New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

Sure Pass Exam ISO-IEC-27001-Lead-Auditor PDF

Page: 20 / 20
Question 80

You are an experienced ISMS auditor, currently providing support to an ISMS auditor in training who is carrying out her first initial certification audit. She asks you what she should be verifying when auditing an organisation's Information Security objectives. You ask her what she has included in her audit checklist and she provides the following replies.

Which three of these responses would you cause you concern in relation to conformity with ISO/IEC 27001:2022?

Options:

A.

I am going to check how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved

B.

I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed

C.

I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved

D.

I am going to check that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this

E.

I am going to check that a completion date has been set for each objective and that there are no objectives with missing 'achieve by' dates

F.

I am going to check that the necessary budget, manpower and materials to achieve each objective has been determined

G.

I am going to check that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them

Question 81

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

What would prevent the misunderstanding between the certification body and the Data Grid Inc.?

Refer to scenario 5.

Options:

A.

Validating the audit offer

B.

Signing the certification agreement

C.

Defining the audit schedule

Question 82

Which two of the following phrases would apply to "act" in relation to the Plan-Do-Check-Act cycle for a business process?

Options:

A.

Auditing processes

B.

Planning changes

C.

Measuring objectives

D.

Resetting objectives

E.

Achieving improvements

F.

Verifying training

Page: 20 / 20
Exam Name: PECB Certified ISO/IEC 27001 2022 Lead Auditor exam
Last Update: Dec 22, 2024
Questions: 289
ISO-IEC-27001-Lead-Auditor pdf

ISO-IEC-27001-Lead-Auditor PDF

$25.5  $84.99
ISO-IEC-27001-Lead-Auditor Engine

ISO-IEC-27001-Lead-Auditor Testing Engine

$28.5  $94.99
ISO-IEC-27001-Lead-Auditor PDF + Engine

ISO-IEC-27001-Lead-Auditor PDF + Testing Engine

$40.5  $134.99