How does the use of new technologies such as big data impact auditing?

• A.It presents new challenges, for example, combining structured and unstructured data
• B.It enhances the audit quality by enabling auditors to collect higher quality audit evidence
• C.It causes significant disruptions, for example, introducing data that is too large or complex for processing by traditional database management tools

Comment: *

Name: *

Email: *

Verification: *

Which of the following does a lack of adequate security controls represent?

• A.Vulnerability
• B.Asset
• C.Threat
• D.Impact

Comment: *

Name: *

Email: *

Verification: *

You are an experienced ISMS audit team leader, assisting an auditor in training to write their first audit report.
You want to check the auditor in training's understanding of terminology relating to the contents of an audit report and chose to do this by presenting the following examples.
For each example, you ask the auditor in training what the correct term is that describes the activity Match the activity to the description.

Correct Answer:

Explanation
1. An auditor using a copy of ISO/IEC 27001:2022 to check that its requirements are met:
Termed: Reviewing audit criteria.
Justification: The auditor is comparing the auditee's information security management system (ISMS) against the established criteria outlined in the ISO/IEC 27001:2022 standard. This activity falls under the use of audit criteria to determine conformity or nonconformity.
2. An auditor's note that the auditee is not adhering to its clear desk policy:
Termed: Identifying an audit finding.
Justification: The auditor has observed a deviation from the auditee's established policy on clear desks. This observation is documented as a potential nonconformity, which requires further investigation and evaluation.
3. An auditor making a decision regarding the auditee's conformity or otherwise to criteria:
Termed: Determining an audit conclusion.
Justification: Based on the collected audit evidence and evaluation against the established criteria, the auditor forms an opinion about the overall compliance of the auditee's ISMS. This opinion is the audit conclusion and is a key element of the audit report.
4. An auditor examining verifiable records relevant to the audit process:
Termed: Collecting audit evidence.
Justification: The auditor is gathering objective and verifiable information to support their findings and conclusions. This information comes from various sources, including documents, records, interviews, and observations.

Comment: *

Name: *

Email: *

Verification: *

The auditor used sampling to ensure that event logs recording information security events are maintained and regularly reviewed. Sampling was based on the audit objectives, whereas the sample selection process was based on the probability theory. What type of sampling was used?

• A.Statistical sampling
• B.Judgment-based sampling
• C.Systematic sampling

Comment: *

Name: *

Email: *

Verification: *

You are conducting an ISMS audit. The next step in your audit plan is to verify that the organisation's information security risk treatment plan has been established and implemented properly. You decide to interview the IT security manager.
You: Can you please explain how the organisation performs its information security risk assessment and treatment process?
IT Security Manager: We follow the information security risk management procedure which generates a risk treatment plan.
Narrator: You review risk treatment plan No. 123 relating to the planned installation of an electronic (invisible) fence to improve the physical security of the nursing home. You found the risk treatment plan was approved by IT Security Manager.
You: Who is responsible for physical security risks?
IT Security Manager: The Facility Manager is responsible for the physical security risk. The IT department helps them to monitor the alarm. The Facility Manager is authorized to approve the budget for risk treatment plan No. 123.
You: What residual information security risks exist after risk treatment plan No. 123 was implemented?
IT Security Manager: There is no information for the acceptance of residual information security risks as far as I know.
You prepare your audit findings. Select three options for findings that are justified in the scenario.

• A.Nonconformity (NC) - The information for the acceptance of residual information security risks should be updated after the risk treatment is implemented. Clause 6.1.3.f
• B.There is an opportunity for improvement (OI) to conduct security checks on the perimetre fence
• C.There is an opportunity for improvement (OI) once the Electronic (invisible) fence is installed.
  Residents' physical security is improved
• D.Nonconformity (NC) - Top management must ensure that the resources needed for the ISMS are available. Clause 5.1.c
• E.Nonconformity (NC) - The IT security manager should be aware of and understand his authority and area of responsibility. Clause 7.3
• F.Nonconformity (NC) - The organization should provide the resources needed for the continual improvement of the ISMS. Clause 7.1
• G.Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the Facility Manager in this case. Clause 6.1.3.f
• H.It is good practice to adopt state-of-the-art technology as part of the continual improvement process

Comment: *

Name: *

Email: *

Verification: *