Last Attempt ISO-IEC-27001-Lead-Auditor Questions

Page: 6 / 20

Question 24

You are an ISMS audit team leader tasked with conducting a follow-up audit at a client's data centre. Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding.

Select four options for the actions you could take.

Options:

Book another follow-up audit on-site to review the one outstanding minor nonconformity once it has been cleared

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit

Advise the auditee that you will arrange an online audit to deal with the outstanding nonconformity

Note the progress made but hold the audit open until all corrective action has been cleared

Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified

Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity

Recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale

Answer:

B, E, F, H

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, clause 6.7 requires the audit team leader to conduct a follow-up audit to verify the implementation and effectiveness of the corrective actions taken by the auditee in response to the nonconformities identified during a previous audit1. The follow-up audit should be conducted in accordance with the same principles and processes as the initial audit, and should result in a conclusion on the status of the nonconformities and any remaining issues1. Therefore, when conducting a follow-up audit, an ISMS auditor should consider the following actions:

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit: This action is appropriate because it reflects the fact that the auditee has cleared most of the nonconformities, including the major one, and only one minor nonconformity remains outstanding. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity2. Therefore, this finding does not prevent or preclude the continuation of certification, as long as it is addressed by appropriate corrective actions within a reasonable time frame. The auditor should recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit, which is a regular audit conducted by the certification body to confirm the ongoing conformity and effectiveness of an ISMS3.
Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified: This action is appropriate because it reflects the fact that the auditee has demonstrated commitment and capability to implement corrective actions for the nonconformities identified during the previous audit. The auditor should agree with the auditee/audit client on a realistic, achievable, and effective corrective action plan for the remaining nonconformity, including a clear deadline and verification method. The auditor should also document this agreement in the follow-up audit report1.
Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity: This action is appropriate because it reflects the fact that the auditor has followed a systematic and consistent approach to conducting and reporting the follow-up audit. The auditor should advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity, such as recommending its closure at the next surveillance audit or agreeing on a corrective action plan with the auditee/audit client. The auditor should also provide sufficient information and evidence to support their decision1.
Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised: This action is appropriate because it reflects the fact that the organisation has achieved satisfactory results in the follow-up audit. The auditor should close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised by implementing effective corrective actions for most of them and agreeing on a plan for the remaining one. The auditor should also communicate the follow-up audit conclusion to the auditee/audit client and other relevant parties1.

Question 25

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.

The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.

Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.

While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.

When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.

Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.

Based on this scenario, answer the following question:

What type of audit evidence has Jack collected when he identified the first nonconformity regarding the software? Refer to scenario 3.

Options:

Analytical evidence

Verbal evidence

Mathematical evidence

Question 26

You are an experienced ISMS audit team leader. You are providing an introduction to ISO/IEC 27001:2022 to a class of Quality Management System Auditors who are seeking to retrain to enable them to carry out information security management system audits.

You ask them which of the following characteristics of information does an information security management system seek to preserve?

Which three answers should they provide?

Options:

Clarity

Accessibility

Completeness

Importance

Availability

Confidentiality

Integrity

Question 27

You are an experienced ISMS audit team leader who is currently conducting a third party initial certification audit of a new client, using ISO/IEC 27001:2022 as your criteria.

It is the afternoon of the second day of a 2-day audit, and you are just about to start writing your audit report. So far no nonconformities have been identified and you and your team have been impressed with both the site and the organisation's ISMS.

At this point, a member of your team approaches you and tells you that she has been unable to complete her assessment of leadership and commitment as she has spent too long reviewing the planning of changes.

Which one of the following actions will you take in response to this information?

Options:

Apologise to the client and tell them you will return at a later date to review leadership and commitment.

Suggest to the client that if they are prepared to upgrade your return flight to first class you will audit leadership and commitment in your own time tomorrow.

Advise the auditee and audit client that it is not possible to make a positive recommendation at this point.

Advise the auditee that the certification audit will need to be terminated and rescheduled.

Contact the individual managing the audit programme and seek their permission to record a positive recommendation in the audit report.

Contact your head office and await their further instructions of how to proceed.

Given there have been no nonconformities identified and the overall impression of the organisation has been a good one, record a positive recommendation for certification in the audit report.