Scenario 6: Cyber ACrypt is a cybersecurity company that provides endpoint protection by offering anti-malware and device security, asset life cycle management, and device encryption. To validate its ISMS against ISO/IEC 27001 and demonstrate its commitment to cybersecurity excellence, the company underwent a meticulous audit process led by John, the appointed audit team leader.
Upon accepting the audit mandate, John promptly organized a meeting to outline the audit plan and team roles This phase was crucial for aligning the team with the audit's objectives and scope However, the initial presentation to Cyber ACrypt's staff revealed a significant gap in understanding the audit's scope and objectives, indicating potential readiness challenges within the company As the stage 1 audit commenced, the team prepared for on-site activities. They reviewed Cyber ACrypt's documented information, including the information security policy and operational procedures ensuring each piece conformed to and was standardized in format with author identification, production date, version number, and approval date Additionally, the audit team ensured that each document contained the information required by the respective clause of the standard This phase revealed that a detailed audit of the documentation describing task execution was unnecessary, streamlining the process and focusing the team's efforts on critical areas During the phase of conducting on-site activities, the team evaluated management responsibility for the Cyber Acrypt's policies This thorough examination aimed to ascertain continual improvement and adherence to ISMS requirements Subsequently, in the document, the stage 1 audit outputs phase, the audit team meticulously documented their findings, underscoring their conclusions regarding the fulfillment of the stage 1 objectives. This documentation was vital for the audit team and Cyber ACrypt to understand the preliminary audit outcomes and areas requiring attention.
The audit team also decided to conduct interviews with key interested parties. This decision was motivated by the objective of collecting robust audit evidence to validate the management system's compliance with ISO/IEC 27001 requirements. Engaging with interested parties across various levels of Cyber ACrypt provided the audit team with invaluable perspectives and an understanding of the ISMS's implementation and effectiveness.
The stage 1 audit report unveiled critical areas of concern. The Statement of Applicability (SoA) and the ISMS policy were found to be lacking in several respects, including insufficient risk assessment, inadequate access controls, and lack of regular policy reviews. This prompted Cyber ACrypt to take immediate action to address these shortcomings. Their prompt response and modifications to the strategic documents reflected a strong commitment to achieving compliance.
The technical expertise introduced to bridge the audit team's cybersecurity knowledge gap played a pivotal role in identifying shortcomings in the risk assessment methodology and reviewing network architecture. This included evaluating firewalls, intrusion detection and prevention systems, and other network security measures, as well as assessing how Cyber ACrypt detects, responds to, and recovers from external and internal threats. Under John's supervision, the technical expert communicated the audit findings to the representatives of Cyber ACrypt. However, the audit team observed that the expert s objectivity might have been compromised due to receiving consultancy fees from the auditee. Considering the behavior of the technical expert during the audit, the audit team leader decided to discuss this concern with the certification body.
Based on the scenario above, answer the following question:
Based on Scenario 6, is the audit team leader's decision regarding the technical expert's behavior acceptable?

• A.No, the audit team leader should have reported the issue directly to the top management instead
• B.No, questioning the expert's objectivity is not a valid reason for the audit team leader to discuss the matter with the certification body
• C.Yes, if the auditor is skeptical about the technical expert's objectivity, he must discuss his concerns with the certification body

Comment: *

Name: *

Email: *

Verification: *

Scenario 5: Cobt. an insurance company in London, offers various commercial, industrial, and life insurance solutions. In recent years, the number of Cobt's clients has increased enormously. Having a huge amount of data to process, the company decided that certifying against ISO/IEC 27001 would bring many benefits to securing information and show its commitment to continual improvement. While the company was well-versed in conducting regular risk assessments, implementing an ISMS brought major changes to its daily operations. During the risk assessment process, a risk was identified where significant defects occurred without being detected or prevented by the organizations internal control mechanisms.
The company followed a methodology to implement the ISMS and had an operational ISMS in place after only a few months After successfully implementing the ISMS, Cobt applied for ISO/IEC 27001 certification Sarah, an experienced auditor, was assigned to the audit Upon thoroughly analyzing the audit offer, Sarah accepted her responsibilities as an audit team leader and immediately started to obtain general information about Cobt She established the audit criteria and objective, planned the audit, and assigned the audit team members' responsibilities.
Sarah acknowledged that although Cobt has expanded significantly by offering diverse commercial and insurance solutions, it still relies on some manual processes Therefore, her initial focus was to gather information on how the company manages its information security risks Sarah contacted Cobt's representatives to request access to information related to risk management for the off-site review, as initially agreed upon for part of the audit However, Cobt later refused, claiming that such information is too sensitive to be accessed outside of the company This refusal raised concerns about the audit's feasibility, particularly regarding the availability and cooperation of the auditee and access to evidence Moreover, Cobt raised concerns about the audit schedule, stating that it does not properly reflect the recent changes the company made It pointed out that the actions to be performed during the audit apply only to the initial scope and do not encompass the latest changes made in the audit scope Sarah also evaluated the materiality of the situation, considering the significance of the information denied for the audit objectives. In this case, the refusal by Cobt raised questions about the completeness of the audit and its ability to provide reasonable assurance. Following these situations, Sarah decided to withdraw from the audit before a certification agreement was signed and communicated her decision to Cobt and the certification body. This decision was made to ensure adherence to audit principles and maintain transparency, highlighting her commitment to consistently upholding these principles.
Based on the scenario above, answer the following question:
Based on the information provided in Scenario 5, Cobt refused to provide the auditors with information on risk management. How would you, as an auditor, resolve such a situation?

• A.By only accessing such information on-site or when Cobt's representatives are present
• B.By refusing the audit mandate since it is within an auditor's right to do so when the confidentiality agreement is not followed
• C.By reminding Cobt's representatives that the audit team leader decides the access that the audit team should have to information during the audit process

Comment: *

Name: *

Email: *

Verification: *

You are conducting an Information Security Management System audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices.
Parcels typically contain pharmaceutical products, biological samples and documents such as passports and driving licences.
You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a non-conformity against clause 8.1 of ISO 27001:2022.
Which one option below that best describes the non-conformity you have identified?

• A.The organisation does not have an approved process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have corrected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational methods to meet information security requirements.
• B.The organisation does not have an audited process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have inaccurate information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational rules to meet information security requirements.
• C.The organisation does not have an effective process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational controls to meet information security requirements.
• D.The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have detailed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational procedures to meet information security requirements.
• E.The organisation does not have an efficient process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have protected information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational processes to meet information security requirements.

Comment: *

Name: *

Email: *

Verification: *

A telecommunications company uses the AES method for ensuring that confidential information is protected. This means that they use a single key to encrypt and decrypt the information. What kind of control does the company use?

• A.Detective
• B.Corrective
• C.Preventive

Comment: *

Name: *

Email: *

Verification: *

Please match the following situations to the type of audit required.

Correct Answer:

Explanation:
* Top management requests auditors from the organisation's compliance department to audit the production process in order to ensure the final product meets quality requirements = First-party audit
* Auditors from the buyer's organisation audit their raw material supplier to ensure the supply fulfils the order and contract = Second-party audit
* Auditors from an independent certification body conduct an audit of the organisation to verify
* conformity with an ISO Standard for certification purposes = Third-party audit
* The organisation has been audited against two management system standards in one audit = Combined audit Explanation: According to the ISO/IEC 27001 standard, there are three main categories of audits: internal, external, and certification1. An internal audit, also known as a first-party audit, is an audit conducted by the organisation itself, or by an external party on its behalf, for management review and other internal purposes12. An external audit, also known as a second-party audit, is an audit conducted by a customer or other interested party on a supplier or contractor to verify compliance with contractual or other requirements12. A certification audit, also known as a third-party audit, is an audit conducted by an independent certification body to verify conformity with an ISO standard for certification purposes12. A combined audit is an audit where two or more management system standards are audited together3.
References: 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 192: ISO 27001 Audit Types and How They are Conducted23: The Four ISO 27001 Audit Categories, Explained4

Comment: *

Name: *

Email: *

Verification: *