Online Access Free ISO-IEC-27001-Lead-Auditor Practice Test

Scenario 8: Tess
a. Malik, and Michael are an audit team of independent and qualified experts in the field of security, compliance, and business planning and strategies. They are assigned to conduct a certification audit in Clastus, a large web design company. They have previously shown excellent work ethics, including impartiality and objectiveness, while conducting audits. This time, Clastus is positive that they will be one step ahead if they get certified against ISO/IEC 27001.
Tessa, the audit team leader, has expertise in auditing and a very successful background in IT-related issues, compliance, and governance. Malik has an organizational planning and risk management background. His expertise relies on the level of synthesis and analysis of an organization's security controls and its risk tolerance in accurately characterizing the risk level within an organization On the other hand, Michael is an expert in the practical security of controls assessment by following rigorous standardized programs.
After performing the required auditing activities, Tessa initiated an audit team meeting They analyzed one of Michael s findings to decide on the issue objectively and accurately. The issue Michael had encountered was a minor nonconformity in the organization's daily operations, which he believed was caused by one of the organization's IT technicians As such, Tessa met with the top management and told them who was responsible for the nonconformity after they inquired about the names of the persons responsible To facilitate clarity and understanding, Tessa conducted the closing meeting on the last day of the audit. During this meeting, she presented the identified nonconformities to the Clastus management. However, Tessa received advice to avoid providing unnecessary evidence in the audit report for the Clastus certification audit, ensuring that the report remains concise and focused on the critical findings.
Based on the evidence examined, the audit team drafted the audit conclusions and decided that two areas of the organization must be audited before the certification can be granted. These decisions were later presented to the auditee, who did not accept the findings and proposed to provide additional information. Despite the auditee's comments, the auditors, having already decided on the certification recommendation, did not accept the additional information. The auditee's top management insisted that the audit conclusions did not represent reality, but the audit team remained firm in their decision.
Based on the scenario above, answer the following question:
The audit team did not accept Clastus's additional information because they had already made the certification recommendation. Is this acceptable?

• A.No, the auditee can provide additional information if they disagree with the certification recommendation
• B.Yes, once the audit team decides on a certification recommendation, they cannot accept any additional information
• C.No, the auditor should not consider revisions that resulted from discussions with the auditee in the certification recommendation decision

In the context of a third-party certification audit, it is very important to have effective communication. Select an option that contains the correct answer about communication in an audit context.

• A.There is no need to establish a formal communication arrangement because an auditee can communicate with the auditor at any time during the audit
• B.During the audit, each auditor should periodically communicate any concerns to the auditee and audit client
• C.The formal communication channels between the audit team and the auditee can be established during the opening meeting
• D.During the audit, the responibility for communication rests with the audit team leader

Which one of the following conclusions in the audit report is not required by the certification body when deciding to grant certification?

• A.The organisation fully complies with all legal and other requirements applicable to the Information Security Management System.
• B.The plans to address corrective actions related to minor nonconformities have been accepted
• C.The scope of certification has been fulfilled
• D.The corrections taken by the organisation related to major nonconformities have been accepted.

The following are purposes of Information Security, except:

• A.Minimize Business Risk
• B.Increase Business Assets
• C.Ensure Business Continuity
• D.Maximize Return on Investment

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security of the business continuity management process. During the audit, you learned that the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the recent pandemic. You ask Service Manager to explain how the organisation manages information security during the business continuity management process.
The Service Manager presents the nursing service continuity plan for a pandemic and summarises the process as follows:
Stop the admission of any NEW residents.
70% of administration staff and 30% of medical staff will work from home.
Regular staff self-testing including submitting a negative test report 1 day BEFORE they come to the office.
Install ABC's healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking on the spot.
You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents' personal data when staff work from home. The Service Manager cannot answer and suggests the n" Security Manager should help with that.
You would like to further investigate other areas to collect more audit evidence Select three options that will be in your audit trail.

• A.Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6)
• B.Collect more evidence on what resources the organisation provides to support the staff working from home. (Relevant to clause 7.1)
• C.Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2)
• D.Collect more evidence by interviewing more staff about their feeling about working from home. (Relevant to clause 4.2)
• E.Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)
• F.Collect more evidence on how and when the Business Continuity Wan has been tested. (Relevant to control A.5.29)