ISO-IEC-27001-Lead-Auditor PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes developing and entering into licensing agreements that cover code ownership and intellectual property rights, and implementing appropriate contractual requirements related to secure design and coding in accordance with Annex A 8.25 and 8.2912

In this case, the organisation and the developer have performed security tests that failed, which indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT Manager explains that the encryption and pseudonymisation functions failed because they slowed down the system and service performance, and that an extra 150% of resources are needed to cover this. However, this does not justify the acceptance of the test results by the Service Manager, who is not authorised to approve the test according to the software security management procedure. The Service Manager should have consulted with the IT Manager, who is the owner of the process, and followed the procedure for handling nonconformities and corrective actions. The Service Manager’s decision to continue the service based on access control alone exposes the organisation to the risk of compromising the confidentiality, integrity, and availability of personal data processed by the mobile app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.

This scenario represents an "audit finding." An audit finding refers to results that indicate a deviation from the expected performance or standards. Discovering that two employees have not received the required training is an audit finding indicating noncompliance with the organization's training requirements.

This is a minor nonconformity. The backup frequency not adhering to the company's procedure of daily backups but occurring once a month represents a deviation from established processes, yet it might not immediately impact the effectiveness of the information security management system.

The correct answer is Corrective controls, because the organization is responding to an incident that has already occurred and is taking actions to remove the malware and restore normal operations. Corrective controls are designed to limit damage, eradicate the cause of an incident, and return systems to an acceptable operational state after a security event has been detected.

In this scenario, the malware infection has already bypassed existing security measures, meaning preventive controls failed to stop the incident. The focus now is not on detection, as the infection is already known, but on remediation and recovery. Activities such as malware removal, system restoration from backups, reinstallation of compromised systems, and application of patches are classic examples of corrective controls.

ISO/IEC 27001:2022 addresses this through clause 10.2 on nonconformity and corrective action, which requires organizations to take action to control and correct incidents and deal with their consequences. Additionally, ISO/IEC 27002:2022 includes controls related to incident response and recovery that support corrective actions after an event.

Option B is incorrect because detective controls, such as monitoring and logging, are intended to identify incidents, not resolve them. Option C is incorrect because preventive controls aim to stop incidents from occurring in the first place, such as antivirus software or access controls. Since the malware has already caused harm, corrective controls are the most appropriate response.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

ISO/IEC 17021-1 (Conformity assessment – Requirements for bodies providing audit and certification of management systems) states that the auditee may request a replacement of an auditor only for valid reasons.

A former employee of the company serving as an auditor presents a potential conflict of interest (real or perceived).

Therefore, Company X’s request is valid.

A. Incorrect:

While a conflict of interest is a valid reason, the replacement must be based on an objective, justified claim, and not just personal preference.

C. Incorrect:

Auditees can request an auditor’s replacement, but only under justified circumstances.

Relevant Standard Reference:

ISO/IEC 17021-1:2015 Clause 9.1.3 (Impartiality and Objectivity of Auditors)

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Statistical sampling follows probability theory and ensures objective selection.

ISO 19011:2018 supports statistical sampling for unbiased audit conclusions.

B. Incorrect:

Judgment-based sampling is subjective, not probability-based.

C. Incorrect:

Multi-site sampling applies to organizations with multiple locations.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.9 (Using Statistical Sampling for Audits)

The integrity principle of information security has been affected in this case. The chatbot’s inability to provide accurate answers and its unintended behavior (sending random files) due to insufficient testing and lack of proper training samples compromised the integrity of the system.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Virtual audits require predefined remote access protocols to ensure secure, authorized connections for data review.

ISO 19011:2018 provides guidelines for virtual auditing security measures.

B. Incorrect:

Internal audits may use remote access, but agreement is not mandatory.

C. Incorrect:

External audits may involve remote access but do not require predefined agreements in all cases.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.10 (Remote and Virtual Auditing Procedures)

The correct response is A, because grading criteria provide a common basis for the evaluation of nonconformities across the organization. Grading criteria are the rules or standards that define the severity or impact of nonconformities, and help to determine the appropriate corrective actions and follow-up activities. Grading criteria are important for several reasons, such as:

They ensure consistency and objectivity in the assessment and reporting of nonconformities, and avoid subjective or arbitrary judgments.

They facilitate the communication and understanding of nonconformities among the auditors, the auditees, and the audit clients, and enable the comparison and benchmarking of nonconformities across different processes, functions, or locations.

They support the prioritization and allocation of resources for the resolution of nonconformities, and the monitoring and measurement of the effectiveness of the corrective actions.

They demonstrate the commitment and accountability of the organization to the continual improvement of the ISMS, and the compliance with the ISMS requirements and expectations.

According to ISO/IEC 27001, the scope of an ISMS must be defined and documented. This documentation should include the boundaries and applicability of the information security management system, which helps in defining what information, locations, and assets are covered under the ISMS.

Corrective action is a process of identifying and eliminating the root causes of nonconformities or incidents that have occurred or could potentially occur, in order to prevent their recurrence or occurrence. Corrective action is part of the improvement requirement of ISO 27001 and follows a standard workflow of identification, evaluation, implementation, review and documentation of corrections and corrective actions. References: Procedure for Corrective Action, Nonconformity & Corrective Action For ISO 27001 Requirement 10.1, PECB Candidate Handbook ISO 27001 Lead Auditor (page 12)

A legal technical expert (LTE) is a person who provides specific knowledge or expertise related to the legal aspects of the information security management system (ISMS) during a certification audit. The LTE is not an auditor, but a member of the audit team who supports the auditors in collecting and evaluating the audit evidence. The LTE is not responsible for evaluating the auditee’s legal knowledge, criticising the organisation’s legal compliance issues, or debating complex legal points with the auditee, as these tasks may be beyond the scope of the audit, or may compromise the objectivity and impartiality of the audit. The LTE is responsible for advising on legal checkpoints for the audit team, such as the applicable legal, regulatory, and contractual requirements, the relevant sources of information, the methods of verification, and the criteria of evaluation. The LTE is also responsible for verifying the legal status of the organisation, such as the registration, licensing, authorisation, or accreditation of the organisation, and the compliance with the relevant laws and regulations. References:

What is the role of a technical expert in ISO audit?

Roles, Responsibilities & Authorities for ISO 27001 5.3

Guide to Become an ISO 27001 Lead Auditor

The correct answers for matching each of the descriptions with the appropriate risk term are:

The strategy chosen to respond to a specific information security risk: This is a definition of information security risk treatment. According to ISO/IEC 27000:2022, information security risk treatment is “the process of selecting and implementing measures to modify the information security risk” Section 3.33.

The effect of uncertainty on information security objectives: This is a definition of information security risk. According to ISO/IEC 27000:2022, information security risk is “the effect of uncertainty on information security objectives” Section 3.32.

The requirements against which information security risks are evaluated: This is a definition of information security risk criteria. According to ISO/IEC 27000:2022, information security risk criteria are “the terms of reference by which the significance of information security risks is assessed” Section 3.31.

A definition of the overall level of information security risk that is considered to be tolerable: This is a definition of information security risk acceptance criteria. According to ISO/IEC 27000:2022, information security risk acceptance criteria are “the level of information security risk that is acceptable” Section 3.30.

Explanation (ISO-aligned)

Security awareness training is an administrative (organizational) control.

ISO/IEC 27002:2022 A.6.3 (Information security awareness, education and training) explicitly categorizes training as an administrative control.

It governs human behavior through policy, procedures, and education, not technology or law.

Legal controls relate to regulations.

Managerial controls relate to governance decisions.

✅ Correct classification: Administrative control.

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.7.2 requires an organization to implement appropriate physical entry controls to prevent unauthorized access to secure areas1. The organization should define and document the criteria for granting and revoking access rights to secure areas, and should monitor and record the use of such access rights1. Therefore, when auditing the organization’s application of control A.7.2, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Based on the scenario above, the auditor should raise a nonconformity against control A.7.2, as the secure area is not adequately protected from unauthorized access. The auditor should provide the following evidence and justification for the nonconformity:

Evidence: The auditor observed two external contractors using a swipe card and combination number provided by the centre’s reception desk to gain access to a client’s suite to carry out authorized electrical repairs. The auditor checked the door access record for the client’s suite and found that only one card was swiped. The auditor asked the receptionist and was told that it was a common problem that contractors tend to swipe one card and tailgate their way in, but they were known from the reception sign-in.

Justification: This evidence indicates that the organization has not implemented appropriate physical entry controls to prevent unauthorized access to secure areas, as required by control A.7.2. The organization has not defined and documented the criteria for granting and revoking access rights to secure areas, as there is no verification or authorization process for providing swipe cards and combination numbers to external contractors. The organization has not monitored and recorded the use of access rights to secure areas, as there is no mechanism to ensure that each individual swipes their card and enters their combination number before entering a secure area. The organization has relied on the reception sign-in as a means of identification, which is not sufficient or reliable for ensuring information security.

The other options are not valid actions for auditing control A.7.2, as they are not related to the control or its requirements, or they are not appropriate or effective for addressing the nonconformity. For example:

Take no action: This option is not valid because it implies that the auditor ignores or accepts the nonconformity, which is contrary to the audit principles and objectives of ISO 19011:20182, which provides guidelines for auditing management systems.

Raise a nonconformity against control A.5.20 ‘addressing information security in supplier relationships’ as information security requirements have not been agreed upon with the supplier: This option is not valid because it does not address the root cause of the nonconformity, which is related to physical entry controls, not supplier relationships. Control A.5.20 requires an organization to agree on information security requirements with suppliers that may access, process, store, communicate or provide IT infrastructure components for its information assets1. While this control may be relevant for ensuring information security in supplier relationships, it does not address the issue of unauthorized access to secure areas by external contractors.

Raise a nonconformity against control A.7.6 ‘working in secure areas’ as security measures for working in secure areas have not been defined: This option is not valid because it does not address the root cause of the nonconformity, which is related to physical entry controls, not working in secure areas. Control A.7.6 requires an organization to define and apply security measures for working in secure areas1. While this control may be relevant for ensuring information security when working in secure areas, it does not address the issue of unauthorized access to secure areas by external contractors.

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV: This option is not valid because it does not address or resolve the nonconformity, but rather attempts to find alternative or compensating controls that may mitigate its impact or likelihood. While additional arrangements such as CCTV may be useful for verifying individual access to secure areas, they do not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities: This option is not valid because it does not address or resolve the nonconformity, but rather suggests a possible improvement action that may prevent or reduce its recurrence or severity. While accompanying contractors at all times when accessing secure facilities may be a good practice for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times: This option is not valid because it does not address or resolve the nonconformity, but rather suggests a possible improvement action that may increase awareness or compliance with the existing controls. While having a large sign in reception reminding everyone requiring access must use their swipe card at all times may be a helpful reminder for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Tell the organisation they must write to their contractors, reminding them of the need to use access cards appropriately: This option is not valid because it does not address or resolve the nonconformity, but rather instructs the organization to take a corrective action that may not be effective or sufficient for ensuring information security. While writing to contractors, reminding them of the need to use access cards appropriately may be a communication measure for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

The overall competence of the12:

The audit scope and criteria: The audit scope defines the extent and boundaries of the audit, such as the locations, processes, functions, and time period to be audited. The audit criteria are the set of policies, procedures, standards, or requirements used as a reference against which the audit evidence is compared. The audit scope and criteria determine the complexity and extent of the audit, and thus influence the number and expertise of the auditors needed to cover all the relevant aspects of the audit.

The overall competence of the audit team needed to achieve audit objectives: The audit team should have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results. The audit team competence should include the following elements12:

Generic competence: The ability to apply the principles and methods of auditing, such as planning, conducting, reporting, and following up the audit, as well as the personal behaviour and attributes of the auditors, such as ethical conduct, fair presentation, professional care, independence, and impartiality.

Discipline and sector-specific competence: The ability to understand and apply the audit criteria and the relevant technical or industry aspects of the audited organization, such as the information security management system (ISMS) requirements, the information security risks and controls, the legal and regulatory obligations, the organizational context and culture, the processes and activities, the products and services, etc.

Audit team leader competence: The ability to manage the audit team and the audit process, such as coordinating the audit activities, communicating with the audit programme manager and the auditee, resolving any audit-related problems, ensuring the quality and consistency of the audit work and the audit report, etc.

The person responsible for managing the audit programme should not consider the following factors when deciding the size and composition of the audit team for a specific audit, as they are either irrelevant or inappropriate for the audit process12:

Customer relationships: The audit team should not be influenced by any personal or professional relationships with the auditee or other interested parties, as this may compromise the objectivity and impartiality of the audit. The audit team should avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.

Seniority of the audit team leader: The audit team leader should be selected based on their competence and experience, not on their seniority or rank within the organization or the audit programme. The audit team leader should have the authority and responsibility to manage the audit team and the audit process, regardless of their seniority or position.

The cost of the audit: The cost of the audit should not be the primary factor for determining the size and composition of the audit team, as this may compromise the quality and effectiveness of the audit. The audit team should have sufficient resources and time to conduct the audit in accordance with the audit objectives, scope, and criteria, and to provide accurate and reliable audit results and recommendations.

The duration preferred by the auditee: The duration of the audit should be based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee, not on the preference or convenience of the auditee. The audit team should have enough time to conduct the audit in a thorough and systematic manner, and to collect and evaluate sufficient and relevant audit evidence.

The benefits of implementing an ISMS are not limited to a reduction in information security risks, but also include improved business performance, customer satisfaction, legal compliance, and stakeholder confidence. The benefit of certifying an ISMS is not only to obtain contracts from governmental institutions, but also to demonstrate the organisation’s commitment to information security to other potential customers, partners, and regulators. The purpose of an ISMS is to apply a risk management process for preserving information security, which means identifying, analysing, evaluating, treating, monitoring, and reviewing the information security risks that the organisation faces. The purpose of an ISMS is not to demonstrate compliance with regulatory requirements, but rather to ensure that the organisation meets its own information security objectives and obligations.

While competence is important for an effective ISMS, the specific competence records of the ISMS manager are less relevant when determining resources for the internal audit program. The focus should be on resources directly related to the audit process itself. Here's why the other options matter:

•A. Availability of competent auditors and technical experts: Crucial for conducting thorough audits and accurately assessing the ISMS.

•C. Availability of the necessary documented information: Essential for auditors to review policies, procedures, and records related to the ISMS.

•D. Impact of different time zones: Can affect scheduling, coordination, and communication during the audit, potentially requiring additional resources.

Yes, it is acceptable for Sinvestment to request that the review of documented information occur on-site. The company has the right to stipulate that no documents be carried off-site, especially to maintain control over sensitive information and ensure confidentiality, which aligns with the security controls expected in ISO/IEC 27001.

Jack clearly possesses the necessary knowledge and skills required of an auditor, making option C the correct answer. ISO 19011:2018, which provides guidance on auditing management systems, defines auditor competence as a combination of knowledge, skills, and personal attributes applied during audit activities. The scenario explicitly demonstrates that Jack meets these competence requirements.

Jack has extensive experience in risk management, information security controls, and incident management, which are core knowledge areas for an ISO/IEC 27001 audit. These competencies enable him to understand ISMS requirements, assess controls, and evaluate incident handling processes. In addition, the scenario highlights his understanding of auditing principles and processes, including the use of systematic, rational methods to achieve reliable and reproducible audit conclusions. This directly aligns with ISO 19011 principles such as evidence-based auditing and due professional care.

Comprehensive and Detailed In-Depth Explanation:

The CIA Triad (Confidentiality, Integrity, and Availability) is the foundation of information security principles.

Availability ensures that data and services are accessible when needed. By implementing regular, automated backups and offsite storage, the organization ensures that critical data remains accessible even after a security incident (e.g., data loss, cyberattacks, or hardware failures). This aligns with ISO/IEC 27001:2022 Annex A Control A.8.13 (Information Backup), which emphasizes maintaining and testing backups to ensure system resilience.

Integrity ensures that data remains unaltered and accurate, but backups do not inherently enforce integrity unless accompanied by checksum or validation mechanisms.

Confidentiality ensures that only authorized users can access data, which is not the primary goal of a backup procedure.

According to ISO 19011:2018, which provides guidelines for auditing management systems, the audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system1. Therefore, these three phrases are examples of objectives in relation to an audit. The other options are not objectives, but rather elements or factors that may influence or affect an audit. For example, an international standard is a source of audit criteria, a management policy is a part of the audited management system, and completing an audit on time is a requirement for an effective audit. References: ISO 19011:2018 - Guidelines for auditing management systems

A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. In this case, not checking the source code of an updated application can lead to unauthorized modifications, thus representing a vulnerability that may impact the integrity of the information, as integrity refers to the accuracy and completeness of the information. References: = The explanation aligns with the general principles of information security management systems and the content typically covered in ISMS ISO/IEC 27001 Lead Auditor training and certification programs, which include understanding vulnerabilities and their impact on information security attributes like integrity.

The words that best complete the sentence are assess and recommendation. The sentence would read as follows:

“An audit plan is a statement of the intent of the audit team to assess all areas of the company with a view to determining a recommendation for certification approval.”

According to the web search results from my predefined tool, a third-party audit plan is a document that describes the scope, objectives, criteria, and methodology of an external audit conducted by an independent certification body to verify the conformity of an organization’s ISMS with the ISO 27001 standard12. The audit plan also includes the audit schedule, the audit team, the audit locations, and the audit deliverables23. One of the main deliverables of a third-party audit is the audit report, which summarizes the audit findings, the audit conclusions, and the audit recommendation34. The audit recommendation is the opinion of the audit team on whether the organization’s ISMS meets the certification requirements and whether the certification should be granted, maintained, suspended, or withdrawn45.

Therefore, the purpose of the audit plan is to state the intention of the audit team to assess all areas of the company, meaning to evaluate the performance and effectiveness of the ISMS, and to determine a recommendation for certification approval, meaning to provide a judgment on the certification status of the ISMS. The other words in the options, such as verdict, permit, report, inspect, and question, do not accurately reflect the meaning of the audit plan. A verdict is a formal decision made by a judge or a jury, not by an audit team. A permit is a legal authorization to do something, not a certification of conformity. A report is a document that presents the audit results, not the audit intention. An inspection is a visual examination of something, not a comprehensive assessment of an ISMS. A question is a request for information, not a determination of a recommendation.

According to ISO/IEC 27000:2018, which provides an overview and vocabulary of information security management systems, an information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant1. An information security incident is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security1. Therefore, based on this definition, three examples of information security incidents are:

A contractor who has not been paid deletes top management ICT accounts: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in loss of access, data, or functionality for the top management.

An unhappy employee changes payroll records without permission: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in financial fraud, legal liability, or reputational damage for the organization.

The organisation’s marketing data is copied by hackers and sold to a competitor: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in loss of confidentiality, competitive advantage, or customer trust for the organization.

The other options are not examples of information security incidents, but rather information security events that may or may not lead to incidents depending on their impact and severity. For example:

The organisation’s malware protection software prevents a virus: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, as it is prevented by the malware protection software.

A hard drive is used after its recommended replacement date: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless it fails or causes other problems.

The organisation receives a phishing email: This is an example of an identified occurrence of a network state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless it is opened or responded to by the recipient.

An employee fails to clear their desk at the end of their shift: This is an example of an identified occurrence of a service state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless the desk contains sensitive or confidential information that is accessed by unauthorized persons.

The organisation fails a third-party penetration test: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless the penetration test reveals serious vulnerabilities that are exploited by malicious actors.

Even though the marketing department was not included in the audit scope, the issue of employees' access rights control must be communicated to Sinvestment's representatives and included in the audit report because it is part of Sinvestment’s information security policy. It reflects on the overall adherence to the ISMS requirements.

No, the auditor should uphold objectivity even when deciding whether to accept the audit mandate or not. Discussing previous audit reports with a friend who is an internal auditor at the auditee may compromise the external auditor's objectivity and independence.

This is the definition of an interested party according to ISO 27001:2013, clause 3.16. An interested party is essentially a stakeholder, i.e., a person or organization that can influence or be influenced by the information security management system (ISMS) or its activities. Interested parties can have different needs and expectations regarding the ISMS, and these should be identified and addressed by the organization. References:

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, clause 3.16

PECB Candidate Handbook ISO 27001 Lead Auditor, page 10

Identifying interested parties and their expectations for an ISO 27001 ISMS

Examples of ISO 27001 interested parties

The two statements that are valid audit conclusions are:

•The ISMS policy has been effectively communicated to the organisation

•The organisation’s ISMS objectives meet the requirements of ISO/IEC 27001:2022

According to ISO 19011:2018, an audit conclusion is the outcome of an audit, provided by the audit team after considering the audit objectives and all audit findings1. An audit conclusion can be positive or negative, depending on whether the audit criteria are fulfilled or not. An audit conclusion can also include recommendations for improvement or recognition of good practices.

The statements D and E are valid audit conclusions, because they express the outcome of the audit based on the audit criteria and findings. For example:

•Statement D is a positive audit conclusion, because it indicates that the organisation has fulfilled the requirement of clause 5.2.2 of ISO/IEC 27001:2022, which states that the ISMS policy must be communicated within the organisation and to relevant interested parties2. The audit team must have obtained sufficient and appropriate audit evidence to support this conclusion, such as records of communication, awareness activities, feedback, etc.

•Statement E is a positive audit conclusion, because it indicates that the organisation has fulfilled the requirement of clause 6.2 of ISO/IEC 27001:2022, which states that the organisation must establish ISMS objectives that are consistent with the ISMS policy and relevant to the information security risks3. The audit team must have obtained sufficient and appropriate audit evidence to support this conclusion, such as records of objective setting, risk assessment, alignment with policy, etc.

The other statements are not valid audit conclusions, because they do not express the outcome of the audit based on the audit criteria and findings. They are rather examples of audit findings, which are the results of the evaluation of the collected audit evidence against the audit criteria4. Audit findings can indicate either conformity or nonconformity with the audit criteria, or opportunities for improvement. For example:

•Statement A is a negative audit finding, because it indicates a nonconformity with the requirement of clause 7.2.2 of ISO/IEC 27001:2022, which states that the organisation must provide information security awareness education and training to persons under its control5. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

•Statement B is a negative audit finding, because it indicates a nonconformity with the requirement of clause 6.1.2 of ISO/IEC 27001:2022, which states that the organisation must maintain and review the information security risk assessment at planned intervals or when significant changes occur6. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

•Statement C is a negative audit finding, because it indicates a nonconformity with the requirement of clause 10.1 of ISO/IEC 27001:2022, which states that the organisation must take action to eliminate the causes of nonconformities and prevent recurrence7. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

•Statement F is a negative audit finding, because it indicates a nonconformity with the requirement of clause 6.1.3 of ISO/IEC 27001:2022, which states that the organisation must determine the controls that are necessary to implement the risk treatment plan, and document them in the statement of applicability8. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

Comprehensive and Detailed In-Depth Explanation:

ISO/IEC 27001:2022 Clause 7.5 (Documented Information) defines the role of documentation in an ISMS.

A. Correct Statement:

Documented information serves as a guideline for ISMS operations and provides audit evidence.

B. Incorrect Statement:

Collecting documented information is not a goal in itself.

The purpose of documentation is to support the ISMS and ensure compliance, not just to generate paperwork.

C. Correct Statement:

Documents should be clear and concise, avoiding unnecessary complexity while still being detailed enough to be useful.

Thus, documentation should be purposeful and functional, not just a bureaucratic requirement.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 7.5 (Documented Information)

The only option that is not prohibited in acceptable use of information assets is C: company-wide e-mails with supervisor/TL permission. This option implies that the sender has obtained the necessary authorization from their supervisor or team leader to send an e-mail to all employees in the organization. This could be done for legitimate business purposes, such as announcing important news, events or updates that are relevant to everyone. However, this option should still be used sparingly and responsibly, as it could cause unnecessary disruption or annoyance to the recipients if abused or misused. The other options are prohibited in acceptable use of information assets, as they could violate the information security policies and procedures of the organization, as well as waste resources and bandwidth. Electronic chain letters (A) are messages that urge recipients to forward them to multiple other people, often with false or misleading claims or promises. They are considered spam and could contain malicious links or attachments that could compromise information security. E-mail copies to non-essential readers (B) are messages that are sent to recipients who do not need to receive them or have no interest in them. They are considered unnecessary and could clutter the inbox and distract the recipients from more important messages. Messages with very large attachments or to a large number of recipients (D) are messages that consume a lot of network resources and could affect the performance or availability of the information systems. They could also exceed the storage capacity or quota limits of the recipients’ mailboxes and cause problems for them. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Acceptable Use?

Yes, according to ISO/IEC 27001, the company needs to provide evidence of the implementation of procedures regarding the logging of user activities. This requirement is essential to ensure that events are recorded and regularly reviewed, supporting the detection and prevention of security incidents.

Yes, assessing the ISMS as a whole can be acceptable if the audit team obtains reasonable assurance that the system conforms to the standard requirements. The approach taken by the audit team must still ensure that all significant aspects of the ISMS are evaluated adequately, and if this is achieved through a holistic assessment, it is considered sufficient.

The correct answer is A, because a general action plan can be acceptable when multiple nonconformities share the same root cause, provided that the plan clearly addresses that root cause and demonstrates how recurrence will be prevented. ISO/IEC 27001 clause 10.1 requires organizations to determine the causes of nonconformities and implement corrective actions proportionate to the effects of those nonconformities. It does not mandate a one-to-one relationship between nonconformities and action plans.

In Scenario 8, both nonconformities stem from a common underlying issue: the absence of a formal information labeling procedure aligned with the information classification scheme. The mislabeling of information and the incorrect storage of sensitive information on removable media are consequences of this single systemic weakness. Therefore, a consolidated action plan targeting the root cause is conceptually acceptable.

However, the issue in the scenario is not that the plan was general, but that it lacked sufficient detail, such as clear action steps, responsibilities, timelines, and identification of affected systems and controls. Certification bodies require action plans to be specific, verifiable, and capable of being assessed for effectiveness.

Option B is incorrect because ISO standards do not require separate action plans for each nonconformity when a shared root cause exists. Option C is incorrect because audit team leader approval alone does not make an inadequate plan acceptable.

Thus, while a general action plan is acceptable in principle, it must still be detailed and robust to support certification.

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.2 requires an organization to determine the needs and expectations of interested parties that are relevant to its ISMS1. This includes identifying the legal, regulatory, contractual and other requirements that apply to its information security activities1. Therefore, collecting more evidence on what the service requirements of healthcare monitoring are may not be relevant to verifying the information security incident management process, as it is not directly related to the audit objective or criteria. This option will not be in the audit trail.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 mandates that auditors present all nonconformities with sufficient detail and context to ensure proper understanding and corrective action planning.

Failure to explain nonconformities fully could lead to ineffective remediation.

B. Incorrect:

Minor nonconformities must also be presented to ensure full transparency.

C. Incorrect:

Aligning with standard clauses is necessary, but detailed analysis is more critical.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.6.2 (Presentation of Audit Findings in Closing Meetings)

Machine learning is a subset of artificial intelligence that involves the use of algorithms and statistical models to enable systems to improve their performance on a specific task over time with experience or data, without being explicitly programmed. In the context of the scenario, machine learning would be the technology that allows the chatbot to learn from patterns in queries to provide the right answers.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

The financial reporting system issue is a critical security concern, and the audit team should have reported the situation to the certification body for further action.

ISO 19011:2018 mandates auditors to escalate issues that impact compliance.

A. Incorrect:

Financial systems fall within ISMS scope if they contain sensitive data—it is not beyond the scope.

C. Incorrect:

Withdrawal is unnecessary unless legal violations prevent an effective audit.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 9.2 (Internal Audit) & ISO 19011:2018 Clause 6.7 (Audit Follow-Up and Reporting of Serious Issues)

A property of information that has the ability to prove occurrence of a claimed event is integrity. Integrity is one of the three main objectives of information security, along with confidentiality and availability. Integrity ensures that information and systems are not corrupted, modified, or deleted by unauthorized actions or events. Integrity also implies that information and systems can be verified and validated as authentic and accurate. Electronic chain letters are not a property of information, but a type of spam or hoax message that may contain malicious or misleading content. Availability means that service should be accessible at the required time and usable only by the authorized entity. Accessibility is not a property of information, but a characteristic of usability that refers to how easy it is for users to access and interact with information and systems. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24. : [ISO/IEC 27001 Brochures | PECB], page 4. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 13.

Qualitative evidence in an audit typically involves observations, interviews, and reviews that provide insights into the processes and compliance through subjective but informed assessments. An interview with information security personnel to validate compliance with the standard requirements is an example of qualitative evidence, where the quality and effectiveness of processes are assessed based on expert judgments rather than measurable metrics.

The main purpose of a Stage 2 third-party audit is to evaluate the implementation and effectiveness of the organisation’s management system and to identify any nonconformances against the requirements of the standard12. The other options are either the objectives of a Stage 1 audit (A, D) or a specific aspect of the audit scope (B). References: 1: ISO/IEC 27006:2022, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems, Clause 9.2 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 4: Preparing an ISO/IEC 27001 audit

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

The organization is focusing on direct costs associated with running specific processes.

"Personnel, third-party services, and general fees" refer to operational costs of specific processes, not overall business operations.

A. Incorrect:

Cost of operations refers to the total business expenses, not individual processes.

C. Incorrect:

Potential cost of errors relates to risk assessment and impact analysis, not direct expenses.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.3.2 (Audit Planning and Materiality Considerations)

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 6.2 requires an organization to establish information security objectives at relevant functions and levels1. The objectives should be consistent with the information security policy; measurable (if practicable) or capable of being evaluated; monitored; communicated; updated as appropriate1. Therefore, when auditing an organization’s information security objectives, an ISMS auditor should verify these aspects in accordance with the audit criteria.

Three responses from the ISMS auditor in training that would cause concern in relation to conformity with ISO/IEC 27001:2022 are:

I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives at relevant functions and levels, not just at the top management level. It also implies that the auditor in training is willing to accept a delay or postponement in determining the information security objectives, which may affect the ISMS performance and effectiveness.

I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives that are measurable (if practicable) or capable of being evaluated, not just written down on paper. It also implies that the auditor in training is not aware of the flexibility and suitability of different media or formats for documenting and communicating information security objectives, such as electronic or digital records, posters, newsletters, etc.

I am going to check that a completion date has been set for each objective and that there are no objectives with missing ‘achieve by’ dates: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives that are monitored, not just completed by a certain date. It also implies that the auditor in training is not aware of the possibility and necessity of updating information security objectives as appropriate, such as when changes occur in the internal or external context of the organization, or when new risks or opportunities arise.

The other responses from the ISMS auditor in training are acceptable and do not cause concern in relation to conformity with ISO/IEC 27001:2022. For example, checking how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved is relevant to verifying the communication aspect of clause 6.2; checking that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this is relevant to verifying the updating aspect of clause 6.2; checking that the necessary budget, manpower and materials to achieve each objective has been determined is relevant to verifying the planning aspect of clause 6.2; checking that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them is relevant to verifying the measurability aspect of clause 6.2. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements

The three audit findings that would prompt you to raise a nonconformity report are:

•The organisation is treating information security risks in the order in which they are identified

•The organisation’s risk assessment criteria have not been reviewed and approved by top management

•The organisation’s information security risk assessment process is based solely on an assessment of the impact of each risk

According to ISO/IEC 27001:2022, clause 6.1.2, the organisation must establish and maintain an information security risk management process that is consistent with the organisation’s context and aligned with its overall risk management approach1. This process must include the following steps:

•Establishing the risk assessment criteria, which must be approved by top management and reflect the organisation’s risk appetite and objectives2

•Identifying the information security risks, which must consider the assets, threats, vulnerabilities, impacts, and likelihoods3

•Analysing the information security risks, which must determine the levels of risk and compare them with the risk criteria4

•Evaluating the information security risks, which must prioritise the risks and decide whether they need treatment or not5

Therefore, the audit findings B, E, and F indicate that the organisation is not following the required steps of the information security risk management process, and thus are nonconformities with the standard.

The other audit findings are not necessarily nonconformities, as they may be acceptable depending on the organisation’s context and justification. For example:

•Audit finding A may be acceptable if the organisation has identified and treated the additional information security risks that are relevant to its scope and objectives, and has documented the rationale for doing so6

•Audit finding C may be acceptable if the organisation has assigned clear roles and responsibilities for the information security risk management process, and has ensured that the risk owners have the authority and competence to manage the risks7

•Audit finding D may be acceptable if the organisation has defined and communicated the meaning and implications of the emoji-based risk classification, and has ensured that it is consistent with the risk criteria and the risk treatment process8

•Audit finding G may be acceptable if the organisation has justified the use of discrete values for the probability of the information security risks, and has ensured that they are realistic and consistent with the risk criteria and the risk analysis method9

•Audit finding H may be acceptable if the organisation has established and maintained different systems for assessing operational and strategic information security risks, and has ensured that they are integrated and aligned with the overall risk management approach and the ISMS objectives10

The IRT’s finding that FTP transmits authentication credentials in clear text represents a vulnerability in information security terms. A vulnerability is defined as a weakness in an asset, system, or control that can be exploited by a threat. In this scenario, FTP itself is not a threat, nor is it the risk; rather, it is the technical weakness that enabled the attackers to succeed.

The attackers (hackers) are the threat, and the potential loss of proprietary information is the impact. The risk arises from the combination of the threat exploiting the vulnerability and causing harm. However, the question specifically asks what the IRT’s finding about FTP represents, and that finding is the identification of a weakness in the system design. The use of clear-text authentication is a well-known security weakness, making it easier for attackers to capture credentials through network traffic interception.

ISO/IEC 27001:2022 risk assessment logic requires organizations to distinguish clearly between threats, vulnerabilities, and risks during incident analysis. The IRT did exactly this by identifying that the protocol itself lacked encryption, which is a vulnerability. This is further supported by the corrective action taken: replacing FTP with SSH. SSH provides encrypted communication, which directly addresses the vulnerability by removing the weakness that allowed credential exposure.

Therefore, the IRT’s findings correctly identify FTP as a vulnerability, making option A the correct answer.

According to ISO/IEC 27001:2022 clause 8.1, the organization must plan, implement and control the processes needed to meet the information security requirements, and to implement the actions determined in clause 6.1. The organization must also ensure that the outsourced processes are controlled or influenced. According to control A.5.24, the organization must establish and maintain an information security incident management process that includes reporting information security events and weaknesses. Therefore, the use of lower grade machines for the secure disposal of confidential documents and media could pose a significant information security risk and a potential breach of contract with the clients. The auditor should respond to this information by:

A. Advising the individual managing the audit programme of any recommendation by you to conduct a further audit prior to certification. This is in accordance with ISO/IEC 27006:2022 clause 7.4.3, which states that the audit team leader shall report to the certification body any situation that may significantly affect the audit conclusions or the certification decision, and propose any necessary changes to the audit plan.

C. Considering the need for a subsequent audit within 4 weeks based on the additional information that has come to light. This is in accordance with ISO/IEC 27006:2022 clause 7.5.2, which states that the audit team leader shall review the audit findings and any other appropriate information collected during the audit to determine the audit conclusions, and to identify any need for a subsequent audit.

G. Verifying with the auditee that lower grade machines are used in certain circumstances. This is in accordance with ISO/IEC 27006:2022 clause 7.4.2, which states that the audit team leader shall ensure that the audit is conducted in accordance with the audit plan, and that any changes to the plan are agreed upon and documented.

The other options are not appropriate responses, as they either ignore the information, exceed the scope of the audit, or prematurely raise a nonconformity without sufficient evidence. For example:

B. Cancelling the production of the audit report and instead reviewing the organization’s contracts with its clients to determine whether they have permitted the use of lower grade machines. This is not a suitable response, as it would delay the audit process and the certification decision, and it would involve reviewing documents that are outside the scope of the ISMS audit. The auditor should focus on verifying the information security risk assessment and treatment process, and the information security incident management process, as they relate to the use of lower grade machines.

D. Doing nothing. All audits are based on a sample and the sample you took did not include a planned review of the lower grade machines. This is not a suitable response, as it would disregard a significant information security risk and a potential nonconformity that could affect the audit conclusions and the certification decision. The auditor should follow up on the information provided by the employee and verify its validity and impact.

E. Extending the certification audit duration to create additional time to audit the use of the lower grade machines. This is not a suitable response, as it would disrupt the audit schedule and the availability of the audit team and the auditee. The auditor should report the situation to the certification body and propose any necessary changes to the audit plan, such as conducting a subsequent audit.

F. Raising a nonconformity against 8.1 Operational Planning and Control as the organization has not been open about its processes. This is not a suitable response, as it would be based on a single source of information that has not been verified or corroborated. The auditor should collect sufficient and appropriate audit evidence to support any nonconformity, and should also consider the root cause and the severity of the nonconformity.

competence of the audit team and decision made by the certification body

According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, an accredited certification means that the certification body has been evaluated by an accreditation body against recognized standards to demonstrate its competence, impartiality and performance capability1. Therefore, an accredited certification assures the competence of the audit team that conducts the audit in accordance with ISO 19011 and ISO/IEC 27001:2022, and the decision made by the certification body that grants or maintains the certification based on the audit evidence and findings2. References: ISO/IEC 17021-1:2015 - Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements, ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 states that the audit team leader is responsible for compiling and finalizing the audit report.

B. Incorrect:

Team members contribute findings, but the leader ensures finalization.

C. Incorrect:

The certification body reviews but does not prepare the report.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.7.1 (Audit Report Preparation and Approval)

The audit team’s approach is in line with recommended auditing practices, making option A the correct answer. ISO management system audits, including ISO/IEC 27001 audits, are designed to provide reasonable assurance, not absolute assurance, that the management system conforms to the standard requirements. This principle is explicitly supported by ISO 19011 and ISO/IEC 17021-1.

In the scenario, the audit team assessed conformity by reviewing key processes, questioning responsible personnel, examining representative evidence, and evaluating control effectiveness. Although access to IT systems was limited, the auditors compensated by gathering sufficient and appropriate evidence through alternative means. This approach reflects the reality of auditing complex environments, particularly those involving third-party service providers.

Option B is incorrect because ISO standards do not require auditors to assess every process in full detail. Audits are sample-based by design. Expecting a complete, exhaustive assessment of each process would be impractical and inconsistent with audit principles. Option C is incorrect because assessing the ISMS as a whole is not merely an efficiency-driven decision; it is an accepted and intentional audit approach aimed at evaluating system-level effectiveness.

Therefore, obtaining reasonable assurance through a structured, evidence-based approach confirms that the audit team acted in accordance with recommended audit practices.

Comprehensive and Detailed In-Depth Explanation:

C. Fraud (Correct Answer):

The audit team leader knowingly falsified the audit report to downplay nonconformities.

Fraud involves intentional deception or misrepresentation of information, making this a fraudulent act.

A. Ordinary negligence (Incorrect):

Ordinary negligence is a failure to exercise reasonable care, but this case involved intentional misconduct.

B. Gross negligence (Incorrect):

Gross negligence is extreme carelessness but does not involve deliberate misrepresentation.

Relevant Standard Reference:

ISO 19011:2018 Clause 4 (Principles of Auditing: Integrity and Objectivity)

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer: ISO/IEC 27001 Clause 4.1 (Understanding the Organization and Its Context) and Clause 4.2 (Understanding the Needs and Expectations of Interested Parties) require organizations to consider both internal and external issues when defining the scope of the ISMS.

The scenario states that Clinic only considered internal issues but did not assess external factors, such as regulatory requirements, industry standards, or cybersecurity threats.

B. Incorrect: The scope is not fully correct because external factors were not considered.

C. Incorrect: Justifying exclusions is necessary in the SoA, not in the ISMS scope statement.

By failing to consider external issues, Clinic's ISMS does not meet the full requirements of ISO/IEC 27001.

The purpose of a management system audit is to evaluate the performance of an organization’s management system.

A management system audit is an independent and systematic analysis and evaluation of a company’s overall activities and performances1. It is a valuable tool used to determine the efficiency, functions, accomplishments and achievements of the company1. A management system audit can be conducted against a range of audit criteria, including (but not limited to) requirements set of in existing ISO standards2.

According to ISO 19011:2018, which provides guidelines for auditing management systems, the purpose of an audit is to enable the auditor to provide an audit conclusion that is related to the audit objectives2. The audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system2.

Therefore, the correct answer is evaluate, as it best describes the purpose of a management system audit. The other options are not correct because they are not specific enough or do not reflect the intended outcome of an audit. For example, improve implies that the audit itself will enhance the performance of the management system, which is not necessarily true. Manage implies that the audit will control or direct the management system, which is not its role. Research implies that the audit will generate new knowledge or information about the management system, which is not its primary aim.

A third-party audit team leader is a person who leads an audit team that conducts audits on behalf of an external organization, such as a certification body, that provides certification or accreditation services to other organizations12.

One of the main responsibilities of a third-party audit team leader is to act on behalf of the certification body, which means to represent its interests, policies, and procedures during the audit process12.

Acting on behalf of the certification body involves communicating with the audit client and the auditee, planning and conducting the audit, reporting and evaluating the audit results, and making recommendations for certification or accreditation decisions12.

Acting on behalf of the certification body also requires maintaining professional integrity, impartiality, confidentiality, and competence throughout the audit process12.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

Yes, this action is acceptable. The internal audits being outsourced ensure independence and objectivity and allow the audit function to serve its advisory role effectively, in line with ISO/IEC 27001 requirements. The independence enhances the credibility and reliability of the audit results.

The best way to dispose of a hard copy of a customer design document is to shred it using a shredder. This is because shredding ensures that the document is destroyed and cannot be reconstructed or accessed by unauthorized persons. A customer design document may contain sensitive or confidential information that could cause harm or damage to the customer or the organization if disclosed. Therefore, it is important to protect the confidentiality and integrity of the document until it is securely disposed of. Throwing it in any dustbin, giving it to the office boy to reuse it for other purposes, or reusing it for writing are not secure ways of disposing of the document, as they could expose the document to unauthorized access, theft, loss or damage. ISO/IEC 27001:2022 requires the organization to implement procedures for the secure disposal of media containing information (see clause A.8.3.2). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Secure Disposal?

The correct answer is A, because ISO/IEC 27001 and ISO 19011 require internal audits to be objective and impartial, but they do not impose an absolute prohibition on individuals holding both operational and audit roles. What is required is that auditors do not audit their own work and that conflicts of interest are avoided.

In smaller organizations, it is common for staff to perform multiple roles. ISO 19011 recognizes this reality and allows auditors to conduct internal audits provided they are independent of the activities being audited. Clearly documented job descriptions, role separation, and audit assignment controls help ensure impartiality.

Option B is incorrect because ISO standards do not mandate a fixed “cooling-off” period such as one year. The key consideration is whether the auditor is independent of the audited activities, not the passage of time. Option C is incorrect because it imposes an unrealistic and unnecessary restriction, especially for small or medium-sized organizations.

Objectivity is achieved through planning, role separation, competence, and management oversight, not by rigid role exclusion rules. Therefore, allowing auditors to perform unrelated operational roles with proper safeguards is acceptable and standards-compliant.

Knowledge is the understanding of facts, concepts, principles, theories and practices related to a specific subject or discipline. Skills are the ability to apply knowledge and use know-how to complete tasks and solve problems. According to ISO 19011:2018, the knowledge and skills of an auditor include the following:

Knowledge of audit principles, procedures and methods

Knowledge of management system standards and reference documents

Knowledge of the organization’s context, scope, processes and objectives

Knowledge of relevant legal, regulatory and contractual requirements

Knowledge of applicable industry, sector or technical disciplines

Knowledge of risk management and risk-based thinking

Skill in collecting and verifying information

Skill in evaluating conformity and effectiveness of management systems

Skill in reporting and communicating audit results

Skill in managing audit activities and teams

Based on this, the activities that are predominately related to knowledge are designing a checklist and determining what evidence to gather, as they require the auditor to understand the audit criteria, scope, objectives and methods, as well as the organization’s context, processes and risks. The other activities are more related to skills, as they involve applying knowledge and using know-how to perform tasks and solve problems during the audit.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

ISO 19011:2018 (Guidelines for Auditing) requires auditors to consider all relevant evidence before making a final recommendation.

Clastus has the right to present additional evidence if they disagree with findings.

A. Incorrect:

Certification recommendations should remain open to valid new evidence until officially finalized.

C. Incorrect:

Auditors must consider revisions if they provide relevant clarification or evidence.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.6.3 (Handling Disputes and Additional Evidence in Audits)

The auditee is the organization or part of it that is subject to the audit. The auditee could be internal or external to the audit client . The auditee should cooperate with the audit team and provide them with access to relevant information, documents, records, personnel, and facilities .

The audit client is the organization or person that requests an audit. The audit client could be internal or external to the auditee . The audit client should define the audit objectives, scope, criteria, and programme, and appoint the audit team leader .

The technical expert is a person who provides specific knowledge or expertise relating to the organization, activity, process, product, service, or discipline to be audited. The technical expert could be internal or external to the audit team . The technical expert should support the audit team in collecting and evaluating audit evidence, but should not act as an auditor .

The observer is a person who accompanies the audit team but does not act as an auditor. The observer could be internal or external to the audit team . The observer should observe the audit activities without interfering or influencing them, unless agreed otherwise by the audit team leader and the auditee .

References :=

[ISO 19011:2022 Guidelines for auditing management systems]

[ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements]

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

Internal audits detect nonconformities but do not actively prevent them.

A. Incorrect:

Internal audits verify corrective actions.

B. Incorrect:

Technology can reduce manual tasks in internal audits.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.7 (Audit Program Limitations)

According to ISO 19011:2018, which provides guidelines for auditing management systems, an opening meeting is a formal communication between the audit team and the auditee at the start of an audit1. The purpose of the opening meeting is to confirm the audit objectives, scope and criteria, introduce the audit team and their roles, confirm the audit plan and logistics, explain the audit methods and procedures, and establish the communication channels1. Therefore, if the Managing Director of the client organization invites the audit team to view a new company video lasting 45 minutes during the opening meeting of a Stage 2 audit, the audit team leader should respond in a way that does not compromise the effectiveness and efficiency of the audit or create any misunderstanding or conflict with the auditee. Two possible ways to respond are to advise the Managing Director that the audit team has to keep to the planned schedule, as there may be limited time and resources available for the audit; or to suggest that the video could be viewed during a refreshment break, if it is relevant and useful for the audit and does not interfere with other audit activities1. The other options are not appropriate responses for the audit team leader to make in this situation. For example, stating that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team may imply that the video is not important or relevant for the rest of the audit team; inviting the Managing Director to the auditors’ hotel for a viewing that evening may create an impression of bias or favouritism; stating that the audit team will make a decision on the viewing at a later time may be vague or indecisive; and advising the Managing Director that the audit team agrees to his request may result in wasting valuable audit time or losing focus on the audit objectives1. References: ISO 19011:2018 - Guidelines for auditing management systems

The correct order of the stages is:

Prepare the audit checklist

Gather objective evidence

Review audit evidence

Document findings

Audit preparation: This stage involves defining the audit objectives, scope, criteria, and plan. The auditor also prepares the audit checklist, which is a list of questions or topics that will be covered during the audit. The audit checklist helps the auditor to ensure that all relevant aspects of the ISMS are addressed and that the audit evidence is collected in a systematic and consistent manner12.

Audit execution: This stage involves conducting the audit activities, such as opening meeting, interviews, observations, document review, and closing meeting. The auditor gathers objective evidence, which is any information that supports the audit findings and conclusions. Objective evidence can be qualitative or quantitative, and can be obtained from various sources, such as records, statements, physical objects, or observations123.

Audit reporting: This stage involves reviewing the audit evidence, evaluating the audit findings, and documenting the audit results. The auditor reviews the audit evidence to determine whether it is sufficient, reliable, and relevant to support the audit findings. The auditor evaluates the audit findings to determine the degree of conformity or nonconformity of the ISMS with the audit criteria. The auditor documents the audit results in an audit report, which is a formal record of the audit process and outcomes. The audit report typically includes the following elements123:

An introduction clarifying the scope, objectives, timing and extent of the work performed

An executive summary indicating the key findings, a brief analysis and a conclusion

The intended report recipients and, where appropriate, guidelines on classification and circulation

Detailed findings and analysis

Recommendations for improvement, where applicable

A statement of conformity or nonconformity with the audit criteria

Any limitations or exclusions of the audit scope or evidence

Any deviations from the audit plan or procedures

Any unresolved issues or disagreements between the auditor and the auditee

A list of references, abbreviations, and definitions used in the report

A list of appendices, such as audit plan, audit checklist, audit evidence, audit team members, etc.

Audit follow-up: This stage involves verifying the implementation and effectiveness of the corrective actions taken by the auditee to address the audit findings. The auditor monitors the progress and completion of the corrective actions, and evaluates their impact on the ISMS performance and conformity. The auditor may conduct a follow-up audit to verify the corrective actions on-site, or may rely on other methods, such as document review, remote interviews, or self-assessment by the auditee. The auditor documents the follow-up results and updates the audit report accordingly123.

From Exact Extract:

Explanation for B (True):

This statement is true because ISO 27001 requires an organization to establish processes for identifying, reviewing, and complying with applicable legal, statutory, regulatory, and contractual obligations. A key part of this is being aware of changes to these requirements to maintain ongoing compliance. An auditor's role is to verify that the organization has such a process in place and that it is effective.

It was appropriate for the audit team to include the observed deficiency in the audit report, making option A the correct answer. ISO/IEC 17021-1 and ISO 19011 require auditors to report all relevant findings that relate to conformity with the audit criteria, regardless of whether the affected department is formally listed within the audit scope. What matters is whether the issue relates to ISMS requirements or policies.

In this scenario, access rights control is explicitly included in Sinvestment’s information security policy and is a core requirement of ISO/IEC 27001. The absence of access control procedures in the marketing department represents a weakness in the implementation of an ISMS requirement. Even though the marketing department was not part of the defined audit scope, the auditors became aware of a condition that could negatively affect the effectiveness of the ISMS as a whole.

Option B is incorrect because merely communicating the issue informally would undermine transparency and traceability. Audit reports must provide a complete and accurate record of findings. Option C is incorrect because marketing departments frequently handle personal data and sensitive information, particularly in an insurance context, and therefore clearly pose potential ISMS risks.

Auditors are required to report relevant findings objectively and without omission. Therefore, inclusion of the issue in the audit report was appropriate.

The two true statements are B and E. According to ISO 19011:2022, the audit plan describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose1, while the audit programme describes the activities and arrangements for an audit2. The other options are either false or irrelevant. The responsibility for managing the audit programme rests with the audit programme manager, not the audit team leader (A)3. The audit plan can be changed during the conducting of the audit if necessary, with the agreement of the audit client and the auditee ©4. The audit programme and the audit plan are not the same thing, so D and F are incorrect. References: 1: ISO 19011:2022, Guidelines for auditing management systems, Clause 3.8 \n2: ISO 19011:2022, Guidelines for auditing management systems, Clause 3.9 \n3: ISO 19011:2022, Guidelines for auditing management systems, Clause 5.3.1 \n4: ISO 19011:2022, Guidelines for auditing management systems, Clause 6.4.2

Comprehensive and Detailed In-Depth Explanation:

Managerial controls (also called administrative controls) include policies, procedures, and processes to ensure effective security governance. These controls include training, internal audits, security awareness programs, and management reviews. These align with ISO/IEC 27001:2022 Annex A Control A.5.2 (Information Security Roles and Responsibilities) and A.5.3 (Segregation of Duties).

B. Organizational structure controls relate to segregation of duties and job rotations, making them structural controls rather than purely managerial.

C. Technical controls involve firewalls, IDSs, and other security mechanisms, which are not managerial but technical measures.

No, the audit scope should reflect all of the organization's divisions that are covered by the ISMS. If the ISMS scope stated that it includes the whole company, the audit scope should align with this unless specifically justified and agreed upon by all stakeholders.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

The engagement letter serves to inform the auditee about the audit details, including:

Audit scope

Audit schedule

Expectations from both parties

It formally introduces the audit process and schedules the initial contact.

A. Incorrect:

The authority to conduct the audit is established by the certification body’s agreement, not just the engagement letter.

C. Incorrect:

Audit objectives are determined in the planning phase and are not the primary function of the engagement letter.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.2 (Initiating the Audit)

1. An auditor using a copy of ISO/IEC 27001:2022 to check that its requirements are met:

Termed: Reviewing audit criteria.

Justification: The auditor is comparing the auditee's information security management system (ISMS) against the established criteria outlined in the ISO/IEC 27001:2022 standard. This activity falls under the use of audit criteria to determine conformity or nonconformity.

2. An auditor's note that the auditee is not adhering to its clear desk policy:

Termed: Identifying an audit finding.

Justification: The auditor has observed a deviation from the auditee's established policy on clear desks. This observation is documented as a potential nonconformity, which requires further investigation and evaluation.

3. An auditor making a decision regarding the auditee's conformity or otherwise to criteria:

Termed: Determining an audit conclusion.

Justification: Based on the collected audit evidence and evaluation against the established criteria, the auditor forms an opinion about the overall compliance of the auditee's ISMS. This opinion is the audit conclusion and is a key element of the audit report.

4. An auditor examining verifiable records relevant to the audit process:

Termed: Collecting audit evidence.

Justification: The auditor is gathering objective and verifiable information to support their findings and conclusions. This information comes from various sources, including documents, records, interviews, and observations.

Explanation (Audit & analytics perspective)

Data mining focuses on discovering patterns, anomalies, and relationships in historical datasets.

Identifying repeated transactions just below approval thresholds is a classic data mining technique.

Predictive analytics focuses on forecasting future outcomes, not detecting historical anomalies.

Data management is concerned with storage and governance, not analysis.

The use of probability theory in the sample selection process indicates that "statistical sampling" was used. Statistical sampling allows auditors to make inferences about the population based on the properties of the sample, relying on the principles of probability to select representative elements.

A management system audit is a systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. The audit criteria are a set of requirements that may include policies, procedures, standards, regulations, etc. The purpose of a management system audit is to evaluate the performance of an organisation’s management system in terms of its effectiveness, efficiency, compliance, and improvement. A management system audit can also identify strengths, weaknesses, opportunities, and risks of the management system and provide recommendations for improvement.

The correct sequence of activities is:

Establish the management system

Plan the audit programme

Conduct internal audits

Hold a Management Review

Engage a Certification Body for stage 1 and stage 2 audits

Complete any corrective actions

Comprehensive but Short Explanation: = According to the PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, the steps for achieving certification are as follows1:

Establish the management system: This involves defining the scope, objectives, policies, procedures, and controls of the ISMS, as well as ensuring the availability of resources and top management commitment.

Plan the audit programme: This involves defining the audit objectives, criteria, scope, frequency, methods, and responsibilities for conducting internal audits of the ISMS.

Conduct internal audits: This involves verifying the conformity and effectiveness of the ISMS, as well as identifying any nonconformities or opportunities for improvement.

Hold a Management Review: This involves reviewing the performance and suitability of the ISMS, as well as deciding on any changes or actions needed to improve it.

Engage a Certification Body for stage 1 and stage 2 audits: This involves selecting a reputable and accredited certification body to conduct an external audit of the ISMS, consisting of two stages: a documentation review and an on-site assessment.

Complete any corrective actions: This involves addressing any nonconformities or findings identified by the certification body, and providing evidence of their implementation and effectiveness.

= 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, pages 25-26.

A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization’s management system to achieve its intended results, and therefore requires immediate corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system12.

A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system12.

The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because the top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee13.

The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee13.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

ISO/IEC 27001 requires organizations to comply with applicable legal, statutory, regulatory, and contractual requirements, including those pertaining to information security. These requirements must be identified, documented, and kept up to date as part of the organization's ISMS.

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, audit methods can be classified into two categories: with or without interaction with individuals representing the auditee (page 12). Audit methods with interaction include reviewing checklists with auditee and conducting interviews, as they involve direct communication and feedback from the auditee. Audit methods without interaction include sampling (e.g. products), observing work performed via live video streaming, checking legal compliance with local authorities, and analysing documents provided in advance of the audit, as they do not require any dialogue or exchange with the auditee. References: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 12.

Audit evidence should be evaluated against the audit criteria in order to determine audit findings.

Audit evidence is the information obtained by the auditors during the audit process that is used as a basis for forming an audit opinion or conclusion12. Audit evidence could include records, documents, statements, observations, interviews, or test results12.

Audit criteria are the set of policies, procedures, standards, regulations, or requirements that are used as a reference against which audit evidence is compared12. Audit criteria could be derived from internal or external sources, such as ISO standards, industry best practices, or legal obligations12.

Audit findings are the results of a process that evaluates audit evidence and compares it against audit criteria13. Audit findings can show that audit criteria are being met (conformity) or that they are not being met (nonconformity). They can also identify best practices or improvement opportunities13.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

Components of Audit Findings - The Institute of Internal Auditors

Internal audits and external audits are integral components of the certification cycle, ensuring regular monitoring of the management system. Internal audits help organizations prepare for external audits by identifying and addressing potential nonconformities, while external audits validate the compliance of the management system with ISO/IEC 27001 standards.

The three options that will not be in your audit trail are A, C, and H. These options are either not relevant to the information security of ABC’s healthcare mobile app development, support, and lifecycle process, or not within the scope of your audit. The amount of money that residents’ family members pay to install the app (A) and the number of users of the app © are not related to the information security aspects or objectives of the ISMS1. The verification of the developer’s certifications (H) is not your responsibility as an ISMS auditor, as you should rely on the competence and impartiality of the certification bodies that issued them2. The other options are relevant and within the scope of your audit, as they relate to the security functions, testing, policies, and procedures of the mobile app development, support, and lifecycle process13. References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 4.2 \n2: ISO/IEC 27006:2022, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems, Clause 4.1 \n3: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 5: Conducting an ISO/IEC 27001 audit

ISO/IEC 27001:2022 requires that the scope of the ISMS be established and maintained as documented information. This requirement is explicitly stated in clause 4.3, which requires organizations to determine the boundaries and applicability of the ISMS and to ensure that the scope is documented. While communication and awareness are important, verbal communication alone is not sufficient to meet this requirement.

In the scenario, Knight communicated the ISMS scope to employees during a weekly meeting. While this may support awareness, it does not satisfy the requirement for documented information. Employees, auditors, and other interested parties must be able to access the ISMS scope consistently over time, including new employees or external stakeholders. Relying on meetings creates a risk that the scope is misunderstood, forgotten, or inconsistently applied.

Option A is incorrect because documenting meeting minutes does not replace the requirement for a formally controlled ISMS scope document. The scope must exist independently as documented information, not merely as a record of communication. Option C is also incorrect because ISO/IEC 27001 does not mandate formal training sessions as the only acceptable communication method for scope awareness.

Therefore, the correct position is that while communicating the scope verbally is useful, it is not acceptable on its own, and the scope must be maintained as documented information.

•C. Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

This is not relevant to the audit of the organization's incident management process. The HR manager's personal phone and how they handle a ransomware attack on it falls outside the scope of the ISMS audit. The organization is not responsible for personal devices.

•B. Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

While seemingly relevant, this focuses on the method of payment for the ransom. The core issue is the organization paying the ransom at all, which is generally not best practice in incident response. The audit should focus on why this decision was made and if alternative solutions were considered (e.g., data backups, device wiping and restoration).

Why the other options ARE relevant:

•A. Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8) This directly addresses the identified discrepancy in understanding "weakness, event, and incident," which is crucial for proper incident reporting.

•D. Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27) This investigates the basis for the 24-hour recovery time, which seems arbitrary and may not be appropriate for all incidents.

•E. Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26) This probes the adequacy of the incident response, especially the lack of preventative measures after paying the ransom.

•F. Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26) This examines the actual procedures to assess their effectiveness and alignment with best practices.

CyberShielding Systems Inc. should have included the identification of areas for improvement when defining the audit objectives, making option A the correct answer. ISO/IEC 27001 audits are not limited to verifying compliance; they also support continual improvement of the ISMS. ISO 19011 encourages audits to provide value by identifying weaknesses, improvement opportunities, and areas where effectiveness can be enhanced.

In the scenario, the audit objectives were primarily focused on conformity with criteria and compliance with statutory and regulatory requirements. While this is essential, a well-defined audit objective should also include evaluating opportunities to improve security practices, control effectiveness, and risk management maturity. Identifying improvement areas helps the organization strengthen its ISMS beyond basic compliance and aligns with ISO/IEC 27001 clause 10 on continual improvement.

Option B is incorrect because audit objectives should not be narrowly focused only on recent incidents or management concerns, as this could lead to biased or incomplete coverage. Option C is incorrect because limiting the audit to documentation review undermines the effectiveness of the audit and contradicts the requirement for evidence-based evaluation of operational controls.

Therefore, including improvement identification as an audit objective would have strengthened the audit’s value and alignment with ISO/IEC 27001 principles.

This situation is unacceptable because UpNet should have requested and been granted an extension audit prior to announcing that the ISMS certification scope encompasses the whole company, including the new department. Proper procedures need to be followed to extend the certification to additional departments or processes.

Jack compromised the audit principle of confidentiality by selling NightCore's information after the audit. Confidentiality ensures that information is accessible only to those authorized to have access and is protected throughout its lifecycle.

Jack collected mathematical evidence when he identified nonconformities by comparing the number of purchased invoices for software licenses with the software inventory. This type of evidence involves numerical, quantifiable data that highlights discrepancies and supports findings of compliance or non-compliance.

The stages of information are creation, distribution, use, maintenance, and disposition. These are the phases that information goes through during its lifecycle, from the moment it is generated to the moment it is destroyed or archived. Each stage of information has different security requirements and risks, and should be managed accordingly. Creation, evolution, maintenance, use, and disposition are not the correct stages of information, as evolution is not a distinct stage, but a process that can occur in any stage. Creation, use, disposition, maintenance, and evolution are not the correct stages of information, as they are not in the right order. Creation, distribution, maintenance, disposition, and use are not the correct stages of information, as they are not in the right order. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 32. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 12.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

ISO/IEC 27001:2022 Clause 6.1.3 (Information Security Risk Treatment) requires that any decision to accept risk be documented and justified.

Failure to document this decision creates compliance and audit tracking gaps.

A. Incorrect:

Risk acceptance must always be documented for accountability.

C. Incorrect:

Organizations are not required to mitigate every nonconformity but must justify their risk acceptance.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 6.1.3 (Risk Treatment Documentation Requirements)

Establishing the audit programme objectives, scope and criteria

Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc.

Selecting and appointing the audit team leaders and auditors

Reviewing and approving the audit plans and arrangements

Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc.

Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities

Monitoring and reviewing the performance and results of the audit programme and the audit teams

Evaluating the feedback and satisfaction of the auditees and other interested parties

Identifying and implementing the opportunities for improvement of the audit programme

The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors12:

Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc.

Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc.

Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee

Defining the plan of an individual audit, which includes the audit schedule, the audit activities, the audit methods, the audit documents, etc.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

ISO 19011:2018 (Audit Guidelines) allows process simulations to verify control effectiveness.

Webvue’s personnel conducted the test under audit supervision, ensuring realistic evaluation without operational disruption.

A. Incorrect:

Simulations are valid audit techniques and do not negatively impact operations if performed properly.

B. Incorrect:

Technical experts assist auditors, but the focus is on ensuring accurate control verification, not the auditor’s competence.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.8 (Process Simulation for Audit Evidence Collection)

The definition of information that is not correct is C: mature and measurable data. This is not a valid definition of information, as information does not have to be mature or measurable to be considered as such. Information can be any data that has meaning or value for someone or something in a certain context. Information can be subjective, qualitative, incomplete or uncertain, depending on how it is interpreted or used. Mature and measurable data are characteristics that may apply to some types of information, but not all. The other definitions of information are correct, as they describe different aspects of information, such as accuracy and timeliness (A), specificity and organization (B), and understanding and uncertainty reduction (D). ISO/IEC 27001:2022 defines information as “any data that has meaning” (see clause 3.25). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Information?

This situation represents a sampling error, making option B the correct answer. ISO 19011:2018 explicitly states that management system audits are conducted using sampling techniques because it is impractical to examine all available information within the constraints of time and resources. When auditors select a subset of records, there is an inherent risk that the sample may not fully represent the entire population.

In this scenario, the audit team reviewed training records for 15 out of 50 employees to assess conformity with ISO/IEC 27001 training and awareness requirements. While this is an acceptable and standard audit practice, it introduces the possibility that the selected sample may not reflect gaps or issues present in the remaining records. This uncertainty is known as sampling risk or sampling error.

Option A is incorrect because a “risk related to the auditor” generally refers to competence, impartiality, or ethical behavior issues, none of which are indicated here. The auditors followed a recognized audit method. Option C is incorrect because inherent risk relates to the nature of the organization or its environment, not to the audit technique used.

Sampling error does not imply that the audit conclusion is invalid; rather, it reflects a known limitation of audits that auditors must manage through professional judgment and appropriate sample selection. Therefore, reviewing a subset of training records represents sampling error.

Prior to the initiation of stage 2 audit, Lawsy should review and confirm the audit plan with the certification body. This ensures that both parties agree on the objectives, scope, and procedures for the stage 2 audit, thus aligning expectations and facilitating a smoother audit process.

The responsibilities described fit those of a "guide." A guide in an audit context is typically someone from the auditee's organization who facilitates audit activities, manages logistics, ensures compliance with health and safety policies, and may also witness the audit process, assisting the audit team.

Comprehensive and Detailed In-Depth Explanation:

ISO/IEC 27001 does not prescribe a specific risk assessment methodology but instead provides general requirements for risk assessment. Organizations are free to develop their own risk assessment methods, as long as they:

Identify risks and impacts on information security.

Define risk criteria for evaluating risks.

Implement risk treatment plans based on the organization's context.

A. Correct Answer:

ISO/IEC 27001 Clause 6.1.2 (Information Security Risk Assessment) states that organizations may define their own risk assessment methodology.

This approach must be systematic, measurable, and aligned with business objectives.

B. Incorrect:

Organizations are not required to use a recognized methodology like OCTAVE, MEHARI, or EBIOS, as long as their approach meets ISO requirements.

C. Incorrect:

ISO/IEC 27001 does not mandate a specific risk assessment method, only that a consistent and structured approach is used.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 6.1.2 (Information Security Risk Assessment Process)

•Minor Nonconformities: The identified nonconformities are minor, meaning they don't pose a significant risk to the information security management system (ISMS). They are likely to be easily rectified with focused corrective actions.

•Opportunity for Improvement: This is not a nonconformity but a suggestion for enhancing the ISMS. It doesn't require immediate corrective action but should be addressed in the organization's continual improvement efforts.

•Initial Certification: As this is an initial certification audit, the organization is expected to demonstrate its commitment to addressing any gaps identified. A partial audit allows for a focused follow-up on the specific areas of nonconformity, ensuring they have been adequately addressed.

Why other options are not suitable:

•A. Recommend certification after your approval of the proposed corrective action plan: While certification is the goal, it's premature to recommend it before verifying the effectiveness of the corrective actions.

•B. Recommend that a full scope re-audit is required within 6 months: This is too extensive for minor nonconformities. A full re-audit is usually reserved for major nonconformities or systemic issues.

•D. Recommend that the findings can be closed out at a surveillance audit in 1 year: This is too long a timeframe for addressing the nonconformities. Prompt corrective action is necessary to demonstrate commitment to the ISMS.

In summary, recommending a partial audit within 3 months strikes the right balance between allowing the organization time to implement corrective actions and ensuring timely verification of their effectiveness. This approach aligns with the principles of ISO 27001 and supports the organization's journey towards certification.

The audit team primarily considered the objectivity of the evidence, making option B the correct answer. ISO 19011:2018 emphasizes that the reliability of audit evidence depends on several factors, including its objectivity, source, timing, and method of collection. Among these, objectivity is particularly important because it determines how free the evidence is from bias, interpretation, or subjective influence.

In the scenario, the auditors explicitly compared evidence from surveillance cameras with photos and concluded that surveillance footage provided more objective proof. This comparison directly highlights objectivity as a key consideration. Surveillance footage records events continuously and without human intervention, reducing the risk of manipulation or selective representation. Photos, by contrast, can be staged, selectively captured, or taken out of context, making them less objective.

The auditors also considered timing, such as transaction recording, which further supports objectivity by ensuring that events are recorded as they occur. While independence of the source is an important reliability factor, the scenario does not emphasize independence as the primary consideration. Instead, it focuses on how objective and trustworthy different forms of evidence are. Evidence collection techniques are also relevant, but the scenario describes the evaluation of evidence quality rather than how the evidence was gathered.

Therefore, based on the explicit examples provided, objectivity of the evidence was the primary factor considered when evaluating reliability.

Comprehensive and Detailed In-Depth Explanation:

A. Assigning responsibilities to the audit team members (Correct Answer) – This is not Sarah’s responsibility. The certification body assigns the audit team and defines responsibilities, ensuring independence and objectivity.

B. Defining the audit criteria and objectives (Correct Responsibility) – Sarah, as the audit team leader, must establish audit criteria and objectives, per ISO 19011 (Guidelines for Auditing Management Systems).

C. Planning the audit (Correct Responsibility) – The audit team leader is responsible for planning the audit, including timelines and resource allocation.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)

ISO 19011:2018 Clause 5.5.2 (Defining Audit Objectives and Criteria)

According to ISO 19011:2018, which provides guidelines for auditing management systems, clause 6.6 requires the audit team leader to conduct a closing meeting with the auditee’s representatives at the end of the audit to present the audit conclusions and any findings1. The closing meeting should also provide an opportunity for the auditee to ask questions, clarify issues, acknowledge the findings, and comment on the audit process1. Therefore, when preparing for the closing meeting, an ISMS auditor should consider the following actions:

I will advise the auditee that the purpose of the closing meeting is for the audit team to communicate our findings. It is not an opportunity for the auditee to challenge these: This action is appropriate because it reflects the fact that the auditor has followed a systematic and consistent approach to collecting and evaluating audit evidence and reaching audit conclusions. The auditor should advise the auditee that the purpose of the closing meeting is for the audit team to communicate their findings, which are based on objective evidence and professional judgement. The auditor should also explain that it is not an opportunity for the auditee to challenge these findings, as they have already been discussed and confirmed during the audit. However, the auditor should also invite the auditee to ask questions, clarify issues, acknowledge the findings, and comment on the audit process1.

I will schedule a closing meeting with the auditee’s representatives at which the audit conclusions will be presented: This action is appropriate because it reflects the fact that the auditor has followed a planned and agreed audit programme and schedule. The auditor should schedule a closing meeting with the auditee’s representatives at which the audit conclusions will be presented, in accordance with clause 6.6 of ISO 19011:20181. The auditor should also ensure that the closing meeting is attended by those responsible for managing or implementing the ISMS, as well as any other relevant parties1.

I will discuss any follow-up required with my audit team: This action is appropriate because it reflects the fact that the auditor has followed a risk-based approach to determining and reporting any follow-up actions required by the auditee or the certification body. The auditor should discuss any follow-up required with their audit team, such as verifying corrective actions for nonconformities or conducting a subsequent audit1. The auditor should also document any follow-up actions in the audit report1.

I will review and, as appropriate, approve my teams audit conclusions: This action is appropriate because it reflects the fact that the auditor has followed a rigorous and professional process to reaching and reporting audit conclusions. The auditor should review and, as appropriate, approve their teams audit conclusions, which are based on objective evidence and professional judgement. The auditor should also ensure that their teams audit conclusions are consistent with the audit objectives and scope, and reflect the overall performance and conformity of the ISMS1.

According to ISO 19011:2018, which provides guidelines for auditing management systems, a sampling plan is a method for selecting a representative subset of the audit evidence from a defined population1. A sampling plan can have several advantages for the audit, such as providing a suitable understanding of the ISMS by covering its key processes, activities, and controls; implementing the audit plan efficiently by optimizing the use of time and resources; and giving confidence in the audit results by ensuring that the sample is sufficient, reliable, and unbiased1. Therefore, these three options are examples of advantages of using a sampling plan for the audit. The other options are not advantages, but rather disadvantages or risks of using a sampling plan. For example, overruling the auditor’s instincts may lead to missing important evidence or issues that are not covered by the sampling plan; using the same plan for consecutive audits may reduce the effectiveness and validity of the audit results; and missing key issues may result from an inadequate or inappropriate sampling plan1. References: ISO 19011:2018 - Guidelines for auditing management systems

The context of the organisation is the business environment in which the organisation operates and defines its information security management system (ISMS). It includes the internal and external factors and conditions that can influence the organisation’s information security objectives, strategies, and policies. The context of the organisation helps the organisation to identify the scope, boundaries, and requirements of the ISMS, as well as the interested parties and their expectations. The context of the organisation is determined by considering both internal and external issues, such as the organisational structure, culture, values, mission, vision, objectives, strategies, resources, capabilities, processes, activities, products, services, markets, customers, competitors, suppliers, partners, regulators, laws, regulations, standards, guidelines, best practices, risks, opportunities, threats, vulnerabilities, etc. References: ISO 27001:2022 Clause 4 Context of the organization, ISO 27001 Requirement 4.1 – Understanding the Context of the Organisation, ISO 27001 context of the organization – How to define it - Advisera

By drafting a procedure for information labeling, EsBank has submitted an action plan to resolve the nonconformity. This step addresses the immediate issue identified during the audit by establishing a consistent approach to labeling information according to its classification.

Information is an asset like other important business assets, as it has value to an organization and consequently needs to be protected. Information can be in any form, such as electronic, paper, or verbal. Information security is the protection of information from unauthorized access, use, disclosure, modification, or destruction2. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

A third-party audit is an independent assessment of an organisation’s management system by an external auditor, who is not affiliated with the organisation or its customers. The auditor verifies that the management system meets the requirements of a specific standard, such as ISO 27001, and evaluates its effectiveness and performance. The auditor also identifies any strengths, weaknesses, opportunities, or risks of the management system, and provides recommendations for improvement. The purpose of a third-party audit is to provide an objective and impartial evaluation of the organisation’s management system, and to inform a certification decision by a certification body. A certification body is an organisation that grants a certificate of conformity to the organisation, after reviewing the audit report and evidence, and confirming that the management system meets the certification criteria. A certification decision is the outcome of the certification process, which can be positive (granting, maintaining, renewing, or expanding the scope of certification) or negative (suspending, withdrawing, or reducing the scope of certification). References:

PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-25

ISO 19011:2018 - Guidelines for auditing management systems

The ISO 27001 audit process | ISMS.online

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer – This is a Threat. A cyberattack exploiting a zero-day vulnerability is an active security threat, as it causes harm to the organization.

A. Employee accessing unauthorized files is a vulnerability (insider risk) rather than an external threat.

B. Lack of MFA is a security weakness (vulnerability), not a threat.

This aligns with ISO/IEC 27001:2022 Annex A Control A.8.25 (Assessment and Decision on Information Security Events).

A third-party virtual audit is an external audit conducted by an independent certification body using remote technology such as video conferencing, screen sharing, and electronic document exchange. The purpose of a third-party virtual audit is to verify the conformity and effectiveness of the information security management system (ISMS) and to issue a certificate of compliance12

Before you start conducting the audit, you would need to inform the auditee about the following issues: 12

You will ask those being interviewed to state their name and position beforehand, i.e., to confirm their identity and role in the ISMS. This is to ensure that you are interviewing the relevant personnel and that they are authorized to provide information and evidence for the audit.

You will ask for a 360-degree view of the room where the audit is being carried out, i.e., to verify the physical and environmental security of the audit location. This is to ensure that there are no unauthorized persons or devices in the vicinity that could compromise the confidentiality, integrity, or availability of the information being audited.

The other issues are not relevant or appropriate for a third-party virtual audit, because:

You will ask to see the ID card of the person that is on the screen, i.e., to verify their identity. This is not necessary if you have already asked them to state their name and position beforehand, and if you have access to the auditee’s organizational chart or staff directory. Asking to see the ID card could also be seen as intrusive or disrespectful by the auditee.

You will take photos of every person you interview, i.e., to document the audit process. This is not advisable as it could violate the privacy or consent of the auditee and the interviewees. Taking photos could also be seen as unprofessional or suspicious by the auditee. You should rely on the audit records and evidence provided by the auditee and the audit tool instead.

You will not record any part of the audit, unless permitted, i.e., to respect the auditee’s preferences and rights. This is not a valid issue to inform the auditee about, as you should always record the audit for quality assurance and verification purposes. Recording the audit is also a requirement of the ISO/IEC 27001 standard and the certification body. You should inform the auditee that you will record the audit and obtain their consent before the audit begins.

You expect the auditee to have assessed all risks associated with online activities, i.e., to ensure the security of the audit process. This is not an issue to inform the auditee about, as it is part of the auditee’s responsibility and obligation to have a risk assessment and treatment process for their ISMS. You should assess the auditee’s risk management practices and controls during the audit, not before it.

The option that best describes how Information Security Management System (ISMS) audits should be conducted, aligning with best practices and standards like ISO/IEC 27001:2022, is:

D. Audit methods should be used to assess objective evidence in order to generate audit findings. Then, the audit conclusion should be created and presented to the auditee at the closing meeting.

This option accurately reflects the audit process, emphasizing the use of systematic audit methods to assess objective evidence, which is crucial for impartiality and accuracy in auditing. Audit findings are the results derived from evaluating the objective evidence against the audit criteria. The conclusion, based on the audit findings, provides a comprehensive summary of the audit's outcomes, indicating whether the audited ISMS meets the established criteria. Presenting these conclusions to the auditee during the closing meeting ensures transparency and provides an opportunity for immediate clarification and discussion of the results and potential next steps.

The correct action to take in this situation is to raise it as an opportunity for improvement. This is because the auditee is not violating any requirement of the standard, but rather using outdated terminology that does not reflect the current version of the standard. An opportunity for improvement is a suggestion for enhancing the performance or effectiveness of the ISMS1. It is not a nonconformity, which is a failure to fulfil a requirement2. Therefore, option B is incorrect. Option A is also incorrect, because noting the issue in the audit report without raising it as an opportunity for improvement would not provide any value or feedback to the auditee. Option D is also incorrect, because bringing the matter up at the closing meeting without documenting it as an opportunity for improvement would not ensure that the auditee takes any action to address it. References: 1: ISMS Auditing Guideline - ISO27000, page 11; 2: ISO/IEC 27000:2022, 3.28; : ISMS Auditing Guideline - ISO27000; : ISO/IEC 27000:2022

The correct responsibility with each participant of a second-party audit is:

Prepares the audit report: Audit Team Leader. The audit team leader is responsible for coordinating the audit activities, communicating with the auditee and the customer, and preparing and delivering the audit report that summarizes the audit findings and conclusions1.

Prepares audit checklists for use during the audit: Auditor. The auditor is responsible for collecting and verifying objective evidence during the audit, using audit checklists as a tool to guide the audit process and ensure that all relevant aspects of the audit criteria are covered1.

Supports an auditor and provides feedback on their experience: Auditor in training. The auditor in training is a person who is learning how to perform audits under the supervision of an experienced auditor. The auditor in training supports the auditor by observing and participating in the audit activities, and provides feedback on their experience to improve their skills and competence1.

Follows-up on audit findings within an agreed timeframe: Auditee. The auditee is the organisation that is being audited by the customer or a third party on behalf of the customer. The auditee is responsible for providing access and cooperation to the auditors, and for following up on the audit findings within an agreed timeframe, by implementing corrective actions or improvement measures as needed1.

Provides an independent account of the audit but does not participate in the audit: Observer. The observer is a person who accompanies the audit team but does not participate in the audit activities. The observer may be a representative of the customer, a regulatory body, or another interested party. The observer provides an independent account of the audit but does not interfere with or influence the audit process or outcome1.

Escorts the auditors but does not participate in the audit: Guide. The guide is a person who is appointed by the auditee to assist the audit team during the audit. The guide may escort the auditors to different locations, facilitate access to information and personnel, or provide clarification or explanation as requested by the auditors. The guide does not participate in the audit or influence its results1.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Joint audits involve multiple teams but require only one designated audit team leader to ensure:

Consistent audit methodology

Coordination among teams

Unified reporting structure

B. Incorrect:

While each team may have a coordinator, there is only one main leader responsible for the audit.

C. Incorrect:

ISO 19011 mandates the presence of a designated audit team leader in all audits.

Relevant Standard Reference:

ISO 19011:2018 Clause 5.5.5 (Assigning Responsibility to the Audit Team Leader)

The three options that would not be valid audit trails are:

•Collect more evidence on how the organisation manages the Point of Contact (PoC) which monitors vulnerabilities. (Relevant to clause 8.1)

•Collect more evidence on whether terms and definitions are contained in the information security policy. (Relevant to control 5.32)

•Collect more evidence to determine if ISO 27035 (Information security incident management) is used as internal audit criteria. (Relevant to clause 8.13)

These options are not valid audit trails because they are not directly related to the information security incident management process, which is the focus of the audit. The audit trails should be relevant to the objectives, scope, and criteria of the audit, and should provide sufficient and reliable evidence to support the audit findings and conclusions1.

Option E is not valid because the PoC is not a part of the information security incident management process, but rather a role that is responsible for reporting and escalating information security incidents to the appropriate authorities2. The audit trail should focus on how the PoC performs this function, not how the organisation manages the PoC.

Option G is not valid because the terms and definitions are not a part of the information security incident management process, but rather a part of the information security policy, which is a high-level document that defines the organisation’s information security objectives, principles, and responsibilities3. The audit trail should focus on how the information security policy is communicated, implemented, and reviewed, not whether it contains terms and definitions.

Option H is not valid because ISO 27035 is not a part of the information security incident management process, but rather a guidance document that provides best practices for managing information security incidents4. The audit trail should focus on how the organisation follows the requirements of ISO/IEC 27001:2022 for information security incident management, not whether it uses ISO 27035 as an internal audit criteria.

The other options are valid audit trails because they are related to the information security incident management process, and they can provide useful evidence to evaluate the conformity and effectiveness of the process. For example:

•Option A is valid because it relates to control A.5.29, which requires the organisation to establish procedures to isolate and quarantine areas subject to information security incidents, in order to prevent further damage and preserve evidence5. The audit trail should collect evidence on how the organisation implements and tests these procedures, and how they ensure the continuity of information security during disruption.

•Option B is valid because it relates to control A.6.8, which requires the organisation to establish mechanisms for reporting information security events and weaknesses, and to ensure that they are communicated in a timely manner to the appropriate levels within the organisation6. The audit trail should collect evidence on how the organisation defines and uses these mechanisms, and how they monitor and review the reporting process.

•Option C is valid because it relates to clause 7.2, which requires the organisation to provide information security awareness, education, and training to all persons under its control, and to evaluate the effectiveness of these activities7. The audit trail should collect evidence on how the organisation identifies the information security training needs, how they deliver and record the training, and how they measure the learning outcomes and feedback.

•Option D is valid because it relates to control A.5.27, which requires the organisation to learn from information security incidents and to implement corrective actions to prevent recurrence or reduce impact8. The audit trail should collect evidence on how the organisation analyses and documents the root causes and consequences of information security incidents, how they identify and implement corrective actions, and how they verify the effectiveness of these actions.

•Option F is valid because it relates to control A.5.30, which requires the organisation to establish and maintain a business continuity plan to ensure the availability of information and information processing facilities in the event of a severe information security incident9. The audit trail should collect evidence on how the organisation develops and updates the business continuity plan, how they test and review the plan, and how they communicate and train the relevant personnel on the plan.

According to ISO 27001:2022 clause 8.1.4, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes implementing appropriate contractual requirements related to information security with external providers, such as customers who send ICT equipment for reclamation12

In this case, ABC is a residential nursing home that provides healthcare services to its residents and collects their personal data and their family members’ personal data. ABC has a signed service agreement with the residents’ family members that states that the collected personal data will not be used for marketing or any other purposes than nursing and medical care. However, ABC has violated this contractual requirement by sharing the personal data with WeCare, a medical device manufacturer, who has used the data to send promotional advertisements to the residents’ family members via email and SMS. This has caused dissatisfaction and complaints from the residents’ family members, who have a strong reason to believe that ABC is leaking their personal information to a non-relevant third party.

Therefore, the audit finding is a nonconformity with clause 8.1.4 of ISO 27001:2022, as ABC has failed to control the externally provided processes, products or services that are relevant to the information security management system, and has breached the contractual requirements related to information security with its customers. The fact that ABC has taken corrective actions to stop working with WeCare and to apologise to the customers does not eliminate the nonconformity, but only mitigates its consequences. The nonconformity still needs to be recorded, evaluated, and reviewed for effectiveness and improvement.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO/IEC 27001:2022 Clause 10.1 (Improvement) requires organizations to submit action plans to address audit findings.

Clastus must document an action plan before corrective actions can be evaluated or followed up.

B. Incorrect:

Corrective actions can only be evaluated after action plans are submitted and implemented.

C. Incorrect:

Follow-up occurs after corrective actions have been executed and verified.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 10.1 (Corrective Action Planning and Implementation)

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Auditors conducted interviews (verbal evidence) and analyzed incident resolution records, employee training logs, and governance policies (documentary evidence).

ISO 19011:2018 (Clause 6.4.7) states that audit evidence can be verbal, documented, observed, or analytical.

B. Incorrect:

Confirmative evidence involves third-party validation, which was not explicitly mentioned.

C. Incorrect:

Mathematical analysis was not conducted in this audit.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.7 (Audit Evidence Collection Methods)

One of the advantages of having accredited certification of ISMS to ISO/IEC 27001:2022 is that it demonstrates the recognition of the credibility of the certification process. Accredited certification means that the certification body has been assessed and approved by an accreditation body, which ensures that the certification body operates according to international standards and follows impartiality, competence and consistency principles. Accredited certification also enhances the confidence of the organisation’s customers, partners, regulators and other interested parties in the organisation’s information security performance and compliance. References: = ISO/IEC 27001:2022, clause 0.2; [PECB Candidate Handbook ISO 27001 Lead Auditor], page 6; Key Benefits of ISO 27001 Certification - IT Governance.

Regular security awareness and training sessions for employees are a control measure aimed at preventing security incidents by ensuring that personnel are aware of information security threats and concerns, and understand their roles and responsibilities in safeguarding organizational assets. This proactive approach is designed to educate employees on the importance of security practices and to avoid the occurrence of security incidents. References: = This answer is based on the principles of personnel security management as outlined in ISO/IEC 27001, particularly in Annex A.7 which deals with human resource security before, during, and after employment, and Annex A.9 which focuses on access control and ensuring that employees have access only to the information that is necessary for their job role

ISO/IEC 27001 emphasizes the need for organizations to have a comprehensive incident management and recovery plan for various situations, including the termination of contracts with key service providers. In the case of SendPay, having a specific, documented recovery plan that outlines steps and protocols in case of sudden termination is necessary to ensure business continuity and compliance with the standard.

The scenario represents inherent risk, making option A the correct answer. Inherent risk refers to the susceptibility of a process, system, or organization to errors or failures due to its nature, environment, or complexity, independent of the effectiveness of internal controls.

ABC Manufacturing operates in a highly regulated and complex chemical industry. Such environments naturally involve complicated regulatory requirements, hazardous materials, and stringent compliance obligations. These characteristics increase the likelihood of errors or ISMS defects simply because of the industry’s complexity, even when internal controls exist. This is the defining feature of inherent risk.

Option B is incorrect because control risk relates to the possibility that internal controls fail to prevent or detect issues. In the scenario, controls are in place, but the risk arises from the complexity of the industry itself rather than a failure of controls. Option C is incorrect because detection risk concerns the auditor’s ability to detect existing issues during an audit, not the organization’s operational environment.

In ISO/IEC 27001 audits, understanding inherent risk is essential for planning audit focus and depth. Highly regulated industries naturally carry higher inherent risk due to complexity and compliance demands. Therefore, the scenario clearly represents inherent risk.