[Feb 20, 2025] Ultimate ISO-IEC-27001-Lead-Auditor Guide to Prepare Free Latest PECB Practice Tests Dumps [Q113-Q133]



The ISO-IEC-27001-Lead-Auditor certification exam is ideal for professionals who are responsible for managing and maintaining the security of information in their organizations. This includes IT professionals, security managers, auditors, consultants, and other professionals who are involved in the design, implementation, and maintenance of ISMS.


In order to prepare for the exam, candidates are advised to review the ISO/IEC 27001 standard and to familiarize themselves with the key concepts and terminology used in information security management. They should also review relevant case studies and practical scenarios to gain a better understanding of how the concepts covered in the exam can be applied in the real world.


PECB is a leading provider of professional certifications in the field of information security management. The PECB ISO-IEC-27001-Lead-Auditor certification exam is one of the most widely recognized certifications in the industry. It is designed to provide professionals with the knowledge and skills needed to effectively audit and assess an organization's ISMS to ensure compliance with the ISO/IEC 27001 standard.

 

NEW QUESTION # 113
A well-executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives.
What is not one of the four main objectives of a risk analysis?

  • A. Determining relevant vulnerabilities and threats
  • B. Establishing a balance between the costs of an incident and the costs of a security measure
  • C. Identifying assets and their value
  • D. Implementing counter measures

Answer: D

Explanation:
Implementing countermeasures is not one of the four main objectives of a risk analysis. A risk analysis is a systematic process of identifying, assessing and evaluating potential risks in order to understand their likelihood and impact; its output is the information needed to decide how those risks should be managed. The four main objectives are:
* Identifying assets and their value: determining which information assets need protection and how valuable they are to the organization.
* Determining relevant vulnerabilities and threats: identifying the weaknesses in the assets or systems that could be exploited, and the sources or causes of the attacks or incidents that could exploit them.
* Establishing a balance between the costs of an incident and the costs of a security measure: estimating the financial, operational, reputational or legal consequences of a risk occurring and comparing them with the cost and benefit of the measure that would prevent or reduce it.
* Providing a basis for risk treatment decisions: prioritizing the risks by likelihood and impact and selecting the appropriate treatment option (avoid, transfer, reduce or accept).
Implementing countermeasures is not an objective of the analysis but something that follows from it. Countermeasures are the specific actions or controls designed to prevent or mitigate a risk; they are selected on the basis of the analysis results and aligned with the organization's risk appetite and objectives. Therefore, the correct answer is D. References: ISO/IEC 27005:2018, clauses 6-9; Risk Analysis - What Is It, Benefits, Example, Methods - WallStreetMojo.


NEW QUESTION # 114
You see a blue color sticker on certain physical assets. What does this signify?

  • A. The asset is very high critical and its failure affects the entire organization
  • B. The asset with blue stickers should be kept air conditioned at all times
  • C. The asset is high critical and its failure will affect a group/s/project's work in the organization
  • D. The asset is critical and the impact is restricted to an employee only

Answer: C


NEW QUESTION # 115
In regard to generating an audit finding, select the words that best complete the following sentence.
To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Answer:

Explanation:

Reference:
ISO 19011:2022 Guidelines for auditing management systems
ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements
Components of Audit Findings - The Institute of Internal Auditors


NEW QUESTION # 116
Which of the following is a possible event that can have a disruptive effect on the reliability of information?

  • A. Risk
  • B. Dependency
  • C. Threat
  • D. Vulnerability

Answer: C

Explanation:
A possible event that can have a disruptive effect on the reliability of information is a threat. A threat is anything with the potential to harm an asset or its protection: a natural disaster, a human error, a malicious attack and so on. A threat exploits a vulnerability (a weakness in an asset or in its protection) and causes an adverse impact on the confidentiality, integrity or availability of information. The other options are not events: a vulnerability is the weakness that a threat exploits, risk is the combination of the likelihood of a threat exploiting a vulnerability and the resulting impact, and a dependency is a relationship between assets. ISO/IEC 27000, to which ISO/IEC 27001:2022 clause 3 refers for its terms and definitions, defines threat as "potential cause of an unwanted incident, which can result in harm to a system or organization". References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course; ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements; ISO/IEC 27000:2018 Information technology - Security techniques - Information security management systems - Overview and vocabulary; What is Threat?


NEW QUESTION # 117
Select the words that best complete the sentence:

Answer:

Explanation:
"In a third-party audit an observation can indicate conformity and the organisation is not required to take action." According to the PECB Candidate Handbook, an observation is "a statement of fact made during an audit and substantiated by objective evidence". An observation can indicate conformity or nonconformity, but on its own it does not require any corrective action from the audited organisation. A recommendation, on the other hand, is "a suggestion for improvement based on an observation"; the audited organisation may or may not accept it.
According to Fundamentals - Third parties, a third-party audit is "an audit conducted by an external organisation that has the legal right to audit an organisation's processes and procedures". A third-party audit can result in a finding, which is "a conclusion reached by the auditor based on the audit evidence collected". A finding can be positive or negative, depending on whether the audited organisation meets the audit criteria. A nonconformity is "a finding that indicates the non-fulfilment of a requirement", and a nonconformity does require corrective action from the audited organisation to prevent recurrence.


NEW QUESTION # 118
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which six of the following Annex A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

  • A. 5.6 Contact with special interest groups
  • B. 7.4 Physical security monitoring
  • C. 8.3 Information access restriction
  • D. 8.12 Data leakage protection
  • E. 5.13 Labelling of information
  • F. 6.4 Disciplinary process
  • G. 5.11 Return of assets
  • H. 5.32 Intellectual property rights
  • I. 5.3 Segregation of duties
  • J. 7.10 Storage media
  • K. 6.3 Information security awareness, education, and training

Answer: B,C,D,E,J,K

Explanation:
The six controls are the ones a despatch operation handling passports, medical samples and pharmaceuticals needs in order to address the mislabelling and uncontrolled returns described in the scenario:
* B. 7.4 Physical security monitoring. The auditee should monitor the physical security of the premises where parcels and their contents are stored and processed, for example with CCTV cameras, alarms, sensors, guards or patrols, so that unauthorised physical access or intrusion attempts are detected and deterred.
* C. 8.3 Information access restriction. Access to the information in the parcels and in the shipping systems should be restricted on a least-privilege, need-to-know basis, with identification, authentication, authorisation, accountability and auditability of the users and systems that handle it.
* D. 8.12 Data leakage protection. The auditee should have measures that prevent unauthorised disclosure of the sensitive information carried in the parcels (personal data, medical records, official documents); this includes encryption, authentication, access control, logging and monitoring of data transfers.
* E. 5.13 Labelling of information. Information should be labelled according to its classification level and handling instructions, using markings, tags, stamps, stickers or barcodes, so that it can be identified and protected from unauthorised disclosure or misuse.
* J. 7.10 Storage media. The media that carry the information, here mainly paper documents but in general also optical disks, magnetic tapes, flash drives and hard disks, should be protected against unauthorised access, misuse, theft, loss or damage through physical locks, encryption, backup and controlled disposal or destruction.
* K. 6.3 Information security awareness, education, and training. Everyone involved in the shipping process should be aware of the information security policies and procedures and trained to handle and protect the information in their custody, through induction programmes, periodic refreshers, awareness campaigns, e-learning modules and feedback mechanisms.
References:
* ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements
* ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection - Information security controls
* ISO/IEC 27003:2017 Information technology - Security techniques - Information security management systems - Guidance
* ISO/IEC 27004:2016 Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation
* ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection - Guidance on managing information security risks
* ISO/IEC 27006:2015 Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems
* ISO/IEC 27007:2020 Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing


NEW QUESTION # 119
You are the audit team leader conducting a third-party audit of an online insurance company. During Stage 1, you found that the organization took a very cautious risk approach and included all the information security controls in ISO/IEC 27001:2022 Annex A in their Statement of Applicability.
During the Stage 2 audit, your audit team found that there was no evidence of a risk treatment plan for the implementation of the three controls (5.3 Segregation of duties, 6.1 Screening, 7.12 Cabling security). You raise a nonconformity against clause 6.1.3.e of ISO 27001:2022.
At the closing meeting, the Technical Director issues an extract from an amended Statement of Applicability (as shown) and asks for the nonconformity to be withdrawn.

Select three options of the correct responses of an audit team leader to the request of the Technical Director.

  • A. Ask the auditor who raised the issue for their opinion on how you should respond to the request.
  • B. Review the documentation produced and withdraw the nonconformity.
  • C. Advise the Technical Director that his request will be included in the audit report.
  • D. State that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability.
  • E. Inform the Technical Director that the nonconformity will be changed to an Opportunity for Improvement.
  • F. Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.
  • G. Advise management that the information provided will be reviewed when the auditors have more time.
  • H. Advise the Technical Director that once a nonconformity is raised it cannot be withdrawn.

Answer: C,D,F

Explanation:
The three correct responses of the audit team leader to the Technical Director's request are:
* C. Advise the Technical Director that his request will be included in the audit report.
* D. State that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability.
* F. Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.
* C. The audit team leader should document the Technical Director's request and include it in the audit report alongside the audit findings and conclusions. This keeps the audit process and its results transparent and traceable.
* D. A follow-up audit is conducted after a previous audit to verify the implementation and effectiveness of the corrective actions (and any opportunities for improvement) agreed as a result of that audit. It should confirm that the nonconformity has been effectively addressed and that the ISMS conforms and is effective, and it should also consider any new or changed risks or requirements that affect the ISMS. The evidence for the amended Statement of Applicability can only be verified at that point.
* F. The nonconformity should not be withdrawn on the strength of the amended Statement of Applicability alone. It was raised against clause 6.1.3 e) of ISO/IEC 27001:2022, which requires the organisation to formulate a risk treatment plan covering how the risks are treated, the controls selected and their implementation. The Statement of Applicability is the separate output of clause 6.1.3 d); an amended extract produced at the closing meeting says nothing about whether a treatment plan exists or whether the three controls have been implemented. The audit team leader should base the nonconformity on the objective evidence obtained during the audit, not on documents or claims presented after the finding was made.
References:
1: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 25
2: ISO 19011:2018 - Guidelines for auditing management systems, clause 6.7
3: ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clause 6.1.3 e)
4: ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection - Guidance on managing information security risks, clause 8.3.2


NEW QUESTION # 120
Which four of the following statements about audit reports are true?

  • A. Audit reports should include or refer to the audit plan
  • B. Audit reports should be produced by the audit team leader with input from the audit team
  • C. Audit reports that are no longer required can be destroyed as part of the organisation's general waste
  • D. Audit reports should only evidence nonconformity
  • E. Audit reports should be sent to the organisation's top management first because their contents could be embarrassing
  • F. Audit reports should always be reviewed by the client, dated, and signed as 'accepted'
  • G. Audit reports should be assumed suitable for general circulation unless they are specifically marked confidential
  • H. Audit reports should be produced within an agreed timescale

Answer: A,B,F,H


NEW QUESTION # 121
What is a definition of compliance?

  • A. The state or fact of according with or meeting rules or standards
  • B. Laws, considered collectively or the process of making or enacting laws
  • C. An official or authoritative instruction
  • D. A rule or directive made and maintained by an authority.

Answer: A

Explanation:
Compliance is the state or fact of according with or meeting rules or standards. In the context of information security, compliance means adhering to the applicable laws, regulations, policies and contractual obligations that affect the organization's information assets. Meeting these requirements is one of the objectives of an ISMS based on ISO/IEC 27001:2022: clause 4.2 requires the organization to determine the relevant requirements of interested parties, which include legal, regulatory and contractual requirements, and Annex A control 5.31 (Legal, statutory, regulatory and contractual requirements) requires them to be identified, documented and kept up to date. The other options define law (B), an instruction (C) and a regulation (D), not compliance. References: Oxford Languages; ISO/IEC 27000:2018, clause 3; ISO/IEC 27001:2022, clause 4.2 and Annex A 5.31.


NEW QUESTION # 122
You are an audit team leader who has just completed a third-party audit of a mobile telecommunication provider. You are preparing your audit report and are just about to complete a section headed 'confidentiality'.
An auditor in training on your team asks you if there are any circumstances under which the confidential report can be released to third parties.
Which four of the following responses are false?

  • A. Our duty of confidentiality is not something that lasts forever. As a certification body, we can decide how long we wish to keep reports confidential. After this, they can be accessed by third parties making a subject access request
  • B. Subcontracted auditors are considered to be third parties regarding confidentiality and are therefore typically bound by confidentiality agreements
  • C. Although we advise the client the report is confidential we can decide to release it to third parties if we feel this is justified. We would always tell the client afterwards
  • D. There are no circumstances under which the report can be released to a third party. Confidential means confidential and releasing the document would be a breach of trust
  • E. The report can be released to third parties but only with the explicit, prior approval of the audit client
  • F. The starting position is always that third parties have no automatic right to access an audit report
  • G. Any auditor employed by the auditing organisation can access the audit report
  • H. If the third party has gained a legal notice for us to disclose the report then we must do so. In all such cases we would advise the audit client and, as appropriate, the auditee

Answer: A,B,C,G

Explanation:
The audit report is a confidential document that contains sensitive information about the auditee's ISMS and its performance. The audit team has a duty to protect the confidentiality of the audit report and to disclose it only to authorized parties, such as the audit client, the certification body and the accreditation body. The following responses are therefore false:
* A: The duty of confidentiality does not expire after a period chosen by the certification body. The audit report remains confidential indefinitely unless there is a legal or contractual obligation to disclose it or the audit client agrees to its release. Third parties cannot obtain the report by making a subject access request; such a request relates to an individual's own personal data, not to a client's audit report.
* B: Subcontracted auditors are not third parties regarding confidentiality. They are part of the audit team and have a contractual relationship with the auditing organization, so they are bound by the same confidentiality agreement and audit code of conduct as employed auditors and have the same rights and responsibilities to access and protect the audit report.
* C: The audit team cannot decide to release the report to third parties on its own judgement and then inform the client afterwards. Doing so would breach the confidentiality agreement and the audit code of conduct; the client's explicit, prior approval is required, as option E states.
* G: Not every auditor employed by the auditing organization can access the audit report, as that would violate the need-to-know principle. Only those involved in the audit process, such as the audit team leader, the audit team members, the audit programme manager and the certification decision maker, have a legitimate reason to access it, and other auditors should be prevented from doing so by appropriate security measures.
References:
* ISO/IEC 27001:2022, clause 9.2, Internal audit
* ISO/IEC 27006:2015, clause 7.2.3, Confidentiality
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 22, Audit Report
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 24, Audit Code of Conduct


NEW QUESTION # 123
You have to carry out a third-party virtual audit. Which two of the following issues would you need to inform the auditee about before you start conducting the audit ?

  • A. You will not record any part of the audit, unless permitted.
  • B. You expect the auditee to have assessed all risks associated with online activities.
  • C. You will ask those being interviewed to state their name and position beforehand.
  • D. You will take photos of every person you interview.
  • E. You will ask for a 360-degree view of the room where the audit is being carried out.
  • F. You will ask to see the ID card of the person that is on the screen.

Answer: C,E

Explanation:
A third-party virtual audit is an external audit conducted by an independent certification body using remote technology such as video conferencing, screen sharing and electronic document exchange. Its purpose is the same as that of an on-site audit: to verify the conformity and effectiveness of the information security management system (ISMS) as the basis for certification. Before the audit starts, the auditee needs to be told:
* that those being interviewed will be asked to state their name and position beforehand, so that the auditor can confirm they are the relevant personnel for the process under audit and are authorized to provide information and evidence;
* that the auditor will ask for a 360-degree view of the room where the audit is being carried out, so that the auditor can confirm that no unauthorized persons or devices are present and that the setting is suitable for a confidential interview.
The other options are not the expected items:
* Asking to see the ID card of the person on screen is unnecessary once name and position have been stated and can be checked against the auditee's organizational chart or staff directory, and it may come across as intrusive.
* Taking photos of every interviewee raises privacy and consent issues, looks unprofessional, and is not how audit evidence is recorded; the audit records and the evidence the auditee provides are sufficient.
* Stating that no part of the audit will be recorded unless permitted is not one of the two expected items. Whether any part of a remote session is recorded is a matter to agree with the auditee when the virtual audit is planned; ISO/IEC 27001 itself does not require audits to be recorded, so the agreed position on recording belongs in the audit plan rather than in an announcement at the start.
* Expecting the auditee to have assessed all risks associated with online activities is part of the auditee's own risk assessment and treatment obligations under the ISMS. The auditor evaluates those risk management practices and controls during the audit rather than imposing the expectation beforehand.
References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training
2: ISO/IEC 27001 Lead Auditor Training Course by PECB


NEW QUESTION # 124
A hacker gains access to a web server and reads the credit card numbers stored on that server. Which security principle is violated?

  • A. Availability
  • B. Authenticity
  • C. Integrity
  • D. Confidentiality

Answer: D

Explanation:
Confidentiality is the security principle that only authorized parties should have access to information assets; it protects the secrecy and privacy of information against unauthorized disclosure or exposure. A hacker who gains access to a web server and reads the credit card numbers stored on it violates confidentiality, because an unauthorized party has obtained sensitive information belonging to others. Integrity would be violated if the numbers were altered, and availability if the legitimate users could no longer reach them; neither is described here. Therefore, the correct answer is D. References: ISO/IEC 27000:2018, terms and definitions; Defining Security Principles - Pearson IT Certification.


NEW QUESTION # 126
Which of the following factors does NOT contribute to the value of data for an organisation?

  • A. The content of data
  • B. The correctness of data
  • C. The indispensability of data
  • D. The importance of data for processes

Answer: A

Explanation:
The value of data to an organisation depends on factors such as its correctness, its indispensability, its importance for the organisation's processes, and its relevance, timeliness, completeness and uniqueness. The content of data, on the other hand, is merely the representation of the data in a particular format or structure; it can change depending on how the data is processed, stored or presented, whereas the value of the data derives from its meaning and usefulness to the organisation. Therefore, the correct answer is A. References: Putting a value on data - PwC UK, page 3; What is Data Value? How to Define the Value of Your Data.


NEW QUESTION # 127
The auditor used sampling to ensure that event logs recording information security events are maintained and regularly reviewed. Sampling was based on the audit objectives, whereas the sample selection process was based on the probability theory. What type of sampling was used?

  • A. Statistical sampling
  • B. Judgment-based sampling
  • C. Systematic sampling

Answer: A

Explanation:
The use of probability theory in the sample selection process indicates that "statistical sampling" was used.
Statistical sampling allows auditors to make inferences about the population based on the properties of the sample, relying on the principles of probability to select representative elements.
References: ISO 19011:2018, Guidelines for auditing management systems
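As an added example, not part of the exam material or of PECB's or ISO's own text, the Python below shows what separates the two sampling approaches in the question: a statistical sample whose size is derived from a confidence level and a tolerable deviation rate and whose members are chosen at random, beside a judgment-based sample that the auditor picks around known incidents. The population of daily log-review records and the incident dates are constructed for the illustration; the sample-size rule is the standard zero-deviation (discovery sampling) bound, the smallest n with (1 - p)^n <= 1 - confidence.

```python
"""Statistical versus judgment-based audit sampling of log-review records."""
import math
import random

# Constructed population: one record per day of the year stating whether the
# security event log was reviewed that day. Days divisible by 73 were not
# reviewed, so the population holds five deviations in 365 records.
POPULATION = [{"day": d, "reviewed": d % 73 != 0} for d in range(1, 366)]
INCIDENT_DAYS = [40, 150, 300]  # constructed: days on which incidents were logged


def sample_size(confidence: float, tolerable_rate: float) -> int:
    """Smallest n such that a sample with zero deviations supports, at the given
    confidence, that the population deviation rate is at most tolerable_rate.
    Solves (1 - tolerable_rate) ** n <= 1 - confidence for n."""
    if not 0 < confidence < 1 or not 0 < tolerable_rate < 1:
        raise ValueError("confidence and tolerable_rate must be in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def statistical_sample(population, confidence, tolerable_rate, seed):
    """Every record has an equal chance of selection (probability theory drives
    the choice); the seed makes the selection reproducible so a second auditor
    can re-derive exactly the same sample from the same population."""
    n = min(sample_size(confidence, tolerable_rate), len(population))
    return random.Random(seed).sample(population, n)


def judgment_sample(population, incident_days, window=1):
    """Auditor picks the records around known incidents. Targeted, but it says
    nothing about the deviation rate in the rest of the population."""
    wanted = {d + k for d in incident_days for k in range(-window, window + 1)}
    return [rec for rec in population if rec["day"] in wanted]


def evaluate(sample):
    """Count records with no evidence of review. Under the zero-deviation
    bound a clean statistical sample supports the control at the stated
    confidence; any deviation means the sample does not support it."""
    deviations = sum(1 for rec in sample if not rec["reviewed"])
    return {
        "sampled": len(sample),
        "deviations": deviations,
        "supports_control": deviations == 0,
    }


if __name__ == "__main__":
    stat = statistical_sample(POPULATION, confidence=0.95, tolerable_rate=0.05, seed=7)
    print("statistical:", evaluate(stat))
    print("judgment:   ", evaluate(judgment_sample(POPULATION, INCIDENT_DAYS)))
```

The judgment sample here finds no deviations because none of the unreviewed days fall near an incident, which is the point: it can only speak about the days it looked at, while the 59-record statistical sample lets the auditor state a conclusion about the whole year at a named confidence level.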


NEW QUESTION # 128
You are the lead auditor of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks.
What is this risk strategy called?

  • A. Risk avoidance
  • B. Risk neutral
  • C. Risk bearing
  • D. Risk skipping

Answer: C

Explanation:
Taking measures for the large risks and leaving the small ones untreated is called risk bearing. The organisation knowingly retains the risks it has decided not to treat, together with their potential consequences, without implementing specific controls for them. This is the usual choice for risks with low likelihood and low impact, or where the cost of a control would outweigh its benefit, and it presumes that the organisation has the resources and resilience to absorb the loss if a retained risk materialises. Risk avoidance, by contrast, means withdrawing from the activity that gives rise to the risk, and "risk neutral" and "risk skipping" are not risk treatment options. ISO/IEC 27000, to which ISO/IEC 27001:2022 refers for its terms, calls this risk acceptance: the informed decision to take a particular risk. References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course; ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements; What is Risk Bearing?
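Question 113 lists the four objectives of a risk analysis and question 128 describes the strategy of treating the large risks while bearing the small ones. The Python below, an added example that is not part of the exam material or of any PECB or ISO text, carries both through in one place: it values the assets, pairs each threat with the vulnerability it exploits, weighs the annualised cost of an incident against the annual cost of the proposed control, and turns the comparison into a treatment decision against a stated risk appetite. The asset values, incident frequencies, control costs and effectiveness figures are constructed for the illustration.

```python
"""Quantitative risk analysis with a cost/benefit treatment decision."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float            # objective 1: value of the asset, in currency units
    threat: str                   # objective 2: the threat ...
    vulnerability: str            # ... and the weakness it would exploit
    exposure_factor: float        # fraction of asset value lost in one incident (0..1)
    annual_rate: float            # expected incidents per year (ARO)
    control: str                  # proposed security measure
    control_cost: float           # annual cost of that measure
    control_effectiveness: float  # fraction of the expected loss the measure removes (0..1)

    @property
    def sle(self) -> float:
        """Single loss expectancy: value lost in one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year (the incident cost)."""
        return self.sle * self.annual_rate

    @property
    def residual_ale(self) -> float:
        """Expected annual loss that remains once the control is in place."""
        return self.ale * (1 - self.control_effectiveness)

    @property
    def net_benefit(self) -> float:
        """Objective 3: annual loss avoided by the control minus its annual cost."""
        return (self.ale - self.residual_ale) - self.control_cost


def treatment_decision(risk: Risk, appetite: float) -> str:
    """Objective 4: a basis for the treatment decision.

    'bear'     - ALE is within appetite; accept the risk (the Q128 strategy).
    'reduce'   - ALE exceeds appetite and the proposed control pays for itself.
    'escalate' - ALE exceeds appetite but the control costs more than it saves,
                 so management must choose another option (avoid, share, accept).
    """
    if risk.ale <= appetite:
        return "bear"
    if risk.net_benefit > 0:
        return "reduce"
    return "escalate"


def risk_register(risks, appetite):
    """Rows sorted by ALE, highest first, each with its treatment decision."""
    rows = []
    for risk in sorted(risks, key=lambda r: r.ale, reverse=True):
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "ale": round(risk.ale, 2),
            "decision": treatment_decision(risk, appetite),
        })
    return rows


# Constructed figures for the illustration; the despatch case echoes question 118.
SAMPLE_RISKS = [
    Risk("customer database", 2_000_000, "SQL injection via web app",
         "unparameterised queries", 0.25, 0.4, "input validation + WAF", 40_000, 0.9),
    Risk("despatch labelling", 5_000, "parcel sent to wrong address",
         "no pre-dispatch check", 1.0, 12, "two-person label check", 60_000, 0.8),
    Risk("office laptops", 60_000, "theft", "no disk encryption",
         0.5, 0.1, "full-disk encryption", 2_000, 0.95),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS, appetite=10_000):
        print(row)
```

With an appetite of 10,000 the database risk (ALE 200,000) is reduced because the control removes far more expected loss than it costs, the despatch risk (ALE 60,000) is escalated because the proposed check costs more than the 48,000 of loss it would avoid, and the laptop risk (ALE 3,000) is borne. Lowering the appetite changes only the last decision, which is the point of separating the analysis from the strategy.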


NEW QUESTION # 129
A hacker gains access to a webserver and can view a file on the server containing credit card numbers.
Which of the Confidentiality, Integrity, Availability (CIA) principles is violated for the credit card file?

  • A. Availability
  • B. Integrity
  • C. Compliance
  • D. Confidentiality

Answer: D

Explanation:
Confidentiality is one of the Confidentiality, Integrity, Availability (CIA) principles of information security; it states that only authorized parties should have access to information assets. Confidentiality protects the secrecy and privacy of information from unauthorized disclosure or exposure. A hacker gaining access to a web server and viewing a file containing credit card numbers violates the confidentiality principle, as he or she is not an authorized party and has access to sensitive information that belongs to others. Therefore, the correct answer is D, Confidentiality. Reference: ISO/IEC 27000:2022, clause 3.8; Defining Security Principles - Pearson IT Certification.


NEW QUESTION # 130
During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made.
Select two options for how the auditor should respond.

  • A. Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned
  • B. Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area
  • C. Suggest that the MSR cancels the audit contract and reapplies for the new situation
  • D. Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit
  • E. Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures
  • F. Advise the MSR that, within the existing scope, the new work area can be included without any problem

Answer: D,E

Explanation:
The correct options for how the auditor should respond are:
* D. Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit
* E. Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures
These options are consistent with the ISO/IEC 27006:2015 standard, which states that any changes to the scope of certification should be notified by the client to the certification body, and that the certification body should evaluate and decide on these changes in accordance with its procedures. The auditor should also verify that the ISMS is implemented and maintained at all sites included in the scope of certification.
The other options are not appropriate for how the auditor should respond, because:
* A. Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned: This option is too rigid and does not allow for any flexibility or adaptation to the client's situation. The auditor should be open to considering any changes to the scope of certification that may have occurred since the initial application, as long as they are properly notified to and evaluated by the certification body.
* C. Suggest that the MSR cancels the audit contract and reapplies for the new situation: This option is too drastic and unnecessary, as it would cause delays and costs for both the client and the certification body. The auditor should not suggest that the client cancels the audit contract, but rather that they follow the established procedures for requesting and approving an extension of the scope of certification.
* F. Advise the MSR that, within the existing scope, the new work area can be included without any problem: This option is too lenient and does not ensure that the new work area meets the requirements of ISO/IEC 27001 and the ISMS. The auditor should not assume that the new work area can be included within the existing scope without any problem, but rather verify that the ISMS is implemented and maintained at the new site, and that any changes to the scope of certification are approved by the certification body.
* B. Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area: This option is too presumptuous and does not respect the authority of the certification body. The auditor should not confirm that they will revise the audit scope to include the new work area, but rather advise the certification body of the client's request for an extension of the scope of certification and wait for its decision.


NEW QUESTION # 131
Which one option best describes the purpose of retaining documented information related to the Information Security Management System (ISMS) of an organisation?

  • A. To show objective evidence to third-party auditors.
  • B. To ensure that all workers will follow the established procedure.
  • C. To show compliance with legal requirements.
  • D. To the extent necessary, to have confidence that the processes have been carried out as planned.

Answer: D

Explanation:
The purpose of retaining documented information related to the ISMS of an organisation is, to the extent necessary, to have confidence that the processes have been carried out as planned. This means that the documented information provides evidence of the conformity and effectiveness of the ISMS, as well as the achievement of the information security objectives and the continual improvement of the ISMS. Documented information also supports the analysis and evaluation of the ISMS performance and the identification of opportunities for improvement. References: ISO/IEC 27001:2022, clause 7.5.1; PECB Candidate Handbook ISO 27001 Lead Auditor, page 17.


NEW QUESTION # 132
You are carrying out your first third-party ISMS surveillance audit as an audit team leader. You are presently in the auditee's data centre with another member of your audit team and the organisation's guide.
You request access to a locked room protected by a combination lock and iris scanner. The room contains several rows of uninterruptible power supplies along with several data cabinets containing client-supplied equipment, predominantly servers and switches.
You note that there is a gas-based fire extinguishing system in place. A label indicates that the system requires testing every 6 months; however, the most recent test recorded on the label was carried out by the manufacturer 12 months ago.
Based on the scenario above which two of the following actions would you now take?

  • A. Providing water-based extinguishers are accessible in the room, take no further action as these provide an alternative means to put out a fire
  • B. Raise a nonconformity against control A.7.11 'supporting utilities' as information processing facilities are not adequately protected against possible disruption
  • C. Raise a nonconformity against control A.5.7 'threat intelligence' as the organisation has not identified the need to take action against the threat of fire
  • D. Make a note to ask the site maintenance manager for evidence that a fire extinguishing system test was carried out 6 months ago
  • E. Determine if requirements for recording fire extinguisher checks have been revised within the last year. If so, suggest these are referenced on the existing labels as an opportunity for improvement
  • F. Require the guide to initiate the organisation's information security incident process

Answer: B,D

