Free Access to PECB.ISO-IEC-27001-Lead-Auditor.v2026-01-12.q371 with Valid Practice Test (Page 29)

Question 136

You are the lead auditor of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks.
What is this risk strategy called?

A.Risk bearing
B.Risk avoidance
C.Risk neutral
D.Risk skipping

Question 137

You are an experienced ISMS audit team leader guiding an auditor in training. You are testing her understanding of follow-up audits by asking her a series of questions to which the answer is either "true* or
'false'. Which four of the following questions should the answer be true"'

A.A follow-up audit may be carried out where nonconformities are major
B.A follow-up audit may be carried out where nonconformities are minor
C.The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified
D.The outcome of a follow-up audit could lower a major nonconformity to minor status
E.The outcome of a follow-up audit could be a recommendabon to suspend the client's certification
F.The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client
G.A follow-up audit is required in all instances where nonconformities have been identified
H.A follow-up audit is required only in instances where a major nonconformity has been identified

Correct Answer: A,B,C,F

Explanation
A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization's management system to achieve its intended results, and therefore requires immediate corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system12.
A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system12.
The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because the top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee13.
The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee13.
References :=
ISO 19011:2022 Guidelines for auditing management systems
ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements ISO/IEC 17021-1:2022 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements

Question 138

CMM stands for?

A.Capability Maturity Matrix
B.Capacity Maturity Matrix
C.Capability Maturity Model
D.Capable Mature Model

Question 139

Which measure is a preventive measure?

A.Putting sensitive information in a safe
B.Installing a logging system that enables changes in a system to be recognized
C.Shutting down all internet traffic after a hacker has gained access to the company systems

Question 140

Select the words that best complete the sentence to describe an audit finding.

Question 136

Question 137

Question 138

Question 139

Question 140

Download PDF File