Free Access to PECB.ISO-IEC-27001-Lead-Auditor.v2025-07-02.q187 with Valid Practice Test (Page 12)

Question 51

Which controls are related to the Annex A controls of ISO/IEC 27001 and are often selected from other guides and standards or defined by the organization to meet its specific needs?

A.General controls
B.Strategic controls
C.Specific controls

Question 52

You are an experienced ISMS audit team leader who is currently conducting a third party initial certification audit of a new client, using ISO/IEC 27001:2022 as your criteria.
It is the afternoon of the second day of a 2-day audit, and you are just about to start writing your audit report.
So far no nonconformities have been identified and you and your team have been impressed with both the site and the organisation's ISMS.
At this point, a member of your team approaches you and tells you that she has been unable to complete her assessment of leadership and commitment as she has spent too long reviewing the planning of changes.
Which one of the following actions will you take in response to this information?

A.Apologise to the client and tell them you will return at a later date to review leadership and commitment.
B.Suggest to the client that if they are prepared to upgrade your return flight to first class you will audit leadership and commitment in your own time tomorrow.
C.Advise the auditee and audit client that it is not possible to make a positive recommendation at this point.
D.Advise the auditee that the certification audit will need to be terminated and rescheduled.
E.Contact the individual managing the audit programme and seek their permission to record a positive recommendation in the audit report.
F.Contact your head office and await their further instructions of how to proceed.
G.Given there have been no nonconformities identified and the overall impression of the organisation has been a good one, record a positive recommendation for certification in the audit report.
H.Review the audit plan and client availabilities to determine whether there is any opportunity for another member of your team to pick up this task before the closing meeting.

Question 53

An organization does not check the source code of the updated version of an application when it is updated automatically. Thus, the application may be open to unauthorized modifications. This represents a _________________ that may impact information
___________________

A.Threat, (2) confidentiality
B.Risk, (2) availability
C.Vulnerability, (2) integrity

Question 54

Which option below about the ISMS scope is correct?

A.ISMS scope should be available as documented information
B.ISMS scope should ensure continual improvement
C.ISMS scope should be compatible with the strategic orientation of the organization

Question 55

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.
You find all nursing home residents wear an electronic wristband for monitoring their location, heartbeat, and blood pressure always. You learned that he electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.
To verify the scope of ISMS, you interview the management system representative (MSR) who explains that the ISMS scope covers an outsourced data center.
Select four options for the clauses and/or controls of ISO/IEC 27001:2022 that are directly relevant to the verification of the scope of the ISMS.

A.Control 5.3 Organizational roles, responsibilites and authorities
B.Clause 4.2 Understanding the needs and expectations of interested parties
C.Control 5.3 Legal, statutory, regulatory and contractual requirements
D.Control 6.3 Information security awareness, education, and training
E.Clause 5.2 Policy
F.Clause 4.1 Understanding the organization and its context
G.Control 7.6 Working in secure areas
H.Clause 4.3 Determining the scope of the information security management system

Correct Answer: B,E,F,H

Explanation
B: This clause requires the organisation to determine the interested parties that are relevant to the ISMS, and the requirements of these interested parties12. This clause is relevant to the verification of the scope of the ISMS because it helps the organisation to identify the stakeholders that have an influence or an interest in the information security of the organisation, such as customers, suppliers, regulators, employees, etc. The organisation should also consider the needs and expectations of these interested parties when defining the scope of the ISMS, and ensure that they are met and communicated.
E: This clause requires the organisation to establish an information security policy that provides the framework for setting the information security objectives and guiding the information security activities13. This clause is relevant to the verification of the scope of the ISMS because it helps the organisation to define the direction and principles of the ISMS, and to align them with the strategic goals and context of the organisation. The information security policy should also be consistent with the scope of the ISMS, and should be communicated and understood within the organisation and by relevant interested parties.
F: This clause requires the organisation to determine the internal and external issues that are relevant to the purpose and the context of the organisation, and that affect its ability to achieve the intended outcomes of the ISMS14. This clause is relevant to the verification of the scope of the ISMS because it helps the organisation to understand the factors and conditions that influence the information security of the organisation, such as the legal, technological, social, economic, environmental, etc. The organisation should also monitor and review these issues, and consider them when defining the scope of the ISMS.
H: This clause requires the organisation to determine the boundaries and applicability of the ISMS to establish its scope15. This clause is relevant to the verification of the scope of the ISMS because it helps the organisation to describe the information and processes that are included in the ISMS, and to document the scope in a clear and concise manner. The organisation should also consider the issues, requirements, and interfaces identified in clauses 4.1, 4.2, and 4.3 when determining the scope of the ISMS, and ensure that the scope is appropriate to the nature and scale of the organisation.
References:
1: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 17 2: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, clause
4.2 3: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, clause 5.2 4: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, clause 4.1 5: ISO/IEC
27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, clause 4.3

Question 51

Question 52

Question 53

Question 54

Question 55

Download PDF File