ISO 27001 ISO-IEC-27001-Lead-Auditor Book

Page: 9 / 20

Question 36

You are an experienced ISMS audit team leader providing guidance to an auditor in training.

The auditor in training appears to be confused about the interpretation of competence in ISO 27001:2022 and is seeking clarification from you that his understanding is correct. He sets out a series of mini scenarios and asks you which of these you would attribute to a lack of competence. Select four correct options.

Options:

An employee recently transferred from the IT networks team to Software development was unaware of the need to complete product release forms prior to shipping

A senior programmer did not check their coding for errors as they were running late for a doctor's appointment

A new starter was unable to switch on CCTV monitoring because they had not been shown how to do this

An IT technician failed to configure a new model of server correctly as a result of not reading the supplied instructions

An experienced receptionist allowed a contractor she recognised to enter the data centre without his access card

A system administrator deleted two live accounts as well as five redundant accounts as a result of receiving an incorrect instruction

A data centre operator inadvertently placed a backup tape into an incorrect drive because they were in a hurry to move on to another task

Question 37

Which two options are benefits of third-party accredited certification of information security management systems to ISO/IEC 27001:2022 for organisations and interested parties?

Options:

Third-party accredited certification demonstrates that the organisation complies with the legal and legislation requirements expected by interested parties

Third-party accredited certification demonstrates that the organisation's ICT products are secured and certified

Third-party accredited certification demonstrates that the organisation's management system is maintained and effective

Third-party accredited certification demonstrates the organisation's management system adopted a systematic approach to information security

Third-party accredited certification makes sure the organisation will obtain more customers

Third-party accredited certification makes sure the organisation's IT system will be protected from external interference

Question 38

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

According to scenario 6, the marketing department employees were not following the access control policy. Which option is correct in this case?

Options:

The marketing department is not included in the audit scope, so the issue should only be communicated to Sinvestment's representatives

The employees' access right control is included in Sinvestment’s information security policy, so the issue must be communicated to Sinvestment's representatives and included in the audit report

Sinvestment is not controlling the employees' access rights, which represents a potential information security risk and should be reported as a major nonconformity

Question 39

The auditor used sampling to ensure that event logs recording information security events are maintained and regularly reviewed. Sampling was based on the audit objectives, whereas the sample selection process was based on the probability theory. What type of sampling was used?