What is the standard definition of ISMS?

• A.Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.
• B.A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving
• C.A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security
• D.A systematic approach for establishing, implementing, operating,monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives.

Comment: *

Name: *

Email: *

Verification: *

Auditors need to communicate effectively with auditees. Therefore, their personal behaviour is a key characteristic needed to ensure a successful audit. Below there are the characteristics and a brief related description. Match the characteristics to the descriptions.

Correct Answer:

Explanation:
The possible matches of the characteristics to the descriptions are:
* Tenacious: Persistent and focused on objectives
* Ethical: Fair, truthful, sincere, honest, discreet
* Diplomatic: Tactful in dealing with individuals
* Observant: Actively observing surroundings/activities
* Perceptive: Aware of and able to understand situations
* Open to improvement: Willing to learn from situations
Actively observing surroundings/activities = Observant
Fair, truthful, sincere, honest, discreet = Ethical
Persistent and focused on objectives = Tenacious
Willing to learn from situations = Open to improvement
Tactful in dealing with individuals = Diplomatic
Aware of and able to understand situations = Perceptive
These are the auditor's characteristics and their descriptions as defined by ISO 19011:2022, Clause 7.2.21. The auditor's personal behaviour is essential for building trust and confidence with the auditee and for ensuring the credibility and effectiveness of the audit12. References: 1: ISO 19011:2022, Guidelines for auditing management systems, Clause 7.2.2 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 3: Fundamental audit concepts and principles

Comment: *

Name: *

Email: *

Verification: *

You are performing an ISMS audit at a residential nursing home that provides healthcare services and are reviewing the Software Code Management (SCM) system. You found a total of 10 user accounts on the SCM.
You confirm that one of the users, Scott, resigned 9-months
ago. The SCM System Administrator confirmed Scott's last check-out of the source code was found 1 month ago. He was using one of the uthorized desktops from the local network in a secure area.
You check with the user de-registration procedure which states "Managers have to make sure of deregistration of the user account and authorisation immediately from the relevant ICT system and/or equipment after resignation approval." There was no deregistration record for user Scott.
The IT Security Manager explains that Scott still comes back to the office every month after he resigned to provide support on source code maintenance. That's why his account on SCM still exists.
You would like to investigate other areas further to collect more audit evidence. Select three options that would not be valid audit trails.

• A.Collect more evidence on how access controls are periodically reviewed to maintain security (Relevant to control A.5.35)
• B.Collect more evidence on how the transition of Scott from full-time to part-time employment was managed (relevant to control A.6.5)
• C.Collect more evidence from Scott's background verification checks performed by the human resource department under the new employment relationship. (Relevant to control A.6.1)
• D.Collect more evidence of why Scott resigned and whether his re-engagement represents a conflict of interest. (relevant to control A.5.3)
• E.Collect more evidence on how Scott can access the employee's desktop and local network. (Relevant to control A.5.15)
• F.Collect more evidence on how Scott can access the secure area. (Relevant to control A.8.4)
• G.Collect more evidence on how the organization pays for Scott's source code maintenance support service. (Relevant to control A.6.2)
• H.Collect more evidence on where Scott kept the source code that he checked out and how it was secured.
  (Relevant to control A.8.4)

Comment: *

Name: *

Email: *

Verification: *

A telecommunications company uses the AES method for ensuring that confidential information is protected. This means that they use a single key to encrypt and decrypt the information. What kind of control does the company use?

• A.Detective
• B.Corrective
• C.Preventive

Comment: *

Name: *

Email: *

Verification: *

The audit lifecycle describes the ISO 19011 process for conducting an individual audit. Drag and drop the steps of the audit lifecycle into the correct sequence.

Correct Answer:

Explanation:
The correct sequence of the steps of the audit lifecycle according to ISO 19011:2018 is:
* Step 1: Audit initiation
* Step 2: Audit preparation
* Step 3: Conducting the audit
* Step 4: Preparing and distributing the audit report
* Step 5: Audit completion
* Step 6: Audit follow-up
This sequence reflects the logical order of the audit activities, from establishing the audit objectives, scope and criteria, to verifying the implementation and effectiveness of the corrective actions. However, ISO 19011:2018 also recognizes that some audit activities can be iterative or concurrent, depending on the nature and complexity of the audit. For example, audit preparation and conducting the audit can overlap when new information or changes occur during the audit. Similarly, audit follow-up can be integrated with audit completion when the corrective actions are verified shortly after the audit. Therefore, the audit lifecycle should be adapted to the specific context and needs of each audit.

Comment: *

Name: *

Email: *

Verification: *