Which of these reliability aspects is "completeness" a part of?
Correct Answer: B
Question 37
What should an organization allocate to ensure the maintenance and improvement of the information security management system?
Correct Answer: B
Explanation According to ISO/IEC 27001:2022, clause 10.2.2, the organization shall define and apply an information security incident management process that includes the following activities: reporting information security events and weaknesses; assessing information security events and classifying them as information security incidents; responding to information security incidents according to their classification; learning from information security incidents, including identifying causes, taking corrective actions and preventive actions, and communicating the results and actions taken; collecting evidence, where applicable. The standard does not specify who should perform these activities, as long as they are done in a consistent and effective manner. Therefore, the organization may choose to conduct forensic investigation internally or by using external consultants, depending on its needs, resources, and capabilities. However, the organization should ensure that the external consultants are competent, trustworthy, and comply with the organization's policies and procedures. References: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clause 10.2.2; PECB ISO/IEC 27001 Lead Implementer Course, Module 10: Incident Management.
Question 38
An employee of the organization accidentally deleted customers' data stored in the database. What is the impact of this action?
Correct Answer: A
According to ISO/IEC 27001:2022, availability is one of the three principles of information security, along with confidentiality and integrity1. Availability means that information is accessible and usable by authorized persons whenever it is needed2. If an employee of the organization accidentally deleted customers' data stored in the database, this would affect the availability of the information, as it would not be accessible when required by the authorized persons, such as the customers themselves, the organization's staff, or other stakeholders. This could result in loss of trust, reputation, or business opportunities for the organization, as well as dissatisfaction or inconvenience for the customers. Reference: ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements What is ISO 27001? A detailed and straightforward guide - Advisera
Question 39
Which of the situations below can negatively affect the internal audit process?
Correct Answer: A
According to the ISO/IEC 27001 : 2022 Lead Implementer course, one of the factors that can negatively affect the internal audit process is the lack of cooperation from the auditees, which can manifest as restricting the internal auditor's access to offices and documentation1. This can hinder the auditor's ability to collect sufficient and appropriate audit evidence, verify the conformity of the information security management system (ISMS) with the audit criteria, and identify any nonconformities or opportunities for improvement2. Therefore, the auditees should be informed of the audit objectives, scope, criteria, and schedule in advance, and should provide the auditor with all the necessary information and resources to conduct the audit effectively3.
Question 40
A small organization that is implementing an ISMS based on ISO/lEC 27001 has decided to outsource the internal audit function to a third party. Is this acceptable?
Correct Answer: A
According to the ISO/IEC 27001:2022 standard, an internal audit is an audit conducted by the organization itself to evaluate the conformity and effectiveness of its information security management system (ISMS). The standard requires that the internal audit should be performed by auditors who are objective and impartial, meaning that they should not have any personal or professional interest or bias that could influence their judgment or compromise their integrity. The standard also allows the organization to outsource the internal audit function to a third party, as long as the criteria of objectivity and impartiality are met. Outsourcing the internal audit function to a third party can be a better option for small organizations that may not have enough resources, skills, or experience to perform an internal audit by themselves. By hiring an external auditor, the organization can benefit from the following advantages: The external auditor can provide a fresh and independent perspective on the organization's ISMS, identifying strengths, weaknesses, opportunities, and threats that may not be apparent to the internal staff. The external auditor can bring in specialized knowledge, expertise, and best practices from other organizations and industries, helping the organization to improve its ISMS and achieve its objectives. The external auditor can reduce the risk of conflict of interest, bias, or influence that may arise when the internal staff audit their own work or the work of their colleagues. The external auditor can save the organization time and money by conducting the internal audit more efficiently and effectively, avoiding duplication of work or unnecessary delays. Therefore, outsourcing the internal audit function to a third party is acceptable and often preferable for small organizations that are implementing an ISMS based on ISO/IEC 27001. Reference: ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, Clause 9.2, Internal audit ISO/IEC 27007:2023, Information technology - Security techniques - Guidelines for information security management systems auditing PECB, ISO/IEC 27001 Lead Implementer Course, Module 12, Internal audit A Complete Guide to an ISO 27001 Internal Audit - Sprinto
