Practice Free ISO-IEC-27001-Lead-Auditor PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Exam Questions Answers With Explanation

From Exact Extract:

Explanation for C (Correct Response):

The audit team leader's primary responsibility is to manage the audit process effectively and efficiently according to the agreed-upon audit plan and schedule. A Stage 2 audit schedule is typically tightly managed to ensure all required elements of the management system are sampled within the allocated time. A 45-minute video presentation is a significant time commitment that would disrupt the planned audit activities. Politely but firmly stating the need to adhere to the schedule is professional and critical for maintaining audit integrity and achieving the audit objectives.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Audit plans must remain flexible to adapt to unforeseen findings and risks.

ISO 19011:2018 specifies that audit planning should allow dynamic adjustments.

A. Incorrect:

Audit procedures are part of execution, not planning.

C. Incorrect:

The audit team, not top management, prepares the audit plan.

Relevant Standard Reference:

ISO 19011:2018 Clause 5.4 (Audit Planning Flexibility)

One possible way to complete the sentence is:

“When reviewing the effectiveness of action taken in response to a nonconformity, an auditor seeks evidence of change that will prevent recurrence of the issue.”

According to ISO/IEC 27001:2022, clause 10.1, the organization shall continually improve the suitability, adequacy, and effectiveness of the ISMS by evaluating the performance and the effectiveness of the ISMS, ensuring that the policy and objectives are aligned with the strategic direction of the organization, and taking actions to achieve the intended outcomes of the ISMS. One of the ways to achieve continual improvement is to identify and correct nonconformities and take actions to eliminate their causes and prevent their recurrence. Therefore, when reviewing the effectiveness of the corrective actions, an auditor should look for evidence that the organization has analyzed the root cause of the nonconformity, implemented appropriate changes to the ISMS, and verified that the changes have resulted in the desired improvement and prevented the recurrence of the issue. References: =

ISO/IEC 27001:2022, clause 10.1, Nonconformity and corrective action

ISO/IEC 27001:2022, clause 10.2, Continual improvement

PECB Candidate Handbook ISO 27001 Lead Auditor, page 19, Audit Process

PECB Candidate Handbook ISO 27001 Lead Auditor, page 21, Audit Findings

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

ISO/IEC 27001:2022 Clause 6.1.3 (Information Security Risk Treatment) requires that any decision to accept risk be documented and justified.

Failure to document this decision creates compliance and audit tracking gaps.

A. Incorrect:

Risk acceptance must always be documented for accountability.

C. Incorrect:

Organizations are not required to mitigate every nonconformity but must justify their risk acceptance.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 6.1.3 (Risk Treatment Documentation Requirements)

It is acceptable and often necessary for auditors to test technical controls such as firewalls to validate the operation and effectiveness of these processes during an ISMS audit. This hands-on testing provides concrete, technical evidence of the security measures' performance.

The correct answer is during the first and second years of certification, making option B correct. According to ISO/IEC 17021-1, ISO/IEC 27006, and standard certification cycle rules, ISO/IEC 27001 certification follows a three-year certification cycle. After the initial certification audit, the organization is subject to periodic surveillance audits to ensure continued conformity of the ISMS.

Surveillance audits are typically conducted annually during the first and second years following certification. Their purpose is to verify that the ISMS remains effective, that corrective actions are maintained, and that the organization continues to comply with ISO/IEC 27001 requirements. These audits are less extensive than the initial certification audit but still cover critical ISMS elements, changes, incidents, and improvement activities.

Option A is incorrect because surveillance audits are mandatory and scheduled by the certification body, not optional or request-based. Option C is incorrect because five years exceeds the standard certification cycle. Instead, a recertification audit is conducted in the third year, not a surveillance audit.

Therefore, surveillance audits are normally conducted during the first and second years after certification, confirming option B as correct.

Comprehensive and Detailed In-Depth Explanation:

Northstorm adopted an international standard for Personally Identifiable Information (PII) controllers and PII processors to ensure its data handling practices were secure and compliant with global regulations. This aligns directly with ISO/IEC 27701, which extends ISO/IEC 27001 and ISO/IEC 27002 to cover Privacy Information Management Systems (PIMS), specifically addressing the protection of PII.

A. ISO/IEC 27701 – Correct Answer. This standard is designed for organizations acting as PII controllers and processors and provides guidelines on privacy management, regulatory compliance, and data protection.

B. ISO/IEC 27009 – Incorrect because this standard provides guidance on sector-specific requirements for ISMS, not privacy or PII protection.

C. ISO/IEC 27003 – Incorrect because it provides general implementation guidance for ISMS, not specific controls for PII processing.

This aligns with ISO/IEC 27001:2022 Annex A Control A.5.34 (Privacy and Protection of PII), which focuses on ensuring compliance with privacy regulations and implementing privacy-enhancing security measures.

According to ISO 19011:2018, which provides guidelines for auditing management systems, clause 6.7 requires the audit team leader to conduct a follow-up audit to verify the implementation and effectiveness of the corrective actions taken by the auditee in response to the nonconformities identified during a previous audit1. The follow-up audit should be conducted in accordance with the same principles and processes as the initial audit, and should result in a conclusion on the status of the nonconformities and any remaining issues1. Therefore, when conducting a follow-up audit, an ISMS auditor should consider the following actions:

Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit: This action is appropriate because it reflects the fact that the auditee has cleared most of the nonconformities, including the major one, and only one minor nonconformity remains outstanding. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity2. Therefore, this finding does not prevent or preclude the continuation of certification, as long as it is addressed by appropriate corrective actions within a reasonable time frame. The auditor should recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit, which is a regular audit conducted by the certification body to confirm the ongoing conformity and effectiveness of an ISMS3.

Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified: This action is appropriate because it reflects the fact that the auditee has demonstrated commitment and capability to implement corrective actions for the nonconformities identified during the previous audit. The auditor should agree with the auditee/audit client on a realistic, achievable, and effective corrective action plan for the remaining nonconformity, including a clear deadline and verification method. The auditor should also document this agreement in the follow-up audit report1.

Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity: This action is appropriate because it reflects the fact that the auditor has followed a systematic and consistent approach to conducting and reporting the follow-up audit. The auditor should advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity, such as recommending its closure at the next surveillance audit or agreeing on a corrective action plan with the auditee/audit client. The auditor should also provide sufficient information and evidence to support their decision1.

Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised: This action is appropriate because it reflects the fact that the organisation has achieved satisfactory results in the follow-up audit. The auditor should close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised by implementing effective corrective actions for most of them and agreeing on a plan for the remaining one. The auditor should also communicate the follow-up audit conclusion to the auditee/audit client and other relevant parties1.

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 9.3 requires top management to review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness1. Clause 9.2 requires the organization to conduct internal audits at planned intervals to provide information on whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022, and is effectively implemented and maintained1. Therefore, when reviewing the audit process and audit findings as a final check before the external certification body arrives, an internal ISMS auditor should verify that these clauses are met in accordance with the audit criteria.

Six of the following statements would cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:

The audit programme shows management reviews taking place at irregular intervals during the year: This statement would cause concern because it implies that the organization is not conducting management reviews at planned intervals, as required by clause 9.3. This may affect the ability of top management to ensure the continuing suitability, adequacy and effectiveness of the ISMS.

The audit programme does not take into account the relative importance of information security processes: This statement would cause concern because it implies that the organization is not applying a risk-based approach to determine the audit frequency, methods, scope and criteria, as recommended by ISO 19011:2018, which provides guidelines for auditing management systems2. This may affect the ability of the organization to identify and address the most significant risks and opportunities for its ISMS.

Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date: This statement would cause concern because it implies that the organization is not establishing audit criteria for each internal audit, as required by clause 9.2. Audit criteria are the set of policies, procedures or requirements used as a reference against which audit evidence is compared2. Without audit criteria, it is not possible to determine whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022.

Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes: This statement would cause concern because it implies that the organization is not evaluating the effectiveness of ISMS processes, as required by clause 9.1. Effectiveness is the extent to which planned activities are realized and planned results achieved2. Efficiency is the relationship between the result achieved and the resources used2. Both aspects are important for measuring and evaluating ISMS performance and improvement.

The audit programme does not take into account the results of previous audits: This statement would cause concern because it implies that the organization is not using the results of previous audits as an input for planning and conducting subsequent audits, as recommended by ISO 19011:20182. This may affect the ability of the organization to identify and address any recurring or unresolved issues or nonconformities related to its ISMS.

Top management commitment to the ISMS will not be audited before the certification visit, according to the audit programme: This statement would cause concern because it implies that the organization is not verifying that top management demonstrates leadership and commitment with respect to its ISMS, as required by clause 5.1. This may affect the ability of top management to ensure that the ISMS policy and objectives are established and compatible with the strategic direction of the organization; that roles, responsibilities and authorities for relevant roles are assigned and communicated; that resources needed for the ISMS are available; that communication about information security matters is established; that continual improvement of the ISMS is promoted; that other relevant management reviews are aligned with those of information security; and that support is provided to other relevant roles1.

The other statements would not cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:

Audit reports are not held in hardcopy (i.e. on paper). They are only stored as ".POF documents on the organisation’s intranet: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific format or media for documenting or storing audit reports, as long as they are controlled according to clause 7.5.

The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for auditor independence, as long as the audit is conducted objectively and impartially, in accordance with ISO 19011:20182.

The audit programme does not reference audit methods or audit responsibilities: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for referencing audit methods or audit responsibilities in the audit programme, as long as they are defined and documented according to ISO 19011:20182.

The audit process states the results of audits will be made available to ‘relevant’ managers, not top management: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for communicating the results of audits to top management, as long as they are reported to the relevant parties and used as an input for management review, according to clause 9.3.

The following are guidelines to protect your password, except for easy recall use the same password for company and personal accounts; do not share passwords with anyone. Using the same password for company and personal accounts is not a guideline to protect your password, as it increases the risk of compromising your password if one of your accounts is hacked or breached. You should use different and unique passwords for each account, and change them regularly. Sharing passwords with anyone is not a guideline to protect your password, as it reduces the security and accountability of your password. You should keep your password confidential and never disclose it to anyone, even if they claim to be authorized or trustworthy. Don’t use the same password for various company system security access is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if one of the systems is compromised or breached. You should use different and complex passwords for each system, and follow the password policies and standards of the organization. Change a temporary password on first log-on is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if the temporary password is intercepted or leaked. You should change the temporary password to a personal and secure password as soon as possible, and avoid using default or predictable passwords. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 43. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 15.

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.1 requires an organization to determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS2. External issues are those that originate from outside the organization, such as legal, regulatory, cultural, social, political, economic, natural and competitive factors2. Internal issues are those that originate from within the organization, such as governance, structure, roles and responsibilities, policies, objectives, culture, capabilities, resources and information systems2. Therefore, based on this definition, four examples of external issues in the context of a management system to ISO/IEC 27001:2022 are a rise in interest rates in response to high inflation (which affects the economic environment of the organization), a reduction in grants as a result of a change in government policy (which affects the political and legal environment of the organization), higher labour costs as a result of an aging population (which affects the social and demographic environment of the organization), and inability to source raw materials due to government sanctions (which affects the trade and supply environment of the organization)2. The other options are examples of internal issues, as they originate from within the organization or its activities. For example, poor levels of staff competence as a result of cuts in training expenditure (which affects the capabilities and resources of the organization), increased absenteeism as a result of poor management (which affects the culture and performance of the organization), poor morale as a result of staff holidays being reduced (which affects the motivation and satisfaction of the organization’s personnel), and a fall in productivity linked to outdated production equipment (which affects the efficiency and quality of the organization’s processes)2. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements

The auditors did not establish a thorough understanding of SendPay’s cloud environment, making option B the correct answer. ISO/IEC 27001:2022 requires organizations to define and control the scope of their ISMS, including the technologies and environments used to process information. Cloud-based platforms represent a significant component of SendPay’s operations, particularly in a financial services context where confidentiality, integrity, and availability are critical.

In the scenario, the auditors explicitly chose not to request an inventory of SendPay’s cloud activities due to resource limitations and instead relied on SendPay’s representations. While practical constraints can influence audit scope, ISO 19011 requires auditors to obtain sufficient and appropriate evidence to support audit conclusions. Without a clear inventory or understanding of cloud activities, auditors cannot adequately assess risks, controls, or responsibilities related to cloud usage.

Option A is incorrect because the scenario clearly states that cloud activities were not fully examined. Option C is incorrect because reliance on assurances without supporting evidence does not meet the evidence-based auditing principle. Auditor reliance must be supported by verifiable information, especially when assessing outsourced or cloud-based services.

Therefore, the absence of a cloud activity inventory indicates that the auditors did not gain a thorough understanding of SendPay’s cloud environment, which is why option B is the correct answer.

The best way to dispose of a hard copy of a customer design document is to shred it using a shredder. This is because shredding ensures that the document is destroyed and cannot be reconstructed or accessed by unauthorized persons. A customer design document may contain sensitive or confidential information that could cause harm or damage to the customer or the organization if disclosed. Therefore, it is important to protect the confidentiality and integrity of the document until it is securely disposed of. Throwing it in any dustbin, giving it to the office boy to reuse it for other purposes, or reusing it for writing are not secure ways of disposing of the document, as they could expose the document to unauthorized access, theft, loss or damage. ISO/IEC 27001:2022 requires the organization to implement procedures for the secure disposal of media containing information (see clause A.8.3.2). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Secure Disposal?

The correct response is A, because grading criteria provide a common basis for the evaluation of nonconformities across the organization. Grading criteria are the rules or standards that define the severity or impact of nonconformities, and help to determine the appropriate corrective actions and follow-up activities. Grading criteria are important for several reasons, such as:

They ensure consistency and objectivity in the assessment and reporting of nonconformities, and avoid subjective or arbitrary judgments.

They facilitate the communication and understanding of nonconformities among the auditors, the auditees, and the audit clients, and enable the comparison and benchmarking of nonconformities across different processes, functions, or locations.

They support the prioritization and allocation of resources for the resolution of nonconformities, and the monitoring and measurement of the effectiveness of the corrective actions.

They demonstrate the commitment and accountability of the organization to the continual improvement of the ISMS, and the compliance with the ISMS requirements and expectations.

In the context of a third-party certification audit, the management responsibilities of the audit team leader in managing the audit and the audit team include adopting a risk-based approach to planning the audit and establishing contact with the auditee. A risk-based approach to planning the audit means that the team leader should consider the risks and opportunities that may affect the achievement of the audit objectives, the scope and criteria, the audit methods and techniques, the allocation of resources and the assignment of tasks to the audit team members. Establishing contact with the auditee means that the team leader should communicate with the auditee before, during and after the audit, to confirm the audit arrangements, to obtain relevant information, to address any issues or concerns, to provide feedback and to report the audit results and conclusions. References: = ISO 19011:2022, clauses 6.4.1 and 6.4.2; PECB Candidate Handbook ISO 27001 Lead Auditor, pages 24 and 25.

The unfavorable recommendation for certification is best justified by the major nonconformity related to storing sensitive information in removable media, making option A the correct answer. ISO/IEC 27001 certification decisions are heavily influenced by the presence and effective resolution of major nonconformities, particularly those that expose the organization to significant information security risks.

In this scenario, sensitive information was stored on removable media in violation of Trustingo’s own information classification scheme. This represents a serious breakdown in control implementation and creates a high risk of data leakage, loss, or unauthorized disclosure. Such a condition is typically classified as a major nonconformity because it demonstrates a failure to effectively implement and enforce ISMS controls related to information handling and protection.

While the lack of an information labeling procedure is a valid nonconformity, it is generally considered minor when viewed in isolation. Option B therefore does not sufficiently justify an unfavorable certification recommendation on its own. Option C is also incorrect because submitting the action plan earlier than the agreed timeline is not a negative factor and does not breach certification requirements.

Even though Trustingo submitted an action plan, its lack of sufficient detail prevented the certification body from confirming that the major nonconformity would be effectively corrected and prevented from recurring. Therefore, the unresolved major nonconformity related to sensitive information on removable media is the primary justification for the unfavorable certification recommendation.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

Internal audits detect nonconformities but do not actively prevent them.

A. Incorrect:

Internal audits verify corrective actions.

B. Incorrect:

Technology can reduce manual tasks in internal audits.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.7 (Audit Program Limitations)

Comprehensive and Detailed In-Depth Explanation:

Penetration testing (pen testing) is a simulated cyberattack used to assess security weaknesses in an ICT system.

B. Identifying failures in ICT protection schemes – Correct answer. The goal of penetration testing is to find vulnerabilities in networks, applications, and systems before attackers can exploit them. This aligns with ISO/IEC 27001:2022 Annex A Control A.8.16 (Monitoring Activities) and A.8.8 (Management of Technical Vulnerabilities).

A. Code reviews are not the primary goal of pen testing; static analysis tools are used for code security.

C. Physical inspections relate to hardware security audits, which are separate from penetration testing.

According to ISO 19011:2018, which provides guidelines for auditing management systems, an opening meeting is a formal communication between the audit team and the auditee at the start of an audit1. The purpose of the opening meeting is to confirm the audit objectives, scope and criteria, introduce the audit team and their roles, confirm the audit plan and logistics, explain the audit methods and procedures, and establish the communication channels1. Therefore, if the Managing Director of the client organization invites the audit team to view a new company video lasting 45 minutes during the opening meeting of a Stage 2 audit, the audit team leader should respond in a way that does not compromise the effectiveness and efficiency of the audit or create any misunderstanding or conflict with the auditee. Two possible ways to respond are to advise the Managing Director that the audit team has to keep to the planned schedule, as there may be limited time and resources available for the audit; or to suggest that the video could be viewed during a refreshment break, if it is relevant and useful for the audit and does not interfere with other audit activities1. The other options are not appropriate responses for the audit team leader to make in this situation. For example, stating that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team may imply that the video is not important or relevant for the rest of the audit team; inviting the Managing Director to the auditors’ hotel for a viewing that evening may create an impression of bias or favouritism; stating that the audit team will make a decision on the viewing at a later time may be vague or indecisive; and advising the Managing Director that the audit team agrees to his request may result in wasting valuable audit time or losing focus on the audit objectives1. References: ISO 19011:2018 - Guidelines for auditing management systems

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

The primary goal of audit interviews is to validate compliance with ISO/IEC 27001.

ISO 19011:2018 states that interviews are a method to gather audit evidence.

B. Incorrect:

KPIs are relevant for performance measurement, but interviews focus on compliance validation.

C. Incorrect:

Understanding business challenges is secondary; the primary objective is ISO/IEC 27001 compliance verification.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.6 (Interviewing Techniques in Auditing)

The four controls from the list that are related to PHYSICAL aspects of the ISMS are:

•Access to and from the loading bay

•How power and data cables enter the building

•The operation of the site CCTV and door control systems

•The organisation’s arrangements for maintaining equipment

These controls are derived from the ISO 27001 Annex A, which provides a comprehensive list of information security controls that can be applied to an ISMS1. The other controls in the list are more related to ORGANIZATIONAL, LEGAL, or HUMAN aspects of the ISMS, which are also important, but not the focus of this question.

According to the ISMS Auditing Guideline2, the auditor in training should review the PHYSICAL controls by:

•Checking the SoA to identify the applicable controls and their implementation status

•Interviewing the relevant staff and management to verify their understanding and involvement in the controls

•Observing the physical and environmental conditions to confirm the existence and effectiveness of the controls

•Examining the relevant documents and records to validate the compliance and performance of the controls

I hope this helps you prepare for the exam. ????

A checklist is a tool that helps auditors to collect and verify information relevant to the audit objectives and scope. It can provide the following advantages:

Ensuring relevant audit trails are followed: A checklist can help auditors to identify and trace the sources of evidence that support the conformity or nonconformity of the audited criteria. It can also help auditors to avoid missing or overlooking any important aspects of the audit.

Ensuring the audit plan is implemented: A checklist can help auditors to follow and fulfil the audit plan, which describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. It can also help auditors to manage their time and resources effectively and efficiently.

The other options are not advantages of using a checklist, but rather:

Using the same checklist for every audit without review: This is a disadvantage of using a checklist, as it can lead to a rigid and ineffective audit approach. A checklist should be tailored and adapted to each specific audit, taking into account the context, risks, and changes of the auditee and the audit criteria. A checklist should also be reviewed and updated periodically to ensure its validity and relevance.

Restricting interviews to nominated parties: This is a disadvantage of using a checklist, as it can limit the scope and depth of the audit. A checklist should not prevent auditors from interviewing other relevant parties or sources of information that may provide valuable evidence or insights for the audit. A checklist should be used as a guide, not as a constraint.

Reducing audit duration: This is not necessarily an advantage of using a checklist, as it depends on various factors, such as the complexity, size, and maturity of the auditee’s ISMS, the availability and quality of evidence, the competence and experience of the auditors, and the level of cooperation and communication between the auditors and the auditee. A checklist may help reduce audit duration by improving efficiency and organization, but it may also increase audit duration by requiring more evidence or verification.

Not varying from the checklist when necessary: This is a disadvantage of using a checklist, as it can result in a superficial or incomplete audit. A checklist should not prevent auditors from exploring or investigating any issues or concerns that arise during the audit, even if they are not included in the checklist. A checklist should be used as a support, not as a substitute.

The context of the organisation is the business environment in which the organisation operates and defines its information security management system (ISMS). It includes the internal and external factors and conditions that can influence the organisation’s information security objectives, strategies, and policies. The context of the organisation helps the organisation to identify the scope, boundaries, and requirements of the ISMS, as well as the interested parties and their expectations. The context of the organisation is determined by considering both internal and external issues, such as the organisational structure, culture, values, mission, vision, objectives, strategies, resources, capabilities, processes, activities, products, services, markets, customers, competitors, suppliers, partners, regulators, laws, regulations, standards, guidelines, best practices, risks, opportunities, threats, vulnerabilities, etc. References: ISO 27001:2022 Clause 4 Context of the organization, ISO 27001 Requirement 4.1 – Understanding the Context of the Organisation, ISO 27001 context of the organization – How to define it - Advisera

A first-party audit is an internal audit in which the organization’s own staff or contractors check the conformity and effectiveness of the ISMS. A certification body auditor and an audit team from an accreditation body are external auditors who conduct audits for the purpose of certification or accreditation. They do not participate in a first-party audit, but rather in a third-party audit. References: First & Second Party Audits - operational services, The ISO 27001 Audit Process | Blog | OneTrust, The ISO 27001 Audit Process | A Beginner’s Guide - IAS USA

Jack compromised the audit principle of confidentiality by selling NightCore's information after the audit. Confidentiality ensures that information is accessible only to those authorized to have access and is protected throughout its lifecycle.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 (Guidelines for Auditing Management Systems) outlines diligent audit practices, including evidence-based assessment and professional skepticism.

The auditors critically reviewed records, interviewed staff, and validated incident response effectiveness.

They did not rely solely on verbal statements but sought concrete evidence, demonstrating due diligence and judgment.

B. Incorrect:

Employment contracts are not primary audit evidence for competence; training and certification records hold greater significance.

C. Incorrect:

The scenario does not mention that top management was excluded from interviews. However, their involvement is not mandatory for evaluating incident handling.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4 (Conducting Audit Activities)

The word that best completes the sentence is “demonstrate”. According to ISO/IEC 27001:2022, Clause 7.5, the organization shall retain documented information as evidence of the performance of the processes and the conformity of the products and services with the requirements1. The purpose of retaining documented information is to demonstrate conformity with the requirements of the management system standard, not to maintain, audit, or certify it. References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 7.5

Yes, it is acceptable for the work documents of the audit team leader to be reviewed by another auditor after reaching audit conclusions. This is part of the quality control and assurance processes within the audit to ensure the accuracy and reliability of the audit conclusions.

A certification body cannot certify an organization if it has provided consultancy services to that organization. This situation presents a conflict of interest, as the certification body is required to maintain impartiality and objectivity. The ISO/IEC 17021-1 standard, which sets out requirements for bodies providing audit and certification of management systems, specifies that providing both services to the same client is incompatible.

The auditor should validate that documented information conforms to both content and format requirements defined by the organization’s documentation procedure, making option A the correct answer. ISO/IEC 27001 clause 7.5 requires documented information to be controlled, which includes requirements for format, identification, version control, and approval, as defined by the organization.

During stage 1 audits, auditors assess whether the organization has appropriate procedures in place and whether documented information is created and managed in accordance with those procedures. This includes verifying that documents follow established templates, naming conventions, approval mechanisms, and version control practices.

Option B is incorrect because while ISO/IEC 27001 does not prescribe a specific format, it requires conformity to the organization’s own documented information controls. Ignoring format would ignore part of the control requirement. Option C is partially correct in general, but insufficient in this context because the scenario explicitly states that the evaluation was based on content and procedure. The auditor must verify conformance, not just existence.

Therefore, validating alignment with documentation procedures, including format, is the correct auditor action.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

ISO 19011:2018 requires audit reports to include all relevant evidence supporting audit conclusions.

Omitting evidence for conciseness undermines transparency and credibility.

A. Incorrect:

Audit confidentiality is protected through controlled access, not by omitting evidence.

B. Incorrect:

Clarity is important, but not at the expense of completeness.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.7 (Audit Reporting Best Practices)

This approach aligns with ISO/IEC 27001:2022 because the standard explicitly allows top management to assign responsibilities and authorities for the effective operation of the ISMS, including reporting on its performance. Clause 5.3 of ISO/IEC 27001 requires top management to ensure that roles, responsibilities, and authorities related to information security are assigned and communicated within the organization.

While top management remains ultimately accountable for the ISMS, the standard does not require them to personally gather data, prepare reports, or perform operational monitoring activities. In practice, these tasks are often delegated to ISMS managers, security teams, or other designated personnel who are better positioned to collect and analyze performance data. What matters is that the information reaches top management in a timely and accurate manner so they can fulfill their governance responsibilities.

Option B is incorrect because it misunderstands accountability versus responsibility. Top management is accountable for ISMS performance, but they are not required to perform all related tasks themselves. Option C is incorrect because ISO/IEC 27001 does not mandate that a Chief Information Security Officer must be the reporting authority. The organization is free to define roles based on its structure, size, and context.

Therefore, assigning specific personnel to report on ISMS performance is fully consistent with ISO/IEC 27001 requirements.

The purpose of a management system audit is to evaluate the performance of an organization’s management system.

A management system audit is an independent and systematic analysis and evaluation of a company’s overall activities and performances1. It is a valuable tool used to determine the efficiency, functions, accomplishments and achievements of the company1. A management system audit can be conducted against a range of audit criteria, including (but not limited to) requirements set of in existing ISO standards2.

According to ISO 19011:2018, which provides guidelines for auditing management systems, the purpose of an audit is to enable the auditor to provide an audit conclusion that is related to the audit objectives2. The audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system2.

Therefore, the correct answer is evaluate, as it best describes the purpose of a management system audit. The other options are not correct because they are not specific enough or do not reflect the intended outcome of an audit. For example, improve implies that the audit itself will enhance the performance of the management system, which is not necessarily true. Manage implies that the audit will control or direct the management system, which is not its role. Research implies that the audit will generate new knowledge or information about the management system, which is not its primary aim.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer: ISO/IEC 27001 Clause 6.2 (Information Security Objectives and Planning to Achieve Them) requires information security objectives to be based on risk assessment results.

A. Incorrect: While objectives can be revised, they must be initially established based on risk assessment findings.

B. Incorrect: Objectives should be set after risk assessment, but security objectives are not dependent on full implementation.

Thus, Clinic did not follow the correct sequence in establishing security objectives before conducting a risk assessment.

Management review is a crucial component of an ISMS that helps determine opportunities for continual improvement. Through management review, an organization assesses the performance and effectiveness of its ISMS, including reviewing opportunities for improvements and the need for changes to the ISMS, including the security policy and security objectives.

The standard definition of ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. This definition is given in clause 3.17 of ISO/IEC 27001:2022, and it describes the main components and purpose of an ISMS. An ISMS is not a project-based approach, as it is an ongoing process that requires continual improvement. An ISMS is not a company wide business objective, as it is a management system that supports the organization’s objectives. An ISMS is not an information security systematic approach, as it is a broader concept that encompasses the organization’s context, risks, controls, and performance. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 15. : ISO/IEC 27001:2022, clause 3.17.

Sinvestment should correct the documentation deficiencies before proceeding to the stage 2 audit, making option A the correct answer. The purpose of the stage 1 audit is to assess the organization’s readiness for certification, including the adequacy and completeness of required documented information. Identified gaps during stage 1 are intended to be resolved prior to stage 2 to avoid major nonconformities.

ISO/IEC 27001 requires organizations to maintain documented information for information security awareness, education, and training. While Sinvestment’s management stated that training was delivered, the absence of complete documentation represents a failure to demonstrate conformity. Audits rely on objective evidence, not verbal assurances.

Option B is incorrect because deferring corrective action until after certification contradicts the intent of the two-stage audit process. Stage 2 should only proceed once readiness gaps are addressed. Option C is incorrect because the issue is not a risk identification problem but a documentation and evidence problem. The existence of training is not in question; the lack of proper documentation is.

Therefore, Sinvestment should update the documentation promptly and provide it to the audit team before stage 2.

This option is appropriate for inclusion in the closing meeting agenda, as it is a requirement of the ISO 19011 standard, which provides guidelines for auditing management systems, including ISMS12. The standard states that the audit team leader should advise the auditee of any situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions, such as limitations in the audit scope, access, or sampling3. The standard also states that the audit report should include a statement that the audit is based on a sample of the information available at the time of the audit, and that the audit does not provide absolute assurance of the conformity or effectiveness of the audited management system4. Therefore, the audit team leader should include a disclaimer in the closing meeting agenda to inform the auditee of the nature and limitations of the audit, and to avoid any misunderstandings or false expectations. The other options are not appropriate for inclusion in the closing meeting agenda, as they are either irrelevant, incorrect, or incomplete. For example:

•A detailed explanation of the certification body’s complaints process is not relevant for the closing meeting agenda, as it is not related to the audit findings or conclusions. The certification body’s complaints process should be communicated to the auditee before the audit, as part of the audit agreement or contract5.

•An explanation of the audit plan and its purpose is not correct for the closing meeting agenda, as it should have been done at the opening meeting or before the audit. The audit plan is a document that describes the scope, objectives, criteria, and methodology of the audit, as well as the audit schedule, the audit team, the audit locations, and the audit deliverables . The audit plan should be communicated and agreed with the auditee in advance, and any changes or deviations should be notified during the audit.

•Names of auditees associated with nonconformities are not complete for the closing meeting agenda, as they do not provide the details or the evidence of the nonconformities. The audit team leader should present the audit findings, which include the description, the audit criteria, and the audit evidence of each nonconformity, as well as the audit conclusions and the audit recommendation . The audit team leader should also avoid naming or blaming individuals, and focus on the processes and the system.

This situation is unacceptable because UpNet should have requested and been granted an extension audit prior to announcing that the ISMS certification scope encompasses the whole company, including the new department. Proper procedures need to be followed to extend the certification to additional departments or processes.

Step 1 = Incident logging Step 2 = Incident categorisation Step 3 = Incident prioritisation Step 4 = Incident assignment Step 5 = Task creation and management Step 6 = SLA management and escalation Step 7 = Incident resolution Step 8 = Incident closure

The order of the stages in the information security incident management process should follow a logical sequence that ensures a quick, effective, and orderly response to the incidents, events, and weaknesses. The order should also be consistent with the best practices and guidance provided by ISO/IEC 27001:2022 and ISO/IEC 27035:2022. Therefore, the following order is suggested:

Step 1 = Incident logging: This step involves recording the details of the potential incident, event, or weakness, such as the date, time, source, description, impact, and reporter. This step is important to provide a traceable record of the incident and to facilitate the subsequent analysis and response. This step is related to control A.16.1.1 of ISO/IEC 27001:2022, which requires the organization to establish responsibilities and procedures for the management of information security incidents, events, and weaknesses. This step is also related to clause 6.2 of ISO/IEC 27035:2022, which provides guidance on how to log the incidents, events, and weaknesses.

Step 2 = Incident categorisation: This step involves determining the type and nature of the incident, event, or weakness, such as whether it is a hardware issue, network issue, or software issue. This step is important to classify the incident and to assign it to the appropriate resolver or team. This step is related to control A.16.1.2 of ISO/IEC 27001:2022, which requires the organization to report information security events and weaknesses as quickly as possible through appropriate management channels. This step is also related to clause 6.3 of ISO/IEC 27035:2022, which provides guidance on how to categorize the incidents, events, and weaknesses.

Step 3 = Incident prioritisation: This step involves assessing the severity and urgency of the incident, event, or weakness, and classifying it as critical, high, medium, or low. This step is important to prioritize the incident and to allocate the necessary resources and time for the response. This step is related to control A.16.1.3 of ISO/IEC 27001:2022, which requires the organization to assess and prioritize information security events and weaknesses in accordance with the defined criteria. This step is also related to clause 6.4 of ISO/IEC 27035:2022, which provides guidance on how to prioritize the incidents, events, and weaknesses.

Step 4 = Incident assignment: This step involves passing the incident, event, or weakness to the individual or team who is best suited to resolve it, based on their skills, knowledge, and availability. This step is important to ensure that the incident is handled by the right person or team and to avoid delays or confusion. This step is related to control A.16.1.4 of ISO/IEC 27001:2022, which requires the organization to respond to information security events and weaknesses in a timely manner, according to the agreed procedures. This step is also related to clause 6.5 of ISO/IEC 27035:2022, which provides guidance on how to assign the incidents, events, and weaknesses.

Step 5 = Task creation and management: This step involves identifying and coordinating the work needed to resolve the incident, event, or weakness, such as performing root cause analysis, testing solutions, implementing changes, and documenting actions. This step is important to ensure that the incident is resolved effectively and efficiently, and that the actions are tracked and controlled. This step is related to control A.16.1.5 of ISO/IEC 27001:2022, which requires the organization to apply lessons learned from information security events and weaknesses to take corrective and preventive actions. This step is also related to clause 6.6 of ISO/IEC 27035:2022, which provides guidance on how to create and manage the tasks for the incidents, events, and weaknesses.

Step 6 = SLA management and escalation: This step involves ensuring that any service level agreements (SLAs) are adhered to while the resolution is being implemented, and that the incident is escalated to a higher level of authority or support if a breach looks likely or occurs. This step is important to ensure that the incident is resolved within the agreed time frame and quality, and that any deviations or issues are communicated and addressed. This step is related to control A.16.1.6 of ISO/IEC 27001:2022, which requires the organization to communicate information security events and weaknesses to the relevant internal and external parties, as appropriate. This step is also related to clause 6.7 of ISO/IEC 27035:2022, which provides guidance on how to manage the SLAs and escalations for the incidents, events, and weaknesses.

Step 7 = Incident resolution: This step involves applying a temporary workaround or a permanent solution to resolve the incident, event, or weakness, and restoring the normal operation of the information and information processing facilities. This step is important to ensure that the incident is resolved completely and satisfactorily, and that the information security is restored to the desired level. This step is related to control A.16.1.7 of ISO/IEC 27001:2022, which requires the organization to identify the cause of information security events and weaknesses, and to take actions to prevent their recurrence or occurrence. This step is also related to clause 6.8 of ISO/IEC 27035:2022, which provides guidance on how to resolve the incidents, events, and weaknesses.

Step 8 = Incident closure: This step involves closing the incident, event, or weakness, after verifying that it has been resolved satisfactorily, and that all the actions have been completed and documented. This step is important to ensure that the incident is formally closed and that no further actions are required. This step is related to control A.16.1.8 of ISO/IEC 27001:2022, which requires the organization to collect evidence and document the information security events and weaknesses, and the actions taken. This step is also related to clause 6.9 of ISO/IEC 27035:2022, which provides guidance on how to close the incidents, events, and weaknesses.

Phishing is a type of information security incident that falls under the category of cracker/hacker attacks. Phishing is a form of fraud that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. Phishing is a common and serious threat to information security, as it can lead to identity theft, financial loss, data breach, malware infection or other damages. ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Phishing?

Comprehensive and Detailed In-Depth Explanation:

A. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) – Correct Answer. OCTAVE is a self-directed risk assessment methodology where organizations identify, evaluate, and manage information security risks based on their strategic objectives, aligning with Brian’s approach.

B. MEHARI is a quantitative risk analysis method, not self-directed.

C. EBIOS is focused on regulatory compliance and external risk factors, which Brian’s methodology did not emphasize.

Thus, Brian's approach aligns best with OCTAVE, as it is self-directed and focuses on organizational security practices.

The three options that will not be in your audit trail are A, C, and H. These options are either not relevant to the information security of ABC’s healthcare mobile app development, support, and lifecycle process, or not within the scope of your audit. The amount of money that residents’ family members pay to install the app (A) and the number of users of the app © are not related to the information security aspects or objectives of the ISMS1. The verification of the developer’s certifications (H) is not your responsibility as an ISMS auditor, as you should rely on the competence and impartiality of the certification bodies that issued them2. The other options are relevant and within the scope of your audit, as they relate to the security functions, testing, policies, and procedures of the mobile app development, support, and lifecycle process13. References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 4.2 \n2: ISO/IEC 27006:2022, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems, Clause 4.1 \n3: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 5: Conducting an ISO/IEC 27001 audit

A legal technical expert (LTE) is a person who provides specific knowledge or expertise related to the legal aspects of the information security management system (ISMS) during a certification audit. The LTE is not an auditor, but a member of the audit team who supports the auditors in collecting and evaluating the audit evidence. The LTE is not responsible for evaluating the auditee’s legal knowledge, criticising the organisation’s legal compliance issues, or debating complex legal points with the auditee, as these tasks may be beyond the scope of the audit, or may compromise the objectivity and impartiality of the audit. The LTE is responsible for advising on legal checkpoints for the audit team, such as the applicable legal, regulatory, and contractual requirements, the relevant sources of information, the methods of verification, and the criteria of evaluation. The LTE is also responsible for verifying the legal status of the organisation, such as the registration, licensing, authorisation, or accreditation of the organisation, and the compliance with the relevant laws and regulations. References:

What is the role of a technical expert in ISO audit?

Roles, Responsibilities & Authorities for ISO 27001 5.3

Guide to Become an ISO 27001 Lead Auditor

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

The Stage 1 audit (preliminary assessment) focuses on understanding the organization and its processes, identifying key areas for in-depth auditing in Stage 2.

Materiality-based prioritization occurs in Stage 1 to ensure the Stage 2 audit focuses on critical areas.

A. Incorrect:

Initial contact is only for scheduling and preliminary discussions.

C. Incorrect:

By Stage 2, the key areas should already be identified and the focus is on detailed auditing.

Relevant Standard Reference:

ISO/IEC 27006:2020 Clause 9.2.2 (Stage 1 Audit and Planning for Stage 2 Audit)

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), an organization should select and implement appropriate controls to achieve its information security objectives1. The controls should be derived from the results of risk assessment and risk treatment, and should be consistent with the Statement of Applicability (SoA), which is a document that identifies the controls that are applicable and necessary for the ISMS1. The controls can be selected from various sources, such as ISO/IEC 27002:2013, which provides a code of practice for information security controls2. Therefore, if an auditor in training has been tasked with reviewing the technological controls listed in the SoA and implemented at the site of an organization that stores data on behalf of external clients, four controls that would be expected to review are:

How protection against malware is implemented: This is a technological control that aims to prevent, detect and remove malicious software (such as viruses, worms, ransomware, etc.) that could compromise the confidentiality, integrity or availability of information or information systems2. This control is related to control A.12.2.1 of ISO/IEC 27002:20132.

How the organisation evaluates its exposure to technical vulnerabilities: This is a technological control that aims to identify and assess the potential weaknesses or flaws in information systems or networks that could be exploited by malicious actors or cause accidental failures2. This control is related to control A.12.6.1 of ISO/IEC 27002:20132.

How access to source code and development tools are managed: This is a technological control that aims to protect the intellectual property rights and integrity of software applications or systems that are developed or maintained by the organization or its external providers2. This control is related to control A.14.2.5 of ISO/IEC 27002:20132.

The operation of the site CCTV and door control systems: This is a technological control that aims to monitor and restrict physical access to the premises or facilities where information or information systems are stored or processed2. This control is related to control A.11.1.4 of ISO/IEC 27002:20132.

The other options are not examples of technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training’s task. For example, the development and maintenance of an information asset inventory (related to control A.8.1.1), rules for transferring information within the organization and to other organizations (related to control A.13.2.1), confidentiality and nondisclosure agreements (related to control A.13.2.4), verification checks on personnel (related to control A.7.1.2), remote working arrangements (related to control A.6.2.1), information security within supplier agreements (related to control A.15.1.1), business continuity arrangements (related to control A.17), information deletion (related to control A.8.3), information security awareness, education and training (related to control A.7.2), equipment maintenance (related to control A.11.2), and how power and data cables enter the building (related to control A.11) are not technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training’s task. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27002:2013 - Information technology – Security techniques – Code of practice for information security controls

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Due professional care refers to auditors carefully considering all relevant factors before initiating an audit.

In this scenario, the auditors assessed the auditee’s context, processes, and expectations, which aligns with ISO 19011:2018 Clause 4 (Principles of Auditing: Due Professional Care).

B. Incorrect:

Professional skepticism is about challenging evidence and avoiding assumptions, not about contextual planning.

C. Incorrect:

Integrity refers to acting honestly and ethically, which is not the focus here.

Relevant Standard Reference:

ISO 19011:2018 Clause 4.5 (Due Professional Care)

Comprehensive and Detailed In-Depth Explanation:

Detection Risk (Correct Answer) – Detection risk occurs when control mechanisms fail to identify significant defects or errors. Cobt identified that major defects were not detected or prevented by internal controls, making detection risk the correct answer.

Inherent Risk refers to the likelihood of a security event occurring without considering any controls. The scenario mentions control failures, not natural risks, so this is incorrect.

Control Risk is the risk of controls failing to prevent a risk. However, the scenario specifically mentions that the defects were not detected, making detection risk the more precise answer.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 6.1.2 (Information Security Risk Assessment Process)

The auditor should verify that the selected controls are included in the Statement of Applicability (SoA), making option C the correct answer. ISO/IEC 27001:2022 requires organizations to document which Annex A controls are applicable based on the results of the risk assessment and risk treatment process. The SoA is the formal document that records these decisions, including justification for inclusion or exclusion of controls.

The existence of a risk assessment alone is not sufficient. Auditors must confirm traceability between identified risks, selected controls, and their formal documentation in the SoA. This ensures transparency, consistency, and accountability in how the organization manages information security risks.

Option A is incorrect because ISO/IEC 27001 does not require organizations to use external consultants for risk assessments. Risk assessments may be conducted internally, provided they follow a defined and systematic methodology. Option B is incorrect because controls can be preventive, detective, or corrective; there is no requirement that selected controls be corrective only.

Therefore, verifying that selected controls are properly reflected in the Statement of Applicability is a mandatory audit activity and a core requirement of ISO/IEC 27001 compliance.

No, the audit scope should reflect all of the organization's divisions that are covered by the ISMS. If the ISMS scope stated that it includes the whole company, the audit scope should align with this unless specifically justified and agreed upon by all stakeholders.

A. Advise the Shipping Manager that his request will be included in the audit report. This is true because the audit report should document all the relevant information and evidence related to the audit, including any requests or objections raised by the auditee. The audit report should also provide the rationale for the audit conclusions and recommendations12.

B. Advise management that the new information provided will be discussed when the auditors have more time. This is true because the auditors should not make hasty decisions based on incomplete or unverified information. The auditors should review and evaluate the new information in a systematic and objective manner, and determine whether it affects the audit findings, nonconformities, or conclusions12.

F. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed. This is true because the auditors should acknowledge and appreciate the cooperation and transparency of the auditee, but also maintain their professional integrity and independence. The auditors should not withdraw a nonconformity unless they are satisfied that it was raised in error or that it has been effectively corrected and verified12.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

The immediate consequence is suspension of certification, making option A correct. ISO/IEC 17021-1 clearly states that certified organizations must allow scheduled surveillance audits to verify continued conformity with the standard. Surveillance audits are mandatory and form part of the three-year certification cycle.

Refusing or failing to undergo a surveillance audit prevents the certification body from confirming that the ISMS remains effective and compliant. This creates a loss of confidence in the validity of the certification. As a result, certification bodies are required to suspend certification until the audit can be conducted and conformity re-established.

Option B is incorrect because certification validity is conditional upon ongoing surveillance. Certification does not remain valid if mandatory audits are refused. Option C is incorrect because transferring certification does not remove the obligation to undergo surveillance audits; a transfer would still require evidence of conformity and audit continuity.

Suspension is a protective mechanism to ensure that ISO/IEC 27001 certificates remain credible and trustworthy. If the organization later agrees to the audit and resolves issues, the certification may be reinstated. Therefore, refusal to undergo a surveillance audit leads to immediate suspension.

Comprehensive and Detailed In-Depth Explanation:

ISO/IEC 27001:2022 Clause 7.5 (Documented Information) defines the role of documentation in an ISMS.

A. Correct Statement:

Documented information serves as a guideline for ISMS operations and provides audit evidence.

B. Incorrect Statement:

Collecting documented information is not a goal in itself.

The purpose of documentation is to support the ISMS and ensure compliance, not just to generate paperwork.

C. Correct Statement:

Documents should be clear and concise, avoiding unnecessary complexity while still being detailed enough to be useful.

Thus, documentation should be purposeful and functional, not just a bureaucratic requirement.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 7.5 (Documented Information)

The audit team’s approach is in line with recommended auditing practices, making option A the correct answer. ISO management system audits, including ISO/IEC 27001 audits, are designed to provide reasonable assurance, not absolute assurance, that the management system conforms to the standard requirements. This principle is explicitly supported by ISO 19011 and ISO/IEC 17021-1.

In the scenario, the audit team assessed conformity by reviewing key processes, questioning responsible personnel, examining representative evidence, and evaluating control effectiveness. Although access to IT systems was limited, the auditors compensated by gathering sufficient and appropriate evidence through alternative means. This approach reflects the reality of auditing complex environments, particularly those involving third-party service providers.

Option B is incorrect because ISO standards do not require auditors to assess every process in full detail. Audits are sample-based by design. Expecting a complete, exhaustive assessment of each process would be impractical and inconsistent with audit principles. Option C is incorrect because assessing the ISMS as a whole is not merely an efficiency-driven decision; it is an accepted and intentional audit approach aimed at evaluating system-level effectiveness.

Therefore, obtaining reasonable assurance through a structured, evidence-based approach confirms that the audit team acted in accordance with recommended audit practices.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO/IEC 27001:2022 Clause 10.1 (Improvement) requires organizations to submit action plans to address audit findings.

Clastus must document an action plan before corrective actions can be evaluated or followed up.

B. Incorrect:

Corrective actions can only be evaluated after action plans are submitted and implemented.

C. Incorrect:

Follow-up occurs after corrective actions have been executed and verified.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 10.1 (Corrective Action Planning and Implementation)

According to ISO 27001:2022 clause 8.1.4, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes implementing appropriate contractual requirements related to information security with external providers, such as customers who send ICT equipment for reclamation12

In this case, the organisation offers ICT reclamation services, which involves processing customer ICT equipment that may contain sensitive or confidential information. The organisation should have a process in place to ensure that the customer ICT equipment is handled securely and in accordance with the customer’s information security requirements. The process should include steps such as verifying the customer’s identity and authorisation, checking the inventory and condition of the equipment, removing or destroying any labels or stickers that contain information about the equipment or the customer, wiping or erasing any data stored on the equipment, and documenting the actions taken and the results achieved12

The fact that the auditor noticed two servers on a bench with stickers that reveal the server’s name, IP address and admin password indicates that the process for dealing with incoming shipments relating to customer IT security is not effective or not followed. This could pose a risk of unauthorised access, disclosure, or modification of the customer’s information or systems. Therefore, the auditor should note the audit finding and check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:202212

The other actions are not appropriate for the following reasons:

A. Asking the ICT Manager to record an information security incident and initiate the information security incident management process is not appropriate because this is not an information security incident that affects the organisation’s own information or systems. An information security incident is defined as a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security12 In this case, the information security event affects the customer’s information or systems, not the organisation’s. Therefore, the organisation should follow the process for dealing with incoming shipments relating to customer IT security, not the process for information security incident management.

C. Recording what the auditor has seen in the audit findings, but taking no further action is not appropriate because this would not address the root cause or the impact of the issue. The auditor has a responsibility to verify the effectiveness and compliance of the organisation’s information security management system, and to report any nonconformities or opportunities for improvement12 Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.

D. Raising a nonconformity against control 5.31 Legal, statutory, regulatory and contractual requirements is not appropriate because this control is not relevant to the issue. Control 5.31 requires the organisation to identify and comply with the legal, statutory, regulatory and contractual requirements that are applicable to the information security management system12 In this case, the issue is not about the organisation’s compliance with the legal, statutory, regulatory and contractual requirements, but about the organisation’s control of the externally provided processes, products or services that are relevant to the information security management system. Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.

E. Raising a nonconformity against control 8.20 'network security’ (networks and network devices shall be secured, managed and controlled to protect information in systems and applications) is not appropriate because this control is not relevant to the issue. Control 8.20 requires the organisation to secure, manage and control its own networks and network devices to protect the information in its systems and applications12 In this case, the issue is not about the organisation’s network security, but about the organisation’s control of the externally provided processes, products or services that are relevant to the information security management system. Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.

F. Asking the auditee to remove the labels, then carry on with the audit is not appropriate because this would not address the root cause or the impact of the issue. The auditor should not interfere with the auditee’s operations or suggest corrective actions during the audit, as this would compromise the auditor’s objectivity and impartiality12 The auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, audit methods can be classified into two categories: with or without interaction with individuals representing the auditee (page 12). Audit methods with interaction include reviewing checklists with auditee and conducting interviews, as they involve direct communication and feedback from the auditee. Audit methods without interaction include sampling (e.g. products), observing work performed via live video streaming, checking legal compliance with local authorities, and analysing documents provided in advance of the audit, as they do not require any dialogue or exchange with the auditee. References: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 12.

ISO/IEC 27001:2022 requires that the scope of the ISMS be established and maintained as documented information. This requirement is explicitly stated in clause 4.3, which requires organizations to determine the boundaries and applicability of the ISMS and to ensure that the scope is documented. While communication and awareness are important, verbal communication alone is not sufficient to meet this requirement.

In the scenario, Knight communicated the ISMS scope to employees during a weekly meeting. While this may support awareness, it does not satisfy the requirement for documented information. Employees, auditors, and other interested parties must be able to access the ISMS scope consistently over time, including new employees or external stakeholders. Relying on meetings creates a risk that the scope is misunderstood, forgotten, or inconsistently applied.

Option A is incorrect because documenting meeting minutes does not replace the requirement for a formally controlled ISMS scope document. The scope must exist independently as documented information, not merely as a record of communication. Option C is also incorrect because ISO/IEC 27001 does not mandate formal training sessions as the only acceptable communication method for scope awareness.

Therefore, the correct position is that while communicating the scope verbally is useful, it is not acceptable on its own, and the scope must be maintained as documented information.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

ISO 19011:2018 (Audit Guidelines) allows process simulations to verify control effectiveness.

Webvue’s personnel conducted the test under audit supervision, ensuring realistic evaluation without operational disruption.

A. Incorrect:

Simulations are valid audit techniques and do not negatively impact operations if performed properly.

B. Incorrect:

Technical experts assist auditors, but the focus is on ensuring accurate control verification, not the auditor’s competence.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.8 (Process Simulation for Audit Evidence Collection)

Third-party accredited certification of information security management systems to ISO/IEC 27001:2022 provides assurance to organisations and interested parties that the organisation’s management system is maintained and effective, meaning that it conforms to the requirements of the standard, meets the organisation’s objectives and policies, and addresses the risks and opportunities related to information security. Third-party accredited certification also demonstrates that the organisation’s management system adopted a systematic approach to information security, meaning that it follows the Plan-Do-Check-Act (PDCA) cycle, applies the risk-based thinking principle, and considers the context and needs of the organisation and its stakeholders

The four controls from the list that the auditor in training should review are:

•B. How access to source code and development tools are managed: This control requires the organisation to restrict and monitor the access to the source code and development tools that are used to create, modify, or maintain the software applications and systems that process or store the data of external clients. This is important for ensuring the integrity, confidentiality, and availability of the software and the data, as well as for preventing unauthorized changes, errors, or malicious code injection.

•D. How protection against malware is implemented: This control requires the organisation to implement appropriate measures to detect, prevent, and remove malware from the IT systems and devices that process or store the data of external clients. This includes using antivirus software, firewalls, email filtering, web filtering, and other tools to protect against viruses, worms, ransomware, spyware, and other malicious software. This is essential for safeguarding the data and the systems from corruption, theft, or damage caused by malware.

•E. How the organisation evaluates its exposure to technical vulnerabilities: This control requires the organisation to identify and assess the technical vulnerabilities that may affect the IT systems and devices that process or store the data of external clients. This includes using vulnerability scanning tools, penetration testing tools, threat intelligence sources, and other methods to discover and evaluate the weaknesses and gaps in the security of the systems and the devices. This is necessary for prioritizing and implementing the appropriate corrective actions and controls to mitigate the risks posed by the vulnerabilities.

•G. The organisation’s arrangements for information deletion: This control requires the organisation to establish and implement policies and procedures for deleting the data of external clients from the IT systems and devices when it is no longer needed or required. This includes defining the criteria and methods for data deletion, such as secure erasure, encryption, or physical destruction. This is important for complying with the contractual obligations and the legal and regulatory requirements regarding the retention and disposal of the data, as well as for protecting the confidentiality and integrity of the data.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

The organization is focusing on direct costs associated with running specific processes.

"Personnel, third-party services, and general fees" refer to operational costs of specific processes, not overall business operations.

A. Incorrect:

Cost of operations refers to the total business expenses, not individual processes.

C. Incorrect:

Potential cost of errors relates to risk assessment and impact analysis, not direct expenses.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.3.2 (Audit Planning and Materiality Considerations)

The use of clear text passwords for authentication in FTP is a vulnerability because it is a weakness that can be exploited by threat actors. Clear text passwords can be intercepted easily by network sniffers or through man-in-the-middle attacks, making them a significant security risk1. References: = This explanation is consistent with the understanding of vulnerabilities within the field of information security, particularly as it relates to network protocols like FTP and their associated risks

Regular security awareness and training sessions for employees are a control measure aimed at preventing security incidents by ensuring that personnel are aware of information security threats and concerns, and understand their roles and responsibilities in safeguarding organizational assets. This proactive approach is designed to educate employees on the importance of security practices and to avoid the occurrence of security incidents. References: = This answer is based on the principles of personnel security management as outlined in ISO/IEC 27001, particularly in Annex A.7 which deals with human resource security before, during, and after employment, and Annex A.9 which focuses on access control and ensuring that employees have access only to the information that is necessary for their job role

This situation represents an audit finding, making option A the correct answer. An audit finding is the result of evaluating audit evidence against audit criteria and identifying conformity, nonconformity, or opportunities for improvement. In this case, the auditor evaluated training records and discovered that two employees did not receive adequate information security training, which is a deviation from ISO/IEC 27001 training and awareness requirements.

Audit evidence consists of the records, interviews, or observations used to support findings. The training records themselves are evidence, not the finding. Information sources are where evidence originates, such as documents, personnel, or systems, but they are not the conclusion drawn by the auditor.

Option B is incorrect because the lack of training is not evidence; it is the conclusion derived from evaluating evidence. Option C is incorrect because employees or records may be information sources, but the situation described is the auditor’s evaluative conclusion.

ISO 19011 emphasizes that audit findings must be based on objective evidence and clearly documented. Therefore, identifying that some employees lacked adequate training constitutes an audit finding.

The technical expert can communicate their audit findings to the auditee only through one of the audit team members. This ensures that communications remain coordinated and that the audit team maintains control over the audit process.

The scenario described is a classic example of a phishing attack, which is a type of social engineering threat where attackers masquerade as a trustworthy entity in an electronic communication. The goal is to trick individuals into providing sensitive information. This represents an unauthorized action type of threat because it involves an attacker attempting to gain unauthorized access to personal information. References: = This understanding of phishing as a threat is consistent with the principles of information security management systems and is supported by resources that describe phishing attacks and their prevention

The purpose of including access rights in an information management system to ISO/IEC 27001:2022 is to provide, review, modify and remove these permissions in accordance with the organisation’s policy and rules for access control. 

Access rights are the permissions granted to users or groups of users to access, use, modify, or delete information assets. Access rights should be aligned with the organisation’s access control policy, which defines the objectives, principles, roles, and responsibilities for managing access to information systems. Access rights should also follow the organisation’s rules for access control, which specify the criteria, procedures, and controls for granting, reviewing, modifying, and revoking access rights. The purpose of including access rights in an information management system is to ensure that only authorised users can access information assets according to their business needs and roles, and to prevent unauthorised or inappropriate access that could compromise the confidentiality, integrity, or availability of information assets. References:

ISO/IEC 27001:2022 Annex A Control 5.181

ISO/IEC 27002:2022 Control 5.182

CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Training Course3

Sinvestment’s request to review documented information remotely during the stage 1 audit is acceptable and aligns with established auditing practices, making option A the correct answer. ISO/IEC 17021-1 and ISO 19011:2018 both permit flexibility in how audit activities are conducted, including the use of remote techniques, provided confidentiality, integrity, and effectiveness of the audit are maintained.

Stage 1 audits are primarily focused on reviewing documented information, understanding the organization’s context, confirming the ISMS scope, and assessing readiness for stage 2. Reviewing documents remotely is a widely accepted practice, especially when supported by appropriate confidentiality agreements, as was the case in this scenario. The auditors had already signed confidentiality agreements, mitigating the risk of information disclosure.

Option B is incorrect because remote document review does not inherently lead to a breach of confidentiality. Risks must be managed, not assumed. Secure document-sharing platforms and confidentiality agreements are sufficient safeguards when properly implemented. Option C is incorrect because the use of different locations or remote methods does not automatically reduce audit efficiency; in many cases, it enhances efficiency by reducing travel time and allowing better preparation.

Therefore, allowing remote review of documented information during stage 1 is fully consistent with ISO auditing standards and recognized certification body practices.

Review is the third stage of the Plan-Do-Check-Act (PDCA) cycle, which is a four-step model for implementing and improving an information security management system (ISMS) according to ISO/IEC 27001:202212. Review involves assessing and measuring the performance of the ISMS against the established policies, objectives, and criteria12.

Assess is the verb that describes the action of reviewing the ISMS. Assess means to evaluate, analyze, or measure something in a systematic and objective manner3. Assessing the ISMS involves collecting and verifying audit evidence, identifying strengths and weaknesses, and determining the degree of conformity or nonconformity12.

Regular is the adjective that describes the frequency or interval of reviewing the ISMS. Regular means occurring or done at fixed or uniform intervals4. Reviewing the ISMS at regular intervals means conducting internal audits and management reviews periodically, such as annually, quarterly, or monthly, depending on the needs and risks of the organization12.

Suitability is one of the attributes that describes the quality or outcome of reviewing the ISMS. Suitability means being appropriate or fitting for a particular purpose, person, or situation5. Reviewing the ISMS for suitability means ensuring that it is aligned with the organization’s strategic direction, business objectives, and information security requirements12.

References :=

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27003:2022 Information technology — Security techniques — Information security management systems — Guidance

Assess | Definition of Assess by Merriam-Webster

Regular | Definition of Regular by Merriam-Webster

Suitability | Definition of Suitability by Merriam-Webster

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

The engagement letter serves to inform the auditee about the audit details, including:

Audit scope

Audit schedule

Expectations from both parties

It formally introduces the audit process and schedules the initial contact.

A. Incorrect:

The authority to conduct the audit is established by the certification body’s agreement, not just the engagement letter.

C. Incorrect:

Audit objectives are determined in the planning phase and are not the primary function of the engagement letter.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.2 (Initiating the Audit)

Audit evidence should be evaluated against the audit criteria in order to determine audit findings.

Audit evidence is the information obtained by the auditors during the audit process that is used as a basis for forming an audit opinion or conclusion12. Audit evidence could include records, documents, statements, observations, interviews, or test results12.

Audit criteria are the set of policies, procedures, standards, regulations, or requirements that are used as a reference against which audit evidence is compared12. Audit criteria could be derived from internal or external sources, such as ISO standards, industry best practices, or legal obligations12.

Audit findings are the results of a process that evaluates audit evidence and compares it against audit criteria13. Audit findings can show that audit criteria are being met (conformity) or that they are not being met (nonconformity). They can also identify best practices or improvement opportunities13.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

Components of Audit Findings - The Institute of Internal Auditors

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 8.1 requires an organization to plan, implement and control its processes needed to meet ISMS requirements2. This includes determining what needs to be done, how it will be done, who will do it, when it will be done, what resources are required, how performance will be evaluated, etc2. Therefore, if an ISMS auditor conducting a third-party surveillance audit of a telecom’s provider notes that there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming due to a recent ISMS upgrade that reduced access to work instructions, this indicates a nonconformity against clause 8.1 of ISO/IEC 27001:2022. The organization has failed to plan and control its operational processes effectively to ensure information security and quality2. The other options are not correct clauses to raise a nonconformity against based solely on this information. For example, clause 7.5 deals with documented information required by ISMS or determined by an organization as necessary for its effectiveness2, but it does not specify how many copies or formats of work instructions should be available; clause 10.2 deals with nonconformity and corrective action as a response to an identified problem or incident2, but it does not address how to prevent or avoid such problems or incidents in operational processes; clause 7.3 deals with awareness of ISMS policy, objectives, roles and responsibilities among persons doing work under an organization’s control2, but it does not relate to how work instructions are accessed or followed; clause 7.2 deals with competence of persons doing work under an organization’s control that affects its ISMS performance2, but it does not imply that lack of competence is caused by insufficient work instructions; clause 7.4 deals with communication about ISMS among internal and external interested parties2, but it does not cover how operational information is communicated within an organization. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements

This scenario represents an "audit finding." An audit finding refers to results that indicate a deviation from the expected performance or standards. Discovering that two employees have not received the required training is an audit finding indicating noncompliance with the organization's training requirements.

Materiality should be considered during the initial contact to obtain reasonable assurance that the audit can be successfully completed. Determining materiality helps establish the threshold for the significance of audit findings, ensuring that the audit focuses on substantial issues that could impact the audit conclusions.

ISO/IEC 27001 does not mandate the use of a specific risk assessment methodology. Organizations are free to choose their own approach as long as it is systematic, consistent, and capable of producing valid and comparable results. This allows organizations, such as the marketing agency in the question, to adapt the methodology to suit their specific needs and business context, provided it complies with the requirements set out in the standard.

According to ISO 19011:2018, clause 5.3, the person responsible for managing the audit programme should determine the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. The audit resources should be sufficient and appropriate to ensure the quality and effectiveness of the audit programme and the audit results. The audit resources include the following elements12:

Essential resources: These are the resources that are required to conduct the audit programme and the individual audits, such as the audit documents, the audit methods, the audit tools, the audit schedule, the audit budget, etc. The essential resources should be identified and allocated based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee. The essential resources should also be reviewed and updated as necessary to reflect any changes or deviations in the audit programme or the individual audits.

Competent personnel: These are the audit team members who have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results and recommendations. The competent personnel should include the audit team leader, the auditors, and any technical experts or observers who support the audit team. The competent personnel should be selected and appointed based on the audit objectives, scope, and criteria, and the specific competence requirements for the audit programme and the individual audits. The competent personnel should also be independent and impartial, and avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.

Audit methods are the techniques and procedures that auditors use to collect and evaluate audit evidence. Audit methods can be classified into two categories: those that involve human interaction and those that do not. Human interaction methods are those that require direct or indirect communication with the auditee or other relevant parties, such as interviews, questionnaires, surveys, observations, or walkthroughs. Non-human interaction methods are those that do not require any communication with the auditee or other parties, such as document reviews, data analysis, or remote surveillance.

Some examples of audit methods that do not involve human interaction are:

Performing a review of auditee’s procedures in preparation for an audit: This method involves examining the auditee’s documented information, such as policies, processes, records, or reports, to verify their adequacy and effectiveness in meeting the audit criteria. The auditor does not need to interact with the auditee or anyone else to perform this method.

Analysing data by remotely accessing the auditee’s server: This method involves accessing and processing the auditee’s data, such as performance indicators, logs, metrics, or statistics, to verify their accuracy and reliability in meeting the audit criteria. The auditor does not need to interact with the auditee or anyone else to perform this method.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Audit evidence can come from interviews, observations, and documentation.

Verbal evidence from top management is acceptable if documented and confirmed in writing.

A. Incorrect:

ISO 19011 allows verbal evidence as long as it is substantiated.

C. Incorrect:

Interviews alone are not sufficient—additional verification is required.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.6 (Reviewing Documented Information)

The unacceptable action in Scenario 8 is the audit team leader proposing a solution for resolving the nonconformities, making option A the correct answer. In external certification audits, auditors must remain impartial and independent. ISO/IEC 17021-1 strictly prohibits auditors from providing consultancy, advice, or specific solutions on how an organization should correct nonconformities.

Auditors are permitted to identify nonconformities, explain why they exist, and clarify the requirements of the standard. However, suggesting or proposing corrective solutions crosses the boundary into consultancy, which compromises auditor impartiality and could invalidate the certification process. In this scenario, Trustingo “accepted the audit team leader’s proposed solution,” which clearly indicates inappropriate auditor involvement.

Option B is not correct because conducting Stage 1 and Stage 2 audits jointly can be acceptable in certain cases, such as small organizations or mature ISMS implementations, provided the certification body justifies the approach and requirements are met. Option C is also not the best answer because the classification of the nonconformity (minor or major) is an auditor judgment issue, not inherently unacceptable.

Therefore, the critical violation of external audit rules is the auditor proposing corrective solutions, making option A correct.

Corrective action is a process of identifying and eliminating the root causes of nonconformities or incidents that have occurred or could potentially occur, in order to prevent their recurrence or occurrence. Corrective action is part of the improvement requirement of ISO 27001 and follows a standard workflow of identification, evaluation, implementation, review and documentation of corrections and corrective actions. References: Procedure for Corrective Action, Nonconformity & Corrective Action For ISO 27001 Requirement 10.1, PECB Candidate Handbook ISO 27001 Lead Auditor (page 12)

Internal audits and external audits are integral components of the certification cycle, ensuring regular monitoring of the management system. Internal audits help organizations prepare for external audits by identifying and addressing potential nonconformities, while external audits validate the compliance of the management system with ISO/IEC 27001 standards.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

ISO 19011:2018 mandates that auditors must obtain permission before making copies of documents.

Virtual audits must adhere to confidentiality agreements to protect sensitive data.

A. Incorrect:

Screenshots cannot be taken without permission, even if the audit is not recorded.

C. Incorrect:

Screenshots are allowed with prior authorization, ensuring proper data handling.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.10 (Virtual Auditing and Data Handling)

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Predictive analytics uses historical data, machine learning, and statistical models to predict future risk events.

It identifies patterns in security incidents, financial trends, and operational failures to anticipate risks before they occur.

A. Incorrect:

Real-time analysis is part of monitoring, but predictive analytics focuses on forecasting risks, not just real-time reporting.

C. Incorrect:

Data organization is essential but does not involve forecasting risks.

Relevant Standard Reference:

ISO 31000:2018 (Risk Management – Guidelines on Using Data Analytics in Risk Assessment)

You see a blue color sticker on certain physical assets. This signifies that the asset is high critical and its failure will affect a group/s/project’s work in the organization. A blue color sticker is a type of label that indicates the level of criticality of an asset, which is a measure of how important an asset is for the organization’s operations and objectives. A high critical asset is an asset that has a significant impact on the organization’s activities, and its loss or damage would cause major disruption or loss of service. A blue color sticker also implies that the asset requires a high level of protection and security, and should be handled with care. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 36. : [ISO/IEC 27001 Brochures | PECB], page 6.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 requires that closing meetings occur at the end of the audit to present findings to the auditee.

B. Incorrect:

Audit conclusions can be drafted later, but the closing meeting must still happen immediately post-audit.

C. Incorrect:

Delaying the closing meeting beyond the audit timeline is improper.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.6.2 (Closing Meeting Guidelines)

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 mandates that auditors present all nonconformities with sufficient detail and context to ensure proper understanding and corrective action planning.

Failure to explain nonconformities fully could lead to ineffective remediation.

B. Incorrect:

Minor nonconformities must also be presented to ensure full transparency.

C. Incorrect:

Aligning with standard clauses is necessary, but detailed analysis is more critical.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.6.2 (Presentation of Audit Findings in Closing Meetings)

The three audit findings that would prompt you to raise a nonconformity report are:

•The organisation is treating information security risks in the order in which they are identified

•The organisation’s risk assessment criteria have not been reviewed and approved by top management

•The organisation’s information security risk assessment process is based solely on an assessment of the impact of each risk

According to ISO/IEC 27001:2022, clause 6.1.2, the organisation must establish and maintain an information security risk management process that is consistent with the organisation’s context and aligned with its overall risk management approach1. This process must include the following steps:

•Establishing the risk assessment criteria, which must be approved by top management and reflect the organisation’s risk appetite and objectives2

•Identifying the information security risks, which must consider the assets, threats, vulnerabilities, impacts, and likelihoods3

•Analysing the information security risks, which must determine the levels of risk and compare them with the risk criteria4

•Evaluating the information security risks, which must prioritise the risks and decide whether they need treatment or not5

Therefore, the audit findings B, E, and F indicate that the organisation is not following the required steps of the information security risk management process, and thus are nonconformities with the standard.

The other audit findings are not necessarily nonconformities, as they may be acceptable depending on the organisation’s context and justification. For example:

•Audit finding A may be acceptable if the organisation has identified and treated the additional information security risks that are relevant to its scope and objectives, and has documented the rationale for doing so6

•Audit finding C may be acceptable if the organisation has assigned clear roles and responsibilities for the information security risk management process, and has ensured that the risk owners have the authority and competence to manage the risks7

•Audit finding D may be acceptable if the organisation has defined and communicated the meaning and implications of the emoji-based risk classification, and has ensured that it is consistent with the risk criteria and the risk treatment process8

•Audit finding G may be acceptable if the organisation has justified the use of discrete values for the probability of the information security risks, and has ensured that they are realistic and consistent with the risk criteria and the risk analysis method9

•Audit finding H may be acceptable if the organisation has established and maintained different systems for assessing operational and strategic information security risks, and has ensured that they are integrated and aligned with the overall risk management approach and the ISMS objectives10

A third-party audit is an independent assessment of an organisation’s management system by an external auditor, who is not affiliated with the organisation or its customers. The auditor verifies that the management system meets the requirements of a specific standard, such as ISO 27001, and evaluates its effectiveness and performance. The auditor also identifies any strengths, weaknesses, opportunities, or risks of the management system, and provides recommendations for improvement. The purpose of a third-party audit is to provide an objective and impartial evaluation of the organisation’s management system, and to inform a certification decision by a certification body. A certification body is an organisation that grants a certificate of conformity to the organisation, after reviewing the audit report and evidence, and confirming that the management system meets the certification criteria. A certification decision is the outcome of the certification process, which can be positive (granting, maintaining, renewing, or expanding the scope of certification) or negative (suspending, withdrawing, or reducing the scope of certification). References:

PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-25

ISO 19011:2018 - Guidelines for auditing management systems

The ISO 27001 audit process | ISMS.online

Comprehensive and Detailed In-Depth Explanation:

A. Assigning responsibilities to the audit team members (Correct Answer) – This is not Sarah’s responsibility. The certification body assigns the audit team and defines responsibilities, ensuring independence and objectivity.

B. Defining the audit criteria and objectives (Correct Responsibility) – Sarah, as the audit team leader, must establish audit criteria and objectives, per ISO 19011 (Guidelines for Auditing Management Systems).

C. Planning the audit (Correct Responsibility) – The audit team leader is responsible for planning the audit, including timelines and resource allocation.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)

ISO 19011:2018 Clause 5.5.2 (Defining Audit Objectives and Criteria)

The number of days assigned to a third-party audit is not determined by the auditee’s availability, but by the audit program, which considers the audit scope, objectives, criteria, risks, and resources12. The auditee’s availability is only one factor that affects the audit planning and scheduling, but not the audit duration3. Auditors approved for conducting onsite audits do require additional training for virtual audits, as there are significant differences in the skillset required. Virtual audits pose different challenges and opportunities than onsite audits, such as communication, technology, security, and evidence collection4 . Auditors need to be familiar with the tools and techniques for conducting remote audits, as well as the ethical and professional behavior expected in a virtual environment . References:

PECB Candidate Handbook - ISO 27001 Lead Auditor, page 18

ISO 19011:2018, Guidelines for auditing management systems, clause 5.3.2

ISO 19011:2018, Guidelines for auditing management systems, clause 6.3.1

Deloitte - Conducting a Virtual Internal Audit, page 1

[A Guide to Conducting Effective and Efficient Remote Audits], page 1

[ISO 19011:2018, Guidelines for auditing management systems], clause 7.2.3

[Remote Auditing Best Practices & Checklist for Regulatory Compliance], page 1

Risk analysis is the process by which the nature of the risk is determined along with its probability and impact. Risk analysis involves estimating the likelihood and consequences of potential events or situations that could affect the organization’s information security objectives or requirements12. Risk analysis could use qualitative or quantitative methods, or a combination of both12.

Risk management is the process by which a risk is controlled at all stages of its life cycle by means of the application of organisational policies, procedures and practices. Risk management involves establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing the risks that could affect the organization’s information security performance or compliance12. Risk management aims to ensure that risks are identified and treated in a timely and effective manner, and that opportunities for improvement are exploited12.

Risk identification is the process by which a risk is recognised and described. Risk identification involves identifying and documenting the sources, causes, events, scenarios, and potential impacts of risks that could affect the organization’s information security objectives or requirements12. Risk identification could use various techniques, such as brainstorming, interviews, checklists, surveys, or historical data12.

Risk evaluation is the process by which the impact and/or probability of a risk is compared against risk criteria to determine if it is tolerable. Risk evaluation involves comparing the results of risk analysis with predefined criteria that reflect the organization’s risk appetite, tolerance, or acceptance12. Risk evaluation could use various methods, such as ranking, scoring, or matrix12. Risk evaluation helps to prioritize and decide on the appropriate risk treatment options12.

Risk mitigation is the process by which the impact and/or probability of a risk is reduced by means of the application of controls. Risk mitigation involves selecting and implementing measures that are designed to prevent, reduce, transfer, or accept risks that could affect the organization’s information security objectives or requirements12. Risk mitigation could include various types of controls, such as technical, organizational, legal, or physical12. Risk mitigation should be based on a cost-benefit analysis and a residual risk assessment12.

Risk transfer is the process by which a risk is passed to a third party, for example through obtaining appropriate insurance. Risk transfer involves sharing or shifting some or all of the responsibility or liability for a risk to another party that has more capacity or capability to manage it12. Risk transfer could include various methods, such as contracts, agreements, partnerships, outsourcing, or insurance12. Risk transfer should not be used as a substitute for effective risk management within the organization12.

References :=

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27005:2022 Information technology — Security techniques — Information security risk management

The certification body had a valid reason to accept CyberShielding Systems Inc.’s objection, making option A the correct answer. ISO/IEC 17021-1 requires certification bodies to ensure that audit teams are competent and acceptable to the auditee, particularly where access to sensitive information, systems, or facilities is involved. Security clearance requirements set by the auditee are a legitimate consideration, especially for organizations operating in highly sensitive information security environments.

In this scenario, CyberShielding Systems Inc. operates in the cybersecurity sector and handles sensitive internal and customer information. Auditors without the necessary security clearance may be unable to access required information or systems, which would compromise the effectiveness and completeness of the audit. Accepting such an objection supports both audit quality and information protection.

Option B is incorrect because objections are not limited to cases of prior unprofessional conduct. Option C is incorrect because conflicts of interest are not the only valid grounds for objection. ISO/IEC 17021-1 allows auditees to object to auditors for justified reasons, including competence, impartiality, confidentiality, or access limitations.

Therefore, replacing the auditor due to insufficient security clearance was appropriate and consistent with certification body requirements and good auditing practice.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

ISO/IEC 27001:2022 Clause 9.2.2 requires internal auditors to be independent of the activities they audit.

Inconsistencies in the internal audit report raise valid concerns about independence.

A. Incorrect:

Internal auditors must always be independent, not just for surveillance audits.

B. Incorrect:

Internal auditors have a compliance role, not just an advisory role.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 9.2.2 (Internal Auditor Independence)

From Exact Extract:

1. Identification of potential impact

The scenario clearly states that the chatbot:

Sent random files to users

Encountered invalid inputs

Processed personally identifiable information (PII)

Operated in a live customer-facing environment

Sending random files to users represents a direct risk of unauthorized disclosure of information, which could include:

Customer records

Sensitive operational data

Personally identifiable information (PII)

This constitutes a customer privacy breach, which is a serious information security impact.

2. ISO/IEC 27001:2022 – Impact on confidentiality

Under ISO/IEC 27001:2022, one of the core objectives of an ISMS is to protect confidentiality, especially where PII is involved.

Clause 6.1.2 (Information security risk assessment) requires organizations to identify risks related to loss of confidentiality.

Clause 6.1.3 (Information security risk treatment) requires controls to be implemented where such risks exist.

A system that distributes random files creates a high-impact confidentiality risk.

3. ISO/IEC 27002:2022 – Privacy and PII protection

This scenario directly impacts Annex A control A.5.34 – Privacy and protection of PII, which requires organizations to:

Protect personal data against unauthorized access, disclosure, or misuse.

The chatbot’s behaviour violates the intent of this control and demonstrates a clear privacy impact.

4. Why the other options are incorrect

A. Temporary slowdown in internal system updatesThis is not supported by the scenario. There is no reference to internal system updates being affected.

C. Minor delays in customer service response timesWhile customer support was overwhelmed, the scenario describes a much more severe impact — uncontrolled file transmission and potential data exposure. This understates the risk.

Auditor Conclusion

The most significant and realistic impact arising from the chatbot issues is a breach of customer privacy due to the potential exposure of sensitive files. This aligns with ISO/IEC 27001’s focus on protecting confidentiality and PII.

The role of the audit team leader does not include setting up an ethics committee. The primary responsibilities of the audit team leader include planning the audit, directing the activities of the audit team, ensuring compliance with the auditing standards, managing conflicts that arise during the audit, and presenting audit conclusions.

Comprehensive and Detailed In-Depth Explanation:

ISO/IEC 27001 Clause 5.1 (Leadership and Commitment) defines top management's role in ensuring the effectiveness of the Information Security Management System (ISMS). It requires top management to:

Ensure the availability of resources for the ISMS (Correct Responsibility).

Promote continual improvement of the ISMS (Correct Responsibility).

Direct and support employees to contribute to ISMS effectiveness (Correct Responsibility).

B. Conducting regular internal audits – Incorrect Responsibility:

Internal audits are not a direct responsibility of top management. Instead, Clause 9.2 (Internal Audit) requires audits to be conducted independently of management.

Top management is responsible for ensuring audits are conducted but does not need to conduct them personally.

Thus, top management is responsible for oversight and support but not for conducting internal audits themselves.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 5.1 (Leadership and Commitment)

ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)

The IRT’s finding that FTP transmits authentication credentials in clear text represents a vulnerability in information security terms. A vulnerability is defined as a weakness in an asset, system, or control that can be exploited by a threat. In this scenario, FTP itself is not a threat, nor is it the risk; rather, it is the technical weakness that enabled the attackers to succeed.

The attackers (hackers) are the threat, and the potential loss of proprietary information is the impact. The risk arises from the combination of the threat exploiting the vulnerability and causing harm. However, the question specifically asks what the IRT’s finding about FTP represents, and that finding is the identification of a weakness in the system design. The use of clear-text authentication is a well-known security weakness, making it easier for attackers to capture credentials through network traffic interception.

ISO/IEC 27001:2022 risk assessment logic requires organizations to distinguish clearly between threats, vulnerabilities, and risks during incident analysis. The IRT did exactly this by identifying that the protocol itself lacked encryption, which is a vulnerability. This is further supported by the corrective action taken: replacing FTP with SSH. SSH provides encrypted communication, which directly addresses the vulnerability by removing the weakness that allowed credential exposure.

Therefore, the IRT’s findings correctly identify FTP as a vulnerability, making option A the correct answer.

CyberShielding Systems Inc. should have included the identification of areas for improvement when defining the audit objectives, making option A the correct answer. ISO/IEC 27001 audits are not limited to verifying compliance; they also support continual improvement of the ISMS. ISO 19011 encourages audits to provide value by identifying weaknesses, improvement opportunities, and areas where effectiveness can be enhanced.

In the scenario, the audit objectives were primarily focused on conformity with criteria and compliance with statutory and regulatory requirements. While this is essential, a well-defined audit objective should also include evaluating opportunities to improve security practices, control effectiveness, and risk management maturity. Identifying improvement areas helps the organization strengthen its ISMS beyond basic compliance and aligns with ISO/IEC 27001 clause 10 on continual improvement.

Option B is incorrect because audit objectives should not be narrowly focused only on recent incidents or management concerns, as this could lead to biased or incomplete coverage. Option C is incorrect because limiting the audit to documentation review undermines the effectiveness of the audit and contradicts the requirement for evidence-based evaluation of operational controls.

Therefore, including improvement identification as an audit objective would have strengthened the audit’s value and alignment with ISO/IEC 27001 principles.

The correct sequence of activities for the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022 is as follows:

1st: Create and maintain information security risk criteria 2nd: Identify the risks that need to be considered when planning for the information security management system 3rd: Assess the potential consequences that would arise if the risk were to materialise 4th: Select appropriate risk treatment options 5th: Carry out information security risk assessments at planned intervals 6th: Consider the results of risk assessment and the status of the risk treatment plan at management review

This sequence is based on the information security risk management process described in ISO/IEC 27001:2022 clause 6.1, which includes the following activities:

establishing and maintaining information security risk criteria;

ensuring that repeated information security risk assessments produce consistent, valid and comparable results;

identifying the information security risks;

analyzing the information security risks;

evaluating the information security risks;

treating the information security risks;

accepting the information security risks and the residual information security risks;

communicating and consulting with stakeholders throughout the process;

monitoring and reviewing the information security risks and the risk treatment plan.

One of the advantages of having accredited certification of ISMS to ISO/IEC 27001:2022 is that it demonstrates the recognition of the credibility of the certification process. Accredited certification means that the certification body has been assessed and approved by an accreditation body, which ensures that the certification body operates according to international standards and follows impartiality, competence and consistency principles. Accredited certification also enhances the confidence of the organisation’s customers, partners, regulators and other interested parties in the organisation’s information security performance and compliance. References: = ISO/IEC 27001:2022, clause 0.2; [PECB Candidate Handbook ISO 27001 Lead Auditor], page 6; Key Benefits of ISO 27001 Certification - IT Governance.

 Information or data that are classified as public do not require labeling. Public information or data are those that are intended for general disclosure and have no impact on the organization’s operations or reputation if disclosed. Labeling is a method of implementing classification, which is a process of structuring information according to its sensitivity and value for the organization. Labeling helps to identify the level of protection and handling required for each type of information. Information or data that are classified as internal, confidential, or highly confidential require labeling, as they contain information that is not suitable for public disclosure and may cause harm or loss to the organization if disclosed. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 34. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 37. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 14.

The only option that is not prohibited in acceptable use of information assets is C: company-wide e-mails with supervisor/TL permission. This option implies that the sender has obtained the necessary authorization from their supervisor or team leader to send an e-mail to all employees in the organization. This could be done for legitimate business purposes, such as announcing important news, events or updates that are relevant to everyone. However, this option should still be used sparingly and responsibly, as it could cause unnecessary disruption or annoyance to the recipients if abused or misused. The other options are prohibited in acceptable use of information assets, as they could violate the information security policies and procedures of the organization, as well as waste resources and bandwidth. Electronic chain letters (A) are messages that urge recipients to forward them to multiple other people, often with false or misleading claims or promises. They are considered spam and could contain malicious links or attachments that could compromise information security. E-mail copies to non-essential readers (B) are messages that are sent to recipients who do not need to receive them or have no interest in them. They are considered unnecessary and could clutter the inbox and distract the recipients from more important messages. Messages with very large attachments or to a large number of recipients (D) are messages that consume a lot of network resources and could affect the performance or availability of the information systems. They could also exceed the storage capacity or quota limits of the recipients’ mailboxes and cause problems for them. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Acceptable Use?

 Integrity of data means accuracy and completeness of the data. Integrity is one of the three main objectives of information security, along with confidentiality and availability. Integrity ensures that information and systems are not corrupted, modified, or deleted by unauthorized actions or events. Data should be viewable at all times is not related to integrity, but to availability. Data should be accessed by only the right people is not related to integrity, but to confidentiality. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24. : [ISO/IEC 27001 Brochures | PECB], page 4.

A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization’s management system to achieve its intended results, and therefore requires immediate corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system12.

A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system12.

The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because the top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee13.

The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee13.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

An intrinsic vulnerability refers to a weakness that is inherent to a system or tool, such as a data processing tool’s inability to perform bound checking on arrays. This characteristic makes the system susceptible to issues like buffer overflows, which can lead to crashes or other types of failures. References: = The concept of intrinsic vulnerability is based on the understanding that certain vulnerabilities are built into the system and are not influenced by external factors. This aligns with the general principles of information security management systems and the content typically covered in ISMS ISO/IEC 27001 Lead Auditor training and certification programs

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer: ISO/IEC 27001 Clause 4.1 (Understanding the Organization and Its Context) and Clause 4.2 (Understanding the Needs and Expectations of Interested Parties) require organizations to consider both internal and external issues when defining the scope of the ISMS.

The scenario states that Clinic only considered internal issues but did not assess external factors, such as regulatory requirements, industry standards, or cybersecurity threats.

B. Incorrect: The scope is not fully correct because external factors were not considered.

C. Incorrect: Justifying exclusions is necessary in the SoA, not in the ISMS scope statement.

By failing to consider external issues, Clinic's ISMS does not meet the full requirements of ISO/IEC 27001.

According to ISO/IEC 27001:2022, clause 7.2.2, the organization shall ensure that all persons who have access to information are aware of the information security policy and their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance2. Therefore, awareness training on information security is a requirement for all persons, not just new hires. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, a certification body should ensure that its auditors are competent, impartial, and independent from the auditee organization2. Therefore, if a Management System Representative of a client organization asks for a specific auditor for the certification audit, the individual(s) managing the audit programme should respond in a way that does not compromise these principles or create any conflict of interest or undue influence2. Two possible ways to respond are to state that his request will be considered but may not be taken up, as there may be other factors that affect the auditor selection process; or to advise him that the audit team selection is a decision that the audit programme manager needs to make based on the resources available, such as auditor availability, competence, location, etc2. The other options are not suitable ways to respond in this situation. For example, advising him that his request can be accepted may raise doubts about the objectivity and credibility of the auditor and the certification body; suggesting that he chooses another certification body may imply that his request is unreasonable or unethical; and suggesting asking the certification body management to permit his request may suggest that there is room for negotiation or manipulation in auditor selection2. References: ISO/IEC 17021-1:2015 - Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

Scenario 6 states that the audit team reviewed the content and format of the documents but does not mention an evaluation of the document management procedure.

ISO/IEC 27001 requires that procedures for managing documented information be reviewed.

A. Incorrect:

The content of documents was reviewed for compliance with ISO/IEC 27001 clauses.

B. Incorrect:

The audit team confirmed that all documents were in a standardized format.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 7.5 (Documented Information Requirements)

Top management requests auditors from the organisation’s compliance department to audit the production process in order to ensure the final product meets quality requirements = First-party audit

Auditors from the buyer’s organisation audit their raw material supplier to ensure the supply fulfils the order and contract = Second-party audit

Auditors from an independent certification body conduct an audit of the organisation to verify conformity with an ISO Standard for certification purposes = Third-party audit

The organisation has been audited against two management system standards in one audit = Combined audit

According to the ISO/IEC 27001 standard, there are three main categories of audits: internal, external, and certification1. An internal audit, also known as a first-party audit, is an audit conducted by the organisation itself, or by an external party on its behalf, for management review and other internal purposes12. An external audit, also known as a second-party audit, is an audit conducted by a customer or other interested party on a supplier or contractor to verify compliance with contractual or other requirements12. A certification audit, also known as a third-party audit, is an audit conducted by an independent certification body to verify conformity with an ISO standard for certification purposes12. A combined audit is an audit where two or more management system standards are audited together3.

 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 192: ISO 27001 Audit Types and How They are Conducted23: The Four ISO 27001 Audit Categories, Explained4

The audit team used documented information review and observation for evidence collection and evaluation for analysis, making option A the correct answer. This aligns directly with ISO 19011, which identifies document review, observation, and evaluation as primary audit techniques.

In the scenario, auditors reviewed ISMS documentation remotely, observed departmental practices during stage 2, and evaluated whether controls such as access rights management and training documentation met ISO/IEC 27001 requirements. These activities constitute classic evidence-based auditing methods.

Option B is incorrect because there is no indication that technical verification or extensive sampling of systems occurred. Option C is incorrect because the audit did not rely solely on interviews, nor was trend analysis the primary analytical method used. Interviews were supplementary, not exclusive.

ISO auditing requires auditors to triangulate evidence using multiple methods. The combination of document review, observation, and evaluative analysis reflects appropriate and recommended audit practice.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Audit test plans define the structured approach for conducting interviews, observations, and control testing.

ISO 19011:2018 describes audit test planning as essential for consistent evidence collection.

A. Incorrect:

Test plans do not generate reports—they outline procedures for evidence collection.

C. Incorrect:

Audit test plans focus on specific risks rather than evaluating all elements.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.5 (Audit Test Planning Procedures)

The requirements for Information Security objectives are found in ISO/IEC 27001:2022, clause 6.2:

Top management shall ensure that information security objectives are established.

Objectives must:

Be consistent with the information security policy.

Be measurable (if practicable).

Take into account applicable information security requirements, and results from risk assessments and risk treatment.

Be communicated.

Be monitored.

Be updated as appropriate.

When planning how to achieve objectives, organisations must determine:

What will be done.

What resources will be required.

Who will be responsible.

When it will be completed.

How the results will be evaluated.

Analysis of each option:

A. Reviewed at all management reviews ? Concern.ISO 27001 clause 9.3 (Management review) requires that the status of objectives is reviewed, but not at all management reviews — only at scheduled ones. Mandating every review is incorrect.

B. Communication ? Correct.Clause 6.2 requires objectives to be communicated. This is valid.

C. Completion date ? Correct.Clause 6.2 requires organisations to determine when it will be completed. Valid.

D. Measurable ? Correct.Clause 6.2 explicitly says objectives must be measurable (if practicable). Valid.

E. Distributed to all staff ? Concern.Clause 6.2 requires objectives to be communicated to those who need to be aware, not all staff. This is overreach and not aligned with the standard.

F. Budget/resources ? Correct.Clause 6.2 requires determining what resources will be required. Valid.

G. Process to revisit ? Correct.Clause 6.2 requires objectives to be updated as appropriate. Valid.

H. Top management determine annually ? Concern.Clause 6.2 requires top management to ensure objectives are established, but there is no requirement for an annual cycle. This could cause mis-audit findings.

ISO/IEC 27001:2022, Clause 6.2 (Information security objectives and planning to achieve them)

Comprehensive and Detailed In-Depth Explanation:

The CIA Triad (Confidentiality, Integrity, and Availability) is the foundation of information security principles.

Availability ensures that data and services are accessible when needed. By implementing regular, automated backups and offsite storage, the organization ensures that critical data remains accessible even after a security incident (e.g., data loss, cyberattacks, or hardware failures). This aligns with ISO/IEC 27001:2022 Annex A Control A.8.13 (Information Backup), which emphasizes maintaining and testing backups to ensure system resilience.

Integrity ensures that data remains unaltered and accurate, but backups do not inherently enforce integrity unless accompanied by checksum or validation mechanisms.

Confidentiality ensures that only authorized users can access data, which is not the primary goal of a backup procedure.

Comprehensive and Detailed In-Depth Explanation:

A. Preventive Control – Correct Answer. Access control software is designed to prevent unauthorized access by enforcing authentication and authorization mechanisms. This aligns with ISO/IEC 27001:2022 Annex A Control A.5.18 (Access Rights).

B. Detective controls identify and log unauthorized access attempts, but do not prevent them.

C. Corrective controls take action after a security event has occurred.

Identifying the source of information (already given)

Gathering audit evidence: This involves collecting information from various sources such as documents, records, interviews, and observations.

Sampling the available data: Due to the vast amount of information available, auditors typically use sampling techniques to select representative data for closer scrutiny.

Verifying objective evidence: This involves checking the accuracy, completeness, and reliability of the collected evidence.

Evaluating evidence against the audit criteria: Auditors compare the collected evidence to the established criteria (e.g., standards, policies, procedures) to assess compliance and effectiveness.

Recording audit findings: This involves documenting the results of the evaluation, including observations, conclusions, and recommendations.

Making audit conclusions: Based on the recorded findings, auditors formulate overall conclusions about the status of the management system.

Therefore, the correct sequence is:

1. Identifying the source of information 2. Gathering audit evidence 3. Sampling the available data 4. Verifying objective evidence 5. Evaluating evidence against the audit criteria 6. Recording audit findings 7. Making audit conclusions