New Year Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

ISO-IEC-27001-Lead-Auditor Questions and Answers

Question # 6

Which two of the following options for information are not required for audit planning of a certification audit?

A.

A sampling plan

B.

A document review

C.

The working experience of the management system representative

D.

An audit checklist

E.

An organisation's financial statement

F.

An audit plan

Full Access
Question # 7

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

Based on scenario 7, what should Lawsy do prior to the initiation of stage 2 audit?

A.

Perform a quality review of audit findings from stage 1 audit

B.

Define which audit test plans can be combined to verify compliance

C.

Review and confirm the audit plan with the certification body

Full Access
Question # 8

The audit team leader decided to involve a technical expert as part of the audit team, so they could fill the potential gaps of the audit team members' knowledge. What should the audit team leader consider in this case?

A.

The technical expert is allowed to take decisions related to the audit process when it is needed

B.

The technical expert should discuss their concerns directly with the certification body, and not with the auditor

C.

The technical expert can communicate their audit findings to the auditee only through one of the audit team members

Full Access
Question # 9

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next

step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support,

and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a

professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and

ISMS (ISO/IEC 27001) certified.

The IT Manager presented the software security management procedure and summarised the process as following:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum.

The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report, details as follows:

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You are preparing the audit findings. Select the correct option.

A.

There is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)

B.

There is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)

C.

There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

D.

There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

Full Access
Question # 10

The audit team leader prepares the audit plan for an initial certification stage 2 audit to ISO/IEC 27001:2022.

Which one of the following statements is true?

A.

The audit team leader should make sure the audit has the support of a Technical Expert

B.

The audit team leader should appoint audit team members with IT experience

C.

The audit team leader should plan to interview each employee within the scope

D.

The organisation should review the audit plan for agreement

Full Access
Question # 11

Which two of the following standards are used as ISMS third-party certification audit criteria?

A.

ISO/IEC 27002

B.

ISO/IEC 20000-1

C.

ISO 19011

D.

ISO/IEC 27001

E.

Relavent legal, statutory, and regulatory requirements

F.

ISO/IEC 17021-1

Full Access
Question # 12

You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's risk management process.

He is attempting to update the current documentation to make it easier for other managers to understand, however, it is clear from your discussion he is confusing several key terms.

You ask him to match each of the descriptions with the appropriate risk term. What should the correct answers be?

Full Access
Question # 13

During an opening meeting of a Stage 2 audit, the Managing Director of the client organisation invites the audit team to view a new company video lasting 45 minutes. Which two of the following responses should the audit team leader make?

A.

Advise the Managing Director that the audit team has to keep to the planned schedule

B.

State that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team

C.

Invite the Managing Director to the auditors' hotel for a viewing that evening.

D.

Suggest that the video could be viewed during a refreshment break

E.

State that the audit team will make a decision on the viewing at a later time

F.

Advise the Managing Director that the audit team agrees to his request

Full Access
Question # 14

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

How do you evaluate the evidence obtained related to the monitoring process of outsourced operations? Refer to scenario 4.

A.

Irrelevant, monitoring the outsourced operations is not a requirement of the standard

B.

Not reliable. SendPay provided only verbal evidence regarding the monitoring of its outsourced operations

C.

Appropriate and sufficient, verbal confirmation from the SendPay's representatives indicates that the they were aware that outsourced operations must be monitored

Full Access
Question # 15

What is we do in ACT - From PDCA cycle

A.

Take actions to continually monitor process performance

B.

Take actions to continually improve process performance

C.

Take actions to continually monitor process performance

D.

Take actions to continually improve people performance

Full Access
Question # 16

ISMS (1)---------------helps determine (2)--------------,

A.

(1) Continual improvement, (2) the effectiveness of corrective actions

B.

Q (1) Management review, (2) opportunities for continual improvement

C.

(1) Internal audit, (2) the ISMS scope

Full Access
Question # 17

You are an experienced ISMS auditor conducting a third-party surveillance audit at an organisation which offers ICT reclamation services. ICT equipment which companies no longer require is processed by the organisation. It Is either recommissioned and reused or is securely destroyed.

You notice two servers on a bench in the corner of the room. Both have stickers on item with the server's name, IP address and admin password. You ask the ICT Manager about them, and he tells you they were part of a shipment received yesterday from a regular customer.

Which one action should you take?

A.

Ask the ICT Manager to record an information security incident and initiate the information security incident management process

B.

Note the audit finding and check the process for dealing with incoming shipments relating to customer IT security

C.

Record what you have seen in your audit findings, but take no further action

D.

Raise a nonconformity against control 5.31 Legal, staturary, regulatory and contractual requirements'

E.

Raise a nonconformity against control 8.20 'network security’ (networks and network devices shall be secured, managed and controlled to protect information in systems and applications)

F.

Ask the auditee to remove the labels, then carry on with the audit

Full Access
Question # 18

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Regarding the third situation observed, auditors themselves tested the configuration of firewalls implemented in SendPay's network. How do you describe this situation? Refer to scenario 4.

A.

Acceptable, technical evidence is required to validate the operation of technical processes

B.

Unacceptable, the auditors should only observe the testing of system or equipment configurations and not test the system themselves

C.

Unacceptable, firewall configurations should not be tested during an audit since this can have an impact systems' operation

Full Access
Question # 19

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

What type of security control does the use of black box testing represent? Refer to scenario 1.

A.

Corrective and technical

B.

Detective and managerial

C.

Preventive and technical

Full Access
Question # 20

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

Based on scenario 5, the audit team disagreed with the proposed audit duration by Data Grid Inc. for the ISMS audit. How do you describe such a situation?

A.

Acceptable, auditors have the right to object, even refuse the audit mandate, if they deem that the audit duration is not sufficient

B.

Unacceptable, the audit duration is defined by the auditee and cannot be changed by the auditors

C.

Unacceptable, once the audit mandate is accepted, the audit duration cannot be changed

Full Access
Question # 21

How are internal audits and external audits related?

A.

Internal audits ensure that the organization regularly monitors the external audit reports and action plans

B.

Internal audits ensure the implementation of the corrective actions before the organization is recommended for certification by the external auditor

C.

Internal audits and external audits are included in the certification cycle, which ensures the monitoring of the management system on a regular basis

Full Access
Question # 22

What is meant by the term 'Corrective Action'? Select one

A.

Action is taken to prevent a nonconformity or an incident from occurring

B.

Action is taken to eliminate the cause(s) of a nonconformity or an incident

C.

Action is taken by management to respond to a nonconformity

D.

Action is taken to fix a nonconformity or an incident

Full Access
Question # 23

You are an experienced ISMS audit team leader, talking to an Auditor in training who has been assigned to your audit team. You want to ensure that they understand the importance of the Check stage of the Plan-Do-Check-Act cycle in respect of the operation of the information security management system.

You do this by asking him to select the words that best complete the sentence:

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Full Access
Question # 24

Integrity of data means

A.

Accuracy and completeness of the data

B.

Data should be viewable at all times

C.

Data should be accessed by only the right people

Full Access
Question # 25

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

According to scenario 6, the marketing department employees were not following the access control policy. Which option is correct in this case?

A.

The marketing department is not included in the audit scope, so the issue should only be communicated to Sinvestment's representatives

B.

The employees' access right control is included in Sinvestment’s information security policy, so the issue must be communicated to Sinvestment's representatives and included in the audit report

C.

Sinvestment is not controlling the employees' access rights, which represents a potential information security risk and should be reported as a major nonconformity

Full Access
Question # 26

In the context of a management system audit, please identify the sequence of a typical process of collecting and verifying information. The first one has been done for you.

Full Access
Question # 27

You are the person responsible for managing the audit programme and deciding the size and composition of the audit team for a specific audit. Select the two factors that should be considered.

A.

The audit scope and criteria

B.

Customer relationships

C.

The overall competence of the audit team needed to achieve audit objectives

D.

Seniority of the audit team leader

E.

The cost of the audit

F.

The duration preferred by the auditee

Full Access
Question # 28

Which two of the following options do not participate in a first-party audit?

A.

A certification body auditor

B.

An audit team from an accreditation body

C.

An auditor certified by CQI and IRCA

D.

An auditor from a consultancy organisation

E.

An auditor trained in the CQI and IRCA scheme

F.

An auditor trained in the organization

Full Access
Question # 29

You are an experienced ISMS audit team leader who is currently conducting a third party initial certification audit of a new client, using ISO/IEC 27001:2022 as your criteria.

It is the afternoon of the second day of a 2-day audit, and you are just about to start writing your audit report. So far no nonconformities have been identified and you and your team have been impressed with both the site and the organisation's ISMS.

At this point, a member of your team approaches you and tells you that she has been unable to complete her assessment of leadership and commitment as she has spent too long reviewing the planning of changes.

Which one of the following actions will you take in response to this information?

A.

Apologise to the client and tell them you will return at a later date to review leadership and commitment.

B.

Suggest to the client that if they are prepared to upgrade your return flight to first class you will audit leadership and commitment in your own time tomorrow.

C.

Advise the auditee and audit client that it is not possible to make a positive recommendation at this point.

D.

Advise the auditee that the certification audit will need to be terminated and rescheduled.

E.

Contact the individual managing the audit programme and seek their permission to record a positive recommendation in the audit report.

F.

Contact your head office and await their further instructions of how to proceed.

G.

Given there have been no nonconformities identified and the overall impression of the organisation has been a good one, record a positive recommendation for certification in the audit report.

Full Access
Question # 30

An audit team leader is planning a follow-up audit after the completion of a third-party surveillance audit earlier in the year. They have decided they will verify the nonconformities that require corrections before they move on to consider corrective actions.

Based on the descriptions below, which four of the following are corrections for nonconformities identified at the surveillance?

A.

A signature missing from a client's contract for the supply of data services was added

B.

A software installation guide which had not been sent to the client along with their new system was posted out

C.

An incorrectly dated purchase order for a new network switch was rectified

D.

Data centre staff not carrying out backups in accordance with specified procedures were retrained

E.

Hard drive HD302 which had been colour-coded green (available for use) instead of red (to be destroyed) was removed from the system

F.

Scheduled management reviews, having been missed, were prioritised by the General Manager for holding on a specific date twice each following year

G.

The documented process for product shipment, which did not reflect how this activity was conducted by the despatch team, was re-written and the team trained accordingly

Full Access
Question # 31

Select the word that best completes the sentence:

Full Access
Question # 32

An auditor of organisation A performs an audit of supplier B. Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?

A.

Shares the findings with other relevant managers in A

B.

Shares the findings with B's Information Security Manager

C.

Shares the findings with A's supplier evaluation team

D.

Shares the findings with B's other customers

E.

Shares the findings with B's certification body

F.

Shares the findings with other relevant managers in B

Full Access
Question # 33

Which two of the following statements are true?

A.

The benefit of certifying an ISMS is to show the accreditation certificate on the website.

B.

The purpose of an ISMS is to demonstrate awareness of information security issues by management.

C.

The benefit of certifying an ISMS is to increase the number of customers.

D.

The benefits of implementing an ISMS primarily result from a reduction in information security risks.

E.

The purpose of an ISMS is to apply a risk management process for preserving information security.

F.

The purpose of an ISMS is to demonstrate compliance with regulatory requirements.

Full Access
Question # 34

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

What type of audit is illustrated in the last paragraph of scenario 9?

A.

Surveillance audit

B.

Internal audit

C.

Recertification audit

Full Access
Question # 35

Which one of the following conclusions in the audit report is not required by the certification body when deciding to grant certification?

A.

The corrections taken by the organisation related to major nonconformities have been accepted.

B.

The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.

C.

The plans to address corrective actions related to minor nonconformities have been accepted

D.

The scope of certification has been fulfilled

Full Access
Question # 36

Which two of the following phrases are 'objectives' in relation to a first-party audit?

A.

Apply international standards

B.

Prepare the audit report for the certification body

C.

Confirm the scope of the management system is accurate

D.

Complete the audit on time

E.

Apply Regulatory requirements

F.

Update the management policy

Full Access
Question # 37

The scope of an organization certified against ISO/IEC 27001 states that they provide editing and web hosting services. However, due to some changes in the organization, the technical support related to the web hosting services has been outsourced. Should a change in the scope be initiated in this case?

A.

Yes, because any change in the external environment initiates a change in the scope

B.

No, because the change does not require implementation of new security controls

C.

No, because the organization is already certified for its editing and web hosting services

Full Access
Question # 38

Select the words that best complete the sentence:

To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Full Access
Question # 39

Which one of the following options is the definition of the context of an organisation?

A.

The control of internal and external issues that can have an effect on an organisation's desire to achieve its objectives

B.

Complexity of internal and external issues that can have an effect on an organisation's approach to developing and achieving its purpose

C.

A combination of internal and external issues that can have an effect on an organisation's approach to developing and achieving its objectives

D.

The coordination of internal and external issues that can have a positive or negative effect on an organisation's success

Full Access
Question # 40

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

Based on this scenario, answer the following question:

The chatbot was supposed "to learn" the queries pattern to address user queries and provide the right answers. What type of technology enables

this?

A.

Artificial intelligence

B.

Cloud computing

C.

Machine learning

Full Access
Question # 41

Which two activities align with the “Check’’ stage of the Plan-Do-Check-Act cycle when applied to the process of managing an internal audit program as described in ISO 19011?

A.

Retains records of internal audits

B.

Define audit criteria and scope for each internal audit

C.

Update the internal audit programme

D.

Establish a risk-based internal audit programme

E.

Conduct internal audits

F.

Verify effectiveness of the internal audit programme

G.

Review trends in internal audit result

Full Access
Question # 42

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.

While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

Based on audit principles, should Jack contact the certification body regarding the second nonconformity? Refer to scenario 3.

A.

Yes, auditors should contact the ethics committee members of the certification body to obtain advice on such situation

B.

Yes, auditors should communicate such situations to the certification body; however, the top management should not be informed

C.

No, situations that may indicate financial crime are not the focus of an ISMS audit

Full Access
Question # 43

You are an experienced ISMS auditor, currently providing support to an ISMS auditor in training who is carrying out her first initial certification audit. She asks you what she should be verifying when auditing an organisation's Information Security objectives. You ask her what she has included in her audit checklist and she provides the following replies.

Which three of these responses would you cause you concern in relation to conformity with ISO/IEC 27001:2022?

A.

I am going to check how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved

B.

I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed

C.

I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved

D.

I am going to check that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this

E.

I am going to check that a completion date has been set for each objective and that there are no objectives with missing 'achieve by' dates

F.

I am going to check that the necessary budget, manpower and materials to achieve each objective has been determined

G.

I am going to check that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them

Full Access
Question # 44

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card was swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

A.

Take no action. Irrespective of any recommendations, contractors will always act in this way

B.

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier

C.

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined

D.

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

E.

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities

F.

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times

G.

Raise a nonconformity against control A.7.2 'physical entry' as a secure area is not adequately protected

Full Access
Question # 45

You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee's knowledge of ISO/IEC 27001's risk management requirements.

You ask her a series of questions to which the answer is either 'that is true' or 'that is false'. Which four of the following should she answer 'that is true'?

A.

The results of risk assessments must be maintained

B.

Risk identification is used to determine the severity of an information security risk

C.

ISO/IEC 27001 provides an outline approach for the management of risk

D.

The organisation must produce a risk treatment plan for every business risk identified

E.

The organisation must operate a risk treatment process to eliminate it's information security risks

F.

The initial phase in an organisation's risk management process should be information security risk assessment

G.

Risks assessments should be undertaken at monthly intervals

Full Access
Question # 46

What is the standard definition of ISMS? 

A.

Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.

B.

A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving

C.

A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security

D.

A systematic approach for establishing, implementing, operating,monitoring, reviewing,  maintaining and improving an organization’s information security to achieve business objectives.

Full Access
Question # 47

Which two of the following options are an advantage of using a sampling plan for the audit?

A.

Overrules the auditor's instincts

B.

Reduces the audit duration

C.

Prevents conflict within the audit team

D.

Gives confidence in the audit results

E.

Implements the audit plan efficiently

F.

Use of the plan for consecutive audits

Full Access
Question # 48

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

What would prevent the misunderstanding between the certification body and the Data Grid Inc.?

Refer to scenario 5.

A.

Validating the audit offer

B.

Signing the certification agreement

C.

Defining the audit schedule

Full Access
Question # 49

You receive the following mail from the IT support team: Dear User,Starting next week, we will be deleting all inactive email accounts in order to create spaceshare the below details in order to continue using your account. In case of no response, 

Name:

Email ID:

Password:

DOB:

Kindly contact the webmail team for any further support. Thanks for your attention.

Which of the following is the best response?

A.

Ignore the email

B.

Respond it by saying that one should not share the password with anyone

C.

One should not respond to these mails and report such email to your supervisor 

Full Access
Question # 50

During a third-party certification audit you are presented with a list of issues by an auditee. Which four of the following constitute 'external' issues in the context of a management system to ISO/IEC 27001:2022?

A.

A rise in interest rates in response to high inflation

B.

A reduction in grants as a result of a change in government policy

C.

Poor levels of staff competence as a result of cuts in training expenditure

D.

Increased absenteeism as a result of poor management

E.

Higher labour costs as a result of an aging population

F.

Inability to source raw materials due to government sanctions

G.

Poor morale as a result of staff holidays being reduced

Full Access
Question # 51

Which option below is NOT a role of the audit team leader?

A.

Preventing and solving conflict during the audit

B.

Setting up an ethics committee

C.

Preparing and explaining the audit conclusions

Full Access
Question # 52

Which one of the following options best describes the main purpose of a Stage 1 third-party audit?

A.

To introduce the audit team to the client

B.

To learn about the organisation's procurement

C.

To determine redness for a stage 2 audit

D.

To check for legal compliance by the organisation

E.

To prepare an independent audit report

F.

To get to know the organisation's customers

Full Access
Question # 53

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

Lawsy lacks a procedure regarding the use of laptops outside the workplace and it relies on employees' common knowledge to protect the confidentiality of information stored in the laptops. This presents:

A.

An anomaly

B.

A nonconformity

C.

A conformity

Full Access
Question # 54

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure (Document reference ID: ISMS_L2_16, version 4).

You review the document and notice a statement "Any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of the phrase "weakness, event, and incident".

The IT Security Manager explained that an online "information security handling" training seminar was conducted 6 months ago. All the people interviewed participated in and passed the reporting exercise and course assessment.

You would like to investigate other areas further to collect more audit evidence. Select three

options that would not be valid audit trails.

A.

Collect more evidence on how areas subject to information security incidents are quarantined to maintain information security during disruption (relevant to control A.5.29)

B.

Collect more evidence on how information security incidents are reported via appropriate channels (relevant to control A.6.8)

C.

Collect more evidence on how the organisation conducts information security incident training and evaluates its effectiveness. (Relevant to clause 7.2)

D.

Collect more evidence on how the organisation learns from information security incidents and makes improvements. (Relevant to control A.5.27)

E.

Collect more evidence on how the organisation manages the Point of Contact (PoC) which monitors vulnerabilities. (Relevant to clause 8.1)

F.

Collect more evidence on how the organisation tests the business continuity plan. (Relevant to control A.5.30)

G.

Collect more evidence on whether terms and definitions are contained in the information security policy. (Relevant to control 5.32)

Full Access
Question # 55

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.

While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

Based on scenario 3. which ISO/IEC 27001 control has NightCore ignored when they used an illegal version of software?

A.

Annex A 5.1 Policies for information security

B.

Annex A 5.10 Acceptable use of information and other associated assets

C.

Annex A 5.32 Intellectual property rights

Full Access
Question # 56

The auditor used sampling to ensure that event logs recording information security events are maintained and regularly reviewed. Sampling was based on the audit objectives, whereas the sample selection process was based on the probability theory. What type of sampling was used?

A.

Statistical sampling

B.

Judgment-based sampling

C.

Systematic sampling

Full Access
Question # 57

Which two of the following phrases would apply to "plan" in relation to the Plan-Do-Check-Act cycle for a business process?

A.

Retaining documentation

B.

Retaining documentation

C.

Organising changes

D.

Setting objectives

E.

Training staff

F.

Providing ICT assets

Full Access
Question # 58

You are an experienced ISMS audit team leader providing instruction to a class of auditors in training. The subject of today's lesson is the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022.

You provide the class with a series of activities. You then ask the class to sort these activities into the order in which they appear in the standard.

What is the correct sequence they should report back to you?

Full Access
Question # 59

You are an audit team leader who has just completed a third-party audit of a mobile telecommunication provider. You are preparing your audit report and are just about to complete a section headed 'confidentiality'.

An auditor in training on your team asks you if there are any circumstances under which the confidential report can be released to third parties.

Which four of the following responses are false?

A.

Although we advise the client the report is confidential we can decide to release it to third parties if we feel this is justified. We would always tell the client afterwards

B.

The report can be released to third parties but only with the explicit, prior approval of the audit client

C.

There are no circumstances under which the report can be released to a third party. Confidential means confidential and releasing the document would be a breach of trust

D.

The starting position is always that third parties have no automatic right to access an audit report

E.

If the third party has gained a legal notice for us to disclose the report then we must do so. In all such cases we would advise the audit client and, as appropriate, the auditee

F.

Any auditor employed by the auditing organisation can access the audit report

G.

Our duty of confidentiality is not something that lasts forever. As a certification body, we can decide how long we wish to keep reports confidential. After this, they can be accessed by third parties making a subject access request

Full Access
Question # 60

Which two of the following statements are true?

A.

The role of a certification body auditor involves evaluating the organisation's processes for ensuring compliance with their legal requirements

B.

Curing a third-party audit, the auditor evaluates how the organisation ensures that 4 6 made aware of changes to the legal requirements

C.

As part of a certification body audit the auditor is resporable for verifying the organisation's legal compliance status

Full Access
Question # 61

A property of Information that has the ability to prove occurrence of a claimed event.

A.

Electronic chain letters 

B.

Integrity

C.

Availability

D.

Accessibility

Full Access
Question # 62

Full Access
Question # 63

Which is not a requirement of HR prior to hiring?

A.

Undergo background verification

B.

Applicant must complete pre-employment documentation requirements

C.

Must undergo Awareness training on information security.

D.

Must successfully pass Background Investigation

Full Access
Question # 64

Select the words that best complete the sentence:

Full Access
Question # 65

What is the difference between a restricted and confidential document?

A.

Restricted - to be shared among an authorized group

Confidential - to be shared among named individuals

B.

Restricted - to be shared among named individuals 

Confidential - to be shared among an authorized group

C.

Restricted - to be shared among named individuals 

Confidential - to be shared across the organization only

D.

Restricted - to be shared among named individuals 

Confidential - to be shared with friends and family

Full Access
Question # 66

Review the following statements and determine which two are false:

A.

Auditors approved for conducting onsite audits do not require additional training for virtual audits, as there are no significant differences in the skillset required

B.

Conducting a technology check in advance of a virtual audit can improve the effectiveness and efficiency of the audit

C.

Due to confidentiality and security concerns, screen sharing during a virtual audit is one method by which the audit team can review the auditee's documentation

D.

During a virtual audit, auditees participating in interviews are strongly recommended to keep their webcam enabled

E.

The number of days assigned to a third-party audit is determined by the auditee's availability

F.

The selection of onsite, virtual or combination audits should take into consideration historical performance and previous audit results

Full Access
Question # 67

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

During stage 1 audit, the audit team found out that Sinvestment did not have records on information security training and awareness. What Sinvestment do in this case? Refer to scenario 6.

A.

Correct the identified issue before the stage 2 audit

B.

Document the identified issue and correct it after the certification audit is completed

C.

Perform a new risk assessment process to understand whether the issue needs modification or not

Full Access
Question # 68

After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.

Considering this information, what action would you expect the audit team leader to take?

A.

Increase the length of the Stage 2 audit to include the extra sites

B.

Obtain information about the additional sites to inform the certification body

C.

Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform

D.

Inform the auditee that the request can be accepted but a full Stage 1 audit must be repeated

Full Access
Question # 69

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

According to scenario 1, the chatbot sent random files to users when it received invalid inputs. What impact might that lead to?

A.

Inability to provide service

B.

Loss of reputation

C.

Leak of confidential information

Full Access
Question # 70

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Why could SendPay not restore their services back in-house after the contract termination? Refer to scenario 4.

A.

Because SendPay did not monitor the technology infrastructure of the outsourced software operations

B.

Because SendPay lacked a comprehensive business continuity plan with potential impact of contract terminations

C.

Because the outsourced software company terminated the contract with SendPay without prior notice

Full Access
Question # 71

An organisation is looking for management system initial certification. Please identify the sequence of the activities to be undertaken by the organisation.

To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank section.

Full Access
Question # 72

Which two options are benefits of third-party accredited certification of information security management systems to ISO/IEC 27001:2022 for organisations and interested parties?

A.

Third-party accredited certification demonstrates that the organisation complies with the legal and legislation requirements expected by interested parties

B.

Third-party accredited certification demonstrates that the organisation's ICT products are secured and certified

C.

Third-party accredited certification demonstrates that the organisation's management system is maintained and effective

D.

Third-party accredited certification demonstrates the organisation's management system adopted a systematic approach to information security

E.

Third-party accredited certification makes sure the organisation will obtain more customers

F.

Third-party accredited certification makes sure the organisation's IT system will be protected from external interference

Full Access
Question # 73

Which two of the following phrases would apply to "audit objectives"?

A.

Audit duration

B.

Determining conformity

C.

Checking legal compliance

D.

Auditor competence

E.

Revising management policy

F.

Identifying opportunities for improvement, if required

Full Access
Question # 74

A telecommunications company uses the AES method for ensuring that confidential information is protected. This means that they use a single key to encrypt and

decrypt the information. What kind of control does the company use?

A.

Detective

B.

Corrective

C.

Preventive

Full Access
Question # 75

Select the words that best complete the sentence:

Full Access
Question # 76

You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% erf the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.

The Service Manager says that the complaints were investigated as an information security incident which found that they were justified. Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.

You write a nonconformity "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents' and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members"

Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity

A.

ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA)

B.

The Service Manager provides evidence of analysis of the cause of nonconformity and how the ABC evaluates the effectiveness of implemented corrective actions

C.

ABC instructs all staff to follow the signed healthcare service agreement with residents' family members

D.

ABC conducts a management review to take the feedback from residents' family members into consideration

E.

ABC needs to collect more evidence on how the organisation defines the management system scope and find out if they covered WeCare the medical device manufacturer

F.

ABC identifies and checks compliance with all applicable legislation and contractual requirements involving third parties

G.

The Service Manager implements the corrective actions and Customer Service Representatives evaluate the effectiveness of implemented corrective actions

Full Access
Question # 77

All are prohibited in acceptable use of information assets, except:

A.

Electronic chain letters

B.

E-mail copies to non-essential readers

C.

Company-wide e-mails with supervisor/TL permission.

D.

Messages with very large attachments or to a large number ofrecipients.

Full Access
Question # 78

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

Based on scenario 2, the ISMS project manager approved the results of risk assessment. Is this acceptable?

A.

No, the risk remaining after the treatment of risk should be approved by the top management at any stage

B.

No, the risk remaining after the implementation of new controls for the ISMS should be approved by the ISMS team

C.

Yes, the risk remaining after the treatment of risk should be approved by the ISMS project manager

Full Access
Question # 79

Which two of the following statements are true?

A.

Responsibility for managing the audit programme rests with the audit team leader.

B.

The audit plan describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.

C.

Once agreed, the audit plan is fixed and cannot be changed during the conducting of the audi.

D.

The audit programme describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.

E.

The audit plan describes the activities and arrangements for an audit.

F.

The audit programme describes the activities and arrangements for an audit.

Full Access
Question # 80

Which situation presented below represents a threat?

A.

HackX uses and distributes pirated software

B.

The information security training was provided to only the IT team members of the organization

C.

Hackers compromised the administrator's account by cracking the password

Full Access
Question # 81

Select a word from the following options that best completes the sentence:

To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Full Access
Question # 82

You are an experienced ISMS audit team leader. An auditor in training has approached you to ask you to clarify the different types of audits she may be required to undertake.

Match the following audit types to the descriptions.

To complete the table click on the blank section you want to complete so that It is highlighted In fed, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Full Access