Free Practice Questions for PECB ISO-IEC-27001-Lead-Auditor Exam

According to ISO/IEC 27001:2022 clause 8.1, the organization must plan, implement and control the processes needed to meet the information security requirements, and to implement the actions determined in clause 6.1. The organization must also ensure that the outsourced processes are controlled or influenced. According to control A.5.24, the organization must establish and maintain an information security incident management process that includes reporting information security events and weaknesses. Therefore, the use of lower grade machines for the secure disposal of confidential documents and media could pose a significant information security risk and a potential breach of contract with the clients. The auditor should respond to this information by:

A. Advising the individual managing the audit programme of any recommendation by you to conduct a further audit prior to certification. This is in accordance with ISO/IEC 27006:2022 clause 7.4.3, which states that the audit team leader shall report to the certification body any situation that may significantly affect the audit conclusions or the certification decision, and propose any necessary changes to the audit plan.

C. Considering the need for a subsequent audit within 4 weeks based on the additional information that has come to light. This is in accordance with ISO/IEC 27006:2022 clause 7.5.2, which states that the audit team leader shall review the audit findings and any other appropriate information collected during the audit to determine the audit conclusions, and to identify any need for a subsequent audit.

G. Verifying with the auditee that lower grade machines are used in certain circumstances. This is in accordance with ISO/IEC 27006:2022 clause 7.4.2, which states that the audit team leader shall ensure that the audit is conducted in accordance with the audit plan, and that any changes to the plan are agreed upon and documented.

The other options are not appropriate responses, as they either ignore the information, exceed the scope of the audit, or prematurely raise a nonconformity without sufficient evidence. For example:

B. Cancelling the production of the audit report and instead reviewing the organization’s contracts with its clients to determine whether they have permitted the use of lower grade machines. This is not a suitable response, as it would delay the audit process and the certification decision, and it would involve reviewing documents that are outside the scope of the ISMS audit. The auditor should focus on verifying the information security risk assessment and treatment process, and the information security incident management process, as they relate to the use of lower grade machines.

D. Doing nothing. All audits are based on a sample and the sample you took did not include a planned review of the lower grade machines. This is not a suitable response, as it would disregard a significant information security risk and a potential nonconformity that could affect the audit conclusions and the certification decision. The auditor should follow up on the information provided by the employee and verify its validity and impact.

E. Extending the certification audit duration to create additional time to audit the use of the lower grade machines. This is not a suitable response, as it would disrupt the audit schedule and the availability of the audit team and the auditee. The auditor should report the situation to the certification body and propose any necessary changes to the audit plan, such as conducting a subsequent audit.

F. Raising a nonconformity against 8.1 Operational Planning and Control as the organization has not been open about its processes. This is not a suitable response, as it would be based on a single source of information that has not been verified or corroborated. The auditor should collect sufficient and appropriate audit evidence to support any nonconformity, and should also consider the root cause and the severity of the nonconformity.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer: Changes to the audit scope must be approved by the auditee, the auditor, and the certification body. This ensures fairness and maintains compliance with ISO 19011 guidelines on audit planning.

A. Incorrect: The audit schedule cannot be changed solely at Cobt’s request—approval is required.

B. Incorrect: Audit scope is not limited to technological changes but includes organizational and procedural changes as well.

Relevant Standard Reference:

ISO 19011:2018 Clause 5.5.2 (Determining the Audit Scope and Schedule)

The auditor should verify that the selected controls are included in the Statement of Applicability (SoA), making option C the correct answer. ISO/IEC 27001:2022 requires organizations to document which Annex A controls are applicable based on the results of the risk assessment and risk treatment process. The SoA is the formal document that records these decisions, including justification for inclusion or exclusion of controls.

The existence of a risk assessment alone is not sufficient. Auditors must confirm traceability between identified risks, selected controls, and their formal documentation in the SoA. This ensures transparency, consistency, and accountability in how the organization manages information security risks.

Option A is incorrect because ISO/IEC 27001 does not require organizations to use external consultants for risk assessments. Risk assessments may be conducted internally, provided they follow a defined and systematic methodology. Option B is incorrect because controls can be preventive, detective, or corrective; there is no requirement that selected controls be corrective only.

Therefore, verifying that selected controls are properly reflected in the Statement of Applicability is a mandatory audit activity and a core requirement of ISO/IEC 27001 compliance.

The correct answers for matching each of the descriptions with the appropriate risk term are:

The strategy chosen to respond to a specific information security risk: This is a definition of information security risk treatment. According to ISO/IEC 27000:2022, information security risk treatment is “the process of selecting and implementing measures to modify the information security risk” Section 3.33.

The effect of uncertainty on information security objectives: This is a definition of information security risk. According to ISO/IEC 27000:2022, information security risk is “the effect of uncertainty on information security objectives” Section 3.32.

The requirements against which information security risks are evaluated: This is a definition of information security risk criteria. According to ISO/IEC 27000:2022, information security risk criteria are “the terms of reference by which the significance of information security risks is assessed” Section 3.31.

A definition of the overall level of information security risk that is considered to be tolerable: This is a definition of information security risk acceptance criteria. According to ISO/IEC 27000:2022, information security risk acceptance criteria are “the level of information security risk that is acceptable” Section 3.30.

This scenario represents ordinary negligence, making option A the correct answer. Ordinary negligence occurs when an individual fails to exercise the level of care, competence, or diligence that would reasonably be expected under similar circumstances. In the context of ISO/IEC 27001 certification audits, this includes failing to follow established audit procedures, best practices, or competence requirements, even if there is no intent to cause harm.

In the scenario, the audit team leader failed to follow established best practices and lacked sufficient expertise in certain complex ISMS areas. These shortcomings resulted in weak audit coverage and suboptimal outcomes. However, the audit was still conducted, findings were reported, and there is no indication of reckless disregard, willful misconduct, or intentional violation of duties. This distinction is important when assessing the severity of negligence.

Gross negligence would require evidence of a serious departure from accepted standards, such as knowingly ignoring mandatory audit requirements, deliberately conducting an audit without any competence, or showing reckless indifference to the consequences. That threshold is not met here. Similarly, option C is incorrect because the presence of procedural failures and competence gaps clearly indicates some level of negligence.

ISO 19011:2018 emphasizes auditor competence, due professional care, and adherence to audit principles. Failure to meet these expectations constitutes negligence, but in this case, it remains within the bounds of ordinary negligence rather than gross negligence.

A legal technical expert (LTE) is a person who provides specific knowledge or expertise related to the legal aspects of the information security management system (ISMS) during a certification audit. The LTE is not an auditor, but a member of the audit team who supports the auditors in collecting and evaluating the audit evidence. The LTE is not responsible for evaluating the auditee’s legal knowledge, criticising the organisation’s legal compliance issues, or debating complex legal points with the auditee, as these tasks may be beyond the scope of the audit, or may compromise the objectivity and impartiality of the audit. The LTE is responsible for advising on legal checkpoints for the audit team, such as the applicable legal, regulatory, and contractual requirements, the relevant sources of information, the methods of verification, and the criteria of evaluation. The LTE is also responsible for verifying the legal status of the organisation, such as the registration, licensing, authorisation, or accreditation of the organisation, and the compliance with the relevant laws and regulations. References:

What is the role of a technical expert in ISO audit?

Roles, Responsibilities & Authorities for ISO 27001 5.3

Guide to Become an ISO 27001 Lead Auditor

Yes, it is acceptable for the internal auditor to follow-up on the implementation of corrective actions until verified by the external auditor during the next surveillance audit. This practice supports continuous improvement and ensures that corrective actions are effectively implemented and maintained over time.

Comprehensive and Detailed In-Depth Explanation:

Managerial controls (also called administrative controls) include policies, procedures, and processes to ensure effective security governance. These controls include training, internal audits, security awareness programs, and management reviews. These align with ISO/IEC 27001:2022 Annex A Control A.5.2 (Information Security Roles and Responsibilities) and A.5.3 (Segregation of Duties).

B. Organizational structure controls relate to segregation of duties and job rotations, making them structural controls rather than purely managerial.

C. Technical controls involve firewalls, IDSs, and other security mechanisms, which are not managerial but technical measures.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

Data test techniques simulate transactions within financial software to verify logic, calculations, and programmed controls.

ISO 19011:2018 recognizes CAATs as audit tools that validate data processing integrity.

A. Incorrect:

Plotting and cartography software is used for geospatial analysis, not financial transaction testing.

B. Incorrect:

Utility software supports general IT functions but does not conduct audit simulations.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.10 (Use of CAATs in Auditing)

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

The classification-based security approach aligns with ISO/IEC 27001:2022 Annex A Control A.5.12 (Classification of Information).

The organization is applying a security control in accordance with the classification policy, ensuring conformity to information security best practices.

A. Incorrect:

Nonconformity occurs when a process does not comply with ISO/IEC 27001 requirements. However, in this case, the classification system is correctly implemented.

B. Incorrect:

Anomaly refers to unexpected deviations in operations, but this is an intentional implementation.

Relevant Standard Reference:

ISO/IEC 27001:2022 Annex A Control A.5.12 (Information Classification Policy)