PECB ISO-IEC-27001-Lead-Auditor Dumps

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Audit test plans define the structured approach for conducting interviews, observations, and control testing.

ISO 19011:2018 describes audit test planning as essential for consistent evidence collection.

A. Incorrect:

Test plans do not generate reports—they outline procedures for evidence collection.

C. Incorrect:

Audit test plans focus on specific risks rather than evaluating all elements.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.5 (Audit Test Planning Procedures)

According to ISO 27001:2022 clause 8.1.4, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes implementing appropriate contractual requirements related to information security with external providers, such as customers who send ICT equipment for reclamation12

In this case, the organisation offers ICT reclamation services, which involves processing customer ICT equipment that may contain sensitive or confidential information. The organisation should have a process in place to ensure that the customer ICT equipment is handled securely and in accordance with the customer’s information security requirements. The process should include steps such as verifying the customer’s identity and authorisation, checking the inventory and condition of the equipment, removing or destroying any labels or stickers that contain information about the equipment or the customer, wiping or erasing any data stored on the equipment, and documenting the actions taken and the results achieved12

The fact that the auditor noticed two servers on a bench with stickers that reveal the server’s name, IP address and admin password indicates that the process for dealing with incoming shipments relating to customer IT security is not effective or not followed. This could pose a risk of unauthorised access, disclosure, or modification of the customer’s information or systems. Therefore, the auditor should note the audit finding and check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:202212

The other actions are not appropriate for the following reasons:

A. Asking the ICT Manager to record an information security incident and initiate the information security incident management process is not appropriate because this is not an information security incident that affects the organisation’s own information or systems. An information security incident is defined as a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security12 In this case, the information security event affects the customer’s information or systems, not the organisation’s. Therefore, the organisation should follow the process for dealing with incoming shipments relating to customer IT security, not the process for information security incident management.

C. Recording what the auditor has seen in the audit findings, but taking no further action is not appropriate because this would not address the root cause or the impact of the issue. The auditor has a responsibility to verify the effectiveness and compliance of the organisation’s information security management system, and to report any nonconformities or opportunities for improvement12 Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.

D. Raising a nonconformity against control 5.31 Legal, statutory, regulatory and contractual requirements is not appropriate because this control is not relevant to the issue. Control 5.31 requires the organisation to identify and comply with the legal, statutory, regulatory and contractual requirements that are applicable to the information security management system12 In this case, the issue is not about the organisation’s compliance with the legal, statutory, regulatory and contractual requirements, but about the organisation’s control of the externally provided processes, products or services that are relevant to the information security management system. Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.

E. Raising a nonconformity against control 8.20 'network security’ (networks and network devices shall be secured, managed and controlled to protect information in systems and applications) is not appropriate because this control is not relevant to the issue. Control 8.20 requires the organisation to secure, manage and control its own networks and network devices to protect the information in its systems and applications12 In this case, the issue is not about the organisation’s network security, but about the organisation’s control of the externally provided processes, products or services that are relevant to the information security management system. Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.

F. Asking the auditee to remove the labels, then carry on with the audit is not appropriate because this would not address the root cause or the impact of the issue. The auditor should not interfere with the auditee’s operations or suggest corrective actions during the audit, as this would compromise the auditor’s objectivity and impartiality12 The auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.

The incorrect statement is B, because auditors are permitted to adjust the audit plan based on materiality considerations identified during the stage 2 audit. ISO 19011 explicitly allows auditors to adapt audit plans as new information emerges, provided such changes are justified and documented. Preventing adjustments would contradict the principles of risk-based and evidence-based auditing.

Materiality is evaluated throughout the audit lifecycle. During initial contact and audit planning, inherent risks and organizational complexity influence audit duration and resource allocation, making statement A correct. During stage 1 audits, auditors review documentation and high-level processes to identify key areas that warrant deeper examination during stage 2, making statement C correct.

Statement B incorrectly suggests that once stage 2 begins, the audit plan is fixed and cannot be adjusted. In practice, if auditors discover that certain processes or assets are more material than initially assessed, they may legitimately reallocate audit time or adjust focus to ensure sufficient coverage of high-impact areas. This flexibility is essential to achieve reasonable assurance.

Therefore, statement B is not correct, as it contradicts established auditing norms and ISO guidance on audit adaptability.

Comprehensive and Detailed In-Depth Explanation:

Penetration testing (pen testing) is a simulated cyberattack used to assess security weaknesses in an ICT system.

B. Identifying failures in ICT protection schemes – Correct answer. The goal of penetration testing is to find vulnerabilities in networks, applications, and systems before attackers can exploit them. This aligns with ISO/IEC 27001:2022 Annex A Control A.8.16 (Monitoring Activities) and A.8.8 (Management of Technical Vulnerabilities).

A. Code reviews are not the primary goal of pen testing; static analysis tools are used for code security.

C. Physical inspections relate to hardware security audits, which are separate from penetration testing.

The auditors handled partially verifiable information appropriately by applying professional judgment, which makes option A the correct answer. ISO 19011:2018 emphasizes that auditing is not a purely mechanical process and requires auditors to apply due professional care when evaluating evidence. Audit evidence is often based on samples and may vary in its degree of verifiability. The key requirement is that auditors assess the reliability, relevance, and sufficiency of the evidence before using it to support audit conclusions.

In the scenario, the audit team explicitly recognized that some information could only be verified to a limited extent and responded by carefully evaluating how much reliance could be placed on that information. This aligns with ISO 19011 principles, particularly the evidence-based approach and due professional care. Auditors are expected to exercise judgment when full verification is impractical, provided they clearly understand the limitations of the evidence and do not overstate its reliability.

Option B is incorrect because ISO standards do not require auditors to discard all partially verifiable information. Doing so could lead to incomplete audit conclusions and an unrealistic audit process. Option C is also incorrect because while external experts may be used in certain specialized cases, ISO 19011 does not mandate their involvement whenever evidence is difficult to verify. The auditors’ approach in the scenario demonstrates appropriate competence and professional judgment, consistent with ISO auditing guidance.

•C. Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

This is not relevant to the audit of the organization's incident management process. The HR manager's personal phone and how they handle a ransomware attack on it falls outside the scope of the ISMS audit. The organization is not responsible for personal devices.

•B. Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

While seemingly relevant, this focuses on the method of payment for the ransom. The core issue is the organization paying the ransom at all, which is generally not best practice in incident response. The audit should focus on why this decision was made and if alternative solutions were considered (e.g., data backups, device wiping and restoration).

Why the other options ARE relevant:

•A. Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8) This directly addresses the identified discrepancy in understanding "weakness, event, and incident," which is crucial for proper incident reporting.

•D. Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27) This investigates the basis for the 24-hour recovery time, which seems arbitrary and may not be appropriate for all incidents.

•E. Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26) This probes the adequacy of the incident response, especially the lack of preventative measures after paying the ransom.

•F. Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26) This examines the actual procedures to assess their effectiveness and alignment with best practices.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

ISO/IEC 27001:2022 Clause 6.1.3 (Information Security Risk Treatment) requires that any decision to accept risk be documented and justified.

Failure to document this decision creates compliance and audit tracking gaps.

A. Incorrect:

Risk acceptance must always be documented for accountability.

C. Incorrect:

Organizations are not required to mitigate every nonconformity but must justify their risk acceptance.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 6.1.3 (Risk Treatment Documentation Requirements)

The three Annex A controls that you would expect the auditee to have implemented when you conduct the follow-up audit are:

B. 5.13 Labelling of information

E. 5.34 Privacy and protection of personal identifiable information (PII)

G. 6.3 Information security awareness, education, and training

B. This control requires the organisation to label information assets in accordance with the information classification scheme, and to handle them accordingly12. This control is relevant for the auditee because it could help them to avoid misaddressing labels and sending parcels to wrong destinations, which could compromise the confidentiality, integrity, and availability of the information assets. By labelling the information assets correctly, the auditee could also ensure that they are delivered to the intended recipients and that they are protected from unauthorized access, use, or disclosure.

E. This control requires the organisation to protect the privacy and the rights of individuals whose personal identifiable information (PII) is processed by the organisation, and to comply with the applicable legal and contractual obligations13. This control is relevant for the auditee because it could help them to prevent the unauthorized use of residents’ personal data by a supplier, which could violate the privacy and the rights of the residents and their family members, and expose the auditee to legal and reputational risks. By protecting the PII of the residents and their family members, the auditee could also enhance their trust and satisfaction, and avoid complaints and disputes.

G. This control requires the organisation to ensure that all employees and contractors are aware of the information security policy, their roles and responsibilities, and the relevant information security procedures and controls14. This control is relevant for the auditee because it could help them to improve the information security culture and behaviour of their staff, and to reduce the human errors and negligence that could lead to information security incidents. By providing information security awareness, education, and training to their staff, the auditee could also increase their competence and performance, and ensure the effectiveness and efficiency of the information security processes and controls.

The correct answer is the certification body, because ISO/IEC 17021-1 clearly assigns responsibility for establishing the audit scope and audit criteria to the certification body, not to the audit team or the auditee. The certification body is responsible for managing the certification process, ensuring consistency, impartiality, and compliance with accreditation requirements.

The audit scope defines the boundaries of the certification audit, including organizational units, locations, activities, and processes to be audited. The audit criteria define the set of policies, procedures, and requirements against which conformity is assessed, such as ISO/IEC 27001 requirements, statutory obligations, and internal ISMS policies. While the audit team leader may plan how the audit will be conducted within the defined scope, they do not determine the scope itself.

Option A is incorrect because the audit team leader’s role is to manage the audit execution, prepare the audit plan, and coordinate audit activities, not to establish the official scope or criteria. Option B is incorrect because although discussions with the auditee are necessary to understand the organization and confirm scope feasibility, the final authority remains with the certification body.

This separation of responsibility ensures independence and prevents organizations from unduly influencing the certification boundaries. Therefore, the certification body is the entity that establishes the audit scope and audit criteria.

The possible matches of the characteristics to the descriptions are:

Tenacious: Persistent and focused on objectives

Ethical: Fair, truthful, sincere, honest, discreet

Diplomatic: Tactful in dealing with individuals

Observant: Actively observing surroundings/activities

Perceptive: Aware of and able to understand situations

Open to improvement: Willing to learn from situations

Actively observing surroundings/activities = Observant

Fair, truthful, sincere, honest, discreet = Ethical

Persistent and focused on objectives = Tenacious

Willing to learn from situations = Open to improvement

Tactful in dealing with individuals = Diplomatic

Aware of and able to understand situations = Perceptive

These are the auditor’s characteristics and their descriptions as defined by ISO 19011:2022, Clause 7.2.21. The auditor’s personal behaviour is essential for building trust and confidence with the auditee and for ensuring the credibility and effectiveness of the audit12. References: 1: ISO 19011:2022, Guidelines for auditing management systems, Clause 7.2.2 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 3: Fundamental audit concepts and principles

Yes, Jack should communicate such situations to the certification body. It is essential for auditors to report potential nonconformities and ethical breaches to the certification body to maintain the integrity and credibility of the audit process, without necessarily informing top management of these steps.

8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected = Technological control 7.8 Equipment shall be sited securely and protected = Physical control 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation’s needs = Organisational control 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation’s premises = People control

According to the web search results from my predefined tool, ISO 27001:2022 has restructured and consolidated the Annex A controls into four categories: organisational, people, physical, and technological12. These categories reflect the different aspects and dimensions of information security, and are aligned with the cybersecurity concepts of identify, protect, detect, respond, and recover3. The controls in each category are as follows4:

Organisational controls: These are controls that relate to the governance, management, and coordination of information security activities within the organisation. They include controls such as information security policies, roles and responsibilities, risk assessment and treatment, performance evaluation, and improvement.

People controls: These are controls that relate to the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. They include controls such as human resource security, training and awareness, access control, incident management, and business continuity.

Physical controls: These are controls that relate to the protection of physical assets and environments that store, process, or transmit information. They include controls such as physical security, environmental security, equipment security, and media security.

Technological controls: These are controls that relate to the use of technology to implement, monitor, and maintain information security. They include controls such as cryptography, network security, system security, application security, and threat intelligence.

Based on these categories, the controls listed in the question can be matched as follows:

8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected: This is a technological control, as it involves the use of technology to protect information on devices such as laptops, smartphones, tablets, etc. It may include measures such as encryption, authentication, antivirus, firewall, etc.

7.8 Equipment shall be sited securely and protected: This is a physical control, as it involves the protection of physical assets and environments that store, process, or transmit information. It may include measures such as locks, alarms, CCTV, fire suppression, etc.

5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation’s needs: This is an organisational control, as it involves the governance, management, and coordination of information security activities within the organisation. It may include measures such as defining the authority and accountability of information security personnel, establishing reporting lines and communication channels, assigning tasks and duties, etc.

6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation’s premises: This is a people control, as it involves the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. It may include measures such as providing guidance and training on remote working, enforcing policies and procedures, monitoring and auditing remote activities, etc.

= 1: A Breakdown of ISO 27001:2022 Annex A Controls - BARR Advisory42: ISO 27001:2022 Annex A Controls - What’s New? | ISMS.Online13: How many controls are there in ISO 27001:2022? - Strike Graph34: ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, Annex A.

The role and responsibility that system users should not observe in the event of an information security incident is D: make the information security incident details known to all employees. This is not a proper role or responsibility for system users, as it could cause unnecessary panic, confusion or speculation among employees who are not involved in the incident response process. It could also compromise the confidentiality and integrity of the incident information, which could be sensitive or confidential in nature. Making the information security incident details known to all employees could also violate the information security policies and procedures of the organization, which may require a certain level of discretion and confidentiality when dealing with incidents. The other roles and responsibilities are correct, as they describe what system users should do in the event of an information security incident, such as reporting the incident to the Servicedesk (A), preserving evidence if necessary (B), and cooperating with investigative personnel if needed ©. These roles and responsibilities help to ensure a quick, effective and orderly response to information security incidents. ISO/IEC 27001:2022 requires the organization to implement procedures for reporting and managing information security incidents (see clause A.16.1). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Information Security Incident Management?

Comprehensive and Detailed In-Depth Explanation:

ISO/IEC 27001:2022 Clause 7.5 (Documented Information) defines the role of documentation in an ISMS.

A. Correct Statement:

Documented information serves as a guideline for ISMS operations and provides audit evidence.

B. Incorrect Statement:

Collecting documented information is not a goal in itself.

The purpose of documentation is to support the ISMS and ensure compliance, not just to generate paperwork.

C. Correct Statement:

Documents should be clear and concise, avoiding unnecessary complexity while still being detailed enough to be useful.

Thus, documentation should be purposeful and functional, not just a bureaucratic requirement.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 7.5 (Documented Information)

Comprehensive and Detailed In-Depth Explanation:

C. Incorrect Statement – Not all vulnerabilities require immediate remediation. Risk assessment determines whether controls are necessary. Some vulnerabilities pose low risks and may not need urgent fixes.

A. Correct Statement – Vulnerabilities can be intrinsic (inherent flaws) or extrinsic (caused by external misconfigurations).

B. Correct Statement – Threats must exploit vulnerabilities to cause harm.

This aligns with ISO/IEC 27001:2022 Annex A Control A.8.8 (Management of Technical Vulnerabilities).

Comprehensive and Detailed In-Depth Explanation:

ISO/IEC 27001 Clause 5.1 (Leadership and Commitment) defines top management's role in ensuring the effectiveness of the Information Security Management System (ISMS). It requires top management to:

Ensure the availability of resources for the ISMS (Correct Responsibility).

Promote continual improvement of the ISMS (Correct Responsibility).

Direct and support employees to contribute to ISMS effectiveness (Correct Responsibility).

B. Conducting regular internal audits – Incorrect Responsibility:

Internal audits are not a direct responsibility of top management. Instead, Clause 9.2 (Internal Audit) requires audits to be conducted independently of management.

Top management is responsible for ensuring audits are conducted but does not need to conduct them personally.

Thus, top management is responsible for oversight and support but not for conducting internal audits themselves.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 5.1 (Leadership and Commitment)

ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)

In the context of ISO/IEC 27001, the approval of the risk assessment and the acceptance of the remaining risk levels after treatment are typically responsibilities of the top management. This is because top management is accountable for the information security management system and its outcomes, and they have the authority to accept risks on behalf of the organization12. References: = The information provided is based on the standard practices of ISO/IEC 27001 risk assessment and treatment processes, which emphasize the role of top management in the approval and acceptance of risks

CyberShielding Systems Inc. should have included the identification of areas for improvement when defining the audit objectives, making option A the correct answer. ISO/IEC 27001 audits are not limited to verifying compliance; they also support continual improvement of the ISMS. ISO 19011 encourages audits to provide value by identifying weaknesses, improvement opportunities, and areas where effectiveness can be enhanced.

In the scenario, the audit objectives were primarily focused on conformity with criteria and compliance with statutory and regulatory requirements. While this is essential, a well-defined audit objective should also include evaluating opportunities to improve security practices, control effectiveness, and risk management maturity. Identifying improvement areas helps the organization strengthen its ISMS beyond basic compliance and aligns with ISO/IEC 27001 clause 10 on continual improvement.

Option B is incorrect because audit objectives should not be narrowly focused only on recent incidents or management concerns, as this could lead to biased or incomplete coverage. Option C is incorrect because limiting the audit to documentation review undermines the effectiveness of the audit and contradicts the requirement for evidence-based evaluation of operational controls.

Therefore, including improvement identification as an audit objective would have strengthened the audit’s value and alignment with ISO/IEC 27001 principles.

Corrective action is a process of identifying and eliminating the root causes of nonconformities or incidents that have occurred or could potentially occur, in order to prevent their recurrence or occurrence. Corrective action is part of the improvement requirement of ISO 27001 and follows a standard workflow of identification, evaluation, implementation, review and documentation of corrections and corrective actions. References: Procedure for Corrective Action, Nonconformity & Corrective Action For ISO 27001 Requirement 10.1, PECB Candidate Handbook ISO 27001 Lead Auditor (page 12)

According to the PECB Candidate Handbook1, one of the principles of auditing is confidentiality, which means that auditors should respect the confidentiality of information obtained during the audit and not disclose it to unauthorized parties. The handbook also states that auditors should only report audit results to those who have a legitimate need to know, such as the client, the auditee, and the certification body. Therefore, sharing the findings with other relevant managers in A or B’s other customers would be a breach of confidentiality, as they are not directly involved in the audit process or the information security management system of B. Sharing the findings with B’s Information Security Manager or other relevant managers in B would be appropriate, as they are part of the auditee organization and responsible for the implementation and improvement of the ISMS. Sharing the findings with A’s supplier evaluation team or B’s certification body would also be acceptable, as they have a legitimate need to know the audit results for the purpose of supplier selection or certification, respectively. References: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 7-8.

ISO/IEC 27001:2022, clause 10.2 (Nonconformity and corrective action):

When a nonconformity occurs, the organization shall … take action to control and correct it, and deal with the consequences; evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere; implement any action needed; review the effectiveness of any corrective action taken.

The auditor’s responsibility is to verify effectiveness of corrective actions. This means the auditor must look for evidence of change that actually addresses the root cause and prevents recurrence — not just temporary fixes, promises, or documentation.

Let’s analyse the distractors:

A. Incorrect — corrective action should not allow recurrence.

B. Incorrect — refers to preventive action, which ISO 27001:2022 no longer uses as a separate concept; instead, it is integrated into risk management.

C. Weak — merely “reducing probability” is not sufficient; ISO 27001 requires elimination of causes to prevent recurrence.

D. Incorrect — “assurance from the auditee” is not acceptable evidence; auditors need objective evidence, not verbal commitment.

E. Incorrect — “comfort” is not an audit principle; ISO 19011 requires objective evidence.

F. Correct — aligns directly with ISO 27001 clause 10.2: “review the effectiveness of any corrective action taken … so that nonconformity does not recur.”

Thus, the correct nonconformity statement is:

“When reviewing the effectiveness of action taken in response to a nonconformity, an auditor seeks evidence of change that will prevent recurrence of the issue.”

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer: ISO/IEC 27001 Clause 6.2 (Information Security Objectives and Planning to Achieve Them) requires information security objectives to be based on risk assessment results.

A. Incorrect: While objectives can be revised, they must be initially established based on risk assessment findings.

B. Incorrect: Objectives should be set after risk assessment, but security objectives are not dependent on full implementation.

Thus, Clinic did not follow the correct sequence in establishing security objectives before conducting a risk assessment.

The audit procedure used here is "analysis." The audit team analyzed server logs to verify if they can be edited or deleted, focusing on evaluating the logs' properties and the controls over their manipulation to ensure they comply with ISO/IEC 27001 requirements.

Auditors have the authority to object or even refuse an audit mandate if they believe that the audit duration proposed by the auditee is not sufficient to thoroughly assess the ISMS. It is crucial for the audit to be comprehensive enough to cover all necessary aspects of the system, ensuring its effectiveness and compliance.

The three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity are:

B. ABC cancels the service agreement with WeCare.

E. ABC introduces background checks on information security performance for all suppliers.

F. ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.

B. This option is a possible correction and corrective action that ABC could take to address the nonconformity. A correction is the action taken to eliminate a detected nonconformity, while a corrective action is the action taken to eliminate the cause of a nonconformity and to prevent its recurrence1. By cancelling the service agreement with WeCare, ABC could stop the unauthorized use of residents’ personal data and protect their privacy and rights. This could also prevent further complaints and legal issues from the residents and their family members. However, this option may also have some drawbacks, such as the loss of a service provider, the need to find an alternative solution, and the potential impact on the residents’ well-being.

E. This option is a possible corrective action that ABC could take to address the nonconformity. By introducing background checks on information security performance for all suppliers, ABC could ensure that they select and work with reliable and trustworthy partners who respect the confidentiality, integrity, and availability of the information they handle. This could also help ABC to comply with information security control A.15.1.1 (Information security policy for supplier relationships), which requires the organisation to agree and document information security requirements for mitigating the risks associated with supplier access to the organisation’s assets2.

F. This option is a possible corrective action that ABC could take to address the nonconformity. By periodically monitoring compliance with all applicable legislation and contractual requirements involving third parties, ABC could verify that the suppliers are fulfilling their obligations and responsibilities regarding information security. This could also help ABC to comply with information security control A.18.1.1 (Identification of applicable legislation and contractual requirements), which requires the organisation to identify, document, and keep up to date the relevant legislative, regulatory, contractual, and other requirements to which the organisation is subject3.

This scenario represents a conformity because ABC Inc. has implemented procedures for managing removable storage media that align with the classification scheme of the information stored. When information is classified as "confidential," more stringent procedures apply, whereas for "public" information, the procedures focus only on integrity and availability, following the organization's defined information classification policy.

These three characteristics are the fundamental properties of information security, as defined by the ISO/IEC 27000 standard, which provides the overview and vocabulary of information security, cybersecurity, and privacy protection12. They are also the basis for the information security objectives and controls of the ISO/IEC 27001 standard, which specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system34. The definitions of these characteristics are as follows12:

•Availability: The property of being accessible and usable upon demand by an authorized entity.

•Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

•Integrity: The property of safeguarding the accuracy and completeness of information and processing methods.

The other characteristics listed in the question, such as clarity, accessibility, completeness, importance, and efficiency, are not directly related to information security, although they may be relevant for other aspects of information management, such as quality, usability, or performance.

The Check stage of the PDCA cycle involves monitoring and measuring the performance of the process and comparing it with the planned objectives and criteria. In the context of managing an internal audit programme, this stage includes verifying the effectiveness of the internal audit programme by evaluating whether it meets its objectives, scope, and criteria, and whether it is implemented in accordance with ISO 19011 guidelines1. It also includes reviewing the trends in internal audit results by analyzing the data collected from the audits, such as audit findings, nonconformities, corrective actions, opportunities for improvement, and customer feedback1. References: ISO 19011:2018 - Guidelines for auditing management systems

According to ISO 19011:2018, which provides guidelines for auditing management systems, a sampling plan is a method for selecting a representative subset of the audit evidence from a defined population1. A sampling plan can have several advantages for the audit, such as providing a suitable understanding of the ISMS by covering its key processes, activities, and controls; implementing the audit plan efficiently by optimizing the use of time and resources; and giving confidence in the audit results by ensuring that the sample is sufficient, reliable, and unbiased1. Therefore, these three options are examples of advantages of using a sampling plan for the audit. The other options are not advantages, but rather disadvantages or risks of using a sampling plan. For example, overruling the auditor’s instincts may lead to missing important evidence or issues that are not covered by the sampling plan; using the same plan for consecutive audits may reduce the effectiveness and validity of the audit results; and missing key issues may result from an inadequate or inappropriate sampling plan1. References: ISO 19011:2018 - Guidelines for auditing management systems

According to ISO/IEC 27001:2022 clause 8.1, the organization must plan, implement and control the processes needed to meet the information security requirements, and to implement the actions determined in clause 6.1. The organization must also ensure that the outsourced processes are controlled or influenced. According to control A.5.24, the organization must establish and maintain an information security incident management process that includes reporting information security events and weaknesses. Therefore, the use of lower grade machines for the secure disposal of confidential documents and media could pose a significant information security risk and a potential breach of contract with the clients. The auditor should respond to this information by:

A. Advising the individual managing the audit programme of any recommendation by you to conduct a further audit prior to certification. This is in accordance with ISO/IEC 27006:2022 clause 7.4.3, which states that the audit team leader shall report to the certification body any situation that may significantly affect the audit conclusions or the certification decision, and propose any necessary changes to the audit plan.

C. Considering the need for a subsequent audit within 4 weeks based on the additional information that has come to light. This is in accordance with ISO/IEC 27006:2022 clause 7.5.2, which states that the audit team leader shall review the audit findings and any other appropriate information collected during the audit to determine the audit conclusions, and to identify any need for a subsequent audit.

G. Verifying with the auditee that lower grade machines are used in certain circumstances. This is in accordance with ISO/IEC 27006:2022 clause 7.4.2, which states that the audit team leader shall ensure that the audit is conducted in accordance with the audit plan, and that any changes to the plan are agreed upon and documented.

The other options are not appropriate responses, as they either ignore the information, exceed the scope of the audit, or prematurely raise a nonconformity without sufficient evidence. For example:

B. Cancelling the production of the audit report and instead reviewing the organization’s contracts with its clients to determine whether they have permitted the use of lower grade machines. This is not a suitable response, as it would delay the audit process and the certification decision, and it would involve reviewing documents that are outside the scope of the ISMS audit. The auditor should focus on verifying the information security risk assessment and treatment process, and the information security incident management process, as they relate to the use of lower grade machines.

D. Doing nothing. All audits are based on a sample and the sample you took did not include a planned review of the lower grade machines. This is not a suitable response, as it would disregard a significant information security risk and a potential nonconformity that could affect the audit conclusions and the certification decision. The auditor should follow up on the information provided by the employee and verify its validity and impact.

E. Extending the certification audit duration to create additional time to audit the use of the lower grade machines. This is not a suitable response, as it would disrupt the audit schedule and the availability of the audit team and the auditee. The auditor should report the situation to the certification body and propose any necessary changes to the audit plan, such as conducting a subsequent audit.

F. Raising a nonconformity against 8.1 Operational Planning and Control as the organization has not been open about its processes. This is not a suitable response, as it would be based on a single source of information that has not been verified or corroborated. The auditor should collect sufficient and appropriate audit evidence to support any nonconformity, and should also consider the root cause and the severity of the nonconformity.

The correct sequence of activities for the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022 is as follows:

1st: Create and maintain information security risk criteria 2nd: Identify the risks that need to be considered when planning for the information security management system 3rd: Assess the potential consequences that would arise if the risk were to materialise 4th: Select appropriate risk treatment options 5th: Carry out information security risk assessments at planned intervals 6th: Consider the results of risk assessment and the status of the risk treatment plan at management review

This sequence is based on the information security risk management process described in ISO/IEC 27001:2022 clause 6.1, which includes the following activities:

establishing and maintaining information security risk criteria;

ensuring that repeated information security risk assessments produce consistent, valid and comparable results;

identifying the information security risks;

analyzing the information security risks;

evaluating the information security risks;

treating the information security risks;

accepting the information security risks and the residual information security risks;

communicating and consulting with stakeholders throughout the process;

monitoring and reviewing the information security risks and the risk treatment plan.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 allows auditors to report significant issues that impact the audit scope, even if they arise outside the predefined scope.

Security Training Department nonconformities directly affected CloudWebvue's ISMS, justifying its inclusion in the audit report.

B. Incorrect:

Transparency is crucial in audits, and Keith correctly informed the auditee before reporting.

C. Incorrect:

Issues affecting ISMS implementation must be reported, as they pose risks to the certification scope.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.6.1 (Audit Reporting on Nonconformities Outside Scope but with Impact)

No, a general action plan is not acceptable in this context because it lacks specific details on systems, controls, or operations impacted by the nonconformities. An effective action plan should detail the specific corrective actions for each nonconformity to ensure comprehensive resolution and prevent recurrence.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Remote follow-ups are acceptable for minor nonconformities, as long as auditors can verify corrective actions.

ISO/IEC 17021-1:2015 allows remote follow-ups when the effectiveness of corrective actions can be demonstrated.

B. Incorrect:

Follow-ups are required, but remote verification is acceptable for minor issues.

C. Incorrect:

An on-site follow-up is not mandatory unless major nonconformities are present.

Relevant Standard Reference:

ISO/IEC 17021-1:2015 Clause 9.6.8 (Remote Audit Follow-Ups)

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Joint audits involve multiple teams but require only one designated audit team leader to ensure:

Consistent audit methodology

Coordination among teams

Unified reporting structure

B. Incorrect:

While each team may have a coordinator, there is only one main leader responsible for the audit.

C. Incorrect:

ISO 19011 mandates the presence of a designated audit team leader in all audits.

Relevant Standard Reference:

ISO 19011:2018 Clause 5.5.5 (Assigning Responsibility to the Audit Team Leader)

The scenario represents planning risk, making option A the correct answer. Planning risk arises when an audit is inadequately planned, resulting in incomplete coverage, misaligned objectives, or failure to address critical areas. ISO 19011 emphasizes that defining the audit scope, objectives, and criteria is a fundamental step in audit planning and is essential to achieving effective audit outcomes.

In this case, the organization failed to define the audit scope and objectives clearly. As a direct consequence, the auditor overlooked departments handling sensitive information, which are typically high-risk areas in an ISMS. This oversight undermines the effectiveness of the audit and increases the likelihood that significant risks or nonconformities remain undetected.

Option B is incorrect because communication risk relates to misunderstandings or ineffective information exchange between auditors and auditees. While communication issues may exist, the root cause here is inadequate planning. Option C is incorrect because resource risk concerns insufficient auditor time, competence, or tools. The problem in this scenario is not a lack of resources but the absence of structured planning.

ISO/IEC 27001 internal audits rely heavily on proper planning to ensure that all relevant processes and assets are evaluated. Therefore, the primary risk present is planning risk.

The correct answer is Analytical evidence, because the auditors relied heavily on analysis, calculations, and evaluation of performance data to validate the effectiveness of SendPay’s ISMS. Analytical evidence involves examining trends, metrics, ratios, averages, and performance indicators to draw conclusions about how well processes are functioning.

In the scenario, the auditors calculated the number of training hours employees received on ISMS topics and computed the average resolution time of information security incidents based on sampled data. These activities are clear examples of analytical techniques, as they involve processing numerical and performance-related information to assess alignment with objectives and effectiveness of controls. Additionally, the auditors assessed the reliability of evidence by comparing different sources and considering timing factors, which further supports the use of analytical judgment rather than purely technical inspection.

Option B is incorrect because mathematical evidence is not a recognized audit evidence category under ISO standards. While calculations were performed, the purpose was analytical evaluation, not mathematical proof. Option C is incorrect because technical evidence would primarily involve direct inspection of systems, configurations, or infrastructure, such as firewall rule reviews or system settings. While some technical elements existed in the audit, the question focuses on the type of evidence used to validate ISMS performance broadly, which was predominantly analytical.

Therefore, analytical evidence best describes the evidence utilized by the auditors during SendPay’s audit.

Yes, outsourcing the internal audit function can positively impact the internal audit process by increasing its independence and impartiality. This helps ensure that the internal audits are conducted without any bias or influence from the company’s internal management.

A. Advise the Shipping Manager that his request will be included in the audit report. This is true because the audit report should document all the relevant information and evidence related to the audit, including any requests or objections raised by the auditee. The audit report should also provide the rationale for the audit conclusions and recommendations12.

B. Advise management that the new information provided will be discussed when the auditors have more time. This is true because the auditors should not make hasty decisions based on incomplete or unverified information. The auditors should review and evaluate the new information in a systematic and objective manner, and determine whether it affects the audit findings, nonconformities, or conclusions12.

F. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed. This is true because the auditors should acknowledge and appreciate the cooperation and transparency of the auditee, but also maintain their professional integrity and independence. The auditors should not withdraw a nonconformity unless they are satisfied that it was raised in error or that it has been effectively corrected and verified12.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

A document review is a process of examining the documented information related to the management system before the on-site audit activities. The purpose of a document review is to: 12

Determine the conformity of the management system, as far as documented, with audit criteria, i.e., to check whether the documents are consistent, complete, and compliant with the requirements of ISO/IEC 27001 and any other applicable standards or regulations.

Gather information to support the on-site audit activities, i.e., to identify the scope, objectives, processes, controls, risks, and opportunities of the management system, and to plan the audit methods, techniques, and resources accordingly.

The other statements are not accurate, because:

A document review does not reveal or decide about the conformity or nonconformity of the management system as a whole, but only of the documented information. The conformity or nonconformity of the management system is determined by the on-site audit activities, which include interviews, observations, and tests12

A document review does not gather evidence or findings to support the audit report or process, but information to support the on-site audit activities. The evidence or findings are collected during the on-site audit activities, which are then documented and reported12

A document review does not detect any nonconformity of the management system, if documented, but determines the conformity of the documented information. The nonconformity of the management system is detected by the on-site audit activities, which evaluate the performance and effectiveness of the management system12

A document review does not identify information to support the audit plan, but gathers information to support the on-site audit activities. The audit plan is prepared before the document review, based on the audit scope, objectives, criteria, and program. The document review is part of the audit plan implementation12

In the context of a third-party certification audit, it is very important to have effective communication between the audit team and the auditee. The formal communication channels, such as the names and contact details of the audit team members, the auditee representatives, the audit client and any other relevant parties, can be established during the opening meeting. This helps to ensure that the audit objectives, scope, criteria, methods, schedule and any other arrangements are clearly understood and agreed by all parties. It also facilitates the exchange of information, feedback, requests, concerns and complaints during the audit process. References: = ISO 19011:2022, clause 6.4.2; PECB Candidate Handbook ISO 27001 Lead Auditor, page 25.

The use of clear text passwords for authentication in FTP is a vulnerability because it is a weakness that can be exploited by threat actors. Clear text passwords can be intercepted easily by network sniffers or through man-in-the-middle attacks, making them a significant security risk1. References: = This explanation is consistent with the understanding of vulnerabilities within the field of information security, particularly as it relates to network protocols like FTP and their associated risks

The best way to dispose of a hard copy of a customer design document is to shred it using a shredder. This is because shredding ensures that the document is destroyed and cannot be reconstructed or accessed by unauthorized persons. A customer design document may contain sensitive or confidential information that could cause harm or damage to the customer or the organization if disclosed. Therefore, it is important to protect the confidentiality and integrity of the document until it is securely disposed of. Throwing it in any dustbin, giving it to the office boy to reuse it for other purposes, or reusing it for writing are not secure ways of disposing of the document, as they could expose the document to unauthorized access, theft, loss or damage. ISO/IEC 27001:2022 requires the organization to implement procedures for the secure disposal of media containing information (see clause A.8.3.2). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Secure Disposal?

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Combining multiple audit test plans ensures different perspectives and validation techniques are applied, improving audit accuracy.

ISO 19011:2018 encourages a diversified approach to auditing to ensure comprehensive results.

B. Incorrect:

Not all areas require equal auditing—risk-based focus is preferred.

C. Incorrect:

Frequent audits may still be required depending on organizational needs.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.3 (Using Multiple Audit Test Methods for Assurance)

In the context of a third-party certification audit, the management responsibilities of the audit team leader in managing the audit and the audit team include adopting a risk-based approach to planning the audit and establishing contact with the auditee. A risk-based approach to planning the audit means that the team leader should consider the risks and opportunities that may affect the achievement of the audit objectives, the scope and criteria, the audit methods and techniques, the allocation of resources and the assignment of tasks to the audit team members. Establishing contact with the auditee means that the team leader should communicate with the auditee before, during and after the audit, to confirm the audit arrangements, to obtain relevant information, to address any issues or concerns, to provide feedback and to report the audit results and conclusions. References: = ISO 19011:2022, clauses 6.4.1 and 6.4.2; PECB Candidate Handbook ISO 27001 Lead Auditor, pages 24 and 25.

The auditors did not establish a thorough understanding of SendPay’s cloud environment, making option B the correct answer. ISO/IEC 27001:2022 requires organizations to define and control the scope of their ISMS, including the technologies and environments used to process information. Cloud-based platforms represent a significant component of SendPay’s operations, particularly in a financial services context where confidentiality, integrity, and availability are critical.

In the scenario, the auditors explicitly chose not to request an inventory of SendPay’s cloud activities due to resource limitations and instead relied on SendPay’s representations. While practical constraints can influence audit scope, ISO 19011 requires auditors to obtain sufficient and appropriate evidence to support audit conclusions. Without a clear inventory or understanding of cloud activities, auditors cannot adequately assess risks, controls, or responsibilities related to cloud usage.

Option A is incorrect because the scenario clearly states that cloud activities were not fully examined. Option C is incorrect because reliance on assurances without supporting evidence does not meet the evidence-based auditing principle. Auditor reliance must be supported by verifiable information, especially when assessing outsourced or cloud-based services.

Therefore, the absence of a cloud activity inventory indicates that the auditors did not gain a thorough understanding of SendPay’s cloud environment, which is why option B is the correct answer.

The main purpose of a Stage 1 third-party audit is to determine readiness for a Stage 2 audit. A Stage 1 audit is a preliminary assessment that evaluates the organization’s ISMS documentation, scope, context, and objectives, and identifies any major gaps or nonconformities that need to be addressed before the Stage 2 audit. A Stage 1 audit does not introduce the audit team to the client, as this is done during the audit planning phase. A Stage 1 audit does not check for legal compliance by the organization, as this is done during the Stage 2 audit. A Stage 1 audit does not prepare an independent audit report, as this is done after the Stage 2 audit. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 70. : ISO/IEC 27001 LEAD AUDITOR - PECB, page 23.

The appropriate actions to take next are to investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied, to determine whether the high levels of rainfall have had other impacts on data centre operations, and to check with the guide that they intend to initiate the organisation’s information security incident process. These actions are relevant to the ISMS audit objectives and criteria, as they relate to the organisation’s risk assessment and treatment, security performance, and incident management processes. The other actions are either not within the scope of the ISMS audit, not required by the ISO/IEC 27001 standard, or not the responsibility of the auditor. References: PECB Candidate Handbook1, page 21-22; ISO/IEC 27001:2022 (en)2, clauses 6.1, 8.2, 9.1, and 10.2.

The word that best completes the sentence is “demonstrate”. According to ISO/IEC 27001:2022, Clause 7.5, the organization shall retain documented information as evidence of the performance of the processes and the conformity of the products and services with the requirements1. The purpose of retaining documented information is to demonstrate conformity with the requirements of the management system standard, not to maintain, audit, or certify it. References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 7.5

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Corroboration is the process of validating verbal statements with documented evidence.

ISO 19011:2018 emphasizes cross-verification of audit evidence to ensure accuracy.

A. Incorrect:

Observation involves witnessing real-time processes, but here, the audit team compared interview data with documentation.

C. Incorrect:

Evaluation assesses compliance with criteria, but corroboration focuses on evidence validation.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.7 (Corroboration of Audit Evidence)

The PDCA cycle is a four-step method for managing and improving processes. The steps are Plan, Do, Check, and Act. In the Plan phase, the objectives and scope of the process are defined, and the resources and activities are planned. In the Do phase, the process is implemented on a test basis, and the results are recorded and analyzed1. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

This option is appropriate for inclusion in the closing meeting agenda, as it is a requirement of the ISO 19011 standard, which provides guidelines for auditing management systems, including ISMS12. The standard states that the audit team leader should advise the auditee of any situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions, such as limitations in the audit scope, access, or sampling3. The standard also states that the audit report should include a statement that the audit is based on a sample of the information available at the time of the audit, and that the audit does not provide absolute assurance of the conformity or effectiveness of the audited management system4. Therefore, the audit team leader should include a disclaimer in the closing meeting agenda to inform the auditee of the nature and limitations of the audit, and to avoid any misunderstandings or false expectations. The other options are not appropriate for inclusion in the closing meeting agenda, as they are either irrelevant, incorrect, or incomplete. For example:

•A detailed explanation of the certification body’s complaints process is not relevant for the closing meeting agenda, as it is not related to the audit findings or conclusions. The certification body’s complaints process should be communicated to the auditee before the audit, as part of the audit agreement or contract5.

•An explanation of the audit plan and its purpose is not correct for the closing meeting agenda, as it should have been done at the opening meeting or before the audit. The audit plan is a document that describes the scope, objectives, criteria, and methodology of the audit, as well as the audit schedule, the audit team, the audit locations, and the audit deliverables . The audit plan should be communicated and agreed with the auditee in advance, and any changes or deviations should be notified during the audit.

•Names of auditees associated with nonconformities are not complete for the closing meeting agenda, as they do not provide the details or the evidence of the nonconformities. The audit team leader should present the audit findings, which include the description, the audit criteria, and the audit evidence of each nonconformity, as well as the audit conclusions and the audit recommendation . The audit team leader should also avoid naming or blaming individuals, and focus on the processes and the system.

 According to ISO/IEC 27001:2022 clause 6.1, the organization must establish, implement and maintain an information security risk management process that includes the following activities:

establishing and maintaining information security risk criteria;

ensuring that repeated information security risk assessments produce consistent, valid and comparable results;

identifying the information security risks;

analyzing the information security risks;

evaluating the information security risks;

treating the information security risks;

accepting the information security risks and the residual information security risks;

communicating and consulting with stakeholders throughout the process;

monitoring and reviewing the information security risks and the risk treatment plan.

According to control A.5.29, the organization must establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during a disruptive situation. The organization must also:

determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster;

establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation;

verify the availability of information processing facilities.

Therefore, the following options will not be in your audit trail, as they are not relevant to the information security risk management process or the information security continuity process:

E. Collect more evidence on how the organisation makes sure all staff periodically conduct a positive Covid test (Relevant to control A.7.2). This is not relevant to the information security aspects of business continuity management, as it is related to the health and safety of the staff, not the protection of information assets. Control A.7.2 is about screening of personnel prior to employment, not during employment.

G. Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6). This is not relevant to the information security aspects of business continuity management, as it is related to the operational and financial aspects of the business, not the identification and treatment of information security risks. Clause 6 is about the information security risk management process, not the business risk management process.

H. Collect more evidence on what resources the organisation provides to support the staff working from home. (Relevant to clause 7.1). This is not relevant to the information security aspects of business continuity management, as it is related to the general provision of resources for the ISMS, not the specific processes, procedures and controls to ensure the continuity of information security during a disruptive situation. Clause 7.1 is about determining and providing the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS, not the resources needed for the staff working from home.

This statement encapsulates the relationship between threats, vulnerabilities, and assets within the context of information security. Threats are potential causes of an unwanted incident, which may result in harm to a system or organization. Vulnerabilities are weaknesses that can be exploited by threats to cause harm. Assets are valuable resources to an organization that need protection. Therefore, when threats exploit vulnerabilities, they can damage or destroy assets. References: = The explanation is based on the foundational concepts of information security as outlined in ISO/IEC 27001, which includes understanding the interplay between threats, vulnerabilities, and assets as part of an information security management system (ISMS)

The auditor should consider "audit risks" when determining the "audit objectives." Understanding the risks associated with the audit helps define the objectives clearly, ensuring that the audit focuses on the most significant areas of concern, aligns with the audit scope, and adequately addresses the risks identified.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

Professional skepticism involves challenging evidence, verifying claims, and avoiding assumptions.

The auditors critically assessed the validity of evidence, ensuring claims made by Techvology were backed by concrete proof.

A. Incorrect:

Risk-based auditing prioritizes high-risk areas, but the paragraph focuses on verifying claims and evidence.

B. Incorrect:

Fair presentation ensures accurate reporting of findings, but the paragraph focuses on questioning evidence, not reporting.

Relevant Standard Reference:

ISO 19011:2018 Clause 4 (Principles of Auditing: Professional Skepticism)

The IRT’s finding that FTP transmits authentication credentials in clear text represents a vulnerability in information security terms. A vulnerability is defined as a weakness in an asset, system, or control that can be exploited by a threat. In this scenario, FTP itself is not a threat, nor is it the risk; rather, it is the technical weakness that enabled the attackers to succeed.

The attackers (hackers) are the threat, and the potential loss of proprietary information is the impact. The risk arises from the combination of the threat exploiting the vulnerability and causing harm. However, the question specifically asks what the IRT’s finding about FTP represents, and that finding is the identification of a weakness in the system design. The use of clear-text authentication is a well-known security weakness, making it easier for attackers to capture credentials through network traffic interception.

ISO/IEC 27001:2022 risk assessment logic requires organizations to distinguish clearly between threats, vulnerabilities, and risks during incident analysis. The IRT did exactly this by identifying that the protocol itself lacked encryption, which is a vulnerability. This is further supported by the corrective action taken: replacing FTP with SSH. SSH provides encrypted communication, which directly addresses the vulnerability by removing the weakness that allowed credential exposure.

Therefore, the IRT’s findings correctly identify FTP as a vulnerability, making option A the correct answer.

The audit team employed an evidence-based approach, making option A the correct answer. This is explicitly demonstrated throughout the scenario and aligns directly with ISO 19011:2018, which defines evidence-based auditing as one of the fundamental principles of auditing management systems. An evidence-based approach requires that audit conclusions are based on verifiable information and objective evidence rather than assumptions, opinions, or hypothetical scenarios.

In the scenario, the audit team clearly states that only information capable of being verified to some extent was considered valid audit evidence. This reflects the ISO 19011 requirement that audit evidence should be verifiable, relevant, and based on samples of available information. The auditors documented observations, inspection notes, asset inventories, and firewall configurations, all of which are tangible and verifiable sources of audit evidence. Even in situations where evidence was difficult to verify, the auditors applied professional judgment to assess reliability, which is consistent with the principle of due professional care rather than speculative analysis.

Option B is incorrect because a risk-based approach focuses on prioritizing audit activities based on risk levels, not on how conclusions are reached. While risk awareness may influence audit planning, it does not define the method of forming conclusions. Option C is incorrect because hypothetical analysis is not recognized as an acceptable audit method under ISO standards. ISO audits must be grounded in factual, verifiable evidence.

Therefore, the audit team’s systematic reliance on verifiable information confirms that an evidence-based approach was used.

Furthermore, Jack’s understanding of NightCore’s organizational context, management practices, and applicable statutory and regulatory requirements demonstrates competence in applying audit criteria within the organization’s specific environment. His ability to exercise professional judgment when evidence is difficult to verify further supports his suitability as an audit team leader.

Option A is incorrect because Jack’s experience spans multiple relevant domains, not just a few limited areas. Option B is incorrect because auditor competence is not based solely on understanding organizational structure; it requires a broader combination of auditing, technical, and contextual knowledge, all of which Jack clearly demonstrates.

Explanation (ISO-aligned)

Security awareness training is an administrative (organizational) control.

ISO/IEC 27002:2022 A.6.3 (Information security awareness, education and training) explicitly categorizes training as an administrative control.

It governs human behavior through policy, procedures, and education, not technology or law.

Legal controls relate to regulations.

Managerial controls relate to governance decisions.

✅ Correct classification: Administrative control.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

The primary goal of audit interviews is to validate compliance with ISO/IEC 27001.

ISO 19011:2018 states that interviews are a method to gather audit evidence.

B. Incorrect:

KPIs are relevant for performance measurement, but interviews focus on compliance validation.

C. Incorrect:

Understanding business challenges is secondary; the primary objective is ISO/IEC 27001 compliance verification.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.6 (Interviewing Techniques in Auditing)

The four controls from the list that the auditor in training should review are:

•B. How access to source code and development tools are managed: This control requires the organisation to restrict and monitor the access to the source code and development tools that are used to create, modify, or maintain the software applications and systems that process or store the data of external clients. This is important for ensuring the integrity, confidentiality, and availability of the software and the data, as well as for preventing unauthorized changes, errors, or malicious code injection.

•D. How protection against malware is implemented: This control requires the organisation to implement appropriate measures to detect, prevent, and remove malware from the IT systems and devices that process or store the data of external clients. This includes using antivirus software, firewalls, email filtering, web filtering, and other tools to protect against viruses, worms, ransomware, spyware, and other malicious software. This is essential for safeguarding the data and the systems from corruption, theft, or damage caused by malware.

•E. How the organisation evaluates its exposure to technical vulnerabilities: This control requires the organisation to identify and assess the technical vulnerabilities that may affect the IT systems and devices that process or store the data of external clients. This includes using vulnerability scanning tools, penetration testing tools, threat intelligence sources, and other methods to discover and evaluate the weaknesses and gaps in the security of the systems and the devices. This is necessary for prioritizing and implementing the appropriate corrective actions and controls to mitigate the risks posed by the vulnerabilities.

•G. The organisation’s arrangements for information deletion: This control requires the organisation to establish and implement policies and procedures for deleting the data of external clients from the IT systems and devices when it is no longer needed or required. This includes defining the criteria and methods for data deletion, such as secure erasure, encryption, or physical destruction. This is important for complying with the contractual obligations and the legal and regulatory requirements regarding the retention and disposal of the data, as well as for protecting the confidentiality and integrity of the data.

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the auditee should take the following actions in response to a nonconformity against clause 6.1.3.e of ISO/IEC 27001:20221:

Implement the appropriate risk treatment for each of the applicable controls, as this is the main requirement of clause 6.1.3.e and the objective of the risk treatment process2.

Revise the relevant content in the Statement of Applicability to justify their exclusion, as this is the expected output of the risk treatment process and the evidence of the risk-based decisions3.

Revisit the risk assessment process relating to the three controls, as this is the input for the risk treatment process and the source of identifying the risks and the controls4.

The other options are not correct because:

Allocating responsibility for producing evidence to prove to auditors that the controls are implemented is not a valid action, as the audit team already found that there was no evidence of the implementation of the three controls.

Compiling plans for the periodic assessment of the risks associated with the controls is not a valid action, as this is part of the risk monitoring and review process, not the risk treatment process5.

Incorporating written procedures for the controls into the organisation’s Security Manual is not a valid action, as this is part of the documentation and operation of the ISMS, not the risk treatment process.

Removing the three controls from the Statement of Applicability is not a valid action, as this is not a sufficient justification for their exclusion and does not reflect the risk treatment process.

Undertaking a survey of customers to find out if the controls are needed by them is not a valid action, as this is not a relevant criterion for the risk assessment and treatment process, which should be based on the organisation’s own context and objectives.

 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 36, section 4.5.22: ISO/IEC 27001:2022, clause 6.1.3.e3: ISO/IEC 27001:2022, clause 6.1.3.f4: ISO/IEC 27001:2022, clause 6.1.25: ISO/IEC 27001:2022, clause 6.2. : ISO/IEC 27001:2022, clause 7.5 and 8. : ISO/IEC 27001:2022, clause 6.1.3.d. : ISO/IEC 27001:2022, clause 4.1 and 4.2.

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, a correction is an action to eliminate a detected nonconformity, such as rework, repair, or replacement1. The examples of A, B, C, and E are corrections because they fix the errors or defects that caused the nonconformities, such as a missing signature, a missing guide, a wrong date, or a wrong colour code. The other examples (D, F, G, and H) are not corrections, but corrective actions, because they address the root causes of the nonconformities, such as inadequate training, poor planning, ineffective documentation, or unclear responsibility2. References: 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 35, section 4.5.12: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 36, section 4.5.2.

The technical expert can communicate their audit findings to the auditee only through one of the audit team members. This ensures that communications remain coordinated and that the audit team maintains control over the audit process.

Management review is a crucial component of an ISMS that helps determine opportunities for continual improvement. Through management review, an organization assesses the performance and effectiveness of its ISMS, including reviewing opportunities for improvements and the need for changes to the ISMS, including the security policy and security objectives.

The auditor should validate that documented information conforms to both content and format requirements defined by the organization’s documentation procedure, making option A the correct answer. ISO/IEC 27001 clause 7.5 requires documented information to be controlled, which includes requirements for format, identification, version control, and approval, as defined by the organization.

During stage 1 audits, auditors assess whether the organization has appropriate procedures in place and whether documented information is created and managed in accordance with those procedures. This includes verifying that documents follow established templates, naming conventions, approval mechanisms, and version control practices.

Option B is incorrect because while ISO/IEC 27001 does not prescribe a specific format, it requires conformity to the organization’s own documented information controls. Ignoring format would ignore part of the control requirement. Option C is partially correct in general, but insufficient in this context because the scenario explicitly states that the evaluation was based on content and procedure. The auditor must verify conformance, not just existence.

Therefore, validating alignment with documentation procedures, including format, is the correct auditor action.

The auditee is the organization or part of it that is subject to the audit. The auditee could be internal or external to the audit client . The auditee should cooperate with the audit team and provide them with access to relevant information, documents, records, personnel, and facilities .

The audit client is the organization or person that requests an audit. The audit client could be internal or external to the auditee . The audit client should define the audit objectives, scope, criteria, and programme, and appoint the audit team leader .

The technical expert is a person who provides specific knowledge or expertise relating to the organization, activity, process, product, service, or discipline to be audited. The technical expert could be internal or external to the audit team . The technical expert should support the audit team in collecting and evaluating audit evidence, but should not act as an auditor .

The observer is a person who accompanies the audit team but does not act as an auditor. The observer could be internal or external to the audit team . The observer should observe the audit activities without interfering or influencing them, unless agreed otherwise by the audit team leader and the auditee .

References :=

[ISO 19011:2022 Guidelines for auditing management systems]

[ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements]

This activity is permitted, provided that the certification body minimizes disturbance to the certification process, making option A the correct answer. ISO/IEC 17021-1, which governs certification bodies providing management system certification, explicitly allows certification bodies to evaluate the competence and performance of their auditors. This includes on-site witnessing of auditors during actual certification audits.

The purpose of such evaluations is to ensure auditor competence, consistency, and adherence to certification procedures. ISO/IEC 17021-1 requires certification bodies to maintain confidence in their certification activities by monitoring and evaluating auditors in real audit situations. Conducting these evaluations on-site is a common and accepted practice, especially for initial competence assessments or periodic performance reviews.

However, the certification body must ensure that the evaluation does not interfere with the audit objectives or disrupt the client’s operations. Option B is incorrect because there is no requirement or justification for suspending the client’s business activities. Certification audits are designed to be conducted alongside normal operations whenever possible. Option C is incorrect because while remote evaluations may be used in some circumstances, the standard does not prohibit on-site evaluations.

Therefore, an on-site evaluation of an auditor during a certification audit is permitted, provided that it is carefully managed and does not disrupt the certification process or the auditee’s normal operations.

The four controls from the list that are related to PHYSICAL aspects of the ISMS are:

•Access to and from the loading bay

•How power and data cables enter the building

•The operation of the site CCTV and door control systems

•The organisation’s arrangements for maintaining equipment

These controls are derived from the ISO 27001 Annex A, which provides a comprehensive list of information security controls that can be applied to an ISMS1. The other controls in the list are more related to ORGANIZATIONAL, LEGAL, or HUMAN aspects of the ISMS, which are also important, but not the focus of this question.

According to the ISMS Auditing Guideline2, the auditor in training should review the PHYSICAL controls by:

•Checking the SoA to identify the applicable controls and their implementation status

•Interviewing the relevant staff and management to verify their understanding and involvement in the controls

•Observing the physical and environmental conditions to confirm the existence and effectiveness of the controls

•Examining the relevant documents and records to validate the compliance and performance of the controls

I hope this helps you prepare for the exam. ????

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

The audit team documented findings, but the scenario does not confirm whether sufficient supporting evidence was included.

ISO 19011:2018 requires audit findings to be properly documented and justified with evidence.

Failing to document evidence reduces audit credibility.

A. Incorrect:

Preparing for the audit by reviewing policies and procedures is correct practice.

B. Incorrect:

Evaluating management responsibility for ISMS compliance is a required step in Stage 1.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)

ISO 19011:2018 Clause 6.5.3 (Audit Documentation Requirements)

According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, a certification body should establish criteria for determining audit time and audit team composition based on factors such as the scope of certification, size and complexity of the organization, risks associated with its activities, etc2. Therefore, if an auditee requests to extend the audit scope to include two additional sites after completing Stage 1 of an initial certification audit, the audit team leader should obtain information about the additional sites to inform the certification body, so that they can review and approve the change in scope and adjust the audit time and audit team accordingly2. The other options are not appropriate actions for the audit team leader to take in this situation. For example, increasing the length of the Stage 2 audit to include the extra sites without informing the certification body may violate their procedures and policies; arranging to complete a remote Stage 1 audit of the two sites using a video conferencing platform may not be feasible or effective depending on the nature and location of the sites; and informing the auditee that the request can be accepted but a full Stage 1 audit must be repeated may not be necessary or reasonable if there are no significant changes in the auditee’s ISMS since Stage 12. References: ISO/IEC 17021-1:2015 - Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements

Phishing is a type of information security incident that falls under the category of cracker/hacker attacks. Phishing is a form of fraud that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. Phishing is a common and serious threat to information security, as it can lead to identity theft, financial loss, data breach, malware infection or other damages. ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Phishing?

The Plan-Do-Check-Act (PDCA) cycle is a four-step method for implementing and improving processes, products, or services. The “plan” phase involves establishing the objectives and processes necessary to deliver the desired results. This may include setting SMART goals, identifying resources, defining roles and responsibilities, conducting risk assessments, and developing plans for training, communication, and monitoring.

Qualitative evidence in an audit typically involves observations, interviews, and reviews that provide insights into the processes and compliance through subjective but informed assessments. An interview with information security personnel to validate compliance with the standard requirements is an example of qualitative evidence, where the quality and effectiveness of processes are assessed based on expert judgments rather than measurable metrics.

Comprehensive and Detailed In-Depth Explanation:

A preventive control is a security measure implemented to prevent security incidents or risks from occurring. It proactively protects information systems and mitigates potential threats.

A. Using an application that prioritized orders based on its prior knowledge – This is an operational enhancement but not a security control. It improves efficiency but does not directly prevent security breaches or risks.

B. Signing a confidentiality agreement – This is a preventive control because it ensures that sensitive business information remains protected from unauthorized disclosure before transitioning to an outsourced service provider. It mitigates the risk of intellectual property theft or data misuse by legally binding the parties to confidentiality.

C. Expanding the capacity of the in-house data center – This is a corrective or operational control, as it addresses the issue of insufficient infrastructure but does not prevent security-related threats.

This aligns with ISO/IEC 27001:2022 Annex A Control A.5.6 (Contact with Special Interest Groups), which includes legal agreements and confidentiality measures to protect sensitive information.

Comprehensive and Detailed In-Depth Explanation:

The Statement of Applicability (SoA) is a mandatory document in ISO/IEC 27001:2022 that lists all Annex A controls, their applicability, and justifications for inclusion or exclusion.

C. Correct Answer: The SoA must include justifications for excluding Annex A controls. The scenario states that the project team excluded certain controls but does not mention that justifications were documented. This violates ISO/IEC 27001 Clause 6.1.3 (Information Security Risk Treatment), which requires documenting exclusions with reasons.

A. Incorrect: While the SoA should include an exhaustive list of controls, simply listing applicable controls from Annex A and other sources does not meet the requirement if exclusions are not justified.

B. Incorrect: Including security controls from other sources is allowed and does not invalidate the SoA, as organizations can define additional controls beyond Annex A based on their risk assessment.

Thus, Clinic's SoA is incomplete because it does not provide a justification for the exclusions of Annex A controls, making it non-compliant with ISO/IEC 27001 requirements.

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 7.2 requires an organization to determine the necessary competence of persons doing work under its control that affects its ISMS performance, and to provide training or take other actions to acquire or maintain the necessary competence1. Control A.6.3 requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect2. Therefore, if an ISMS auditor finds that the information security incident training effectiveness can be improved, this indicates an opportunity for improvement (OFI) that is relevant to clause 7.2 and control A.6.3.

According to ISO/IEC 27001:2022, clause 9.1 requires an organization to monitor, measure, analyze and evaluate its ISMS performance and effectiveness1. Control A.5.24 requires an organization to define and apply procedures for reporting information security events and weaknesses2. Therefore, if an ISMS auditor finds that based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel, this indicates a nonconformity (NC) that is not conforming with clause 9.1 and control A.5.24.

The other options are not correct options for preparing the audit findings based on the given information. For example, there is no nonconformance if the information security weaknesses, events, and incidents are reported, as this conforms with clause 9.1 and control A.5.24; there is no nonconformance if the information security handling training has performed, and its effectiveness was evaluated, as this conforms with clause 7.2 and control A.6.3; there is no nonconformity if the information security incident training has failed, as this may not necessarily indicate a lack of conformity with clause 7.2 or control A.6.3; there is no opportunity for improvement if the information security weaknesses, events, and incidents are reported, as this is already conforming with clause 9.1 and control A.5.24. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27002:2013 - Information technology – Security techniques – Code of practice for information security controls

Even though the marketing department was not included in the audit scope, the issue of employees' access rights control must be communicated to Sinvestment's representatives and included in the audit report because it is part of Sinvestment’s information security policy. It reflects on the overall adherence to the ISMS requirements.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

Internal audits detect nonconformities but do not actively prevent them.

A. Incorrect:

Internal audits verify corrective actions.

B. Incorrect:

Technology can reduce manual tasks in internal audits.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.7 (Audit Program Limitations)

The following are guidelines to protect your password, except for easy recall use the same password for company and personal accounts; do not share passwords with anyone. Using the same password for company and personal accounts is not a guideline to protect your password, as it increases the risk of compromising your password if one of your accounts is hacked or breached. You should use different and unique passwords for each account, and change them regularly. Sharing passwords with anyone is not a guideline to protect your password, as it reduces the security and accountability of your password. You should keep your password confidential and never disclose it to anyone, even if they claim to be authorized or trustworthy. Don’t use the same password for various company system security access is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if one of the systems is compromised or breached. You should use different and complex passwords for each system, and follow the password policies and standards of the organization. Change a temporary password on first log-on is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if the temporary password is intercepted or leaked. You should change the temporary password to a personal and secure password as soon as possible, and avoid using default or predictable passwords. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 43. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 15.

A third-party audit team leader is a person who leads an audit team that conducts audits on behalf of an external organization, such as a certification body, that provides certification or accreditation services to other organizations12.

One of the main responsibilities of a third-party audit team leader is to act on behalf of the certification body, which means to represent its interests, policies, and procedures during the audit process12.

Acting on behalf of the certification body involves communicating with the audit client and the auditee, planning and conducting the audit, reporting and evaluating the audit results, and making recommendations for certification or accreditation decisions12.

Acting on behalf of the certification body also requires maintaining professional integrity, impartiality, confidentiality, and competence throughout the audit process12.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

The two standards that are used as ISMS third-party certification audit criteria are ISO/IEC 27001 and relevant legal, statutory, and regulatory requirements. ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS)1. Relevant legal, statutory, and regulatory requirements are those that apply to the organization’s information security aspects and objectives2. The other options are either not standards (E) or not directly related to the ISMS certification audit criteria (A, B, C, F). References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 1 \n2: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 4.2

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Stage 1 audits identify gaps and allow the organization to correct major nonconformities before Stage 2 certification.

ISO/IEC 27006 requires organizations to address major nonconformities before proceeding to Stage 2.

A. Incorrect:

Organizations are allowed to correct nonconformities identified in Stage 1.

C. Incorrect:

Major changes must be addressed, not just minor modifications.

Relevant Standard Reference:

ISO/IEC 27006:2020 Clause 9.2.3 (Stage 1 and Stage 2 Audit Process)

The unfavorable recommendation for certification is best justified by the major nonconformity related to storing sensitive information in removable media, making option A the correct answer. ISO/IEC 27001 certification decisions are heavily influenced by the presence and effective resolution of major nonconformities, particularly those that expose the organization to significant information security risks.

In this scenario, sensitive information was stored on removable media in violation of Trustingo’s own information classification scheme. This represents a serious breakdown in control implementation and creates a high risk of data leakage, loss, or unauthorized disclosure. Such a condition is typically classified as a major nonconformity because it demonstrates a failure to effectively implement and enforce ISMS controls related to information handling and protection.

While the lack of an information labeling procedure is a valid nonconformity, it is generally considered minor when viewed in isolation. Option B therefore does not sufficiently justify an unfavorable certification recommendation on its own. Option C is also incorrect because submitting the action plan earlier than the agreed timeline is not a negative factor and does not breach certification requirements.

Even though Trustingo submitted an action plan, its lack of sufficient detail prevented the certification body from confirming that the major nonconformity would be effectively corrected and prevented from recurring. Therefore, the unresolved major nonconformity related to sensitive information on removable media is the primary justification for the unfavorable certification recommendation.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

ISO/IEC 17021-1 (Conformity assessment – Requirements for bodies providing audit and certification of management systems) states that the auditee may request a replacement of an auditor only for valid reasons.

A former employee of the company serving as an auditor presents a potential conflict of interest (real or perceived).

Therefore, Company X’s request is valid.

A. Incorrect:

While a conflict of interest is a valid reason, the replacement must be based on an objective, justified claim, and not just personal preference.

C. Incorrect:

Auditees can request an auditor’s replacement, but only under justified circumstances.

Relevant Standard Reference:

ISO/IEC 17021-1:2015 Clause 9.1.3 (Impartiality and Objectivity of Auditors)

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer: ISO 19011:2018 (Guidelines for Auditing Management Systems) states that all evidence must be treated equally and evaluated based on relevance, credibility, and objectivity.

Both sources should have been retained, reviewed, and verified rather than selectively prioritizing one over the other.

A. Incorrect:

A former employee may have insider knowledge, but their credibility must be verified—it is not inherently more reliable.

C. Incorrect:

While a client is independent, their evidence is not automatically more credible than a former employee's.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.7 (Collecting and Verifying Information)

The audit team used documented information review and observation for evidence collection and evaluation for analysis, making option A the correct answer. This aligns directly with ISO 19011, which identifies document review, observation, and evaluation as primary audit techniques.

In the scenario, auditors reviewed ISMS documentation remotely, observed departmental practices during stage 2, and evaluated whether controls such as access rights management and training documentation met ISO/IEC 27001 requirements. These activities constitute classic evidence-based auditing methods.

Option B is incorrect because there is no indication that technical verification or extensive sampling of systems occurred. Option C is incorrect because the audit did not rely solely on interviews, nor was trend analysis the primary analytical method used. Interviews were supplementary, not exclusive.

ISO auditing requires auditors to triangulate evidence using multiple methods. The combination of document review, observation, and evaluative analysis reflects appropriate and recommended audit practice.

Third-party accredited certification of information security management systems to ISO/IEC 27001:2022 provides assurance to organisations and interested parties that the organisation’s management system is maintained and effective, meaning that it conforms to the requirements of the standard, meets the organisation’s objectives and policies, and addresses the risks and opportunities related to information security. Third-party accredited certification also demonstrates that the organisation’s management system adopted a systematic approach to information security, meaning that it follows the Plan-Do-Check-Act (PDCA) cycle, applies the risk-based thinking principle, and considers the context and needs of the organisation and its stakeholders

No, the audit scope should reflect all of the organization's divisions that are covered by the ISMS. If the ISMS scope stated that it includes the whole company, the audit scope should align with this unless specifically justified and agreed upon by all stakeholders.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 (Guidelines for Auditing Management Systems) outlines diligent audit practices, including evidence-based assessment and professional skepticism.

The auditors critically reviewed records, interviewed staff, and validated incident response effectiveness.

They did not rely solely on verbal statements but sought concrete evidence, demonstrating due diligence and judgment.

B. Incorrect:

Employment contracts are not primary audit evidence for competence; training and certification records hold greater significance.

C. Incorrect:

The scenario does not mention that top management was excluded from interviews. However, their involvement is not mandatory for evaluating incident handling.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4 (Conducting Audit Activities)

The option that best describes how Information Security Management System (ISMS) audits should be conducted, aligning with best practices and standards like ISO/IEC 27001:2022, is:

D. Audit methods should be used to assess objective evidence in order to generate audit findings. Then, the audit conclusion should be created and presented to the auditee at the closing meeting.

This option accurately reflects the audit process, emphasizing the use of systematic audit methods to assess objective evidence, which is crucial for impartiality and accuracy in auditing. Audit findings are the results derived from evaluating the objective evidence against the audit criteria. The conclusion, based on the audit findings, provides a comprehensive summary of the audit's outcomes, indicating whether the audited ISMS meets the established criteria. Presenting these conclusions to the auditee during the closing meeting ensures transparency and provides an opportunity for immediate clarification and discussion of the results and potential next steps.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Due professional care refers to auditors carefully considering all relevant factors before initiating an audit.

In this scenario, the auditors assessed the auditee’s context, processes, and expectations, which aligns with ISO 19011:2018 Clause 4 (Principles of Auditing: Due Professional Care).

B. Incorrect:

Professional skepticism is about challenging evidence and avoiding assumptions, not about contextual planning.

C. Incorrect:

Integrity refers to acting honestly and ethically, which is not the focus here.

Relevant Standard Reference:

ISO 19011:2018 Clause 4.5 (Due Professional Care)

The best action to take in this scenario is to determine whether any additional effective arrangements are in place to verify individual access to secure areas, such as CCTV. This action is consistent with the audit principle of evidence-based approach, which requires the auditor to obtain sufficient and appropriate audit evidence to support the audit findings and conclusions1. By verifying the existence and effectiveness of other security controls, the auditor can assess the extent and impact of the nonconformity observed, and determine the appropriate audit finding and recommendation.

The other options are not the best actions to take in this scenario, because they are either premature or inappropriate. For example:

•Option A is inappropriate, because it is not the auditor’s role to suggest specific solutions or improvements to the auditee, but rather to report the audit findings and recommendations based on the audit criteria and objectives2. A large sign in reception may not be an effective or feasible solution to address the issue of tailgating, and it may not reflect the root cause of the problem.

•Option C is premature, because it assumes that the control A.7.1 ‘security perimeters’ is not adequately implemented, without verifying the existence and effectiveness of other security controls that may compensate for the observed nonconformity. The auditor should not jump to conclusions based on a single observation, but rather gather sufficient and appropriate audit evidence to support the audit finding3.

•Option D is premature, because it assumes that the control A.7.6 ‘working in secure areas’ is not adequately implemented, without verifying the existence and effectiveness of other security controls that may compensate for the observed nonconformity. The auditor should not jump to conclusions based on a single observation, but rather gather sufficient and appropriate audit evidence to support the audit finding3.

•Option E is inappropriate, because it is not related to the observed nonconformity, which is about the access control to secure areas, not the information security requirements agreed upon with the supplier. The auditor should not raise a nonconformity based on irrelevant or incorrect audit criteria4.

•Option F is inappropriate, because it is not the auditor’s role to suggest specific solutions or improvements to the auditee, but rather to report the audit findings and recommendations based on the audit criteria and objectives2. Requiring contractors to be accompanied at all times when accessing secure facilities may not be an effective or feasible solution to address the issue of tailgating, and it may not reflect the root cause of the problem.

Audit methods are techniques used by auditors to obtain audit evidence. Audit methods can be classified into two categories: those that involve human interaction and those that do not2. Audit methods that involve human interaction require direct communication between the auditor and the auditee or other relevant parties, such as interviews, questionnaires, surveys, meetings, etc. Audit methods that do not involve human interaction rely on observation, inspection, measurement, testing, sampling, analysis, etc., without requiring any verbal or written exchange2. Therefore, performing an independent review of procedures in preparation for an audit and reviewing the auditee’s response to an audit finding are examples of audit methods that involve human interaction, as they require reading and evaluating documents provided by the auditee or other sources. On the other hand, analysing data by remotely accessing the auditee’s server and observing work performed by remote surveillance are examples of audit methods that do not involve human interaction, as they do not require any direct communication with the auditee or other parties. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

The requirements for Information Security objectives are found in ISO/IEC 27001:2022, clause 6.2:

Top management shall ensure that information security objectives are established.

Objectives must:

Be consistent with the information security policy.

Be measurable (if practicable).

Take into account applicable information security requirements, and results from risk assessments and risk treatment.

Be communicated.

Be monitored.

Be updated as appropriate.

When planning how to achieve objectives, organisations must determine:

What will be done.

What resources will be required.

Who will be responsible.

When it will be completed.

How the results will be evaluated.

Analysis of each option:

A. Reviewed at all management reviews → Concern.ISO 27001 clause 9.3 (Management review) requires that the status of objectives is reviewed, but not at all management reviews — only at scheduled ones. Mandating every review is incorrect.

B. Communication → Correct.Clause 6.2 requires objectives to be communicated. This is valid.

C. Completion date → Correct.Clause 6.2 requires organisations to determine when it will be completed. Valid.

D. Measurable → Correct.Clause 6.2 explicitly says objectives must be measurable (if practicable). Valid.

E. Distributed to all staff → Concern.Clause 6.2 requires objectives to be communicated to those who need to be aware, not all staff. This is overreach and not aligned with the standard.

F. Budget/resources → Correct.Clause 6.2 requires determining what resources will be required. Valid.

G. Process to revisit → Correct.Clause 6.2 requires objectives to be updated as appropriate. Valid.

H. Top management determine annually → Concern.Clause 6.2 requires top management to ensure objectives are established, but there is no requirement for an annual cycle. This could cause mis-audit findings.

ISO/IEC 27001:2022, Clause 6.2 (Information security objectives and planning to achieve them)

The auditors primarily collected physical and technical evidence, making option B the correct answer. Physical and technical evidence refers to evidence obtained through direct observation of systems, configurations, and operational practices, as well as inspection of tangible or technical elements within the organization’s environment.

In the scenario, the auditors reviewed firewall configurations, examined operational planning and control activities, and inspected the inventory of information and associated assets. Firewall configurations are a clear example of technical evidence, as they involve system settings and security mechanisms that can be directly reviewed and validated. Asset inventories, while documented, are often verified through physical or system-level inspection to confirm their accuracy and completeness. Operational planning and control observations involve witnessing how processes are executed in practice, which also constitutes physical or technical evidence.

Option A is incorrect because analytical and documentary evidence would primarily involve reports, metrics, trend analysis, or formal documents without direct system inspection. While some documentation was reviewed, the scenario emphasizes inspection and observation of operational and technical controls. Option C is incorrect because mathematical evidence is not a recognized audit evidence category under ISO standards.

ISO 19011 recognizes observation and inspection as valid methods for collecting audit evidence, particularly when assessing the effectiveness of technical and operational controls. Therefore, the evidence collected in this audit is best classified as physical and technical evidence.

ISO/IEC 27001 focuses on the core principles of the CIA triad:

•Confidentiality: Ensuring information is accessible only to authorized individuals.

•Integrity: Maintaining the accuracy and completeness of information, protecting it from unauthorized modification.

•Availability: Information should be accessible to authorized users when needed (this is also important, but not one of the choices in this specific question).

According to ISO/IEC 27001:2022 clause 7.2, the organization must ensure that the persons doing work under its control are aware of the information security policy, their contribution to the effectiveness of the ISMS, the implications of not conforming to the ISMS requirements, and the benefits of improved information security performance. The organization must also provide information security awareness education and training to its personnel and relevant interested parties. According to control A.6.3, the organization must ensure that all employees and contractors are made aware of the information security incident management procedures and their expected roles and responsibilities. Therefore, an opportunity for improvement (OFI) can be identified if the information security incident training effectiveness can be improved, as evidenced by the differences in the understanding of the meaning of “weakness, event, and incident” among the staff.

According to ISO/IEC 27001:2022 clause 9.1, the organization must monitor, measure, analyze and evaluate the information security performance and the effectiveness of the ISMS. The organization must also retain appropriate documented information as evidence of the monitoring and measurement results. According to control A.5.24, the organization must establish and maintain an information security incident management process that includes the following activities:

•reporting information security events and weaknesses;

•assessing and deciding on information security events;

•responding to information security incidents;

•learning from information security incidents;

•collecting evidence and disclosing information.

Therefore, a nonconformity (NC) can be identified if the terminology of the incident management reporting process is unclear, as evidenced by the staff misunderstanding of the meaning of “weakness, event, and incident”. This could lead to inconsistent or inaccurate reporting, assessment, response, learning, and disclosure of information security incidents, which could affect the information security performance and the effectiveness of the ISMS.

Detection risk refers to the risk that the auditor will not detect a material misstatement or significant issue within the organization's ISMS. In this case, the auditor's inability to identify Company A's insecure network architecture is a detection risk.

Risk analysis is the process by which the nature of the risk is determined along with its probability and impact. Risk analysis involves estimating the likelihood and consequences of potential events or situations that could affect the organization’s information security objectives or requirements12. Risk analysis could use qualitative or quantitative methods, or a combination of both12.

Risk management is the process by which a risk is controlled at all stages of its life cycle by means of the application of organisational policies, procedures and practices. Risk management involves establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing the risks that could affect the organization’s information security performance or compliance12. Risk management aims to ensure that risks are identified and treated in a timely and effective manner, and that opportunities for improvement are exploited12.

Risk identification is the process by which a risk is recognised and described. Risk identification involves identifying and documenting the sources, causes, events, scenarios, and potential impacts of risks that could affect the organization’s information security objectives or requirements12. Risk identification could use various techniques, such as brainstorming, interviews, checklists, surveys, or historical data12.

Risk evaluation is the process by which the impact and/or probability of a risk is compared against risk criteria to determine if it is tolerable. Risk evaluation involves comparing the results of risk analysis with predefined criteria that reflect the organization’s risk appetite, tolerance, or acceptance12. Risk evaluation could use various methods, such as ranking, scoring, or matrix12. Risk evaluation helps to prioritize and decide on the appropriate risk treatment options12.

Risk mitigation is the process by which the impact and/or probability of a risk is reduced by means of the application of controls. Risk mitigation involves selecting and implementing measures that are designed to prevent, reduce, transfer, or accept risks that could affect the organization’s information security objectives or requirements12. Risk mitigation could include various types of controls, such as technical, organizational, legal, or physical12. Risk mitigation should be based on a cost-benefit analysis and a residual risk assessment12.

Risk transfer is the process by which a risk is passed to a third party, for example through obtaining appropriate insurance. Risk transfer involves sharing or shifting some or all of the responsibility or liability for a risk to another party that has more capacity or capability to manage it12. Risk transfer could include various methods, such as contracts, agreements, partnerships, outsourcing, or insurance12. Risk transfer should not be used as a substitute for effective risk management within the organization12.

References :=

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27005:2022 Information technology — Security techniques — Information security risk management

A sampling plan for the audit is a method of selecting a representative subset of the audit evidence to evaluate the conformity of the ISMS1. The advantages of using a sampling plan are:

It reduces the audit duration by focusing on the most relevant and significant aspects of the ISMS2.

It gives confidence in the audit results by ensuring that the sample is sufficient, reliable, and unbiased3.

 1: ISMS Auditing Guideline - ISO27000, page 9; 2: Internal Audit Plan – ISO Templates and Documents Download; 3: A Step-by-Step Guide to Conducting an ISO 27001 Internal Audit, Step 4; : ISMS Auditing Guideline - ISO27000; : Internal Audit Plan – ISO Templates and Documents Download; : A Step-by-Step Guide to Conducting an ISO 27001 Internal Audit

The purpose of including access rights in an information management system to ISO/IEC 27001:2022 is to provide, review, modify and remove these permissions in accordance with the organisation’s policy and rules for access control. 

Access rights are the permissions granted to users or groups of users to access, use, modify, or delete information assets. Access rights should be aligned with the organisation’s access control policy, which defines the objectives, principles, roles, and responsibilities for managing access to information systems. Access rights should also follow the organisation’s rules for access control, which specify the criteria, procedures, and controls for granting, reviewing, modifying, and revoking access rights. The purpose of including access rights in an information management system is to ensure that only authorised users can access information assets according to their business needs and roles, and to prevent unauthorised or inappropriate access that could compromise the confidentiality, integrity, or availability of information assets. References:

ISO/IEC 27001:2022 Annex A Control 5.181

ISO/IEC 27002:2022 Control 5.182

CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Training Course3

The correct answer is A, because peer review or independent review of audit working documents is an accepted and recommended auditing practice when performed by a qualified and authorized individual. ISO/IEC 17021-1 requires certification bodies to maintain quality assurance mechanisms, including review of audit documentation, to ensure audit consistency, impartiality, and technical validity.

Reviewing working documents before audit conclusions are finalized helps identify gaps, inconsistencies, or errors while corrective action is still possible. This strengthens the reliability of the audit outcome and supports sound certification decisions.

Option B is incorrect because limiting review to after conclusions are finalized reduces the effectiveness of quality control and may require rework. Option C is incorrect because auditors should not review their own work exclusively; independent review is a key safeguard against bias and oversight.

Therefore, a qualified auditor appointed by the certification body reviewing working documents prior to final conclusions is fully aligned with good auditing practice and accreditation requirements.

Comprehensive and Detailed In-Depth Explanation:

Managerial controls (also called administrative controls) include policies, procedures, and processes to ensure effective security governance. These controls include training, internal audits, security awareness programs, and management reviews. These align with ISO/IEC 27001:2022 Annex A Control A.5.2 (Information Security Roles and Responsibilities) and A.5.3 (Segregation of Duties).

B. Organizational structure controls relate to segregation of duties and job rotations, making them structural controls rather than purely managerial.

C. Technical controls involve firewalls, IDSs, and other security mechanisms, which are not managerial but technical measures.

The four controls from the list that the auditor in training should review are:

•A. Confidentiality and nondisclosure agreements: This control requires the organisation to ensure that all employees, contractors, and third parties who have access to sensitive information sign appropriate agreements that oblige them to protect the confidentiality and integrity of such information. This is especially important for an organisation that stores data on behalf of external clients, as it demonstrates its commitment to safeguarding their information assets and complying with their contractual obligations.

•C. Information security awareness, education and training: This control requires the organisation to provide regular and relevant information security awareness, education and training to all employees, contractors, and third parties who have access to the organisation’s information systems and information assets. This is essential for ensuring that they are aware of their roles and responsibilities, the information security policies and procedures, the potential threats and risks, and the best practices for preventing and responding to information security incidents.

•D. Remote working arrangements: This control requires the organisation to establish and implement policies and procedures for managing the information security risks associated with remote working arrangements, such as teleworking, mobile working, or working from home. This includes defining the conditions and requirements for remote working, such as the authorised devices, applications, and networks, the encryption and authentication methods, the backup and recovery procedures, and the reporting and monitoring mechanisms. This is important for an organisation that stores data on behalf of external clients, as it ensures that the information security level is maintained regardless of the location of the workers and the devices they use.

•E. The conducting of verification checks on personnel: This control requires the organisation to conduct appropriate verification checks on the background, qualifications, and references of all employees, contractors, and third parties who have access to the organisation’s information systems and information assets. This is necessary for verifying their identity, suitability, and trustworthiness, and for preventing the hiring of unauthorised or malicious individuals who could compromise the information security of the organisation and its clients.

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.5.29 requires an organization to establish and maintain a business continuity management process to ensure the continued availability of information and information systems at the required level following disruptive incidents1. The organization should identify and prioritize critical information assets and processes, assess the risks and impacts of disruptive incidents, develop and implement business continuity plans (BCPs), test and review the BCPs, and ensure that relevant parties are aware of their roles and responsibilities1. Therefore, when verifying the information security of the business continuity management process, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Three options that will be in the audit trail for verifying control A.5.29 are:

Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to protect the confidentiality, integrity and availability of information and information systems when staff work from home using mobile devices, such as laptops, tablets or smartphones. This is related to control A.6.7, which requires an organization to establish a policy and procedures for teleworking and use of mobile devices1.

Collect more evidence on how and when the Business Continuity Plan has been tested (Relevant to control A.5.29): This option is relevant because it can provide evidence of how the organization has tested and reviewed the BCPs to ensure their effectiveness and suitability for different scenarios, such as a pandemic. This is related to control A.5.29, which requires an organization to test and review the BCPs at planned intervals or when significant changes occur1.

Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to prevent or reduce the risk of infection or transmission of diseases among staff or residents, such as requiring regular staff self-testing and using a health status app. This is related to control A.7.2, which requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect1.

The other options are not relevant to verifying control A.5.29, as they are not related to the control or its requirements. For example:

Collect more evidence by interviewing more staff about their feeling about working from home (Relevant to clause 4.2): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 4.2, which requires an organization to understand the needs and expectations of interested parties, but not specifically to control A.5.29.

Collect more evidence on what resources the organisation provides to support the staff working from home (Relevant to clause 7.1): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 7.1, which requires an organization to determine and provide the resources needed for its ISMS, but not specifically to control A.5.29.

Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home (Relevant to clause 6): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 6, which requires an organization to plan actions to address risks and opportunities for its ISMS, but not specifically to control A.5.29.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Audit evidence can come from interviews, observations, and documentation.

Verbal evidence from top management is acceptable if documented and confirmed in writing.

A. Incorrect:

ISO 19011 allows verbal evidence as long as it is substantiated.

C. Incorrect:

Interviews alone are not sufficient—additional verification is required.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.6 (Reviewing Documented Information)

The standard definition of ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. This definition is given in clause 3.17 of ISO/IEC 27001:2022, and it describes the main components and purpose of an ISMS. An ISMS is not a project-based approach, as it is an ongoing process that requires continual improvement. An ISMS is not a company wide business objective, as it is a management system that supports the organization’s objectives. An ISMS is not an information security systematic approach, as it is a broader concept that encompasses the organization’s context, risks, controls, and performance. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 15. : ISO/IEC 27001:2022, clause 3.17.

If an organization like OrgXY informs the certification body that it is not ready to conduct the surveillance audit as scheduled, the certification may be suspended. This is because the surveillance audit is a critical part of the ongoing certification maintenance, required to ensure continued compliance with the standard.

Yes, it is acceptable for Sinvestment to request that the review of documented information occur on-site. The company has the right to stipulate that no documents be carried off-site, especially to maintain control over sensitive information and ensure confidentiality, which aligns with the security controls expected in ISO/IEC 27001.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

Technical verification involves directly testing or simulating controls.

Webvue’s personnel simulated the encryption process, confirming test data security measures.

A. Incorrect:

Document review is passive, while technical verification is active and includes real-time assessments.

B. Incorrect:

Corroboration is about cross-checking information, whereas technical verification tests controls in practice.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.9 (Technical Verification in Audits)

NightCore underwent a third-party audit, making option C the correct answer. A third-party audit is conducted by an independent certification body for the purpose of assessing conformity against a recognized international standard, such as ISO/IEC 27001. This type of audit is required when an organization seeks formal certification.

In the scenario, NightCore explicitly contracted a certification body to perform an audit for ISO/IEC 27001 certification. The audit team was formed by the certification body, not by NightCore itself or by a customer or supplier. This independence is the defining characteristic of a third-party audit. The objective of such an audit is to determine whether the ISMS conforms to ISO/IEC 27001 requirements and whether certification can be granted.

Option A is incorrect because a first-party audit is an internal audit conducted by or on behalf of the organization itself. Although NightCore had conducted internal audits previously, the scenario clearly refers to a certification audit performed by an external body. Option B is incorrect because a second-party audit is conducted by an interested party, such as a customer auditing a supplier, which is not the case here.

Therefore, based on the involvement of an independent certification body and the goal of ISO/IEC 27001 certification, the audit conducted at NightCore is correctly classified as a third-party audit.

According to ISO/IEC 27000:2018, which provides an overview and vocabulary of information security management systems, an information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant1. An information security incident is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security1. Therefore, based on this definition, three examples of information security incidents are:

A contractor who has not been paid deletes top management ICT accounts: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in loss of access, data, or functionality for the top management.

An unhappy employee changes payroll records without permission: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in financial fraud, legal liability, or reputational damage for the organization.

The organisation’s marketing data is copied by hackers and sold to a competitor: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in loss of confidentiality, competitive advantage, or customer trust for the organization.

The other options are not examples of information security incidents, but rather information security events that may or may not lead to incidents depending on their impact and severity. For example:

The organisation’s malware protection software prevents a virus: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, as it is prevented by the malware protection software.

A hard drive is used after its recommended replacement date: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless it fails or causes other problems.

The organisation receives a phishing email: This is an example of an identified occurrence of a network state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless it is opened or responded to by the recipient.

An employee fails to clear their desk at the end of their shift: This is an example of an identified occurrence of a service state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless the desk contains sensitive or confidential information that is accessed by unauthorized persons.

The organisation fails a third-party penetration test: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless the penetration test reveals serious vulnerabilities that are exploited by malicious actors.

Risk modification involves implementing controls to reduce the likelihood or impact of a risk. By replacing FTP with SSH, Knight has modified the risk associated with the transfer of files by ensuring that the data is encrypted, thereby reducing the likelihood of unauthorized access through traffic capturing1. References: = This answer is based on the standard risk treatment options provided in ISO/IEC 27001, which include avoiding, modifying, sharing, or retaining risks as part of the risk management process

B. 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers12.

D. 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms13.

E. 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks14. Storage media controls could include physical locks, encryption, backup, disposal, or destruction14.

F. 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets15.

I. 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts16.

J. 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes1 . Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse1 .

References :=

ISO/IEC 27002:2022 Information technology — Security techniques — Code of practice for information security controls

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27003:2022 Information technology — Security techniques — Information security management systems — Guidance

ISO/IEC 27004:2022 Information technology — Security techniques — Information security management systems — Monitoring measurement analysis and evaluation

ISO/IEC 27005:2022 Information technology — Security techniques — Information security risk management

ISO/IEC 27006:2022 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems

[ISO/IEC 27007:2022 Information technology — Security techniques — Guidelines for information security management systems auditing]

The correct answer is No, all processes listed in the ISMS scope must be audited, because the audit scope for certification must be consistent with the ISMS scope defined by the organization. ISO/IEC 27001 requires that the certification audit assess conformity of the entire ISMS as defined by its scope, not a selective subset of processes.

If HR processes are included in the ISMS scope, they are considered relevant to information security, for example through access management, onboarding and offboarding, training, and disciplinary procedures. Excluding such processes from the audit would result in incomplete coverage and undermine the validity of the certification decision.

Option A is incorrect because while audit programs and objectives influence audit planning, they cannot override the requirement to audit the full ISMS scope. The audit scope cannot be narrower than the ISMS scope for a certification audit. Option C is incorrect because ISO/IEC 27001 applies to people, processes, and technology, not only IT-related processes.

ISO/IEC 17021-1 requires certification bodies to ensure that audits cover all elements of the management system within scope. Therefore, excluding HR processes that are part of the ISMS scope is not acceptable.

No, copies of files are not generally kept as audit records unless specifically required and agreed upon in the audit plan. Audit records typically include notes and observations made by auditors, not copies of the auditee's files, unless these are essential and explicitly allowed by the auditee.

A legal technical expert (LTE) is a person who provides specific knowledge or expertise related to the legal aspects of the information security management system (ISMS) during a certification audit. The LTE is not an auditor, but a member of the audit team who supports the auditors in collecting and evaluating the audit evidence. The LTE is not responsible for evaluating the auditee’s legal knowledge, criticising the organisation’s legal compliance issues, or debating complex legal points with the auditee, as these tasks may be beyond the scope of the audit, or may compromise the objectivity and impartiality of the audit. The LTE is responsible for advising on legal checkpoints for the audit team, such as the applicable legal, regulatory, and contractual requirements, the relevant sources of information, the methods of verification, and the criteria of evaluation. The LTE is also responsible for verifying the legal status of the organisation, such as the registration, licensing, authorisation, or accreditation of the organisation, and the compliance with the relevant laws and regulations. References:

What is the role of a technical expert in ISO audit?

Roles, Responsibilities & Authorities for ISO 27001 5.3

Guide to Become an ISO 27001 Lead Auditor

According to ISO 27001:2022 clause 4.1, the organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system (ISMS)12

External issues are factors outside the organisation that it cannot control, but can influence or adapt to. They include political, economic, social, technological, legal, and environmental factors that may affect the organisation’s information security objectives, risks, and opportunities12

Internal issues are factors within the organisation that it can control or change. They include the organisation’s structure, culture, values, policies, objectives, strategies, capabilities, resources, processes, activities, relationships, and performance that may affect the organisation’s information security management system12

Therefore, the following issues are considered ‘internal’ in the context of a management system to ISO 27001:2022:

Poor levels of staff competence as a result of cuts in training expenditure: This is an internal issue because it relates to the organisation’s capability, resource, and process of developing and maintaining the competence of its personnel involved in the ISMS. The organisation can control or change its training expenditure and its impact on staff competence12

Poor morale as a result of staff holidays being reduced: This is an internal issue because it relates to the organisation’s culture, value, and relationship with its employees. The organisation can control or change its staff holiday policy and its impact on staff morale12

Increased absenteeism as a result of poor management: This is an internal issue because it relates to the organisation’s performance, structure, and accountability of its management. The organisation can control or change its management practices and its impact on staff absenteeism12

A fall in productivity linked to outdated production equipment: This is an internal issue because it relates to the organisation’s capability, resource, and process of ensuring the availability and suitability of its production equipment. The organisation can control or change its equipment maintenance and upgrade and its impact on productivity12

The following issues are considered ‘external’ in the context of a management system to ISO 27001:2022:

Higher labour costs as a result of an aging population: This is an external issue because it relates to the social and demographic factor that affects the availability and cost of labour in the market. The organisation cannot control or change the aging population, but can influence or adapt to its impact on labour costs12

A rise in interest rates in response to high inflation: This is an external issue because it relates to the economic and monetary factor that affects the cost and availability of capital in the market. The organisation cannot control or change the interest rates or inflation, but can influence or adapt to its impact on capital costs12

A reduction in grants as a result of a change in government policy: This is an external issue because it relates to the political and legal factor that affects the availability and conditions of public funding for the organisation. The organisation cannot control or change the government policy, but can influence or adapt to its impact on grants12

Inability to source raw materials due to government sanctions: This is an external issue because it relates to the political and legal factor that affects the availability and cost of raw materials in the market. The organisation cannot control or change the government sanctions, but can influence or adapt to its impact on raw materials12

The integrity principle of information security has been affected in this case. The chatbot’s inability to provide accurate answers and its unintended behavior (sending random files) due to insufficient testing and lack of proper training samples compromised the integrity of the system.