Free Access to PECB.ISO-IEC-27001-Lead-Auditor.v2025-07-02.q187 with Valid Practice Test (Page 17)

Question 76

The following are purposes of Information Security, except:

A.Ensure Business Continuity
B.Minimize Business Risk
C.Increase Business Assets
D.Maximize Return on Investment

Question 77

You are an audit team leader conducting a third-party surveillance audit of a telecom services provider. You have assigned responsibility for auditing the organisation's information security objectives to a junior member of your audit team. Before they begin their assessment, you ask them the following question to check their understanding of the requirements of ISO/IEC 27001:2022.
Which four of the following criteria must Information security objectives fulfil?

A.They must be communicated appropriately
B.They must be available as documented information
C.They must always be measured
D.They must always be monitored
E.They must be reviewed annually
F.They must be clear and unambiguous
G.They must be consistent with the IS Policy
H.They must be achievable

Correct Answer: A,B,G,H

According to ISO/IEC 27001:2022, clause 6.2, information security objectives are the specific results that an organisation intends to achieve with its information security management system (ISMS). The standard specifies that information security objectives must fulfil the following criteria:
They must be communicated appropriately (A): The organisation must ensure that the relevant internal and external parties are informed about the information security objectives and their roles and responsibilities in achieving them. This can help to create awareness, commitment, and accountability for information security. This criterion is related to clause 6.2.2 of ISO/IEC 27001:2022.
They must be available as documented information (B): The organisation must maintain and retain documented information on the information security objectives, including their scope, level, indicators, and time frame. This can help to provide evidence, traceability, and consistency for information security. This criterion is related to clause 6.2.1 of ISO/IEC 27001:2022.
They must be consistent with the IS Policy (G): The organisation must ensure that the information security objectives are aligned with the information security policy, which is the top-level statement of the organisation's intentions and direction for information security. This can help to support the strategic objectives and the context of the organisation. This criterion is related to clause 5.2 of ISO/IEC 27001:2022.
They must be achievable (H): The organisation must ensure that the information security objectives are realistic and attainable, considering the available resources, capabilities, and constraints. This can help to avoid setting unrealistic or unfeasible expectations and to monitor and measure the progress and performance of information security. This criterion is related to clause 6.2.1 of ISO/IEC 27001:2022.
Reference:
ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements1 PECB Candidate Handbook ISO/IEC 27001 Lead Auditor2 ISO 27001:2022 Lead Auditor - PECB3 ISO 27001:2022 certified ISMS lead auditor - Jisc4 ISO/IEC 27001:2022 Lead Auditor Transition Training Course5 ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy6

Question 78

How are internal audits and external audits related?

A.Internal audits ensure that the organization regularly monitors the external audit reports and action plans
B.Internal audits ensure the implementation of the corrective actions before the organization is recommended for certification by the external auditor
C.Internal audits and external audits are included in the certification cycle, which ensures the monitoring of the management system on a regular basis

Question 79

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymisation tests failed. Also, whether the Service Manager is authorised to approve the test.
The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.
You are preparing the audit findings. Select the correct option.

A.There is a nonconformity (NC). The organisation and developer do not perform acceptance tests.
(Relevant to clause 8.1, control A.8.29)
B.There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)
C.There is a nonconformity (NC). The organisation and developer perform security tests that fail.
(Relevant to clause 8.1, control A.8.29)
D.There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service.
(Relevant to clause 8.1, control A.8.30)

Question 80

Which one of the following options is the definition of an interested party?

A.A third party can appeal to an organisation when it perceives itself to be affected by a decision or activity
B.A person or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity
C.A group or organisation that can interfere in or perceive itself to be interfered with by a management decision
D.An individual or organisation that can control, be controlled by, or perceive itself to be controlled by a decision or activity

Question 76

Question 77

Question 78

Question 79

Question 80

Download PDF File