
Ace PECB ISO-IEC-27001-Lead-Auditor Certification with Actual Questions Oct 20, 2023 Updated
2023 The Most Effective ISO-IEC-27001-Lead-Auditor with 140 Questions Answers
NEW QUESTION # 32
Changes to the information processing facilities shall be done in controlled manner.
- A. False
- B. True
Answer: B
NEW QUESTION # 33
As a new member of the IT department you have noticed that confidential information has been leaked several times. This may damage the reputation of the company. You have been asked to propose an organisational measure to protect laptop computers. What is the first step in a structured approach to come up with this measure?
- A. Formulate a policy
- B. Set up an access control procedure
- C. Encrypt all sensitive information
- D. Appoint security staff
Answer: A
Explanation:
An organisational measure is a measure that involves the establishment of policies, procedures, roles, responsibilities, and structures to manage information security within an organization. Examples of organisational measures include security policies, awareness programs, risk assessments, audits, and incident response plans. A policy is a statement of intent or direction that provides guidance for decision making and actions within an organization. A policy defines the scope, objectives, principles, and roles for information security management. Therefore, formulating a policy is the first step in a structured approach to come up with an organisational measure to protect laptop computers. Reference: ISO/IEC 27000:2022, clause 3.47; ISO/IEC 27001:2022, clause 5.2.
NEW QUESTION # 34
Which three of the following options are an advantage of using a sampling plan for the audit?
- A. Misses key issues
- B. Gives confidence in the audit results
- C. Provides a suitable understanding of the ISMS
- D. Implements the audit plan efficiently
- E. Overrules the auditor's instincts
- F. Use of the plan for consecutive audits
Answer: B,C,D
Explanation:
According to ISO 19011:2018, which provides guidelines for auditing management systems, a sampling plan is a method for selecting a representative subset of the audit evidence from a defined population1. A sampling plan can have several advantages for the audit, such as providing a suitable understanding of the ISMS by covering its key processes, activities, and controls; implementing the audit plan efficiently by optimizing the use of time and resources; and giving confidence in the audit results by ensuring that the sample is sufficient, reliable, and unbiased1. Therefore, these three options are examples of advantages of using a sampling plan for the audit. The other options are not advantages, but rather disadvantages or risks of using a sampling plan. For example, overruling the auditor's instincts may lead to missing important evidence or issues that are not covered by the sampling plan; using the same plan for consecutive audits may reduce the effectiveness and validity of the audit results; and missing key issues may result from an inadequate or inappropriate sampling plan1. Reference: ISO 19011:2018 - Guidelines for auditing management systems
NEW QUESTION # 35
Which two of the following statements are true?
- A. Curing a third-party audit, the auditor evaluates how the organisation ensures that 4 6 made aware of changes to the legal requirements
- B. The role of a certification body auditor involves evaluating the organisation's processes for ensuring compliance with their legal requirements
- C. As part of a certification body audit the auditor is resporable for verifying the organisation's legal compliance status
Answer: A,B
Explanation:
The following statements are true:
The role of a certification body auditor involves evaluating the organization's processes for ensuring compliance with their legal requirements. This is part of the auditor's responsibility to assess the effectiveness and conformity of the organization's ISMS against the ISO/IEC 27001:2022 standard and the applicable legal and regulatory requirements.
During a third-party audit, the auditor evaluates how the organization ensures that they are made aware of changes to the legal requirements. This is part of the auditor's responsibility to verify that the organization has established and maintained a process for identifying and updating their legal and other requirements related to information security. The following statement is false:
As part of a certification body audit, the auditor is responsible for verifying the organization's legal compliance status. This is not true, as the auditor is not authorized or qualified to provide legal advice or judgment on the organization's compliance status. The auditor can only report on the evidence of compliance or noncompliance observed during the audit, but the ultimate responsibility for ensuring legal compliance lies with the organization. Reference: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 66. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 67. : ISO/IEC 27001 LEAD AUDITOR - PECB, page 22.
NEW QUESTION # 36
You receive the following mail from the IT support team: Dear User,Starting next week, we will be deleting all inactive email accounts in order to create spaceshare the below details in order to continue using your account. In case of no response, Name:
Email ID:
Password:
DOB:
Kindly contact the webmail team for any further support. Thanks for your attention.
Which of the following is the best response?
- A. Ignore the email
- B. One should not respond to these mails and report such email to your supervisor
- C. Respond it by saying that one should not share the password with anyone
Answer: B
NEW QUESTION # 37
A decent visitor is roaming around without visitor's ID. As an employee you should do the following, except:
- A. Greet and ask him what is his business
- B. Escort him to his destination
- C. Say "hi" and offer coffee
- D. Call the receptionist and inform about the visitor
Answer: C
NEW QUESTION # 38
Which measure is a preventive measure?
- A. Installing a logging system that enables changes in a system to be recognized
- B. Shutting down all internet traffic after a hacker has gained access to the company systems
- C. Putting sensitive information in a safe
Answer: C
Explanation:
A preventive measure is a measure that aims to avoid or reduce the likelihood or impact of an unwanted incident. Putting sensitive information in a safe is an example of such a measure, as it protects the information from unauthorized access, theft, damage or loss. Installing a logging system, shutting down internet traffic or restoring data from backups are not preventive measures, but rather detective, corrective or recovery measures. They do not prevent incidents from happening, but rather help to identify, stop or recover from them. ISO/IEC 27001:2022 defines preventive action as "action to eliminate the cause of a potential nonconformity or other undesirable potential situation" (see clause 3.38). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Preventive Measure?
NEW QUESTION # 39
Someone from a large tech company calls you on behalf of your company to check the health of your PC, and therefore needs your user-id and password. What type of threat is this?
- A. Social engineering threat
- B. Technical threat
- C. Malware threat
- D. Organisational threat
Answer: A
Explanation:
The type of threat that occurs when someone from a large tech company calls you on behalf of your company to check the health of your PC, and therefore needs your user-id and password, is a social engineering threat. Social engineering is a technique that manipulates people into revealing confidential or sensitive information, such as passwords, personal data, bank details, etc., by impersonating someone trustworthy or authoritative, such as an IT support staff, a manager, a colleague, etc. Social engineering can be done through various channels, such as phone calls, emails, text messages, etc., and can exploit human emotions, such as curiosity, fear, greed or sympathy. Social engineering is often used by hackers or cybercriminals to gain unauthorized access to information systems or networks, or to perform malicious or fraudulent activities. Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Social Engineering?
NEW QUESTION # 40
Which of the following is a possible event that can have a disruptive effect on the reliability of information?
- A. Threat
- B. Vulnerability
- C. Dependency
- D. Risk
Answer: A
NEW QUESTION # 41
Which department maintain's contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications service providers depending on the service required.
- A. COO
- B. MRO
- C. CISO
- D. CSM
Answer: C
Explanation:
The department that maintains contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications service providers depending on the service required is CISO. CISO stands for Chief Information Security Officer. A CISO is a senior-level executive who is responsible for overseeing the information security strategy and governance of an organization. A CISO also leads the information security function and coordinates with other departments and stakeholders to ensure compliance with laws, regulations and standards related to information security. A CISO may also act as a liaison between the organization and external parties, such as law enforcement authorities or service providers, in case of incidents or investigations involving information security issues. ISO/IEC 27001:2022 requires the organization to assign top management roles and responsibilities for ensuring that information security objectives are established and achieved (see clause 5.3). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is CISO?
NEW QUESTION # 42
Which of the following does an Asset Register contain? (Choose two)
- A. Asset Owner
- B. Asset Type
- C. Process ID
- D. Asset Modifier
Answer: A,B
NEW QUESTION # 43
During discussions with the individual(s) managing the audit programme of a certification body, the Management System Representative of the client organisation asks for a specific auditor for the certification audit. Select two of the following options for how the individual(s) managing the audit programme should respond.
- A. Advise the Management System Representative that his request can be accepted
- B. State that his request will be considered but may not be taken up
- C. Advise the Management System Representative that the audit team selection is a decision that the audit programme manager needs to make based on the resources available
- D. Suggest asking the certification body management to permit the request
- E. Suggest that the Management System Representative chooses another certification body
Answer: B,C
Explanation:
According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, a certification body should ensure that its auditors are competent, impartial, and independent from the auditee organization2. Therefore, if a Management System Representative of a client organization asks for a specific auditor for the certification audit, the individual(s) managing the audit programme should respond in a way that does not compromise these principles or create any conflict of interest or undue influence2. Two possible ways to respond are to state that his request will be considered but may not be taken up, as there may be other factors that affect the auditor selection process; or to advise him that the audit team selection is a decision that the audit programme manager needs to make based on the resources available, such as auditor availability, competence, location, etc2. The other options are not suitable ways to respond in this situation. For example, advising him that his request can be accepted may raise doubts about the objectivity and credibility of the auditor and the certification body; suggesting that he chooses another certification body may imply that his request is unreasonable or unethical; and suggesting asking the certification body management to permit his request may suggest that there is room for negotiation or manipulation in auditor selection2. Reference: ISO/IEC 17021-1:2015 - Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements
NEW QUESTION # 44
What type of legislation requires a proper controlled purchase process?
- A. Computer criminality act
- B. Personal data protection act
- C. Government information act
- D. Intellectual property rights act
Answer: D
NEW QUESTION # 45
What is we do in ACT - From PDCA cycle
- A. Take actions to continually monitor process performance
- B. Take actions to continually improve people performance
- C. Take actions to continually improve process performance
- D. Take actions to continually monitor process performance
Answer: C
NEW QUESTION # 46
Does the security have the right to ask you to display your ID badges and check your bags?
- A. False
- B. True
Answer: B
Explanation:
The security has the right to ask you to display your ID badges and check your bags. This statement is true, as it is part of the physical security measures that the organization implements to prevent unauthorized physical access, damage and interference to its information and information processing facilities. The security personnel are authorized to verify the identity and authorization of anyone entering or leaving the premises, as well as to inspect any bags or items that may contain information or information processing equipment. This is done to ensure that no information or assets are stolen, lost, damaged or compromised by unauthorized persons. ISO/IEC 27001:2022 requires the organization to implement physical and environmental security controls to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities (see clause A.11). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Physical Security?
NEW QUESTION # 47
......
Try Free and Start Using Realistic Verified ISO-IEC-27001-Lead-Auditor Dumps Instantly.: https://www.fast2test.com/ISO-IEC-27001-Lead-Auditor-premium-file.html
ISO-IEC-27001-Lead-Auditor Actual Questions - Instant Download 140 Questions: https://drive.google.com/open?id=1z0GVJOaCewhr5wIHLdhVAH3pQI0IfUBu