You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity against ISO 27001:2022 based on the lack of control of the labelling process.
At the closing meeting, the Shipping Manager issues an apology to you that his comments may have been misunderstood. He says that he did not realise that there is a background IT process that automatically checks that the right label goes onto the right parcel otherwise the parcel is ejected at labelling. He asks that you withdraw your nonconformity.
Select three options of the correct responses that you as the audit team leader would make to the request of the Shipping Manager.

• A.Advise the Shipping Manager that his request will be included in the audit report
• B.Advise management that the new information provided will be discussed when the auditors have more time
• C.Inform the Shipping Manager that the nonconformity is minor and should be quickly corrected
• D.Ask the audit team members to state what they think should happen
• E.Inform him of your understanding and withdraw the nonconformity
• F.Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed
• G.Advise the Shipping Manager that the nonconformity must stand since the evidence obtained for it was dear
• H.Indicate that the nonconformity is evidence of a deeper system failure that needs to be rectified

Comment: *

Name: *

Email: *

Verification: *

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.
The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organisation outsourced the mobile app development to a professional software development organisation with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.
The IT Manager presents the software security management procedure and summarises the process as follows:
The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:
Access control.
Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and Personal data pseudonymization.
Vulnerability checked and no security backdoor
You sample the latest Mobile App Test report - Reference ID: 0098, details as follows:


You would like to investigate other areas further to collect more audit evidence. Select three options that will not be in your audit trail.

• A.Collect more evidence on how much residents' family members pay to install ABC's healthcare mobile app. (Relevant to clause 4.2)
• B.Collect more evidence by downloading and testing the mobile app on your phone. (Relevant to control A.8.1)
• C.Collect more evidence to determine the number of users of ABC's healthcare mobile app. (relevant to clause 4.2)
• D.Collect more evidence on how the organisation performs testing of personal data handling. (Relevant to control A.5.34)
• E.Collect more evidence on the organisation's business continuity policy. (Relevant to control A.5.30)
• F.Collect more evidence on how the organisation manages information security in the selection of an external service provider. (Relevant to control A.5.19)
• G.Collect more evidence on how the developer trains its product support personnel. (Relevant to clause 7.2)
• H.Collect more evidence to verify the developer's CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO22301) and ISMS (ISO/IEC 27001) certification. (Relevant to control A.5.21)

Comment: *

Name: *

Email: *

Verification: *

Please match the roles to the following descriptions:

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable test from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Correct Answer:

Explanation:

* The auditee is the organization or part of it that is subject to the audit. The auditee could be internal or external to the audit client . The auditee should cooperate with the audit team and provide them with access to relevant information, documents, records, personnel, and facilities .
* The audit client is the organization or person that requests an audit. The audit client could be internal or external to the auditee . The audit client should define the audit objectives, scope, criteria, and programme, and appoint the audit team leader .
* The technical expert is a person who provides specific knowledge or expertise relating to the organization, activity, process, product, service, or discipline to be audited. The technical expert could be internal or external to the audit team . The technical expert should support the audit team in collecting and evaluating audit evidence, but should not act as an auditor .
* The observer is a person who accompanies the audit team but does not act as an auditor. The observer could be internal or external to the audit team . The observer should observe the audit activities without interfering or influencing them, unless agreed otherwise by the audit team leader and the auditee .
References :=
* [ISO 19011:2022 Guidelines for auditing management systems]
* [ISO/IEC 17021-1:2022 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements]

Comment: *

Name: *

Email: *

Verification: *

Which one of the following options best describes the main purpose of a Stage 1 third-party audit?

• A.To introduce the audit team to the client
• B.To learn about the organisation's procurement
• C.To determine redness for a stage 2 audit
• D.To check for legal compliance by the organisation
• E.To prepare an independent audit report
• F.To get to know the organisation's customers

Comment: *

Name: *

Email: *

Verification: *

Select the words that best complete the sentence to describe an audit finding.

Correct Answer:

Explanation:
"An audit finding is the result of the evaluation of the collected audit evidence against audit criteria." The words that best complete the sentence to describe an audit finding are evaluation and evidence. According to ISO 19011:2022, an audit finding is the result of the evaluation of the collected audit evidence against audit criteria12. The other options are either not related to the definition of an audit finding or do not fit the sentence grammatically. References: 1: ISO 19011:2022, Guidelines for auditing management systems, Clause 3.11
\n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 5: Conducting an ISO/IEC 27001 audit

Comment: *

Name: *

Email: *

Verification: *