Which two of the following actions are the individual(s) managing the audit programme responsible for?
Correct Answer: A,D
Establishing the audit programme objectives, scope and criteria Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. Selecting and appointing the audit team leaders and auditors Reviewing and approving the audit plans and arrangements Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc. Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities Monitoring and reviewing the performance and results of the audit programme and the audit teams Evaluating the feedback and satisfaction of the auditees and other interested parties Identifying and implementing the opportunities for improvement of the audit programme The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors12: Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc. Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc. Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee Defining the plan of an individual audit, which includes the audit schedule, the audit activities, the audit methods, the audit documents, etc. References: ISO 19011:2018 - Guidelines for auditing management systems PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-20
Question 177
Select the words that best complete the sentence: To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.
Correct Answer:
Question 178
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM). You: Are items checked before being dispatched? SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process. You: What action is taken when items are returned? SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation. You raise a nonconformity. Referencing the scenario, which three of the following Annex A controls would you expect the auditee to have implemented when you conduct the follow-up audit?
Correct Answer: B,E,G
Explanation The three Annex A controls that you would expect the auditee to have implemented when you conduct the follow-up audit are: * B. 5.13 Labelling of information * E. 5.34 Privacy and protection of personal identifiable information (PII) * G. 6.3 Information security awareness, education, and training * B. This control requires the organisation to label information assets in accordance with the information classification scheme, and to handle them accordingly12. This control is relevant for the auditee because it could help them to avoid misaddressing labels and sending parcels to wrong destinations, which could compromise the confidentiality, integrity, and availability of the information assets. By labelling the information assets correctly, the auditee could also ensure that they are delivered to the intended recipients and that they are protected from unauthorized access, use, or disclosure. * E. This control requires the organisation to protect the privacy and the rights of individuals whose personal identifiable information (PII) is processed by the organisation, and to comply with the applicable legal and contractual obligations13. This control is relevant for the auditee because it could help them to prevent the unauthorized use of residents' personal data by a supplier, which could violate the privacy and the rights of the residents and their family members, and expose the auditee to legal and reputational risks. By protecting the PII of the residents and their family members, the auditee could also enhance their trust and satisfaction, and avoid complaints and disputes. * G. This control requires the organisation to ensure that all employees and contractors are aware of the information security policy, their roles and responsibilities, and the relevant information security procedures and controls14. This control is relevant for the auditee because it could help them to improve the information security culture and behaviour of their staff, and to reduce the human errors and negligence that could lead to information security incidents. By providing information security awareness, education, and training to their staff, the auditee could also increase their competence and performance, and ensure the effectiveness and efficiency of the information security processes and controls. References: 1: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, Annex A 2: ISO/IEC 27002:2022 - Information technology - Security techniques - Code of practice for information security controls, clause 8.2.1 3: ISO/IEC 27002:2022 - Information technology - Security techniques - Code of practice for information security controls, clause 18.1.4 4: ISO/IEC 27002:2022 - Information technology - Security techniques - Code of practice for information security controls, clause 7.2.2
Question 179
In the context of a third-party certification audit, confidentiality is an issue in an audit programme. Select two options which correctly state the function of confidentiality in an audit
Correct Answer: C,D
Confidentiality is one of the principles of audit conduct that auditors should adhere to when performing audits. Confidentiality means that auditors should exercise discretion in the use and protection of information acquired in the course of their duties3. Auditors should respect the intellectual property rights of the auditee and other parties involved in the audit, and should not disclose any information that is sensitive, proprietary, or confidential without prior approval from the auditee or other authorized parties3. Auditors should also obtain the auditee's permission before using a camera or recording equipment during an audit, as these devices may capture confidential information or infringe on the privacy of individuals3. Therefore, these two options correctly state the function of confidentiality in an audit. The other options are either incorrect or irrelevant to confidentiality. For example, auditors are not forced by regulatory requirements to maintain confidentiality in an audit, but rather by ethical obligations and contractual agreements3. Observers in an audit team can access confidential information if they have signed a confidentiality agreement and have been authorized by the auditee3. Audit information can be used for improving personal competence by the auditor only if it does not compromise confidentiality or conflict with other interests3. As an auditor is always accompanied by a guide, there is still a risk to the auditee's sensitive information if the guide is not trustworthy or authorized to access such information3. Reference: ISO 19011:2018 - Guidelines for auditing management systems
Question 180
Which two of the following standards are used as ISMS third-party certification audit criteria?
Correct Answer: D,E
The two standards that are used as ISMS third-party certification audit criteria are ISO/IEC 27001 and relevant legal, statutory, and regulatory requirements. ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS)1. Relevant legal, statutory, and regulatory requirements are those that apply to the organization's information security aspects and objectives2. The other options are either not standards (E) or not directly related to the ISMS certification audit criteria (A, B, C, F). References: 1: ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, Clause 1 \n2: ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, Clause 4.2
