Increase your chances of passing the PECB ISO-IEC-27001-Lead-Auditor exam questions on your first try. Practice with our free online ISO-IEC-27001-Lead-Auditor exam mock test designed to help you prepare effectively and confidently.
Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September
2010. The company has a network of 30 branches with over 100 ATMs across the country.
Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the
security and privacy of data. They need to manage information security across their operations by
implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC
27001 because it provided better security, more risk control, and compliance with key requirements of laws
and regulations.
Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their
ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of
EsBank’s systems, processes, and technologies.
The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first
nonconformity was related to EsBank’s labeling of information. The company had an information
classification scheme but there was no information labeling procedure. As a result, documents requiring the
same level of protection would be labeled differently (sometimes as confidential, other times sensitive).
Considering that all the documents were also stored electronically, the nonconformity also impacted media
handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive
information mistakenly classified as confidential. According to the information classification scheme,
confidential information is allowed to be stored in removable media, whereas storing sensitive information is
strictly prohibited. This marked the other nonconformity.
They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives,
who agreed to submit an action plan for the detected nonconformities within two months.
EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a
procedure for information labeling based on the classification scheme for both physical and electronic formats.
The removable media procedure was also updated based on this procedure.
Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the
detected nonconformities and the corrective actions taken, but did not include any details on systems, controls,
or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the
nonconformities. Yet, EsBank received an unfavorable recommendation for certification.
Based on the scenario above, answer the following question:
Which action illustrated in scenario 8 is unacceptable in an external audit?
What is social engineering?
What is the goal of classification of information?
© Copyrights FreeMockExams 2026. All Rights Reserved
We use cookies to ensure that we give you the best experience on our website (FreeMockExams). If you continue without changing your settings, we'll assume that you are happy to receive all cookies on the FreeMockExams.
Full Access to 434 Questions