11.11 Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > PECB > ISO 27001 > ISO-IEC-27001-Lead-Auditor

ISO-IEC-27001-Lead-Auditor PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Question and Answers

Question # 4

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".

You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.

You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.

A.

Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

B.

Collect more evidence on what the service requirements of healthcare monitoring are. (Relevant to clause 4.2)

C.

Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26)

D.

Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27)

E.

Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26)

F.

Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8)

G.

Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

Full Access
Question # 5

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

Based on this scenario, answer the following question:

The chatbot was supposed "to learn" the queries pattern to address user queries and provide the right answers. What type of technology enables

this?

A.

Artificial intelligence

B.

Cloud computing

C.

Machine learning

Full Access
Question # 6

Stages of Information 

A.

creation, evolution, maintenance, use, disposition

B.

creation, use, disposition, maintenance, evolution

C.

creation, distribution, use, maintenance, disposition 

D.

creation, distribution, maintenance, disposition, use

Full Access
Question # 7

Which two of the following phrases are 'objectives' in relation to a first-party audit?

A.

Apply international standards

B.

Prepare the audit report for the certification body

C.

Confirm the scope of the management system is accurate

D.

Complete the audit on time

E.

Apply Regulatory requirements

F.

Update the management policy

Full Access
Question # 8

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure (Document reference ID: ISMS_L2_16, version 4).

You review the document and notice a statement "Any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of the phrase "weakness, event, and incident".

The IT Security Manager explained that an online "information security handling" training seminar was conducted 6 months ago. All the people interviewed participated in and passed the reporting exercise and course assessment.

You would like to investigate other areas further to collect more audit evidence. Select three

options that would not be valid audit trails.

A.

Collect more evidence on how areas subject to information security incidents are quarantined to maintain information security during disruption (relevant to control A.5.29)

B.

Collect more evidence on how information security incidents are reported via appropriate channels (relevant to control A.6.8)

C.

Collect more evidence on how the organisation conducts information security incident training and evaluates its effectiveness. (Relevant to clause 7.2)

D.

Collect more evidence on how the organisation learns from information security incidents and makes improvements. (Relevant to control A.5.27)

E.

Collect more evidence on how the organisation manages the Point of Contact (PoC) which monitors vulnerabilities. (Relevant to clause 8.1)

F.

Collect more evidence on how the organisation tests the business continuity plan. (Relevant to control A.5.30)

G.

Collect more evidence on whether terms and definitions are contained in the information security policy. (Relevant to control 5.32)

Full Access
Question # 9

After conducting an external audit, the auditor decided that the internal auditor would follow-up on the implementation of corrective actions until the next surveillance audit. Is this acceptable?

A.

No, only the external auditor should follow up on the implementation of corrective actions after the completion of the audit

B.

Yes, the internal auditor may verify the implementation of corrective actions if it cannot be done by the external auditor

C.

Yes, the internal auditor may follow-up on the implementation of corrective actions until a verification from the external auditor during the surveillance audit

Full Access
Question # 10

A data processing tool crashed when a user added more data in the buffer than its storage capacity allows. The incident was caused by the tool's inability to bound check arrays. What kind of vulnerability is this?

A.

Intrinsic vulnerability, because inability to bound check arrays is a characteristic of the data processing tool

B.

Extrinsic vulnerability, because inability to bound check arrays is related to external factors

C.

None, the tool's inability to bound check arrays is not a vulnerability, but a threat

Full Access
Question # 11

What is the standard definition of ISMS? 

A.

Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.

B.

A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving

C.

A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security

D.

A systematic approach for establishing, implementing, operating,monitoring, reviewing,  maintaining and improving an organization’s information security to achieve business objectives.

Full Access
Question # 12

During an audit, the audit team leader reached timely conclusions based on logical reasoning and analysis. What professional behaviour was displayed by the audit team leader?

A.

Decisive

B.

Open minded

C.

Ethical

D.

Perceptive

Full Access
Question # 13

Which three of the following work documents are not required for audit planning by an auditor conducting a certification audit?

A.

An audit plan

B.

A sample plan

C.

An organisation's financial statement

D.

A checklist

E.

A career history of the IT manager

F.

A list of external providers

Full Access
Question # 14

Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.

But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.

Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill

the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.

Based on the scenario above, answer the following question:

UpNet outsourced the internal audit function, as provided in scenario 9. Does it impact the internal audit process?

A.

No, internal audits do not necessarily have to be independent and objective because they have an advisory role

B.

No, because the internal audit process can comprise more than an audit program

C.

Yes, it increases the independence and impartiality of the internal audit because auditors do not have operational roles related to the ISMS

Full Access
Question # 15

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information

security incident management procedure (Document reference ID: ISMS_L2_16, version 4) and explains that the process is

based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported

to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences

in the understanding of the meaning of "weakness, event, and incident".

The IT Security Manager explained that an online "information security handling" training seminar was conducted 6 months

ago. All of the interviewed persons participated in and passed the reporting exercise and course assessment.

You are preparing the audit findings. Select two options that are correct.

A.

There is a nonconformity (NC). The information security incident training has failed. This is not conforming with clause 7.2 and control A.6.3.

B.

There is a nonconformity (NC). The terminology of the the incident management reporting process is unclear as evidenced by staff misunderstanding of the meaning of "weakness, event and incident". This is not conforming with clause 9.1 and control A.5.24.

C.

There is an opportunity for improvement (OFI). The information security incident training effectiveness can be improved. This is relevant to clause 7.2 and control A.6.3.

D.

There is an opportunity for improvement (OFI). The information security weaknesses, events, and incidents are reported. This is relevant to clause 9.1 and control A.5.24.

E.

There is no nonconformance. The information security handling training has been effective. This conforms with clause 7.2 and control A.6.3.

F.

There is no nonconformance. The information security weaknesses, events, and incidents are reported. This conforms with clause 9.1 and control A.5.24.

Full Access
Question # 16

You are conducting an ISMS audit. The next step in your audit plan is to verify that the organisation's

information security risk treatment plan has been established and implemented properly. You decide to

interview the IT security manager.

You: Can you please explain how the organisation performs its information security risk assessment and

treatment process?

IT Security Manager: We follow the information security risk management procedure which generates a

risk treatment plan.

Narrator: You review risk treatment plan No. 123 relating to the planned installation of an electronic

(invisible) fence to improve the physical security of the nursing home. You found the risk treatment plan was

approved by IT Security Manager.

You: Who is responsible for physical security risks?

IT Security Manager: The Facility Manager is responsible for the physical security risk. The IT department helps them to monitor the alarm. The Facility Manager is authorized to approve the budget for risk treatment plan No. 123.

You: What residual information security risks exist after risk treatment plan No. 123 was implemented?

IT Security Manager: There is no information for the acceptance of residual information security risks as far as I know.

You prepare your audit findings. Select three options for findings that are justified in the scenario.

A.

Nonconformity (NC) - The information for the acceptance of residual information security risks should be updated after the risk treatment is implemented. Clause 6.1.3.f

B.

There is an opportunity for improvement (OI) to conduct security checks on the perimetre fence

C.

There is an opportunity for improvement (OI) once the Electronic (invisible) fence is installed. Residents' physical security is improved

D.

Nonconformity (NC) - Top management must ensure that the resources needed for the ISMS are available. Clause 5.1.c

E.

Nonconformity (NC) - The IT security manager should be aware of and understand his authority and area of responsibility. Clause 7.3

F.

Nonconformity (NC) - The organization should provide the resources needed for the continual improvement of the ISMS. Clause 7.1

G.

Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the Facility Manager in this case. Clause 6.1.3.f

Full Access
Question # 17

Which two of the following are examples of audit methods that 'do' involve human interaction?

A.

Performing an independent review of procedures in preparation for an audit

B.

Reviewing the auditee's response to an audit finding

C.

Analysing data by remotely accessing the auditee's server

D.

Observing work performed by remote surveillance

E.

Analysing data by remotely accessing the auditee's server

Full Access
Question # 18

The responsibilities of a------------ include facilitating audit activities, maintaining logistics, ensuring that health and safety policies are observed, and witnessing

the audit process on behalf of the auditee.

A.

Internal auditor

B.

Observer

C.

Guide

Full Access
Question # 19

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

According to ISO/IEC 27001 requirements, does the company need to provide evidence of implementation of the procedure regarding logs recording user activities? Refer to scenario 6.

A.

Yes, event logs recording user activities must be kept and regularly reviewed

B.

No, because the implementation of this procedure is not a requirement of the standard

C.

No, the company only recommended implementing this procedure

Full Access
Question # 20

Which two activities align with the “Check’’ stage of the Plan-Do-Check-Act cycle when applied to the process of managing an internal audit program as described in ISO 19011?

A.

Retains records of internal audits

B.

Define audit criteria and scope for each internal audit

C.

Update the internal audit programme

D.

Establish a risk-based internal audit programme

E.

Conduct internal audits

F.

Verify effectiveness of the internal audit programme

G.

Review trends in internal audit result

Full Access
Question # 21

You are an ISMS audit team leader assigned by your certification body to carry out a follow-up audit of a Data Centre client.

According to ISO 19011:2018, the purpose of a follow-up audit is to verify which one of the following?

A.

The effectiveness of the management system

B.

Implementation of ISMS objectives

C.

Implementation of risk treatment plans

D.

Completion and effectiveness of corrective actions

Full Access
Question # 22

After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.

Considering this information, what action would you expect the audit team leader to take?

A.

Increase the length of the Stage 2 audit to include the extra sites

B.

Obtain information about the additional sites to inform the certification body

C.

Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform

D.

Inform the auditee that the request can be accepted but a full Stage 1 audit must be repeated

Full Access
Question # 23

You are an experienced ISMS audit team leader guiding an auditor in training. Your team has just completed a third-party surveillance audit of a mobile telecom provider. The auditor in training asks you how you intend to prepare for the Closing meeting. Which four of the following are appropriate responses?

A.

I will advise the auditee that the purpose of the closing meeting is for the audit team to communicate our findings. It is not an opportunity for the auditee to challenge the findings

B.

I will instruct my audit team to wait outside the auditee's offices so we can leave as quickly as possible after the closing meeting. This saves our time and the client's time too

C.

It is not necessary to prepare for the closing meeting. Once you have carried out as many audits as I have you already know what needs to be discussed

D.

I will schedule a closing meeting with the auditee's representatives at which the audit conclusions will be presented

E.

I will contact head office to ensure our invoice has been paid, If not, I will cancel the closing meeting and temporarily withhold the audit report

F.

I will discuss any follow-up required with my audit team

G.

I will review and, as appropriate, approve my teams audit conclusions

Full Access
Question # 24

You are performing an ISMS initial certification audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to conduct the closing meeting. During the final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and 1 opportunity for improvement as below:

Select one option of the recommendation to the audit programme manager you are going to advise to the auditee at the closing meeting.

A.

Recommend certification immediately

B.

Recommend that a full scope re-audit is required within 6 months

C.

Recommend that an unannounced audit is carried out at a future date

D.

Recommend certification after your approval of the proposed corrective action plan Recommend that the findings can be closed out at a surveillance audit in 1 year

E.

Recommend that a partial audit is required within 3 months

Full Access
Question # 25

Auditors need to communicate effectively with auditees. Therefore, their personal behaviour is a key characteristic needed to ensure a successful audit. Below there are the characteristics and a brief related description. Match the characteristics to the descriptions.

Full Access
Question # 26

Select the words that best complete the sentence:

To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Full Access
Question # 27

Which situation presented below represents a threat?

A.

HackX uses and distributes pirated software

B.

The information security training was provided to only the IT team members of the organization

C.

Hackers compromised the administrator's account by cracking the password

Full Access
Question # 28

Review the following statements and determine which two are false:

A.

Conducting a technology check in advance of a virtual audit can improve the effectiveness and efficiency of the audit

B.

During a virtual audit, auditees participating in interviews are strongly recommended to keep their webcam enabled

C.

The number of days assigned to a third-party audit is determined by the auditee's availability

D.

Due to confidentiality and security concerns, screen sharing during a virtual audit is one method by which the audit team can review the auditee's documentation

E.

The selection of onsite, virtual or combination audits should take into consideration historical performance and previous audit results

F.

Auditors approved for conducting onsite audits do not require additional training for virtual audits, as there are no significant differences in the skillset required

Full Access
Question # 29

The following are the guidelines to protect your password, except: 

A.

Don't use the same password for various company system security access

B.

Do not share passwords with anyone

C.

For easy recall, use the same password for company and personal accounts

D.

Change a temporary password on first log-on

Full Access
Question # 30

Select the option which best describes how Information Security Management System audits should be conducted:

A.

Audit criteria should be used to assess circumstantial evidence in order to generate audit outcomes. Then, the audit report should be created and presented to the audit team at the audit team meeting.

B.

Audit criteria should be used to assess objective evidence in order to generate audit outcomes. Then, the audit report should be created and presented to the audit team leader at the closing meeting.

C.

Audit methods should be used to assess audit evidence in order to generate audit recommendations. Then, the audit recommendations should be created and presented to the auditee at the closing meeting.

D.

Audit methods should be used to assess objective evidence in order to generate audit findings. Then, the audit conclusion should be created and presented to the auditee at the closing meeting.

E.

Audit objectives should be used to assess audit evidence in order to generate audit conclusions. Then, the audit findings should be created and presented to the audit client at the closing meeting.

F.

Audit objectives should be used to assess objective evidence in order to generate audit conclusions. Then, the audit recommendations should be created and presented to top management at management review.

Full Access
Question # 31

Who are allowed to access highly confidential files?

A.

Employees with a business need-to-know

B.

Contractors with a business need-to-know

C.

Employees with signed NDA have a business need-to-know

D.

Non-employees designated with approved access and have signed NDA

Full Access
Question # 32

Which two of the following statements are true?

A.

The benefit of certifying an ISMS is to show the accreditation certificate on the website.

B.

The purpose of an ISMS is to demonstrate awareness of information security issues by management.

C.

The benefit of certifying an ISMS is to increase the number of customers.

D.

The benefits of implementing an ISMS primarily result from a reduction in information security risks.

E.

The purpose of an ISMS is to apply a risk management process for preserving information security.

F.

The purpose of an ISMS is to demonstrate compliance with regulatory requirements.

Full Access
Question # 33

Select the words that best complete the sentence:

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Full Access
Question # 34

A decent visitor is roaming around without visitor's ID. As an employee you should do the following, except:

A.

Say "hi" and offer coffee

B.

Call the receptionist and inform about the visitor

C.

Greet and ask him what is his business

D.

Escort him to his destination

Full Access
Question # 35

Based on the identified nonconformities. Company A established action plans that included the detected nonconformities, the root causes, and a general statement regarding each action that would be taken. Is this acceptable?

A.

No, the action plans should include information on the systems that will be installed and how these systems will eliminate the root causes

B.

No, the auditee is required to submit action plans that include detailed information on how every corrective action will be implemented

C.

Yes, the auditee is required to submit action plans that include a general statement regarding the actions that will be taken

Full Access
Question # 36

Which one of the following options best describes the main purpose of a Stage 2 third-party audit?

A.

To determine readiness for certification

B.

To check for legal compliance by the organisation

C.

To identify nonconformances against a standard

D.

To get to know the organisation's management system

Full Access
Question # 37

Which two of the following phrases would apply to "audit objectives"?

A.

Audit duration

B.

Determining conformity

C.

Checking legal compliance

D.

Auditor competence

E.

Revising management policy

F.

Identifying opportunities for improvement, if required

Full Access
Question # 38

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

Based on scenario 2, Knight decided to replace the FTP with Secure Shell (SSH) protocol. Should the Statement of Applicability (SoA) be updated in this case?

A.

No, the usage of SSH protocol is not an ISO/IEC 27001 requirement and; therefore, does not need to be included in the SoA

B.

No, because the SoA should be updated only when new controls are added, not when old ones are canceled

C.

Yes, the implementation of the new control should be justified and included in the SoA

Full Access
Question # 39

In acceptable use of Information Assets, which is the best practice?

A.

Access to information and communication systems are provided for business purpose only

B.

Interfering with or denying service to any user other than the employee's host

C.

Playing any computer games during office hours

D.

Accessing phone or network transmissions, including wireless or wifi transmissions

Full Access
Question # 40

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

According to scenario 2, the ISMS scope was not applied to the Finance and HR Department of Knight. Is this acceptable?

A.

Yes, the ISMS must be applied only to processes and assets that may directly impact information security

B.

Yes, the ISMS scope can include the whole organization or only particular departments within the organization

C.

No, the ISMS scope must include all organizational units and processes

Full Access
Question # 41

Information Security is a matter of building and maintaining ________ .

A.

Confidentiality

B.

Trust

C.

Protection

D.

Firewalls

Full Access
Question # 42

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.

Your colleague seems unsure as to the difference between an information security event and an information security incident. You attempt to explain the difference by providing examples.

Which three of the following scenarios can be defined as information security incidents?

A.

The organisation's malware protection software prevents a virus

B.

A hard drive is used after its recommended replacement date

C.

The organisation receives a phishing email

D.

An employee fails to clear their desk at the end of their shift

E.

A contractor who has not been paid deletes top management ICT accounts

F.

An unhappy employee changes payroll records without permission

G.

The organisation fails a third-party penetration test

Full Access
Question # 43

Which one of the following options is the definition of the context of an organisation?

A.

The control of internal and external issues that can have an effect on an organisation's desire to achieve its objectives

B.

Complexity of internal and external issues that can have an effect on an organisation's approach to developing and achieving its purpose

C.

A combination of internal and external issues that can have an effect on an organisation's approach to developing and achieving its objectives

D.

The coordination of internal and external issues that can have a positive or negative effect on an organisation's success

Full Access
Question # 44

Which statement below best describes the relationship between information security aspects?

A.

Threats exploit vulnerabilities to damage or destroy assets

B.

Controls protect assets by reducing threats

C.

Risk is a function of vulnerabilities that harm assets

Full Access
Question # 45

PayBell, a finance corporation, is using an accounting software to track financial transactions. The software can be accessed from anywhere with an internet connection. It also enables PayBell's employees to easily collaborate with each other to ensure accurate financial reporting. What type of services is PayBell using?

A.

Machine learning

B.

Cloud computing

C.

Artificial intelligence

Full Access
Question # 46

You are an experienced ISMS auditor, currently providing support to an ISMS auditor in training who is carrying out her first initial certification audit. She asks you what she should be verifying when auditing an organisation's Information Security objectives. You ask her what she has included in her audit checklist and she provides the following replies.

Which three of these responses would you cause you concern in relation to conformity with ISO/IEC 27001:2022?

A.

I am going to check how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved

B.

I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed

C.

I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved

D.

I am going to check that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this

E.

I am going to check that a completion date has been set for each objective and that there are no objectives with missing 'achieve by' dates

F.

I am going to check that the necessary budget, manpower and materials to achieve each objective has been determined

G.

I am going to check that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them

Full Access
Question # 47

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. You find all nursing home residents wear an electronic wristband for monitoring their location, heartbeat, and blood pressure always. You learned that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.

To verify the scope of ISMS, you interview the management system representative (MSR) who explains that the ISMS scope covers an outsourced data center.

Select one option of the correct statement which defines the content of the scope of the ISMS.

A.

The ISMS scope should not cover external service providers because they can have compliance difficulties with the information security policy and requirements

B.

The ISMS scope should take any information security issues that have occurred and any interested parties' requirements into consideration

C.

The most likely ISMS scope is to cover the IT department and the outsourced data centre

D.

The organisation should only follow the government's recommendation, i.e., legal and legislation to define the ISMS scope

Full Access
Question # 48

Select two of the following options that are the responsibility of a legal technical expert on the audit team during a certification audit.

A.

Evaluating the auditee's legal knowledge

B.

Criticising the organisation's legal compliance issues

C.

Debating complex legal points with the auditee

D.

Advising on legal checkpoints for the audit team

E.

Verifying the legal status of the organisation

F.

Meeting the organisation's legal representative

Full Access
Question # 49

Which is not a requirement of HR prior to hiring?

A.

Undergo background verification

B.

Applicant must complete pre-employment documentation requirements

C.

Must undergo Awareness training on information security.

D.

Must successfully pass Background Investigation

Full Access
Question # 50

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

Which type of audit risk was defined as “low* by the audit team? Refer to scenario 5.

A.

Inherent

B.

Control

C.

Detection

Full Access
Question # 51

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the Statement of Applicability (SoA) and mplemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

A.

Confidentiality and nondisclosure agreements

B.

How protection against malware is implemented

C.

Information security awareness, education and training

D.

Remote working arrangements

E.

The conducting of verification checks on personnel

F.

The operation of the site CCTV and door control systems

G.

The organisation's arrangements for information deletion

Full Access
Question # 52

Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.

Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.

Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.

During the audit, among others, the following situations were observed:

1.The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.

2.There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.

3.There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by

these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.

Based on this scenario, answer the following question:

Why could SendPay not restore their services back in-house after the contract termination? Refer to scenario 4.

A.

Because SendPay did not monitor the technology infrastructure of the outsourced software operations

B.

Because SendPay lacked a comprehensive business continuity plan with potential impact of contract terminations

C.

Because the outsourced software company terminated the contract with SendPay without prior notice

Full Access
Question # 53

Which two of the following are valid audit conclusions?

A.

ISMS induction training does not provide guidance on malware prevention

B.

The risk register had not been updated since June 202X

C.

Corrective action was outstanding for two internal audits

D.

The ISMS policy has been effectively communicated to the organisation

E.

The organisation's ISMS objectives meet the requirements of ISO/IEC 27001:2022

F.

The schedule of applicability was based on the 2013 edition of ISO/IEC 27001, not the 2022 edition

Full Access
Question # 54

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

The audit team concluded that Lawsy meets the ISO/IEC 27001's requirements related to training and awareness by examining 15 out of 50 employee training records, as provided in scenario 7. This is a risk or error related to:

A.

The auditor

B.

Sampling

C.

The sample size

Full Access
Question # 55

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.

While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

According to scenario 3, which audit principle has Jack compromised when he sold NightCore’s information after the audit?

A.

Independence

B.

Integrity

C.

Confidentiality

Full Access
Question # 56

Select the correct sequence for the information security risk assessment process in an ISMS.

To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank

Full Access
Question # 57

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. You find all nursing home residents wear an electronic wristband for monitoring their location, heartbeat, and blood pressure always. You learned that he electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.

To verify the scope of ISMS, you interview the management system representative (MSR) who explains that the ISMS scope covers an outsourced data center.

Select four options for the clauses and/or controls of ISO/IEC 27001:2022 that are directly relevant to the verification of the scope of the ISMS.

A.

Control 5.3 Organizational roles, responsibilites and authorities

B.

Clause 4.2 Understanding the needs and expectations of interested parties

C.

Control 5.3 Legal, statutory, regulatory and contractual requirements

D.

Control 6.3 Information security awareness, education, and training

E.

Clause 5.2 Policy

F.

Clause 4.1 Understanding the organization and its context

G.

Control 7.6 Working in secure areas

Full Access
Question # 58

You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.

They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.

Which three of the following options represent valid audit trails?

A.

I will determine whether internal and external sources of information are used in the production of threat intelligence

B.

I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team

C.

I will ensure that the organisation's risk assessment process begins with effective threat intelligence

D.

I will check that the organisation has a fully documented threat intelligence process

E.

I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

F.

I will speak to top management to make sure all staff are aware of the importance of reporting threats

G.

I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements

Full Access
Question # 59

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

A.

5.11 Return of assets

B.

8.12 Data leakage protection

C.

5.3 Segregation of duties

D.

6.3 Information security awareness, education, and training

E.

7.10 Storage media

F.

8.3 Information access restriction

G.

5.6 Contact with special interest groups

Full Access
Question # 60

During discussions with the individual(s) managing the audit programme of a certification body, the Management System Representative of the client organisation asks for a specific auditor for the certification audit. Select two of the following options for how the individual(s) managing the audit programme should respond.

A.

Advise the Management System Representative that his request can be accepted

B.

Suggest that the Management System Representative chooses another certification body

C.

State that his request will be considered but may not be taken up

D.

Suggest asking the certification body management to permit the request

E.

Advise the Management System Representative that the audit team selection is a decision that the audit programme manager needs to make based on the resources available

Full Access
Question # 61

You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.

Match each of the descriptions provided to one of the following risk management processes.

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Full Access
Question # 62

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card was swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

A.

Take no action. Irrespective of any recommendations, contractors will always act in this way

B.

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier

C.

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined

D.

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

E.

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities

F.

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times

G.

Raise a nonconformity against control A.7.2 'physical entry' as a secure area is not adequately protected

Full Access
Question # 63

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

Based on this scenario, answer the following question:

Insufficient testing and lack of samples provided to Fintive's chatbot during the training phase are considered as 1.

Refer to scenario

A.

Threats

B.

Vulnerabilities

C.

Risks

Full Access
Question # 64

Phishing is what type of Information Security Incident?

A.

Private Incidents

B.

Cracker/Hacker Attacks

C.

Technical Vulnerabilities

D.

Legal Incidents

Full Access
Question # 65

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

During stage 1 audit, the audit team found out that Sinvestment did not have records on information security training and awareness. What Sinvestment do in this case? Refer to scenario 6.

A.

Correct the identified issue before the stage 2 audit

B.

Document the identified issue and correct it after the certification audit is completed

C.

Perform a new risk assessment process to understand whether the issue needs modification or not

Full Access
Question # 66

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits.

Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.

Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

The audit team photocopied the examined employee training records to support their conclusion. Should the audit team obtain an approval from Lawsy before taking this action? Refer to scenario 7.

A.

Yes. the audit team should obtain the approval of the auditee when verifying the existence of a process in all cases, including when taking notes and photocopying documents

B.

Yes, the audit team can photocopy documents observed during the audit if the auditee agrees to it

C.

No, the audit team has the authority to photocopy documents in order to verify the conformity of a certain document to the audit criteria

Full Access
Question # 67

The auditor was unable to identify that Company A hid their insecure network architecture. What type of audit risk is this?

A.

Inherent

B.

Control

C.

Detection

Full Access
Question # 68

Scenario 1: Fintive is a distinguished security provider for online payments and protection solutions. Founded in 1999 by Thomas Fin in San Jose, California, Fintive

offers services to companies that operate online and want to improve their information security, prevent fraud, and protect user information such as PII. Fintive centers

its decision-making and operating process based on previous cases. They gather customer data, classify them depending on the case, and analyze them. The company

needed a large number of employees to be able to conduct such complex analyses. After some years, however, the technology that assists in conducting such analyses

advanced as well. Now, Fintive is planning on using a modern tool, a chatbot, to achieve pattern analyses toward preventing fraud in real-time. This tool would also be

used to assist in improving customer service.

This initial idea was communicated to the software development team, who supported it and were assigned to work on this project. They began integrating the chatbot

on their existing system. In addition, the team set an objective regarding the chatbot which was to answer 85% of all chat queries.

After the successful integration of the chatbot, the company immediately released it to their customers for use. The chatbot, however, appeared to have some issues.

Due to insufficient testing and lack of samples provided to the chatbot during the training phase, in which it was supposed "to learn" the queries pattern, the chatbot

failed to address user queries and provide the right answers. Furthermore, the chatbot sent random files to users when it received invalid inputs such as odd patterns

of dots and special characters. Therefore, the chatbot was unable to properly answer customer queries and the traditional customer support was overwhelmed with

chat queries and thus was unable to help customers with their requests.

Consequently, Fintive established a software development policy. This policy specified that whether the software is developed in-house or outsourced, it will undergo a

black box testing prior to its implementation on operational systems.

What type of security control does the use of black box testing represent? Refer to scenario 1.

A.

Corrective and technical

B.

Detective and managerial

C.

Preventive and technical

Full Access
Question # 69

You are carrying out your first third-party ISMS surveillance audit as an audit team leader. You are presently in the auditee's data centre with another member of your audit team and the organisation's guide.

You request access to a locked room protected by a combination lock and iris scanner. In the corner of the room is a collection of hard drives piled on a desk. You ask the guide what the status of

the drives is. He tells you the drives are redundant and awaiting disposal. They should have been picked up last week, but the organisation's external provider of secure destruction services was

unable to source a driver due to staff sickness. He says this has recently become more common though he does not know why. He then presents you with a job ticket that confirms the pickup has

been rescheduled for tomorrow.

Based on the scenario above which three of the following actions would you now take?

A.

Record a nonconformity against control A.5.13 'labelling of information' as the disk drives' status was unclear

B.

Raise a nonconformity against control A.7.7, 'clear desk and clear screen' because the drives have been left unprotected on the desktop.

C.

Record an opportunity for improvement in respect of the external provider's inventory management arrangements.

D.

Ensure that the organisation's arrangements for the secure disposal and reuse of equipment have been adhered to.

E.

Record the finding but note no further action is required as the pickup has now been rescheduled.

F.

Raise a nonconformity against control A.7.5, 'protecting against physical and environmental threats' because the drives have been left exposed on the desktop.

G.

Ensure that the organisation's arrangements for the life cycle management of storage media have been adhered to.

Full Access
Question # 70

Which two of the following statements are true?

A.

The benefits of implementing an ISMS primarily result from a reduction in information security risks

B.

The benefit of certifying an ISMS is to obtain contracts from governmental institutions

C.

The purpose of an ISMS is to apply a risk management process for preserving information security

D.

The purpose of an ISMS is to demonstrate compliance with regulatory requirements

Full Access
Question # 71

You see a blue color sticker on certain physical assets. What does this signify?

A.

The asset is very high critical and its failure affects the entire organization

B.

The asset with blue stickers should be kept air conditioned at all times

C.

The asset is high critical and its failure will affect a group/s/project's work in the organization

D.

The asset is critical and the impact is restricted to an employee only

Full Access
Question # 72

Which two of the following phrases would apply to "plan" in relation to the Plan-Do-Check-Act cycle for a business process?

A.

Retaining documentation

B.

Retaining documentation

C.

Organising changes

D.

Setting objectives

E.

Training staff

F.

Providing ICT assets

Full Access
Question # 73

Select the word that best completes the sentence:

Full Access
Question # 74

You are an experienced ISMS audit team leader, talking to an Auditor in training who has been assigned to your audit team. You want to ensure that they understand the importance of the Check stage of the Plan-Do-Check-Act cycle in respect of the operation of the information security management system.

You do this by asking him to select the words that best complete the sentence:

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Full Access
Question # 75

Why should materiality be considered during the initial contact?

A.

To determine the audit duration

B.

To obtain reasonable assurance that the audit can be successfully completed

C.

To define processes for minimizing detection risks

Full Access
Question # 76

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.

While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

Based on scenario 3. which ISO/IEC 27001 control has NightCore ignored when they used an illegal version of software?

A.

Annex A 5.1 Policies for information security

B.

Annex A 5.10 Acceptable use of information and other associated assets

C.

Annex A 5.32 Intellectual property rights

Full Access
Question # 77

The following are definitions of Information, except:

A.

accurate and timely data

B.

specific and organized data for a purpose

C.

mature and measurable data

D.

can lead to understanding and decrease in uncertainty

Full Access
Question # 78

During a third-party certification audit, you are presented with a list of issues by an auditee. Which four of the following constitute 'internal' issues in the context of a management system to ISO 27001:2022?

A.

Higher labour costs as a result of an aging population

B.

A rise in interest rates in response to high inflation

C.

Poor levels of staff competence as a result of cuts in training expenditure

D.

Poor morale as a result of staff holidays being reduced

E.

Increased absenteeism as a result of poor management

F.

A reduction in grants as a result of a change in government policy

G.

A fall in productivity linked to outdated production equipment

Full Access
Question # 79

The auditor used sampling to ensure that event logs recording information security events are maintained and regularly reviewed. Sampling was based on the audit objectives, whereas the sample selection process was based on the probability theory. What type of sampling was used?

A.

Statistical sampling

B.

Judgment-based sampling

C.

Systematic sampling

Full Access
Question # 80

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

Which risk treatment option has Knight used in replacing FTP with SSH? Refer to scenario 2.

A.

Risk retention

B.

Risk avoidance

C.

Risk modification

Full Access
Question # 81

An organisation is looking for management system initial certification. Please identify the sequence of the activities to be undertaken by the organisation.

To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank section.

Full Access
Question # 82

You have a hard copy of a customer design document that you want to dispose off. What would you do

A.

Throw it in any dustbin

B.

Shred it using a shredder

C.

Give it to the office boy to reuse it for other purposes

D.

Be environment friendly and reuse it for writing

Full Access