Question 1

The auditor should consider (1)-------when determining the (2)--------

Options :

A : (1) Standard requirements. (2) audit criteria

B : (1) Audit risks, (2) audit objectives

C : (1) Penalties related to legal noncompliance, (2) materiality

Answer: B

Question 2

Based on the identified nonconformities. Company A established action plans that included the detected nonconformities, the root causes, and a general statement regarding each action that would be taken. Is this acceptable?

Options :

A :

No, the action plans should include information on the systems that will be installed and how these systems will eliminate the root causes

B :

No, the auditee is required to submit action plans that include detailed information on how every corrective action will be implemented

C :

Yes, the auditee is required to submit action plans that include a general statement regarding the actions that will be taken

Answer: B

Question 3

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf

of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the

Statement of Applicability (SoA) and mplemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

Options :

A : Confidentiality and nondisclosure agreements

B : How protection against malware is implemented

C : Information security awareness, education and training

D : Remote working arrangements

E : The conducting of verification checks on personnel

F : The operation of the site CCTV and door control systems

G : The organisation-s arrangements for information deletion

H : The organisation-s business continuity arrangements

Answer: A,C,D,E

Question 4

Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September

2010. The company has a network of 30 branches with over 100 ATMs across the country.

Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the

security and privacy of data. They need to manage information security across their operations by

implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC

27001 because it provided better security, more risk control, and compliance with key requirements of laws

and regulations.

Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their

ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of

EsBank’s systems, processes, and technologies.

The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first

nonconformity was related to EsBank’s labeling of information. The company had an information

classification scheme but there was no information labeling procedure. As a result, documents requiring the

same level of protection would be labeled differently (sometimes as confidential, other times sensitive).

Considering that all the documents were also stored electronically, the nonconformity also impacted media

handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive

information mistakenly classified as confidential. According to the information classification scheme,

confidential information is allowed to be stored in removable media, whereas storing sensitive information is

strictly prohibited. This marked the other nonconformity.

They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives,

who agreed to submit an action plan for the detected nonconformities within two months.

EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a

procedure for information labeling based on the classification scheme for both physical and electronic formats.

The removable media procedure was also updated based on this procedure.

Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the

detected nonconformities and the corrective actions taken, but did not include any details on systems, controls,

or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the

nonconformities. Yet, EsBank received an unfavorable recommendation for certification.

Based on the scenario above, answer the following question:

Which action illustrated in scenario 8 is unacceptable in an external audit?

Options :

A : The audit team leader suggested a specific solution on resolving the nonconformities

B : Stage 1 audit and stage 2 audits were performed at the same time

C : The lack of an information labeling procedure existed was marked as a minor nonconformity

Answer: A

Question 5

You are an experienced ISMS audit team leader who is currently conducting a third party initial certification

audit of a new client, using ISO/IEC 27001:2022 as your criteria.

It is the afternoon of the second day of a 2-day audit, and you are just about to start writing your audit report.

So far no nonconformities have been identified and you and your team have been impressed with both the site

and the organisation's ISMS.

At this point, a member of your team approaches you and tells you that she has been unable to complete her

assessment of leadership and commitment as she has spent too long reviewing the planning of changes.

Which one of the following actions will you take in response to this information?

Options :

A : Apologise to the client and tell them you will return at a later date to review leadership and commitment.

B : Suggest to the client that if they are prepared to upgrade your return flight to first class you will audit leadership and commitment in your own time tomorrow.

C : Advise the auditee and audit client that it is not possible to make a positive recommendation at this point.

D : Advise the auditee that the certification audit will need to be terminated and rescheduled.

E : Contact the individual managing the audit programme and seek their permission to record a positive recommendation in the audit report

F : Contact your head office and await their further instructions of how to proceed.

G : Given there have been no nonconformities identified and the overall impression of the organisation has been a good one, record a positive recommendation for certification in the audit report.

H : Review the audit plan and client availabilities to determine whether there is any opportunity for another member of your team to pick up this task before the closing meeting.

Answer: C

Free ISO-IEC-27001-Lead-Auditor Mock Exam – Practice Online Confidently

Buying Options: