Complete ISO-IEC-27001-Lead-Auditor PECB Materials

The four controls from the list that are related to PHYSICAL aspects of the ISMS are:

•Access to and from the loading bay

•How power and data cables enter the building

•The operation of the site CCTV and door control systems

•The organisation’s arrangements for maintaining equipment

These controls are derived from the ISO 27001 Annex A, which provides a comprehensive list of information security controls that can be applied to an ISMS1. The other controls in the list are more related to ORGANIZATIONAL, LEGAL, or HUMAN aspects of the ISMS, which are also important, but not the focus of this question.

According to the ISMS Auditing Guideline2, the auditor in training should review the PHYSICAL controls by:

•Checking the SoA to identify the applicable controls and their implementation status

•Interviewing the relevant staff and management to verify their understanding and involvement in the controls

•Observing the physical and environmental conditions to confirm the existence and effectiveness of the controls

•Examining the relevant documents and records to validate the compliance and performance of the controls

I hope this helps you prepare for the exam. ????

References: 1: What Are ISO 27001 Controls? A Guide to Annex A | Secureframe; 2: ISMS Auditing Guideline - ISO27000

The number of days assigned to a third-party audit is not determined by the auditee’s availability, but by the audit program, which considers the audit scope, objectives, criteria, risks, and resources12. The auditee’s availability is only one factor that affects the audit planning and scheduling, but not the audit duration3. Auditors approved for conducting onsite audits do require additional training for virtual audits, as there are significant differences in the skillset required. Virtual audits pose different challenges and opportunities than onsite audits, such as communication, technology, security, and evidence collection4 . Auditors need to be familiar with the tools and techniques for conducting remote audits, as well as the ethical and professional behavior expected in a virtual environment . References:

• PECB Candidate Handbook - ISO 27001 Lead Auditor, page 18
• ISO 19011:2018, Guidelines for auditing management systems, clause 5.3.2
• ISO 19011:2018, Guidelines for auditing management systems, clause 6.3.1
• Deloitte - Conducting a Virtual Internal Audit, page 1
• [A Guide to Conducting Effective and Efficient Remote Audits], page 1
• [ISO 19011:2018, Guidelines for auditing management systems], clause 7.2.3
• [Remote Auditing Best Practices & Checklist for Regulatory Compliance], page 1

The three options for findings that are justified in the scenario are:

•Nonconformity (NC) - The information for the acceptance of residual information security risks should be updated after the risk treatment is implemented. Clause 6.1.3.f

•Nonconformity (NC) - The IT security manager should be aware of and understand his authority and area of responsibility. Clause 7.3

•Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the Facility Manager in this case. Clause 6.1.3.f

According to ISO/IEC 27001:2022, clause 6.1.3.f, the organisation must retain documented information that includes the information for the acceptance of residual information security risks, and the approval of the risk treatment plan by the risk owner1. Therefore, option A and G are justified as nonconformities, because the organisation failed to update the information for the acceptance of residual risks, and the risk treatment plan was approved by the IT security manager, who is not the risk owner.

According to ISO/IEC 27001:2022, clause 7.3, the organisation must ensure that the persons assigned to perform the roles and responsibilities for the ISMS are competent, and are aware of the consequences of not conforming to the ISMS requirements2. Therefore, option E is justified as a nonconformity, because the IT security manager, who is responsible for the information security risk management process, was not aware of his authority and area of responsibility.

The other options are not justified as findings, because they are either irrelevant or incorrect. For example:

•Option B is irrelevant, because it is not related to the information security risk treatment plan No. 123, which is the focus of the audit.

•Option C is incorrect, because it is not an opportunity for improvement, but rather a benefit of the risk treatment plan No. 123, which is already implemented.

•Option D is incorrect, because it is not a nonconformity, but rather a requirement for the organisation to provide the resources needed for the ISMS, which is not the same as the resources needed for the risk treatment plan No. 123.

•Option F is incorrect, because it is not a nonconformity, but rather a requirement for the organisation to provide the resources needed for the continual improvement of the ISMS, which is not the same as the resources needed for the risk treatment plan No. 123.

•Option H is irrelevant, because it is not a finding, but rather a good practice, which is not the objective of the audit.

References: 1: ISO/IEC 27001:2022, 6.1.3.f; 2: ISO/IEC 27001:2022, 7.3; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022

Information security is a matter of building and maintaining trust. Trust is the confidence that information and information processing facilities are protected from unauthorized or malicious actions that could compromise their confidentiality, integrity or availability. Trust is essential for establishing and maintaining relationships with customers, partners, suppliers, employees and other stakeholders who rely on the organization’s information and services. Trust is also a key factor for achieving compliance with legal, regulatory and contractual obligations, as well as meeting the organization’s own information security objectives and policies. ISO/IEC 27001:2022 defines information security as “preservation of confidentiality, integrity and availability of information” (see clause 3.28) and states that “the purpose of an information security management system is to provide a framework for managing activities that influence the trustworthiness of information” (see Introduction). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Trust?