Question No. 1

You are carrying out your first third-party ISMS surveillance audit as an audit team leader. You are presently in the auditee's data centre with another member of your audit team and the organisation's guide.

You request access to a locked room protected by a combination lock and iris scanner. In the corner of the room is a collection of hard drives piled on a desk. You ask the guide what the status of

the drives is. He tells you the drives are redundant and awaiting disposal. They should have been picked up last week, but the organisation's external provider of secure destruction services was

unable to source a driver due to staff sickness. He says this has recently become more common though he does not know why. He then presents you with a job ticket that confirms the pickup has

been rescheduled for tomorrow.

Based on the scenario above which three of the following actions would you now take?

ARecord a nonconformity against control A.5.13 'labelling of information' as the disk drives' status was unclear

BRaise a nonconformity against control A.7.7, 'clear desk and clear screen' because the drives have been left unprotected on the desktop.

CRecord an opportunity for improvement in respect of the external provider's inventory management arrangements.

DEnsure that the organisation's arrangements for the secure disposal and reuse of equipment have been adhered to.

ERecord the finding but note no further action is required as the pickup has now been rescheduled.

FRaise a nonconformity against control A.7.5, 'protecting against physical and environmental threats' because the drives have been left exposed on the desktop.

GEnsure that the organisation's arrangements for the life cycle management of storage media have been adhered to.

HFollow an audit trail to determine whether the organisation is complying with its obligations in respect of control A.5.22 'monitoring, review and change management of supplier services'.

Show Answer

Correct Answer: D, G, H

Question No. 2

CMM stands for?

ACapability Maturity Matrix

BCapacity Maturity Matrix

CCapability Maturity Model

DCapable Mature Model

Show Answer

Correct Answer: C

Capability Maturity Model (CMM) is a framework that describes the key elements of an effective software process. It defines five levels of maturity for software development organizations, from initial to optimized.The CMM helps organizations to assess their current level of process capability and identify the areas for improvement1.Reference:ISO/IEC 27001:2022 Lead Auditor - IECB

Question No. 3

Who are allowed to access highly confidential files?

AEmployees with a business need-to-know

BContractors with a business need-to-know

CEmployees with signed NDA have a business need-to-know

DNon-employees designated with approved access and have signed NDA

Show Answer

Correct Answer: A

According to ISO/IEC 27001:2022, clause 8.2.1, the organization shall ensure that access to information and information processing facilities is limited to authorized users based on the access control policy and in accordance with the business requirements of access control2. Therefore, only employees with a business need-to-know are allowed to access highly confidential files, and not contractors, non-employees or employees with signed NDA.Reference:ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

Question No. 4

You are performing an ISMS audit at a residential nursing home railed ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process. During the audit, you learned most of the residents' family members (90%) receive WeCare medical device promotional advertisements through email and SMS once a week via ABC's healthcare mobile app. All of them do not agree on the use of the collected personal data (or marketing or any other purposes than nursing and medical care on the signed service agreement with ABC. They have very strong reason to believe that ABC is leaking residents' and family members' personal information to a non-relevant third party and they have filed complaints.

The Service Manager says that all these complaints have been treated as nonconformities, and the corrective actions have been planned and implemented according to the Nonconformity and Corrective management procedure. The corrective action involved stopping working with WeCare the medical device manufacturer immediately and asking them to delete all personal data received as well as sending an apology email to all residents and their family members.

You are preparing the audit findings. Select one option of the correct finding.

ANonconformity: ABC does not follow the signed healthcare service agreement with residents' family members

BNo nonconformity: I would like to collect more evidence on how the organisation defines the management system scope and see if they covered WeCare medical device manufacture

CNo nonconformity: The Service Manager implemented the corrective actions and the Customer Service Representative evaluates the effectiveness of implemented corrective actions

DNonconformity: The management review does not take the feedback from residents' family members into consideration

Show Answer

Correct Answer: A

According to ISO 27001:2022 clause 8.1.4, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes implementing appropriate contractual requirements related to information security with external providers, such as customers who send ICT equipment for reclamation12

In this case, ABC is a residential nursing home that provides healthcare services to its residents and collects their personal data and their family members' personal data. ABC has a signed service agreement with the residents' family members that states that the collected personal data will not be used for marketing or any other purposes than nursing and medical care. However, ABC has violated this contractual requirement by sharing the personal data with WeCare, a medical device manufacturer, who has used the data to send promotional advertisements to the residents' family members via email and SMS. This has caused dissatisfaction and complaints from the residents' family members, who have a strong reason to believe that ABC is leaking their personal information to a non-relevant third party.

Therefore, the audit finding is a nonconformity with clause 8.1.4 of ISO 27001:2022, as ABC has failed to control the externally provided processes, products or services that are relevant to the information security management system, and has breached the contractual requirements related to information security with its customers. The fact that ABC has taken corrective actions to stop working with WeCare and to apologise to the customers does not eliminate the nonconformity, but only mitigates its consequences. The nonconformity still needs to be recorded, evaluated, and reviewed for effectiveness and improvement.

1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Question No. 5

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next

step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support,

and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a

professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and

ISMS (ISO/IEC 27001) certified.

The IT Manager presented the software security management procedure and summarised the process as following:

The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum.

The following security functions for personal data protection shall be available:

Access control.

Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and

Personal data pseudonymization.

Vulnerability checked and no security backdoor

You sample the latest Mobile App Test report, details as follows:

The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.

You are preparing the audit findings. Select the correct option.

AThere is a nonconformity (NC). The organisation and developer do not perform acceptance tests. (Relevant to clause 8.1, control A.8.29)

BThere is a nonconformity (NC). The organisation and developer perform security tests that fail. (Relevant to clause 8.1, control A.8.29)

CThere is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

DThere is NO nonconformity (NC). The Service Manager makes a good decision to continue the service. (Relevant to clause 8.1, control A.8.30)

Show Answer

Correct Answer: C

Free PECB ISO-IEC-27001-Lead-Auditor Exam Actual Questions

The questions for ISO-IEC-27001-Lead-Auditor were last updated On Dec 19, 2024