As the ISMS audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.
Complete the sentence with the best word(s), dick on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Correct Answer:

Explanation
The purpose of including access rights in an information management system to ISO/IEC 27001:2022 is to provide, review, modify and remove these permissions in accordance with the organisation's policy and rules for access control.
Access rights are the permissions granted to users or groups of users to access, use, modify, or delete information assets. Access rights should be aligned with the organisation's access control policy, which defines the objectives, principles, roles, and responsibilities for managing access to information systems.
Access rights should also follow the organisation's rules for access control, which specify the criteria, procedures, and controls for granting, reviewing, modifying, and revoking access rights. The purpose of including access rights in an information management system is to ensure that only authorised users can access information assets according to their business needs and roles, and to prevent unauthorised or inappropriate access that could compromise the confidentiality, integrity, or availability of information assets. References:
* ISO/IEC 27001:2022 Annex A Control 5.181
* ISO/IEC 27002:2022 Control 5.182
* CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Training Course3

Comment: *

Name: *

Email: *

Verification: *

Which six of the following actions are the individual(s) managing the audit programme responsible for?

• A.Selecting the audit team
• B.Retaining documented information of the audit results
• C.Defining the objectives, scope and criteria for an individual audit
• D.Defining the plan of an individual audit
• E.Establishing the extent of the audit programme
• F.Establishing the audit programme
• G.Determining the resources necessary for the audit programme
• H.Communicating with the auditee during the audit

Comment: *

Name: *

Email: *

Verification: *

Which two of the following statements are true?

• A.Responsibility for managing the audit programme rests with the audit team leader.
• B.The audit plan describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.
• C.Once agreed, the audit plan is fixed and cannot be changed during the conducting of the audi.
• D.The audit programme describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.
• E.The audit plan describes the activities and arrangements for an audit.
• F.The audit programme describes the activities and arrangements for an audit.

Comment: *

Name: *

Email: *

Verification: *

Select the words that best complete the sentence:
"The purpose of maintaining regulatory compliance in a management system is to To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Correct Answer:

Explanation:

According to ISO 27001:2013, clause 5.2, the top management of an organization must establish, implement and maintain an information security policy that is appropriate to the purpose of the organization and provides a framework for setting information security objectives. The information security policy must also include a commitment to comply with the applicable legal, regulatory and contractual requirements, as well as any other requirements that the organization subscribes to. Therefore, maintaining regulatory compliance is part of fulfilling the management system policy and ensuring its effectiveness and suitability. References:
* ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, clause 5.2
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 10
* ISO 27001 Policy: How to write it according to ISO 27001

Comment: *

Name: *

Email: *

Verification: *

Which is not a requirement of HR prior to hiring?

• A.Undergo background verification
• B.Applicant must complete pre-employment documentation requirements
• C.Must undergo Awareness training on information security.
• D.Must successfully pass Background Investigation

Comment: *

Name: *

Email: *

Verification: *