You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity. Referencing the scenario, which three of the following Annex A controls would you expect the auditee to have implemented when you conduct the follow-up audit?
Correct Answer: B,E,G
The three Annex A controls that you would expect the auditee to have implemented when you conduct the follow-up audit are:

* B. 5.13 Labelling of information
* E. 5.34 Privacy and protection of personal identifiable information (PII)
* G. 6.3 Information security awareness, education, and training

* B. This control requires the organisation to label information assets in accordance with the information classification scheme, and to handle them accordingly [1][2]. This control is relevant for the auditee because it could help them to avoid misaddressing labels and sending parcels to wrong destinations, which could compromise the confidentiality, integrity, and availability of the information assets. By labelling the information assets correctly, the auditee could also ensure that they are delivered to the intended recipients and that they are protected from unauthorized access, use, or disclosure.
* E. This control requires the organisation to protect the privacy and the rights of individuals whose personal identifiable information (PII) is processed by the organisation, and to comply with the applicable legal and contractual obligations [1][3]. This control is relevant for the auditee because it could help them to prevent the unauthorized use of residents' personal data by a supplier, which could violate the privacy and the rights of the residents and their family members, and expose the auditee to legal and reputational risks. By protecting the PII of the residents and their family members, the auditee could also enhance their trust and satisfaction, and avoid complaints and disputes.
* G. This control requires the organisation to ensure that all employees and contractors are aware of the information security policy, their roles and responsibilities, and the relevant information security procedures and controls [1][4]. This control is relevant for the auditee because it could help them to improve the information security culture and behaviour of their staff, and to reduce the human errors and negligence that could lead to information security incidents. By providing information security awareness, education, and training to their staff, the auditee could also increase their competence and performance, and ensure the effectiveness and efficiency of the information security processes and controls.

References:
1: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, Annex A
2: ISO/IEC 27002:2022 - Information technology - Security techniques - Code of practice for information security controls, clause 8.2.1
3: ISO/IEC 27002:2022 - Information technology - Security techniques - Code of practice for information security controls, clause 18.1.4
4: ISO/IEC 27002:2022 - Information technology - Security techniques - Code of practice for information security controls, clause 7.2.2
Question 332
In a joint audit involving multiple audit teams, how many audit team leaders are typically designated per audit?
Correct Answer: A
Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer: Joint audits involve multiple teams but require only one designated audit team leader to ensure:
* Consistent audit methodology
* Coordination among teams
* Unified reporting structure

B. Incorrect: While each team may have a coordinator, there is only one main leader responsible for the audit.

C. Incorrect: ISO 19011 mandates the presence of a designated audit team leader in all audits.

Relevant Standard Reference:
Question 333
Which two of the following standards are used as ISMS third-party certification audit criteria?
Correct Answer: D,E
The two standards that are used as ISMS third-party certification audit criteria are ISO/IEC 27001 and relevant legal, statutory, and regulatory requirements. ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) [1]. Relevant legal, statutory, and regulatory requirements are those that apply to the organization's information security aspects and objectives [2]. The other options are either not standards (E) or not directly related to the ISMS certification audit criteria (A, B, C, F).

References:
1: ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, Clause 1
2: ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, Clause 4.2
Question 334
A scenario wherein the city or location where the building(s) reside is/are not accessible.
Correct Answer: C
Explanation: A scenario wherein the city or location where the building(s) reside is/are not accessible is called a city disaster scenario, according to the CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course. This scenario is one of the four types of disaster scenarios that should be considered in the business continuity planning process, along with component, facility and country scenarios. A city scenario may be caused by events such as natural disasters, civil unrest, terrorist attacks or pandemic outbreaks that affect the entire city or region where the organization operates.

References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course]
Question 335
There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The backup tapes kept in another room had melted and many other documents were lost for good. What is an example of the indirect damage caused by this fire?