What is the relationship between data and information?
Correct Answer: B
Explanation Information is the meaning and value assigned to a collection of data. Data is a set of facts, figures, symbols or characters that can be processed by a computer or other means; by itself it has no inherent meaning or context. Information is data that has been processed, organised, interpreted or presented in a way that makes it useful or meaningful for a specific purpose or audience, and it can be used to convey knowledge, support decision making or communicate messages. Note that ISO/IEC 27001:2022 does not define these terms itself: its clause 3 states that the terms and definitions of ISO/IEC 27000 apply. The wording used across the ISO vocabulary standards is consistent with the above, describing data as a "representation of facts, concepts or instructions in a formalized manner suitable for communication, interpretation or processing by humans or by automatic means" and information as "meaningful data". References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course; ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements; What is Data and Information?
Question 102
An external auditor received an offer to conduct an ISMS audit at a research and development company. Before accepting it, they discussed previous audit reports with the auditee's internal auditor, who is a friend of theirs. Is this acceptable?
Correct Answer: C
Explanation No, the auditor should uphold objectivity even when deciding whether or not to accept the audit mandate. Discussing previous audit reports with a friend who is the auditee's internal auditor may compromise the external auditor's objectivity and independence.
Question 103
There is a network printer in the hallway of the company where you work. Many employees do not pick up their printouts immediately and leave them on the printer. What are the consequences of this for the reliability of the information?
Correct Answer: D
Question 104
During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new overseas site that the organisation has expanded into since the certification application was made. Select two options for how the auditor should respond.
Correct Answer: A,D
Explanation The correct options for how the auditor should respond are:
* A. Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures.
* D. Determine whether the management system covers the processes at the new site and, if so, proceed with the audit.
These options are consistent with ISO/IEC 27006:2015, which requires that any change to the scope of certification be notified by the client to the certification body, and that the certification body evaluate and decide on the change in accordance with its own procedures. The auditor should also verify that the ISMS is implemented and maintained at every site included in the scope of certification. The other options are not appropriate:
* B. Advise the MSR that the audit scope has been determined based on their initial application, so the audit has to proceed as planned: too rigid. The auditor should be open to considering changes to the scope of certification that have occurred since the initial application, provided they are properly notified to and evaluated by the certification body.
* C. Suggest that the MSR cancels the audit contract and reapplies for the new situation: too drastic and unnecessary, as it would cause delays and costs for both the client and the certification body. The auditor should instead point the client to the established procedures for requesting and approving an extension of the scope of certification.
* E. Advise the MSR that, within the existing scope, the new work area can be included without any problem: too lenient, as it does not ensure that the new site meets the requirements of ISO/IEC 27001 and of the ISMS. The auditor must verify that the ISMS is implemented and maintained at the new site, and any change to the scope of certification must be approved by the certification body.
* F. Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area: too presumptuous, as the decision belongs to the certification body, not to the auditor. The auditor should pass the client's request for an extension of scope to the certification body and wait for its decision.
Question 105
You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly. They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements. Which three of the following options represent valid audit trails?
Correct Answer: D,F,G
Explanation These three options represent valid audit trails for control 5.7, as they are aligned with the control's requirements and objectives. Control 5.7 requires the organisation to collect and analyse information relating to information security threats and to use that information to take mitigation actions. The control's guidance also states that threat intelligence should be relevant, insightful, contextual and actionable, and that it should be used to help prevent, detect or respond to threats. The auditor should therefore verify how the organisation collects, analyses and produces threat intelligence, how it uses that intelligence to protect its information assets, and how it monitors and evaluates the effectiveness of its threat intelligence arrangements. The other options are not valid audit trails, as they are irrelevant, incorrect or incomplete:
* The task of producing threat intelligence is not assigned to the organisation's internal audit team but to the person or team responsible for the ISMS, such as the information security manager or the information security committee.
* The organisation's risk assessment process does not begin with threat intelligence but with establishing the context, scope and objectives of the ISMS. Threat intelligence is an input to risk identification and analysis, not the starting point of the risk assessment process.
* Speaking to top management to make sure all staff are aware of the importance of reporting threats is not sufficient to audit the control, as it addresses neither how the organisation collects, analyses and produces threat intelligence nor how it uses it to take mitigation actions. The auditor should also speak to the staff involved in the threat intelligence process and review the relevant documents and records.
* Checking that the organisation has a fully documented threat intelligence process is not enough to audit the control, as documentation alone does not demonstrate implementation or effectiveness. The auditor should also observe the process in action and examine its outputs and outcomes.
* Determining whether internal and external sources of information are used in the production of threat intelligence is only a partial audit trail, as it covers one aspect of the control. The auditor should also assess the quality, reliability and relevance of the sources, and how the information is analysed and used.
References:
1. ISO 27001:2022 Annex A 5.7 - Threat Intelligence - ISMS.online
2. ISO 27001 Annex A 5.7 Threat Intelligence - High Table
3. ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clause A.5.7
4. ISO 27002 Emphasizes Need For Threat Intelligence - Rapid7
5. ISO/IEC 27007:2011 Information technology - Security techniques - Guidelines for information security management systems auditing, clause 6.3.2
6. ISO 27001 Statement of Applicability [Updated 2024] - Sprinto
7. ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clause 6.1.1
8. ISO 27001 Requirement 6.1.1 - Actions to address risks and opportunities | ISMS.online