Free Access to PECB.ISO-IEC-27001-Lead-Auditor.v2025-07-02.q187 with Valid Practice Test (Page 8)

Question 31

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-
1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.
The IT Manager presented the software security management procedure and summarised the process as following:
The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:
Access control.
Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and Personal data pseudonymization.
Vulnerability checked and no security backdoor
You sample the latest Mobile App Test report, details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorised to approve the test.
The IT Manager explains the test results should be approved by him according to the software security management procedure.
The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.
You are preparing the audit findings. Select the correct option.

A.There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service.
(Relevant to clause 8.1, control A.8.30)
B.There is a nonconformity (NC). The organisation and developer do not perform acceptance tests.
(Relevant to clause 8.1, control A.8.29)
C.There is a nonconformity (NC). The organisation and developer perform security tests that fail.
(Relevant to clause 8.1, control A.8.29)
D.There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

Question 32

Question 33

Which of the following is not a type of Information Security attack?

A.Legal Incidents
B.Vehicular Incidents
C.Technical Vulnerabilities
D.Privacy Incidents

Question 34

You are an experienced audit team leader guiding an auditor in training.
Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that would you expect the auditor in training to review.

A.Confidentiality and nondisclosure agreements
B.How protection against malware is implemented
C.Information security awareness, education and training
D.Remote working arrangements
E.The conducting of verification checks on personnel
F.The operation of the site CCTV and door control systems
G.The organisation's arrangements for information deletion
H.The organisation's business continuity arrangements

Correct Answer: A,C,D,E

The four controls from the list that the auditor in training should review are:
*A. Confidentiality and nondisclosure agreements: This control requires the organisation to ensure that all employees, contractors, and third parties who have access to sensitive information sign appropriate agreements that oblige them to protect the confidentiality and integrity of such information. This is especially important for an organisation that stores data on behalf of external clients, as it demonstrates its commitment to safeguarding their information assets and complying with their contractual obligations.
*C. Information security awareness, education and training: This control requires the organisation to provide regular and relevant information security awareness, education and training to all employees, contractors, and third parties who have access to the organisation's information systems and information assets. This is essential for ensuring that they are aware of their roles and responsibilities, the information security policies and procedures, the potential threats and risks, and the best practices for preventing and responding to information security incidents.
*D. Remote working arrangements: This control requires the organisation to establish and implement policies and procedures for managing the information security risks associated with remote working arrangements, such as teleworking, mobile working, or working from home. This includes defining the conditions and requirements for remote working, such as the authorised devices, applications, and networks, the encryption and authentication methods, the backup and recovery procedures, and the reporting and monitoring mechanisms. This is important for an organisation that stores data on behalf of external clients, as it ensures that the information security level is maintained regardless of the location of the workers and the devices they use.
*E. The conducting of verification checks on personnel: This control requires the organisation to conduct appropriate verification checks on the background, qualifications, and references of all employees, contractors, and third parties who have access to the organisation's information systems and information assets. This is necessary for verifying their identity, suitability, and trustworthiness, and for preventing the hiring of unauthorised or malicious individuals who could compromise the information security of the organisation and its clients.
References: = ISO/IEC 27001:2022, Annex A, clauses A.5.7, A.7.2, A.7.3, and A.7.4; ISO 27001 People Controls: How personnel ensures information security; What are the 11 new security controls in ISO
27001:2022? - Advisera.

Question 35

What type of legislation requires a proper controlled purchase process?

A.Personal data protection act
B.Computer criminality act
C.Government information act
D.Intellectual property rights act

Question 31

Question 32

Question 33

Question 34

Question 35

Download PDF File