Free Access PECB.ISO-IEC-27001-Lead-Auditor.v2025-07-30.q306 Practice Test (Page 28)

Question 131

A marketing agency has developed its own risk assessment approach as part of the ISMS implementation. Is this acceptable?

A.Yes, any risk assessment methodology that complies with the ISO/IEC 27001 requirements can be used

B.Yes, only if the risk assessment methodology is aligned with recognized risk assessment methodologies

C.No, when implementing an ISMS, the risk assessment methodology provided by ISO/IEC 27001 should be used

Question 132

Which two of the following are examples of audit methods that 'do' involve human interaction?

A.Performing an independent review of procedures in preparation for an audit

B.Reviewing the auditee's response to an audit finding

C.Analysing data by remotely accessing the auditee's server

D.Observing work performed by remote surveillance

E.Analysing data by remotely accessing the auditee's server

Question 133

You are an experienced ISMS internal auditor.
You have just completed a scheduled information security audit of your organisation when the IT Manager approaches you and asks for your assistance in the revision of the company's Statement of Applicability.
The IT Manager is attempting to update the ISO/IEC 27001:2013 based Statement of Applicability to a Statement aligned to the 4 control themes present in ISO/IEC 27001:2022 (Organizational controls, People Controls, Physical Controls, Technical Controls).
The IT Manager is happy with their reassignment of controls, with the following exceptions. He asks you which of the four control categories each of the following should appear under.

Correct Answer:

Explanation

8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected
= Technological control 7.8 Equipment shall be sited securely and protected = Physical control 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation's needs = Organisational control 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's premises = People control Explanation: According to the web search results from my predefined tool, ISO 27001:2022 has restructured and consolidated the Annex A controls into four categories: organisational, people, physical, and technological12. These categories reflect the different aspects and dimensions of information security, and are aligned with the cybersecurity concepts of identify, protect, detect, respond, and recover3. The controls in each category are as follows4:
* Organisational controls: These are controls that relate to the governance, management, and coordination of information security activities within the organisation. They include controls such as information security policies, roles and responsibilities, risk assessment and treatment, performance evaluation, and improvement.
* People controls: These are controls that relate to the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. They include controls such as human resource security, training and awareness, access control, incident management, and business continuity.
* Physical controls: These are controls that relate to the protection of physical assets and environments that store, process, or transmit information. They include controls such as physical security, environmental security, equipment security, and media security.
* Technological controls: These are controls that relate to the use of technology to implement, monitor, and maintain information security. They include controls such as cryptography, network security, system security, application security, and threat intelligence.
Based on these categories, the controls listed in the question can be matched as follows:
* 8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected: This is a technological control, as it involves the use of technology to protect information on devices such as laptops, smartphones, tablets, etc. It may include measures such as encryption, authentication, antivirus, firewall, etc.
* 7.8 Equipment shall be sited securely and protected: This is a physical control, as it involves the protection of physical assets and environments that store, process, or transmit information. It may include measures such as locks, alarms, CCTV, fire suppression, etc.
* 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation's needs: This is an organisational control, as it involves the governance, management, and coordination of information security activities within the organisation. It may include measures such as defining the authority and accountability of information security personnel, establishing reporting lines and communication channels, assigning tasks and duties, etc.
* 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's premises: This is a people control, as it involves the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. It may include measures such as providing guidance and training on remote working, enforcing policies and procedures, monitoring and auditing remote activities, etc.
References: = 1: A Breakdown of ISO 27001:2022 Annex A Controls - BARR Advisory42: ISO 27001:2022 Annex A Controls - What's New? | ISMS.Online13: How many controls are there in ISO 27001:2022? - Strike Graph34: ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, Annex A.

Question 134

You are performing an ISMS audit at a residential nursing home (ABC) that provides healthcare services. The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC
20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.
The IT Manager presented the software security management procedure and summarised the process as following:
The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:
Access control.
Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and Personal data pseudonymization.
Vulnerability checked and no security backdoor
You sample the latest Mobile App Test report, details as follows:

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorised to approve the test.
The IT Manager explains the test results should be approved by him according to the software security management procedure.
The reason why the encryption and pseudonymisation functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval.
You are preparing the audit findings. Select the correct option.

A.There is NO nonconformity (NC). The Service Manager makes a good decision to continue the service.
(Relevant to clause 8.1, control A.8.30)

B.There is a nonconformity (NC). The organisation and developer do not perform acceptance tests.
(Relevant to clause 8.1, control A.8.29)

C.There is a nonconformity (NC). The organisation and developer perform security tests that fail.
(Relevant to clause 8.1, control A.8.29)

D.There is a nonconformity (NC). The Service Manager does not comply with the software security management procedure. (Relevant to clause 8.1, control A.8.30)

Question 135

Which two of the following phrases would apply to "audit objectives"?

A.Audit duration

B.Identifying opportunities for improvement, if required

C.Determining conformity

D.Checking legal compliance

E.Revising management policy

F.Auditor competence

Other Version: 3102PECB.ISO-IEC-27001-Lead-Auditor.v2024-10-22.q296; 2281PECB.ISO-IEC-27001-Lead-Auditor.v2024-07-04.q280; 1651PECB.ISO-IEC-27001-Lead-Auditor.v2024-05-07.q128; 1515PECB.ISO-IEC-27001-Lead-Auditor.v2023-05-01.q35; 1548PECB.ISO-IEC-27001-Lead-Auditor.v2022-05-18.q33; 1777PECB.ISO-IEC-27001-Lead-Auditor.v2022-01-24.q33; 118PECB.Exams4sures.ISO-IEC-27001-Lead-Auditor.v2021-11-27.by.elva.33q.pdf

Latest Upload: 203PaloAltoNetworks.NGFW-Engineer.v2026-05-01.q43; 305Nokia.4A0-113.v2026-05-01.q69; 270EC-COUNCIL.312-49v11.v2026-04-30.q214; 230Microsoft.MB-820.v2026-04-30.q101; 213Salesforce.MC-202.v2026-04-30.q57; 208BICSI.INSTC_V8.v2026-04-29.q53; 340NMLS.MLO.v2026-04-28.q82; 245NCARB.Project-Management.v2026-04-28.q27; 466EMC.D-AV-DY-23.v2026-04-27.q184; 1126ServiceNow.CSA.v2026-04-27.q483

Question 131

Question 132

Question 133

Question 134

Question 135

Download PDF File