You are an ISMS auditor conducting a third-party surveillance audit of a telecom's provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming. You ask the Chief Tester why and she says, 'It's a result of the recent ISMS upgrade'. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients' configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made'. Based solely on the information above, which clause of ISO to raise a nonconformity against' Select one.
Correct Answer: B
Explanation According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 8.1 requires an organization to plan, implement and control its processes needed to meet ISMS requirements2. This includes determining what needs to be done, how it will be done, who will do it, when it will be done, what resources are required, how performance will be evaluated, etc2. Therefore, if an ISMS auditor conducting a third-party surveillance audit of a telecom's provider notes that there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming due to a recent ISMS upgrade that reduced access to work instructions, this indicates a nonconformity against clause 8.1 of ISO/IEC 27001:2022. The organization has failed to plan and control its operational processes effectively to ensure information security and quality2. The other options are not correct clauses to raise a nonconformity against based solely on this information. For example, clause 7.5 deals with documented information required by ISMS or determined by an organization as necessary for its effectiveness2, but it does not specify how many copies or formats of work instructions should be available; clause 10.2 deals with nonconformity and corrective action as a response to an identified problem or incident2, but it does not address how to prevent or avoid such problems or incidents in operational processes; clause 7.3 deals with awareness of ISMS policy, objectives, roles and responsibilities among persons doing work under an organization's control2, but it does not relate to how work instructions are accessed or followed; clause 7.2 deals with competence of persons doing work under an organization's control that affects its ISMS performance2, but it does not imply that lack of competence is caused by insufficient work instructions; clause 7.4 deals with communication about ISMS among internal and external interested parties2, but it does not cover how operational information is communicated within an organization. References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements
Question 142
During a third-party certification audit, you are presented with a list of issues by an auditee. Which four of the following constitute 'internal' issues in the context of a management system to ISO 27001:2022?
Correct Answer: C,D,E,G
According to ISO 27001:2022 clause 4.1, the organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system (ISMS)12 External issues are factors outside the organisation that it cannot control, but can influence or adapt to. They include political, economic, social, technological, legal, and environmental factors that may affect the organisation's information security objectives, risks, and opportunities12 Internal issues are factors within the organisation that it can control or change. They include the organisation's structure, culture, values, policies, objectives, strategies, capabilities, resources, processes, activities, relationships, and performance that may affect the organisation's information security management system12 Therefore, the following issues are considered 'internal' in the context of a management system to ISO 27001:2022: * Poor levels of staff competence as a result of cuts in training expenditure: This is an internal issue because it relates to the organisation's capability, resource, and process of developing and maintaining the competence of its personnel involved in the ISMS. The organisation can control or change its training expenditure and its impact on staff competence12 * Poor morale as a result of staff holidays being reduced: This is an internal issue because it relates to the organisation's culture, value, and relationship with its employees. The organisation can control or * change its staff holiday policy and its impact on staff morale12 * Increased absenteeism as a result of poor management: This is an internal issue because it relates to the organisation's performance, structure, and accountability of its management. The organisation can control or change its management practices and its impact on staff absenteeism12 * A fall in productivity linked to outdated production equipment: This is an internal issue because it relates to the organisation's capability, resource, and process of ensuring the availability and suitability of its production equipment. The organisation can control or change its equipment maintenance and upgrade and its impact on productivity12 The following issues are considered 'external' in the context of a management system to ISO 27001:2022: * Higher labour costs as a result of an aging population: This is an external issue because it relates to the social and demographic factor that affects the availability and cost of labour in the market. The organisation cannot control or change the aging population, but can influence or adapt to its impact on labour costs12 * A rise in interest rates in response to high inflation: This is an external issue because it relates to the economic and monetary factor that affects the cost and availability of capital in the market. The organisation cannot control or change the interest rates or inflation, but can influence or adapt to its impact on capital costs12 * A reduction in grants as a result of a change in government policy: This is an external issue because it relates to the political and legal factor that affects the availability and conditions of public funding for the organisation. The organisation cannot control or change the government policy, but can influence or adapt to its impact on grants12 * Inability to source raw materials due to government sanctions: This is an external issue because it relates to the political and legal factor that affects the availability and cost of raw materials in the market. The organisation cannot control or change the government sanctions, but can influence or adapt to its impact on raw materials12 References: 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2
Question 143
Select the words that best complete the sentence: To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.
Correct Answer:
Explanation: competence of the audit team and decision made by the certification body According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, an accredited certification means that the certification body has been evaluated by an accreditation body against recognized standards to demonstrate its competence, impartiality and performance capability1. Therefore, an accredited certification assures the competence of the audit team that conducts the audit in accordance with ISO 19011 and ISO/IEC 27001:2022, and the decision made by the certification body that grants or maintains the certification based on the audit evidence and findings2. References: ISO/IEC 17021-1:2015 - Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements, ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA
Question 144
An auditor of organisation A performs an audit of supplier B. Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?
Correct Answer: A,D
Explanation According to the PECB Candidate Handbook1, one of the principles of auditing is confidentiality, which means that auditors should respect the confidentiality of information obtained during the audit and not disclose it to unauthorized parties. The handbook also states that auditors should only report audit results to those who have a legitimate need to know, such as the client, the auditee, and the certification body. Therefore, sharing the findings with other relevant managers in A or B's other customers would be a breach of confidentiality, as they are not directly involved in the audit process or the information security management system of B. Sharing the findings with B's Information Security Manager or other relevant managers in B would be appropriate, as they are part of the auditee organization and responsible for the implementation and improvement of the ISMS. Sharing the findings with A's supplier evaluation team or B's certification body would also be acceptable, as they have a legitimate need to know the audit results for the purpose of supplier selection or certification, respectively. References: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 7-8.
Question 145
The following are the guidelines to protect your password, except:
