2024 Correct Practice Tests of ISO-IEC-27001-Lead-Auditor Dumps with Practice Exam [Q104-Q129]


NEW QUESTION # 104
You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.
Match each of the descriptions provided to one of the following risk management processes.
To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

Answer:

Explanation:

Risk analysis is the process by which the nature of the risk is determined along with its probability and impact. Risk analysis involves estimating the likelihood and consequences of potential events or situations that could affect the organization's information security objectives or requirements [1][2]. Risk analysis could use qualitative or quantitative methods, or a combination of both [1][2].
Risk management is the process by which a risk is controlled at all stages of its life cycle by means of the application of organisational policies, procedures and practices. Risk management involves establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing the risks that could affect the organization's information security performance or compliance [1][2]. Risk management aims to ensure that risks are identified and treated in a timely and effective manner, and that opportunities for improvement are exploited [1][2].
Risk identification is the process by which a risk is recognised and described. Risk identification involves identifying and documenting the sources, causes, events, scenarios, and potential impacts of risks that could affect the organization's information security objectives or requirements [1][2]. Risk identification could use various techniques, such as brainstorming, interviews, checklists, surveys, or historical data [1][2].
Risk evaluation is the process by which the impact and/or probability of a risk is compared against risk criteria to determine if it is tolerable. Risk evaluation involves comparing the results of risk analysis with predefined criteria that reflect the organization's risk appetite, tolerance, or acceptance [1][2]. Risk evaluation could use various methods, such as ranking, scoring, or a risk matrix [1][2]. Risk evaluation helps to prioritize and decide on the appropriate risk treatment options [1][2].
Risk mitigation is the process by which the impact and/or probability of a risk is reduced by means of the application of controls. Risk mitigation involves selecting and implementing measures that are designed to prevent, reduce, transfer, or accept risks that could affect the organization's information security objectives or requirements [1][2]. Risk mitigation could include various types of controls, such as technical, organizational, legal, or physical [1][2]. Risk mitigation should be based on a cost-benefit analysis and a residual risk assessment [1][2].
Risk transfer is the process by which a risk is passed to a third party, for example through obtaining appropriate insurance. Risk transfer involves sharing or shifting some or all of the responsibility or liability for a risk to another party that has more capacity or capability to manage it [1][2]. Risk transfer could include various methods, such as contracts, agreements, partnerships, outsourcing, or insurance [1][2]. Risk transfer should not be used as a substitute for effective risk management within the organization [1][2].
References:
* ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements
* ISO/IEC 27005:2022 Information technology - Security techniques - Information security risk management


NEW QUESTION # 105
What type of compliance standard, regulation or legislation provides a code of practice for information security?

  • A. Computer criminality act
  • B. Personal data protection act
  • C. IT Service Management
  • D. ISO/IEC 27002

Answer: D

Explanation:
ISO/IEC 27002:2022 is an international standard that provides a code of practice for information security controls [4]. A code of practice is a set of guidelines and recommendations for implementing, maintaining, and improving information security in an organization [5]. ISO/IEC 27002:2022 covers various aspects of information security, such as organizational, human, technical, physical, and environmental controls. It is designed to be used as a reference for selecting, implementing, and managing controls within the process of establishing an ISMS based on ISO/IEC 27001:2022 [4]. Reference: ISO/IEC 27002:2022, Foreword and Introduction; ISO/IEC 27000:2022, clause 3.10.


NEW QUESTION # 106
The audit lifecycle describes the ISO 19011 process for conducting an individual audit. Drag and drop the steps of the audit lifecycle into the correct sequence.

Answer:

Explanation:
The correct sequence of the steps of the audit lifecycle according to ISO 19011:2018 is:
Step 1: Audit initiation
Step 2: Audit preparation
Step 3: Conducting the audit
Step 4: Preparing and distributing the audit report
Step 5: Audit completion
Step 6: Audit follow-up
This sequence reflects the logical order of the audit activities, from establishing the audit objectives, scope and criteria, to verifying the implementation and effectiveness of the corrective actions. However, ISO 19011:2018 also recognizes that some audit activities can be iterative or concurrent, depending on the nature and complexity of the audit. For example, audit preparation and conducting the audit can overlap when new information or changes occur during the audit. Similarly, audit follow-up can be integrated with audit completion when the corrective actions are verified shortly after the audit. Therefore, the audit lifecycle should be adapted to the specific context and needs of each audit.


NEW QUESTION # 107
Which department maintains contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications service providers, depending on the service required?

  • A. COO
  • B. MRO
  • C. CISO
  • D. CSM

Answer: C


NEW QUESTION # 108
An administration office is going to determine the dangers to which it is exposed.
What do we call a possible event that can have a disruptive effect on the reliability of information?

  • A. threat
  • B. dependency
  • C. risk
  • D. vulnerability

Answer: A

Explanation:
A possible event that can have a disruptive effect on the reliability of information is a threat. A threat is anything that has the potential to harm an asset or its protection, such as a natural disaster, a human error, a malicious attack, etc. A threat can exploit a vulnerability or weakness in an asset or its protection and cause an adverse impact on the confidentiality, integrity or availability of information. ISO/IEC 27001:2022 defines threat as "potential cause of an unwanted incident, which can result in harm to a system or organization" (see clause 3.48). References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Threat?


NEW QUESTION # 109
You are performing an ISMS initial certification audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to conduct the closing meeting. During the final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and 1 opportunity for improvement as below:

Select the one recommendation to the audit programme manager that you are going to advise the auditee of at the closing meeting.

  • A. Recommend that a full scope re-audit is required within 6 months
  • B. Recommend certification immediately
  • C. Recommend that a partial audit is required within 3 months
  • D. Recommend that an unannounced audit is carried out at a future date
  • E. Recommend certification after your approval of the proposed corrective action plan Recommend that the findings can be closed out at a surveillance audit in 1 year

Answer: E

Explanation:
According to ISO/IEC 17021-1:2015, which specifies the requirements for bodies providing audit and certification of management systems, clause 9.4.9 requires the certification body to make a certification decision based on the information obtained during the audit and any other relevant information [1]. The certification body should also consider the effectiveness of the corrective actions taken by the auditee to address any nonconformities identified during the audit [1]. Therefore, when making a recommendation to the audit programme manager, an ISMS auditor should consider the nature and severity of the nonconformities and the proposed corrective actions.
Based on the scenario above, the auditor should recommend certification after their approval of the proposed corrective action plan and recommend that the findings can be closed out at a surveillance audit in 1 year. The auditor should provide the following justification for their recommendation:
* Justification: This recommendation is appropriate because it reflects the fact that the auditee has only two minor nonconformities and one opportunity for improvement, which do not indicate a significant or systemic failure of their ISMS. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity [2]. An opportunity for improvement is defined as a suggestion for improvement beyond what is required by ISO/IEC 27001:2022 [2]. Therefore, these findings do not prevent or preclude certification, as long as they are addressed by appropriate corrective actions within a reasonable time frame. The auditor should approve the proposed corrective action plan before recommending certification, to ensure that it is realistic, achievable, and effective. The auditor should also recommend that the findings can be closed out at a surveillance audit in 1 year, to verify that the corrective actions have been implemented and are working as intended.
The other options are not valid recommendations for the audit programme manager, as they are either too lenient or too strict for the given scenario. For example:
* Recommend certification immediately: This option is not valid because it implies that the auditor ignores or accepts the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:2018 [2], which provides guidelines for auditing management systems. It also contradicts the requirement of ISO/IEC 17021-1:2015 [1], which requires the certification body to consider the effectiveness of the corrective actions taken by the auditee before making a certification decision.
* Recommend that a full scope re-audit is required within 6 months: This option is not valid because it implies that the auditor overreacts or exaggerates the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:2018 [2]. It also contradicts the requirement of ISO/IEC 17021-1:2015 [1], which requires the certification body to determine whether a re-audit is necessary based on the nature and extent of nonconformities and other relevant factors. A full scope re-audit is usually reserved for major nonconformities or multiple minor nonconformities that indicate a serious or widespread failure of an ISMS.
* Recommend that an unannounced audit is carried out at a future date: This option is not valid because it implies that the auditor distrusts or doubts the auditee's commitment or capability to implement corrective actions, which is contrary to the audit principles and objectives of ISO 19011:2018 [2]. It also contradicts the requirement of ISO/IEC 17021-1:2015 [1], which requires the certification body to conduct unannounced audits only under certain conditions, such as when there are indications of serious problems with an ISMS or when required by sector-specific schemes.
* Recommend that a partial audit is required within 3 months: This option is not valid because it implies that the auditor imposes or prescribes a specific time frame or scope for verifying corrective actions, which is contrary to the audit principles and objectives of ISO 19011:2018 [2]. It also contradicts the requirement of ISO/IEC 17021-1:2015 [1], which requires the certification body to determine whether a partial audit is necessary based on the nature and extent of nonconformities and other relevant factors. A partial audit may be appropriate for minor nonconformities, but the time frame and scope should be agreed upon with the auditee and based on the proposed corrective action plan.
References:
* [1] ISO/IEC 17021-1:2015 - Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements
* [2] ISO 19011:2018 - Guidelines for auditing management systems


NEW QUESTION # 110
You are the lead auditor of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks.
What is this risk strategy called?

  • A. Risk avoidance
  • B. Risk skipping
  • C. Risk neutral
  • D. Risk bearing

Answer: D

Explanation:
The risk strategy that involves taking measures for the large risks but not for the small risks is called risk bearing. Risk bearing is a strategy that accepts the existence of risks and their potential consequences without implementing any specific controls to reduce them. Risk bearing is usually applied to risks that have low likelihood and low impact, or when the cost of controls outweighs the benefits. Risk bearing implies that the organization has enough resources and resilience to cope with the risks if they materialize. ISO/IEC 27001:2022 defines risk acceptance as "decision to accept risk" (see clause 3.4). References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, [What is Risk Bearing?]


NEW QUESTION # 111
The following are definitions of Information, except:

  • A. mature and measurable data
  • B. specific and organized data for a purpose
  • C. can lead to understanding and decrease in uncertainty
  • D. accurate and timely data

Answer: A

Explanation:
The definition of information that is not correct is C: mature and measurable data. This is not a valid definition of information, as information does not have to be mature or measurable to be considered as such. Information can be any data that has meaning or value for someone or something in a certain context. Information can be subjective, qualitative, incomplete or uncertain, depending on how it is interpreted or used. Mature and measurable data are characteristics that may apply to some types of information, but not all. The other definitions of information are correct, as they describe different aspects of information, such as accuracy and timeliness (A), specificity and organization (B), and understanding and uncertainty reduction (D). ISO/IEC 27001:2022 defines information as "any data that has meaning" (see clause 3.25). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Information?


NEW QUESTION # 112
Information or data that are classified as ______ do not require labeling.

  • A. Confidential
  • B. Internal
  • C. Highly Confidential
  • D. Public

Answer: D

Explanation:
Information or data that are classified as public do not require labeling. Public information or data are those that are intended for general disclosure and have no impact on the organization's operations or reputation if disclosed. Labeling is a method of implementing classification, which is a process of structuring information according to its sensitivity and value for the organization. Labeling helps to identify the level of protection and handling required for each type of information. Information or data that are classified as internal, confidential, or highly confidential require labeling, as they contain information that is not suitable for public disclosure and may cause harm or loss to the organization if disclosed. References: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 34; CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 37; [ISO/IEC 27001 LEAD AUDITOR - PECB], page 14.


NEW QUESTION # 113
What is the security management term for establishing whether someone's identity is correct?

  • A. Authentication
  • B. Identification
  • C. Authorisation
  • D. Verification

Answer: A


NEW QUESTION # 114
Changes to the information processing facilities shall be done in a controlled manner.

  • A. True
  • B. False

Answer: A

Explanation:
Changes to the information processing facilities shall be done in a controlled manner, according to clause 12.1.2 of ISO/IEC 27001:2022. This is to ensure that the security of information and systems is not compromised by the changes, and that the changes are authorized, documented, tested, and approved before implementation. References: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 63; ISO/IEC 27001:2022, clause 12.1.2.


NEW QUESTION # 115
In order to take out a fire insurance policy, an administration office must determine the value of the data that it manages.
Which factor is not important for determining the value of data for an organization?

  • A. The degree to which missing, incomplete or incorrect data can be recovered.
  • B. The content of data.
  • C. The importance of the business processes that make use of the data.
  • D. The indispensability of data for the business processes.

Answer: B

Explanation:
The content of data is not an important factor for determining the value of data for an organization. The content of data refers to the representation or format of data, such as text, numbers, images, audio, video, etc. The content of data can change depending on how it is processed, stored, or presented, but the value of data is derived from its meaning and usefulness for the organization. Therefore, the content of data is not relevant for taking out a fire insurance policy, as it does not reflect the potential loss or damage that the organization would suffer if the data was destroyed by fire. The other factors, such as the degree of recoverability, the indispensability, and the importance of data for the business processes, are important for determining the value of data for an organization. These factors indicate how critical the data is for the organization's operations, performance, and competitiveness, and how difficult or costly it would be to restore or replace the data in case of a fire. Therefore, the correct answer is A. Reference: Putting a value on data - PwC UK, page 3; What is Data Value? How to Define the Value of Your Data.


NEW QUESTION # 116
What type of legislation requires a proper controlled purchase process?

  • A. Computer criminality act
  • B. Intellectual property rights act
  • C. Government information act
  • D. Personal data protection act

Answer: B

Explanation:
An intellectual property rights act is a type of legislation that requires a proper controlled purchase process. Intellectual property rights are legal rights that protect creations of the mind, such as inventions, literary and artistic works, designs, symbols, names and images. Intellectual property rights can include patents, trademarks, copyrights, trade secrets, etc. A proper controlled purchase process is a process that ensures that the organization obtains valid licenses or permissions from the owners or authorized parties of the intellectual property rights before using or acquiring any intellectual property assets. This process helps to avoid infringing on the intellectual property rights of others, which may result in legal actions, fines, damages or reputational harm. ISO/IEC 27001:2022 requires the organization to comply with relevant legal and contractual obligations related to intellectual property rights (see clause A.18.1.4). References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Intellectual Property?


NEW QUESTION # 117
There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The backup tapes kept in another room had melted and many other documents were lost for good.
What is an example of the indirect damage caused by this fire?

  • A. Burned computer systems
  • B. Water damage due to the fire extinguishers
  • C. Melted backup tapes
  • D. Burned documents

Answer: B

Explanation:
An example of the indirect damage caused by the fire in the branch of Midwest Insurance is water damage due to the fire extinguishers. Indirect damage is the damage that occurs as a consequence of an incident, but not directly caused by it. Indirect damage can include loss of revenue, reputation, customers, market share, etc. In this case, the water damage due to the fire extinguishers is not directly caused by the fire itself, but by the actions taken to stop it. The water damage can affect other assets or information that were not burned by the fire, such as furniture, carpets, documents, etc. ISO/IEC 27001:2022 defines indirect impact as "impact resulting from consequences of an unwanted incident" (see clause 3.26). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, [What is Indirect Damage?]


NEW QUESTION # 118
CMM stands for?

  • A. Capacity Maturity Matrix
  • B. Capable Mature Model
  • C. Capability Maturity Matrix
  • D. Capability Maturity Model

Answer: D


NEW QUESTION # 119
Which two of the following are examples of audit methods that 'do' involve human interaction?

  • A. Performing an independent review of procedures in preparation for an audit
  • B. Analysing data by remotely accessing the auditee's server
  • C. Reviewing the auditee's response to an audit finding
  • D. Analysing data by remotely accessing the auditee's server
  • E. Observing work performed by remote surveillance

Answer: A,C

Explanation:
Audit methods are techniques used by auditors to obtain audit evidence. Audit methods can be classified into two categories: those that involve human interaction and those that do not [2]. Audit methods that involve human interaction require direct communication between the auditor and the auditee or other relevant parties, such as interviews, questionnaires, surveys, meetings, etc. Audit methods that do not involve human interaction rely on observation, inspection, measurement, testing, sampling, analysis, etc., without requiring any verbal or written exchange [2]. Therefore, performing an independent review of procedures in preparation for an audit and reviewing the auditee's response to an audit finding are examples of audit methods that involve human interaction, as they require reading and evaluating documents provided by the auditee or other sources. On the other hand, analysing data by remotely accessing the auditee's server and observing work performed by remote surveillance are examples of audit methods that do not involve human interaction, as they do not require any direct communication with the auditee or other parties. Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA


NEW QUESTION # 120
Which of the following does an Asset Register contain? (Choose two)

  • A. Asset Owner
  • B. Asset Type
  • C. Asset Modifier
  • D. Process ID

Answer: A,B

Explanation:
An asset register is a document that contains information about the assets associated with information and information processing facilities within the scope of the information security management system. An asset register should include, among other things, the asset type and the asset owner. The asset type is a category or classification of the asset, such as hardware, software, data, document, service, etc. The asset owner is a person or entity that has been assigned the responsibility for managing and protecting the asset throughout its lifecycle. The asset type and the asset owner are important information for identifying and controlling the assets, as well as for performing risk assessments and applying security controls. ISO/IEC 27001:2022 requires the organization to maintain an inventory of assets within the scope of the information security management system (see clause A.8.1.1). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is an Asset Register?


NEW QUESTION # 121
You are an experienced ISMS audit team leader, talking to an Auditor in training who has been assigned to your audit team. You want to ensure that they understand the importance of the Check stage of the Plan-Do-Check-Act cycle in respect of the operation of the information security management system.
You do this by asking them to select the words that best complete the sentence:
To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Answer:

Explanation:
* Review is the third stage of the Plan-Do-Check-Act (PDCA) cycle, which is a four-step model for implementing and improving an information security management system (ISMS) according to ISO/IEC 27001:2022 [1][2]. Review involves assessing and measuring the performance of the ISMS against the established policies, objectives, and criteria [1][2].
* Assess is the verb that describes the action of reviewing the ISMS. Assess means to evaluate, analyze, or measure something in a systematic and objective manner [3]. Assessing the ISMS involves collecting and verifying audit evidence, identifying strengths and weaknesses, and determining the degree of conformity or nonconformity [1][2].
* Regular is the adjective that describes the frequency or interval of reviewing the ISMS. Regular means occurring or done at fixed or uniform intervals [4]. Reviewing the ISMS at regular intervals means conducting internal audits and management reviews periodically, such as annually, quarterly, or monthly, depending on the needs and risks of the organization [1][2].
* Suitability is one of the attributes that describes the quality or outcome of reviewing the ISMS. Suitability means being appropriate or fitting for a particular purpose, person, or situation [5]. Reviewing the ISMS for suitability means ensuring that it is aligned with the organization's strategic direction, business objectives, and information security requirements [1][2].
References:
* ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements
* ISO/IEC 27003:2022 Information technology - Security techniques - Information security management systems - Guidance
* Assess | Definition of Assess by Merriam-Webster
* Regular | Definition of Regular by Merriam-Webster
* Suitability | Definition of Suitability by Merriam-Webster


NEW QUESTION # 122
Which is not a requirement of HR prior to hiring?

  • A. Must successfully pass Background Investigation
  • B. Applicant must complete pre-employment documentation requirements
  • C. Undergo background verification
  • D. Must undergo Awareness training on information security.

Answer: D


NEW QUESTION # 123
After a fire has occurred, what repressive measure can be taken?

  • A. Repairing all systems after the fire
  • B. Extinguishing the fire after the fire alarm sounds
  • C. Buying in a proper fire insurance policy

Answer: B

Explanation:
A repressive security measure is a measure that aims to stop or limit an ongoing incident from causing further harm, or to restore normal operations as soon as possible. A repressive security measure can be a policy, a procedure, a device, a technique or an action that responds to an incident and mitigates its consequences.
Extinguishing the fire after the fire alarm sounds is an example of a repressive security measure, because it stops the fire from spreading and damaging more assets or endangering more people. ISO/IEC 27001:2022 defines repressive control as "control that modifies risk by reducing the consequences of an unwanted incident" (see clause 3.38). References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, [What is Repressive Security?]


NEW QUESTION # 124
You work in the office of a large company. You receive a call from a person claiming to be from the Helpdesk. He asks you for your password.
What kind of threat is this?

  • A. Social Engineering
  • B. Arson
  • C. Natural threat
  • D. Organizational threat

Answer: A


NEW QUESTION # 125
Which of the following factors does NOT contribute to the value of data for an organisation?

  • A. The correctness of data
  • B. The importance of data for processes
  • C. The indispensability of data
  • D. The content of data

Answer: D


NEW QUESTION # 126
Which six of the following actions are the individual(s) managing the audit programme responsible for?

  • A. Retaining documented information of the audit results
  • B. Selecting the audit team
  • C. Defining the plan of an individual audit
  • D. Establishing the audit programme
  • E. Communicating with the auditee during the audit
  • F. Establishing the extent of the audit programme
  • G. Determining the resources necessary for the audit programme
  • H. Defining the objectives, scope and criteria for an individual audit

Answer: A,B,C,D,F,H

Explanation:
According to ISO 19011:2018, which provides guidelines for auditing management systems, an audit programme is a set of one or more audits planned for a specific time frame and directed towards a specific purpose [1]. The individual(s) managing the audit programme are responsible for establishing, implementing and maintaining the audit programme in accordance with the organization's policies and objectives [1]. This includes defining the extent of the audit programme based on strategic direction, risks and opportunities; establishing the audit programme by defining its objectives, scope and criteria; determining the resources necessary for the audit programme; selecting competent auditors and assigning them to appropriate audits; defining the objectives, scope and criteria for each individual audit; defining the plan of each individual audit; retaining documented information of the audit results; reviewing and improving the performance of the audit programme [1]. Therefore, these six actions are part of the responsibilities of the individual(s) managing the audit programme. The other option, communicating with the auditee during the audit, is not a responsibility of the individual(s) managing the audit programme, but rather a responsibility of the audit team leader [1]. Reference: [1] ISO 19011:2018 - Guidelines for auditing management systems


NEW QUESTION # 127
You have to carry out a third-party virtual audit. Which two of the following issues would you need to inform the auditee about before you start conducting the audit?

  • A. You expect the auditee to have assessed all risks associated with online activities.
  • B. You will ask to see the ID card of the person that is on the screen.
  • C. You will take photos of every person you interview.
  • D. You will ask those being interviewed to state their name and position beforehand.
  • E. You will ask for a 360-degree view of the room where the audit is being carried out.
  • F. You will not record any part of the audit, unless permitted.

Answer: D,E

Explanation:
A third-party virtual audit is an external audit conducted by an independent certification body using remote technology such as video conferencing, screen sharing, and electronic document exchange. The purpose of a third-party virtual audit is to verify the conformity and effectiveness of the information security management system (ISMS) and to issue a certificate of compliance [1][2]. Before you start conducting the audit, you would need to inform the auditee about the following issues [1][2]:
* You will ask those being interviewed to state their name and position beforehand, i.e., to confirm their identity and role in the ISMS. This is to ensure that you are interviewing the relevant personnel and that they are authorized to provide information and evidence for the audit.
* You will ask for a 360-degree view of the room where the audit is being carried out, i.e., to verify the physical and environmental security of the audit location. This is to ensure that there are no unauthorized persons or devices in the vicinity that could compromise the confidentiality, integrity, or availability of the information being audited.
The other issues are not relevant or appropriate for a third-party virtual audit, because:
* You will ask to see the ID card of the person that is on the screen, i.e., to verify their identity. This is not necessary if you have already asked them to state their name and position beforehand, and if you have access to the auditee's organizational chart or staff directory. Asking to see the ID card could also be seen as intrusive or disrespectful by the auditee.
* You will take photos of every person you interview, i.e., to document the audit process. This is not advisable as it could violate the privacy or consent of the auditee and the interviewees. Taking photos could also be seen as unprofessional or suspicious by the auditee. You should rely on the audit records and evidence provided by the auditee and the audit tool instead.
* You will not record any part of the audit, unless permitted, i.e., to respect the auditee's preferences and rights. This is not a valid issue to inform the auditee about, as you should always record the audit for quality assurance and verification purposes. Recording the audit is also a requirement of the ISO/IEC 27001 standard and the certification body. You should inform the auditee that you will record the audit and obtain their consent before the audit begins.
* You expect the auditee to have assessed all risks associated with online activities, i.e., to ensure the security of the audit process. This is not an issue to inform the auditee about, as it is part of the auditee's responsibility and obligation to have a risk assessment and treatment process for their ISMS. You should assess the auditee's risk management practices and controls during the audit, not before it.
References:
[1] ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training
[2] ISO/IEC 27001 Lead Auditor Training Course by PECB


NEW QUESTION # 128
There is a scheduled fire drill in your facility. What should you do?

  • A. None of the above
  • B. Participate in the drill
  • C. Excuse yourself by saying you have an urgent deliverable
  • D. Call in sick

Answer: B

