making a recommendation to the audit programme manager, an ISMS auditor should consider the nature and severity of the nonconformities and the proposed corrective actions.
Based on the scenario above, the auditor should recommend certification after their approval of the proposed corrective action plan and recommend that the findings can be closed out at a surveillance audit in 1 year. The auditor should provide the following justification for their recommendation:
Justification: This recommendation is appropriate because it reflects the fact that the auditee has only two minor nonconformities and one opportunity for improvement, which do not indicate a significant or systemic failure of their ISMS. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity2. An opportunity for improvement is defined as a suggestion for improvement beyond what is required by ISO/IEC 27001:20222. Therefore, these findings do not prevent or preclude certification, as long as they are addressed by appropriate corrective actions within a reasonable time frame. The auditor should approve the proposed corrective action plan before recommending certification, to ensure that it is realistic, achievable, and effective. The auditor should also recommend that the findings can be closed out at a surveillance audit in 1 year, to verify that the corrective actions have been implemented and are working as intended.
The other options are not valid recommendations for the audit programme manager, as they are either too lenient or too strict for the given scenario. For example:
Recommend certification immediately: This option is not valid because it implies that the auditor ignores or accepts the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:20182, which provides guidelines for auditing management systems. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to consider the effectiveness of the corrective actions taken by the auditee before making a certification decision.
Recommend that a full scope re-audit is required within 6 months: This option is not valid because it implies that the auditor overreacts or exaggerates the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:20182. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to determine whether a re-audit is necessary based on the nature and extent of nonconformities and other relevant factors. A full scope re-audit is usually reserved for major nonconformities or multiple minor nonconformities that indicate a serious or widespread failure of an ISMS.
Recommend that an unannounced audit is carried out at a future date: This option is not valid because it implies that the auditor distrusts or doubts the auditee's commitment or capability to implement corrective actions, which is contrary to the audit principles and objectives of ISO 19011:20182. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to conduct unannounced audits only under certain conditions, such as when there are indications of serious problems with an ISMS or when required by sector-specific schemes.
Recommend that a partial audit is required within 3 months: This option is not valid because it implies that the auditor imposes or prescribes a specific time frame or scope for verifying corrective actions, which is contrary to the audit principles and objectives of ISO 19011:20182. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to determine whether a partial audit is necessary based on the nature and extent of nonconformities and other relevant factors. A partial audit may be appropriate for minor nonconformities, but the time frame and scope should be agreed upon with the auditee and based on the proposed corrective action plan.

NEW QUESTION # 59
You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee's knowledge of ISO/IEC 27001's risk management requirements.
You ask her a series of questions to which the answer is either 'that is true' or 'that is false'. Which four of the following should she answer 'that is true'?

• A. The organisation must operate a risk treatment process to eliminate it's information security risks
• B. The results of risk assessments must be maintained
• C. Risk assessments should be undertaken following significant changes
• D. The organisation must produce a risk treatment plan for every business risk identified
• E. The initial phase in an organisation's risk management process should be information security risk assessment
• F. Risk identification is used to determine the severity of an information security risk
• G. Risks assessments should be undertaken at monthly intervals
• H. ISO/IEC 27001 provides an outline approach for the management of risk

Answer: B,C,D,H

Explanation:
Explanation
The following four statements are true according to ISO/IEC 27001's risk management requirements: 12 The results of risk assessments must be maintained. This is true because clause 8.2.3 of ISO/IEC
27001:2022 requires the organisation to retain documented information of the information security risk assessment process and the results12 ISO/IEC 27001 provides an outline approach for the management of risk. This is true because clause
6.1.2 of ISO/IEC 27001:2022 specifies the general steps for the information security risk management process, which include establishing the risk criteria, assessing the risks, treating the risks, and monitoring and reviewing the risks12 The organisation must produce a risk treatment plan for every business risk identified. This is true because clause 6.1.3 of ISO/IEC 27001:2022 requires the organisation to produce a risk treatment plan that defines the actions to be taken to address the unacceptable risks, the responsibilities, the expected dates, and the resources required12 Risk assessments should be undertaken following significant changes. This is true because clause 8.2.4 of ISO/IEC 27001:2022 requires the organisation to review and update the risk assessment at planned intervals or when significant changes occur12 The following four statements are false according to ISO/IEC 27001's risk management requirements:
Risk identification is used to determine the severity of an information security risk. This is false because risk identification is used to identify the assets, threats, vulnerabilities, and existing controls that are relevant to the information security risk management process. The severity of an information security risk is determined by the risk analysis, which evaluates the likelihood and impact of the risk scenarios12 The organisation must operate a risk treatment process to eliminate its information security risks. This is false because the organisation can choose from four options to treat its information security risks: avoid, transfer, mitigate, or accept. The organisation does not have to eliminate all its information security risks, but only those that are unacceptable according to its risk criteria12 The initial phase in an organisation's risk management process should be information security risk assessment. This is false because the initial phase in an organisation's risk management process should be establishing the risk management framework, which includes defining the risk management policy, objectives, scope, roles, responsibilities, and criteria. The information security risk assessment is the second phase in the risk management process12 Risks assessments should be undertaken at monthly intervals. This is false because there is no fixed frequency for conducting risk assessments in ISO/IEC 27001. The organisation should determine the appropriate intervals for reviewing and updating the risk assessment based on its risk appetite, risk profile, and operational context12 References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

NEW QUESTION # 60
Does the security have the right to ask you to display your ID badges and check your bags?

• A. False
• B. True

Answer: B

Explanation:
Explanation
The security has the right to ask you to display your ID badges and check your bags. This statement is true, as it is part of the physical security measures that the organization implements to prevent unauthorized physical access, damage and interference to its information and information processing facilities. The security personnel are authorized to verify the identity and authorization of anyone entering or leaving the premises, as well as to inspect any bags or items that may contain information or information processing equipment. This is done to ensure that no information or assets are stolen, lost, damaged or compromised by unauthorized persons. ISO/IEC 27001:2022 requires the organization to implement physical and environmental security controls to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities (see clause A.11). References: CQI & IRCA Certified ISO/IEC
27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Physical Security?

NEW QUESTION # 61
Which of the following is a possible event that can have a disruptive effect on the reliability of information?

• A. Vulnerability
• B. Threat
• C. Dependency
• D. Risk

Answer: B

Explanation:
A possible event that can have a disruptive effect on the reliability of information is a threat. A threat is anything that has the potential to harm an asset or its protection, such as a natural disaster, a human error, a malicious attack, etc. A threat can exploit a vulnerability or weakness in an asset or its protection and cause an adverse impact on the confidentiality, integrity or availability of information. ISO/IEC 27001:2022 defines threat as "potential cause of an unwanted incident, which can result in harm to a system or organization" (see clause 3.48). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Threat?

NEW QUESTION # 62
Which one of the following options is the definition of an interested party?

• A. A third party can appeal to an organisation when it perceives itself to be affected by a decision or activity
• B. An individual or organisation that can control, be controlled by, or perceive itself to be controlled by a decision or activity
• C. A person or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity
• D. A group or organisation that can interfere in or perceive itself to be interfered with by a management decision

Answer: C

Explanation:
Explanation
This is the definition of an interested party according to ISO 27001:2013, clause 3.16. An interested party is essentially a stakeholder, i.e., a person or organization that can influence or be influenced by the information security management system (ISMS) or its activities. Interested parties can have different needs and expectations regarding the ISMS, and these should be identified and addressed by the organization.
References:
ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, clause 3.16 PECB Candidate Handbook ISO 27001 Lead Auditor, page 10 Identifying interested parties and their expectations for an ISO 27001 ISMS Examples of ISO 27001 interested parties

NEW QUESTION # 63
You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.
Your colleague seems unsure as to the difference between an information security event and an information security incident. You attempt to explain the difference by providing examples.
Which three of the following scenarios can be defined as information security incidents?

• A. The organisation's malware protection software prevents a virus
• B. The organisation receives a phishing email
• C. A contractor who has not been paid deletes top management ICT accounts
• D. The organisation fails a third-party penetration test
• E. An unhappy employee changes payroll records without permission
• F. An employee fails to clear their desk at the end of their shift
• G. The organisation's marketing data is copied by hackers and sold to a competitor
• H. A hard drive is used after its recommended replacement date

Answer: C,E,G

Explanation:
Explanation
According to ISO/IEC 27000:2018, which provides an overview and vocabulary of information security management systems, an information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant1. An information security incident is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security1. Therefore, based on this definition, three examples of information security incidents are:
* A contractor who has not been paid deletes top management ICT accounts: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in loss of access, data, or functionality for the top management.
* An unhappy employee changes payroll records without permission: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in financial fraud, legal liability, or reputational damage for the organization.
* The organisation's marketing data is copied by hackers and sold to a competitor: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in loss of confidentiality, competitive advantage, or customer trust for the organization.
The other options are not examples of information security incidents, but rather information security events that may or may not lead to incidents depending on their impact and severity. For example:
* The organisation's malware protection software prevents a virus: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, as it is prevented by the malware protection software.
* A hard drive is used after its recommended replacement date: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless it fails or causes other problems.
* The organisation receives a phishing email: This is an example of an identified occurrence of a network state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless it is opened or responded to by the recipient.
* An employee fails to clear their desk at the end of their shift: This is an example of an identified occurrence of a service state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless the desk contains sensitive or confidential information that is accessed by unauthorized persons.
* The organisation fails a third-party penetration test: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless the penetration test reveals serious vulnerabilities that are exploited by malicious actors.
References: ISO/IEC 27000:2018 - Information technology - Security techniques - Information security management systems - Overview and vocabulary

NEW QUESTION # 64
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity against ISO 27001:2022 based on the lack of control of the labelling process.
At the closing meeting, the Shipping Manager issues an apology to you that his comments may have been misunderstood. He says that he did not realise that there is a background IT process that automatically checks that the right label goes onto the right parcel otherwise the parcel is ejected at labelling. He asks that you withdraw your nonconformity.
Select three options of the correct responses that you as the audit team leader would make to the request of the Shipping Manager.

• A. Inform the Shipping Manager that the nonconformity is minor and should be quickly corrected
• B. Advise the Shipping Manager that the nonconformity must stand since the evidence obtained for it was dear
• C. Advise management that the new information provided will be discussed when the auditors have more time
• D. Indicate that the nonconformity is evidence of a deeper system failure that needs to be rectified
• E. Ask the audit team members to state what they think should happen
• F. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed
• G. Inform him of your understanding and withdraw the nonconformity
• H. Advise the Shipping Manager that his request will be included in the audit report

Answer: C,F,H

Explanation:
Explanation
* A. Advise the Shipping Manager that his request will be included in the audit report. This is true because the audit report should document all the relevant information and evidence related to the audit, including any requests or objections raised by the auditee. The audit report should also provide the rationale for the audit conclusions and recommendations12.
* B. Advise management that the new information provided will be discussed when the auditors have more time. This is true because the auditors should not make hasty decisions based on incomplete or unverified information. The auditors should review and evaluate the new information in a systematic and objective manner, and determine whether it affects the audit findings, nonconformities, or conclusions12.
* F. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed. This is true because the auditors should acknowledge and appreciate the cooperation and transparency of the auditee, but also maintain their professional integrity and independence. The auditors should not withdraw a nonconformity unless they are satisfied that it was raised in error or that it has been effectively corrected and verified12.
References :=
* ISO 19011:2022 Guidelines for auditing management systems
* ISO/IEC 17021-1:2022 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements

NEW QUESTION # 65
Which two of the following phrases would apply to "plan" in relation to the Plan-Do-Check-Act cycle for a business process?

• A. Organising changes
• B. Providing ICT assets
• C. Retaining documentation
• D. Retaining documentation
• E. Setting objectives
• F. Training staff

Answer: E,F

Explanation:
Explanation
The Plan-Do-Check-Act (PDCA) cycle is a four-step method for implementing and improving processes, products, or services. The "plan" phase involves establishing the objectives and processes necessary to deliver the desired results. This may include setting SMART goals, identifying resources, defining roles and responsibilities, conducting risk assessments, and developing plans for training, communication, and monitoring.
References:
* ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
* ISO 19011:2018 Guidelines for auditing management systems [Section 5.3.1]

NEW QUESTION # 66
Stages of Information

• A. creation, evolution, maintenance, use, disposition
• B. creation, distribution, maintenance, disposition, use
• C. creation, use, disposition, maintenance, evolution
• D. creation, distribution, use, maintenance, disposition

Answer: D

Explanation:
Explanation
The stages of information are creation, distribution, use, maintenance, and disposition. These are the phases that information goes through during its lifecycle, from the moment it is generated to the moment it is destroyed or archived. Each stage of information has different security requirements and risks, and should be managed accordingly. Creation, evolution, maintenance, use, and disposition are not the correct stages of information, as evolution is not a distinct stage, but a process that can occur in any stage. Creation, use, disposition, maintenance, and evolution are not the correct stages of information, as they are not in the right order. Creation, distribution, maintenance, disposition, and use are not the correct stages of information, as they are not in the right order. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 32. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 12.

NEW QUESTION # 67
Backup media is kept in the same secure area as the servers. What risk may the organisation be exposed to?

• A. After a fire, the information systems cannot be restored
• B. Unauthorised persons will have access to both the servers and backups
• C. Responsibility for the backups is not defined well
• D. After a server crash, it will take extra time to bring it back up again

Answer: A

Explanation:
Explanation
The risk that the organization may be exposed to if backup media is kept in the same secure area as the servers is that after a fire, the information systems cannot be restored. Backup media is a copy of data or information that can be used to restore the original data or information in case of loss, corruption or destruction. Backup media should be stored in a different location from the original data or information, preferably in a remote or off-site location, to ensure its availability and protection from physical threats and hazards. If backup media is kept in the same secure area as the servers, it means that both the original data and the backup data are vulnerable to the same physical threats and hazards, such as fire, flood, theft, etc. If a fire occurs in the secure area, both the servers and the backup media could be damaged or destroyed, making it impossible to restore the information systems and resume normal operations. References: [CQI & IRCA Certified ISO/IEC
27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Backup Media?

NEW QUESTION # 68
Please match the roles to the following descriptions:

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable test from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Answer:

Explanation:

Explanation

The auditee is the organization or part of it that is subject to the audit. The auditee could be internal or external to the audit client . The auditee should cooperate with the audit team and provide them with access to relevant information, documents, records, personnel, and facilities .
The audit client is the organization or person that requests an audit. The audit client could be internal or external to the auditee . The audit client should define the audit objectives, scope, criteria, and programme, and appoint the audit team leader .
The technical expert is a person who provides specific knowledge or expertise relating to the organization, activity, process, product, service, or discipline to be audited. The technical expert could be internal or external to the audit team . The technical expert should support the audit team in collecting and evaluating audit evidence, but should not act as an auditor .
The observer is a person who accompanies the audit team but does not act as an auditor. The observer could be internal or external to the audit team . The observer should observe the audit activities without interfering or influencing them, unless agreed otherwise by the audit team leader and the auditee .
References :=
[ISO 19011:2022 Guidelines for auditing management systems]
[ISO/IEC 17021-1:2022 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements]

NEW QUESTION # 69
What is the security management term for establishing whether someone's identity is correct?

• A. Authentication
• B. Authorisation
• C. Identification
• D. Verification

Answer: A

NEW QUESTION # 70
CEO sends a mail giving his views on the status of the company and the company's future strategy and the CEO's vision and the employee's part in it. The mail should be classified as

• A. Internal Mail
• B. Public Mail
• C. Restricted Mail
• D. Confidential Mail

Answer: A

Explanation:
The mail sent by the CEO giving his views on the status of the company and the company's future strategy and the CEO's vision and the employee's part in it should be classified as internal mail. Internal mail is a type of classification that indicates that the information is intended for internal use only, and should not be disclosed to external parties without authorization. The mail sent by the CEO contains information that is relevant and important for the employees of the company, but may not be suitable for public disclosure, as it may contain sensitive or confidential information about the company's performance, goals, or plans. Reference: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 34. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 37. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 14.

NEW QUESTION # 71
Which two of the following statements are true?

• A. As part of a certification body audit the auditor is resporable for verifying the organisation's legal compliance status
• B. The role of a certification body auditor involves evaluating the organisation's processes for ensuring compliance with their legal requirements
• C. Curing a third-party audit, the auditor evaluates how the organisation ensures that 4 6 made aware of changes to the legal requirements

Answer: B,C

Explanation:
Explanation
The following statements are true:
The role of a certification body auditor involves evaluating the organization's processes for ensuring compliance with their legal requirements. This is part of the auditor's responsibility to assess the effectiveness and conformity of the organization's ISMS against the ISO/IEC 27001:2022 standard and the applicable legal and regulatory requirements.
During a third-party audit, the auditor evaluates how the organization ensures that they are made aware of changes to the legal requirements. This is part of the auditor's responsibility to verify that the organization has established and maintained a process for identifying and updating their legal and other requirements related to information security. The following statement is false:
As part of a certification body audit, the auditor is responsible for verifying the organization's legal compliance status. This is not true, as the auditor is not authorized or qualified to provide legal advice or judgment on the organization's compliance status. The auditor can only report on the evidence of compliance or noncompliance observed during the audit, but the ultimate responsibility for ensuring legal compliance lies with the organization. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 66. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 67. ISO/IEC 27001 LEAD AUDITOR - PECB, page 22.

NEW QUESTION # 72
......

The ISO/IEC 27001 standard is an internationally recognized framework that provides a systematic approach to managing and protecting sensitive information. The standard outlines best practices for implementing an ISMS, which is a set of policies, procedures, and processes that manage information risks, ensure confidentiality, integrity, and availability of information. The ISO/IEC 27001 lead auditor certification validates a professional's ability to audit and assess an organization's ISMS based on the ISO/IEC 27001 standard.

In order to be eligible for the PECB ISO-IEC-27001-Lead-Auditor certification exam, candidates must have a minimum of five years of professional experience, with at least two years of experience in information security management and one year of experience in ISMS audits. They must also have completed a PECB-recognized lead auditor training course or equivalent. Upon successful completion of the exam, candidates will receive a PECB Certified ISO/IEC 27001 Lead Auditor certificate that is valid for three years.

 

Authentic Best resources for ISO-IEC-27001-Lead-Auditor Online Practice Exam: https://www.actual4cert.com/ISO-IEC-27001-Lead-Auditor-real-questions.html

Updates Up to 365 days On Developing ISO-IEC-27001-Lead-Auditor Braindumps: https://drive.google.com/open?id=1zWrDZoKemboRMiV5FQ-6Alog1j-L-uOS