Who are allowed to access highly confidential files?
Correct Answer: A
Explanation According to ISO/IEC 27001:2022, clause 8.2.1, the organization shall ensure that access to information and information processing facilities is limited to authorized users based on the access control policy and in accordance with the business requirements of access control2. Therefore, only employees with a business need-to-know are allowed to access highly confidential files, and not contractors, non-employees or employees with signed NDA. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA
Question 47
An audit team leader is planning a follow-up audit after the completion of a third-party surveillance audit earlier in the year. They have decided they will verify the nonconformities that require corrections before they move on to consider corrective actions. Based on the descriptions below, which four of the following are corrections for nonconformities identified at the surveillance?
Correct Answer: A,B,C,E
According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, a correction is an action to eliminate a detected nonconformity, such as rework, repair, or replacement1. The examples of A, B, C, and E are corrections because they fix the errors or defects that caused the nonconformities, such as a missing signature, a missing guide, a wrong date, or a wrong colour code. The other examples (D, F, G, and H) are not corrections, but corrective actions, because they address the root causes of the nonconformities, such as inadequate training, poor planning, ineffective documentation, or unclear responsibility2. Reference: 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 35, section 4.5.12: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 36, section 4.5.2.
Question 48
Which two of the following actions are the individual(s) managing the audit programme responsible for?
Correct Answer: A,D
Explanation Establishing the audit programme objectives, scope and criteria Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. Selecting and appointing the audit team leaders and auditors Reviewing and approving the audit plans and arrangements Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc. Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities Monitoring and reviewing the performance and results of the audit programme and the audit teams Evaluating the feedback and satisfaction of the auditees and other interested parties Identifying and implementing the opportunities for improvement of the audit programme The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors12: Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc. Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc. Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee Defining the plan of an individual audit, which includes the audit schedule, the audit activities, the audit methods, the audit documents, etc. References: ISO 19011:2018 - Guidelines for auditing management systems PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-20
Question 49
Correct Answer:
Explanation An audit finding is the result of the evaluation of the collected audit evidence against audit criteria.
Question 50
Select two options that describe an advantage of using a checklist.
Correct Answer: C,D
A checklist is a tool that helps auditors to collect and verify information relevant to the audit objectives and scope. It can provide the following advantages: Ensuring relevant audit trails are followed: A checklist can help auditors to identify and trace the sources of evidence that support the conformity or nonconformity of the audited criteria. It can also help auditors to avoid missing or overlooking any important aspects of the audit. Ensuring the audit plan is implemented: A checklist can help auditors to follow and fulfil the audit plan, which describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. It can also help auditors to manage their time and resources effectively and efficiently. The other options are not advantages of using a checklist, but rather: Using the same checklist for every audit without review: This is a disadvantage of using a checklist, as it can lead to a rigid and ineffective audit approach. A checklist should be tailored and adapted to each specific audit, taking into account the context, risks, and changes of the auditee and the audit criteria. A checklist should also be reviewed and updated periodically to ensure its validity and relevance. Restricting interviews to nominated parties: This is a disadvantage of using a checklist, as it can limit the scope and depth of the audit. A checklist should not prevent auditors from interviewing other relevant parties or sources of information that may provide valuable evidence or insights for the audit. A checklist should be used as a guide, not as a constraint. Reducing audit duration: This is not necessarily an advantage of using a checklist, as it depends on various factors, such as the complexity, size, and maturity of the auditee's ISMS, the availability and quality of evidence, the competence and experience of the auditors, and the level of cooperation and communication between the auditors and the auditee. A checklist may help reduce audit duration by improving efficiency and organization, but it may also increase audit duration by requiring more evidence or verification. Not varying from the checklist when necessary: This is a disadvantage of using a checklist, as it can result in a superficial or incomplete audit. A checklist should not prevent auditors from exploring or investigating any issues or concerns that arise during the audit, even if they are not included in the checklist. A checklist should be used as a support, not as a substitute. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB ISO 19011:2018 Guidelines for auditing management systems [Section 6.2.2]
