Winter Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: bigdisc65

Changed ISO-IEC-27001-Lead-Auditor Exam Questions

Page: 5 / 20
Question 20

Which one of the following conclusions in the audit report is not required by the certification body when deciding to grant certification?

Options:

A.

The corrections taken by the organisation related to major nonconformities have been accepted.

B.

The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.

C.

The plans to address corrective actions related to minor nonconformities have been accepted

D.

The scope of certification has been fulfilled

Question 21

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit

plan is to verify the information security of the business continuity management process. During the audit, you learned that

the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the

recent pandemic. You ask the Service Manager to explain how the organization manages information security during the

business continuity management process.

The Service Manager presented the nursing service continuity plan for a pandemic and summarised the process as follows:

Stop the admission of any NEW residents.

70% of administration staff and 30% of medical staff will work from home.

Regular staff self-testing, including submitting a negative test report 1 day BEFORE they come to the office.

Install ABC's healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking on the spot.

You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents' personal data when staff work from home. The Service Manager cannot answer and suggests the IT Security Manager should help with that.

You would like to further investigate other areas to collect more audit evidence. Select three options that will not be in your audit trail.

Options:

A.

Collect more evidence on how information security protocols are maintained during disruption (relevant to control A.5.29)

B.

Collect more evidence that staff only use IT equipment protected from malware when working from home (relevant to control A.8.7)

C.

Collect more evidence by interviewing additional staff to ensure they are aware of the need to sometimes work from home (Relevant to clause 7.3)

D.

Collect more evidence on how and when the Business Continuity Plan has been tested. (Relevant to control A.5.29)

E.

Collect more evidence on how the organisation makes sure all staff periodically conduct a positive Covid test (Relevant to control A.7.2)

F.

Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)

G.

Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6)

Question 22

You are an audit team leader who has just completed a third-party audit of a mobile telecommunication provider. You are preparing your audit report and are just about to complete a section headed 'confidentiality'.

An auditor in training on your team asks you if there are any circumstances under which the confidential report can be released to third parties.

Which four of the following responses are false?

Options:

A.

Although we advise the client the report is confidential we can decide to release it to third parties if we feel this is justified. We would always tell the client afterwards

B.

The report can be released to third parties but only with the explicit, prior approval of the audit client

C.

There are no circumstances under which the report can be released to a third party. Confidential means confidential and releasing the document would be a breach of trust

D.

The starting position is always that third parties have no automatic right to access an audit report

E.

If the third party has gained a legal notice for us to disclose the report then we must do so. In all such cases we would advise the audit client and, as appropriate, the auditee

F.

Any auditor employed by the auditing organisation can access the audit report

G.

Our duty of confidentiality is not something that lasts forever. As a certification body, we can decide how long we wish to keep reports confidential. After this, they can be accessed by third parties making a subject access request

Question 23

You are an experienced ISMS audit team leader. During the conducting of a third-party surveillance audit, you decide to test your auditee's knowledge of ISO/IEC 27001's risk management requirements.

You ask her a series of questions to which the answer is either 'that is true' or 'that is false'. Which four of the following should she answer 'that is true'?

Options:

A.

The results of risk assessments must be maintained

B.

Risk identification is used to determine the severity of an information security risk

C.

ISO/IEC 27001 provides an outline approach for the management of risk

D.

The organisation must produce a risk treatment plan for every business risk identified

E.

The organisation must operate a risk treatment process to eliminate it's information security risks

F.

The initial phase in an organisation's risk management process should be information security risk assessment

G.

Risks assessments should be undertaken at monthly intervals

Page: 5 / 20
Exam Name: PECB Certified ISO/IEC 27001 2022 Lead Auditor exam
Last Update: Nov 21, 2024
Questions: 289
ISO-IEC-27001-Lead-Auditor pdf

ISO-IEC-27001-Lead-Auditor PDF

$28  $80
ISO-IEC-27001-Lead-Auditor Engine

ISO-IEC-27001-Lead-Auditor Testing Engine

$33.25  $95
ISO-IEC-27001-Lead-Auditor PDF + Engine

ISO-IEC-27001-Lead-Auditor PDF + Testing Engine

$45.5  $130