ISO-IEC-27001-Lead-Auditor PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Question and Answers

The correct answer is A, because a general action plan can be acceptable when multiple nonconformities share the same root cause, provided that the plan clearly addresses that root cause and demonstrates how recurrence will be prevented. ISO/IEC 27001 clause 10.1 requires organizations to determine the causes of nonconformities and implement corrective actions proportionate to the effects of those nonconformities. It does not mandate a one-to-one relationship between nonconformities and action plans.

In Scenario 8, both nonconformities stem from a common underlying issue: the absence of a formal information labeling procedure aligned with the information classification scheme. The mislabeling of information and the incorrect storage of sensitive information on removable media are consequences of this single systemic weakness. Therefore, a consolidated action plan targeting the root cause is conceptually acceptable.

However, the issue in the scenario is not that the plan was general, but that it lacked sufficient detail, such as clear action steps, responsibilities, timelines, and identification of affected systems and controls. Certification bodies require action plans to be specific, verifiable, and capable of being assessed for effectiveness.

Option B is incorrect because ISO standards do not require separate action plans for each nonconformity when a shared root cause exists. Option C is incorrect because audit team leader approval alone does not make an inadequate plan acceptable.

Thus, while a general action plan is acceptable in principle, it must still be detailed and robust to support certification.

Review is the third stage of the Plan-Do-Check-Act (PDCA) cycle, which is a four-step model for implementing and improving an information security management system (ISMS) according to ISO/IEC 27001:202212. Review involves assessing and measuring the performance of the ISMS against the established policies, objectives, and criteria12.

Assess is the verb that describes the action of reviewing the ISMS. Assess means to evaluate, analyze, or measure something in a systematic and objective manner3. Assessing the ISMS involves collecting and verifying audit evidence, identifying strengths and weaknesses, and determining the degree of conformity or nonconformity12.

Regular is the adjective that describes the frequency or interval of reviewing the ISMS. Regular means occurring or done at fixed or uniform intervals4. Reviewing the ISMS at regular intervals means conducting internal audits and management reviews periodically, such as annually, quarterly, or monthly, depending on the needs and risks of the organization12.

Suitability is one of the attributes that describes the quality or outcome of reviewing the ISMS. Suitability means being appropriate or fitting for a particular purpose, person, or situation5. Reviewing the ISMS for suitability means ensuring that it is aligned with the organization’s strategic direction, business objectives, and information security requirements12.

References :=

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27003:2022 Information technology — Security techniques — Information security management systems — Guidance

Assess | Definition of Assess by Merriam-Webster

Regular | Definition of Regular by Merriam-Webster

Suitability | Definition of Suitability by Merriam-Webster

The audit team’s approach is in line with recommended auditing practices, making option A the correct answer. ISO management system audits, including ISO/IEC 27001 audits, are designed to provide reasonable assurance, not absolute assurance, that the management system conforms to the standard requirements. This principle is explicitly supported by ISO 19011 and ISO/IEC 17021-1.

In the scenario, the audit team assessed conformity by reviewing key processes, questioning responsible personnel, examining representative evidence, and evaluating control effectiveness. Although access to IT systems was limited, the auditors compensated by gathering sufficient and appropriate evidence through alternative means. This approach reflects the reality of auditing complex environments, particularly those involving third-party service providers.

Option B is incorrect because ISO standards do not require auditors to assess every process in full detail. Audits are sample-based by design. Expecting a complete, exhaustive assessment of each process would be impractical and inconsistent with audit principles. Option C is incorrect because assessing the ISMS as a whole is not merely an efficiency-driven decision; it is an accepted and intentional audit approach aimed at evaluating system-level effectiveness.

Therefore, obtaining reasonable assurance through a structured, evidence-based approach confirms that the audit team acted in accordance with recommended audit practices.

SendPay's inability to restore their services immediately after the contract termination indicates a lack of a comprehensive business continuity plan that addresses the potential impacts of such terminations. This oversight can result in significant operational disruptions, as observed.

ISO/IEC 27001:2022 explicitly requires that risk treatment decisions be based on the results of the information security risk assessment. Clause 6.1.3 states that, after completing a risk assessment, the organization shall determine appropriate risk treatment options and select controls to implement those options. This ensures that controls are proportionate, justified, and aligned with actual information security risks rather than arbitrary or purely cost-driven decisions.

In the scenario, Knight conducted a risk assessment after implementing SSH to replace FTP and then chose a risk treatment option based on the assessment results. This approach is fully compliant with ISO/IEC 27001. The organization first identified the risk, implemented a control to address the vulnerability, and then reassessed the residual risk to confirm whether it was reduced to an acceptable level. This demonstrates a structured and systematic risk management process.

Option B is incorrect because ISO/IEC 27001 does not allow financial considerations to override risk assessment outcomes. While cost is a factor, it must be balanced against the risk and potential impact. Option C is incorrect because random selection of risk treatment options contradicts the fundamental principles of risk-based decision-making and would undermine the effectiveness of the ISMS.

Therefore, selecting a risk treatment option based on risk assessment results is not only acceptable but required under ISO/IEC 27001:2022.

The number of days assigned to a third-party audit is not determined by the auditee’s availability, but by the audit program, which considers the audit scope, objectives, criteria, risks, and resources12. The auditee’s availability is only one factor that affects the audit planning and scheduling, but not the audit duration3. Auditors approved for conducting onsite audits do require additional training for virtual audits, as there are significant differences in the skillset required. Virtual audits pose different challenges and opportunities than onsite audits, such as communication, technology, security, and evidence collection4 . Auditors need to be familiar with the tools and techniques for conducting remote audits, as well as the ethical and professional behavior expected in a virtual environment . References:

PECB Candidate Handbook - ISO 27001 Lead Auditor, page 18

ISO 19011:2018, Guidelines for auditing management systems, clause 5.3.2

ISO 19011:2018, Guidelines for auditing management systems, clause 6.3.1

Deloitte - Conducting a Virtual Internal Audit, page 1

[A Guide to Conducting Effective and Efficient Remote Audits], page 1

[ISO 19011:2018, Guidelines for auditing management systems], clause 7.2.3

[Remote Auditing Best Practices & Checklist for Regulatory Compliance], page 1

An audit finding is the result of the evaluation of the collected audit evidence against audit criteria.

The scenario represents inherent risk, making option A the correct answer. Inherent risk refers to the susceptibility of a process, system, or organization to errors or failures due to its nature, environment, or complexity, independent of the effectiveness of internal controls.

ABC Manufacturing operates in a highly regulated and complex chemical industry. Such environments naturally involve complicated regulatory requirements, hazardous materials, and stringent compliance obligations. These characteristics increase the likelihood of errors or ISMS defects simply because of the industry’s complexity, even when internal controls exist. This is the defining feature of inherent risk.

Option B is incorrect because control risk relates to the possibility that internal controls fail to prevent or detect issues. In the scenario, controls are in place, but the risk arises from the complexity of the industry itself rather than a failure of controls. Option C is incorrect because detection risk concerns the auditor’s ability to detect existing issues during an audit, not the organization’s operational environment.

In ISO/IEC 27001 audits, understanding inherent risk is essential for planning audit focus and depth. Highly regulated industries naturally carry higher inherent risk due to complexity and compliance demands. Therefore, the scenario clearly represents inherent risk.

The most accurate description of the relationship between information security elements is that threats exploit vulnerabilities to damage or destroy assets. This relationship forms the foundational model used in information security risk management, including ISO/IEC 27001:2022.

In this model, assets are anything of value to the organization, such as information, systems, services, or people. Vulnerabilities are weaknesses or gaps in protection that could be exploited. Threats are potential causes of an unwanted incident, such as malicious actors, malware, system failures, or human error. A risk materializes when a threat successfully exploits a vulnerability, leading to an impact on an asset.

Option A correctly captures this causal chain and reflects the risk assessment logic required by ISO/IEC 27001 clause 6.1.2, which requires organizations to identify threats, vulnerabilities, and impacts in combination.

Option B is incorrect because controls do not reduce threats directly; they primarily reduce vulnerabilities or mitigate impacts. Threats often exist outside the organization’s control. Option C is also incorrect because risk is not solely a function of vulnerabilities; it is typically a combination of threats, vulnerabilities, likelihood, and impact.

Therefore, option A best represents the correct and complete relationship among the core information security elements.

The triad refers to the three elements of information security: confidentiality, integrity and availability3. Technology is the glue that ties the triad together, as it provides the means to implement various controls and measures to protect information from unauthorized access, modification or loss3. References: ISO/IEC 27001:2022 Lead Auditor Training Course - BSI

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO/IEC 17021-1 allows extension audits to be conducted alongside surveillance audits.

This reduces redundancy and cost while maintaining compliance.

B. Incorrect:

Certification bodies have the authority to approve extension audits.

C. Incorrect:

Extensions are not restricted to the second year—they can occur at any time during the certification cycle.

Relevant Standard Reference:

ISO/IEC 17021-1:2015 Clause 9.6.5 (Extension Audits During Surveillance)

According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, a certification body should ensure that its auditors are competent, impartial, and independent from the auditee organization2. Therefore, if a Management System Representative of a client organization asks for a specific auditor for the certification audit, the individual(s) managing the audit programme should respond in a way that does not compromise these principles or create any conflict of interest or undue influence2. Two possible ways to respond are to state that his request will be considered but may not be taken up, as there may be other factors that affect the auditor selection process; or to advise him that the audit team selection is a decision that the audit programme manager needs to make based on the resources available, such as auditor availability, competence, location, etc2. The other options are not suitable ways to respond in this situation. For example, advising him that his request can be accepted may raise doubts about the objectivity and credibility of the auditor and the certification body; suggesting that he chooses another certification body may imply that his request is unreasonable or unethical; and suggesting asking the certification body management to permit his request may suggest that there is room for negotiation or manipulation in auditor selection2. References: ISO/IEC 17021-1:2015 - Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements

The use of new technologies such as big data presents new challenges in auditing, particularly the issue of combining structured and unstructured data. Big data environments often include diverse data sets that auditors need to understand and interpret, which requires new skills and approaches to ensure effective and comprehensive audit coverage.

A document review is a process of examining the documented information related to the management system before the on-site audit activities. The purpose of a document review is to: 12

Determine the conformity of the management system, as far as documented, with audit criteria, i.e., to check whether the documents are consistent, complete, and compliant with the requirements of ISO/IEC 27001 and any other applicable standards or regulations.

Gather information to support the on-site audit activities, i.e., to identify the scope, objectives, processes, controls, risks, and opportunities of the management system, and to plan the audit methods, techniques, and resources accordingly.

The other statements are not accurate, because:

A document review does not reveal or decide about the conformity or nonconformity of the management system as a whole, but only of the documented information. The conformity or nonconformity of the management system is determined by the on-site audit activities, which include interviews, observations, and tests12

A document review does not gather evidence or findings to support the audit report or process, but information to support the on-site audit activities. The evidence or findings are collected during the on-site audit activities, which are then documented and reported12

A document review does not detect any nonconformity of the management system, if documented, but determines the conformity of the documented information. The nonconformity of the management system is detected by the on-site audit activities, which evaluate the performance and effectiveness of the management system12

A document review does not identify information to support the audit plan, but gathers information to support the on-site audit activities. The audit plan is prepared before the document review, based on the audit scope, objectives, criteria, and program. The document review is part of the audit plan implementation12

The context of the organisation is the business environment in which the organisation operates and defines its information security management system (ISMS). It includes the internal and external factors and conditions that can influence the organisation’s information security objectives, strategies, and policies. The context of the organisation helps the organisation to identify the scope, boundaries, and requirements of the ISMS, as well as the interested parties and their expectations. The context of the organisation is determined by considering both internal and external issues, such as the organisational structure, culture, values, mission, vision, objectives, strategies, resources, capabilities, processes, activities, products, services, markets, customers, competitors, suppliers, partners, regulators, laws, regulations, standards, guidelines, best practices, risks, opportunities, threats, vulnerabilities, etc. References: ISO 27001:2022 Clause 4 Context of the organization, ISO 27001 Requirement 4.1 – Understanding the Context of the Organisation, ISO 27001 context of the organization – How to define it - Advisera

The four controls from the list that the auditor in training should review are:

•B. How access to source code and development tools are managed: This control requires the organisation to restrict and monitor the access to the source code and development tools that are used to create, modify, or maintain the software applications and systems that process or store the data of external clients. This is important for ensuring the integrity, confidentiality, and availability of the software and the data, as well as for preventing unauthorized changes, errors, or malicious code injection.

•D. How protection against malware is implemented: This control requires the organisation to implement appropriate measures to detect, prevent, and remove malware from the IT systems and devices that process or store the data of external clients. This includes using antivirus software, firewalls, email filtering, web filtering, and other tools to protect against viruses, worms, ransomware, spyware, and other malicious software. This is essential for safeguarding the data and the systems from corruption, theft, or damage caused by malware.

•E. How the organisation evaluates its exposure to technical vulnerabilities: This control requires the organisation to identify and assess the technical vulnerabilities that may affect the IT systems and devices that process or store the data of external clients. This includes using vulnerability scanning tools, penetration testing tools, threat intelligence sources, and other methods to discover and evaluate the weaknesses and gaps in the security of the systems and the devices. This is necessary for prioritizing and implementing the appropriate corrective actions and controls to mitigate the risks posed by the vulnerabilities.

•G. The organisation’s arrangements for information deletion: This control requires the organisation to establish and implement policies and procedures for deleting the data of external clients from the IT systems and devices when it is no longer needed or required. This includes defining the criteria and methods for data deletion, such as secure erasure, encryption, or physical destruction. This is important for complying with the contractual obligations and the legal and regulatory requirements regarding the retention and disposal of the data, as well as for protecting the confidentiality and integrity of the data.

According to the PECB Candidate Handbook1, one of the principles of auditing is confidentiality, which means that auditors should respect the confidentiality of information obtained during the audit and not disclose it to unauthorized parties. The handbook also states that auditors should only report audit results to those who have a legitimate need to know, such as the client, the auditee, and the certification body. Therefore, sharing the findings with other relevant managers in A or B’s other customers would be a breach of confidentiality, as they are not directly involved in the audit process or the information security management system of B. Sharing the findings with B’s Information Security Manager or other relevant managers in B would be appropriate, as they are part of the auditee organization and responsible for the implementation and improvement of the ISMS. Sharing the findings with A’s supplier evaluation team or B’s certification body would also be acceptable, as they have a legitimate need to know the audit results for the purpose of supplier selection or certification, respectively. References: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 7-8.

A third-party audit team leader is a person who leads an audit team that conducts audits on behalf of an external organization, such as a certification body, that provides certification or accreditation services to other organizations12.

One of the main responsibilities of a third-party audit team leader is to act on behalf of the certification body, which means to represent its interests, policies, and procedures during the audit process12.

Acting on behalf of the certification body involves communicating with the audit client and the auditee, planning and conducting the audit, reporting and evaluating the audit results, and making recommendations for certification or accreditation decisions12.

Acting on behalf of the certification body also requires maintaining professional integrity, impartiality, confidentiality, and competence throughout the audit process12.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

The engagement letter serves to inform the auditee about the audit details, including:

Audit scope

Audit schedule

Expectations from both parties

It formally introduces the audit process and schedules the initial contact.

A. Incorrect:

The authority to conduct the audit is established by the certification body’s agreement, not just the engagement letter.

C. Incorrect:

Audit objectives are determined in the planning phase and are not the primary function of the engagement letter.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.2 (Initiating the Audit)

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Techmanic misrepresented its certification scope, which is a violation of ISO certification rules.

Suspension allows time for corrective action before withdrawal is considered.

B. Incorrect:

Certification withdrawal is only necessary if corrective actions fail after suspension.

C. Incorrect:

Transfer does not resolve misrepresentation issues.

Relevant Standard Reference:

ISO/IEC 17021-1:2015 Clause 9.6.5 (Certification Suspension and Misrepresentation Issues)

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer – This is a Threat. A cyberattack exploiting a zero-day vulnerability is an active security threat, as it causes harm to the organization.

A. Employee accessing unauthorized files is a vulnerability (insider risk) rather than an external threat.

B. Lack of MFA is a security weakness (vulnerability), not a threat.

This aligns with ISO/IEC 27001:2022 Annex A Control A.8.25 (Assessment and Decision on Information Security Events).

The auditors handled partially verifiable information appropriately by applying professional judgment, which makes option A the correct answer. ISO 19011:2018 emphasizes that auditing is not a purely mechanical process and requires auditors to apply due professional care when evaluating evidence. Audit evidence is often based on samples and may vary in its degree of verifiability. The key requirement is that auditors assess the reliability, relevance, and sufficiency of the evidence before using it to support audit conclusions.

In the scenario, the audit team explicitly recognized that some information could only be verified to a limited extent and responded by carefully evaluating how much reliance could be placed on that information. This aligns with ISO 19011 principles, particularly the evidence-based approach and due professional care. Auditors are expected to exercise judgment when full verification is impractical, provided they clearly understand the limitations of the evidence and do not overstate its reliability.

Option B is incorrect because ISO standards do not require auditors to discard all partially verifiable information. Doing so could lead to incomplete audit conclusions and an unrealistic audit process. Option C is also incorrect because while external experts may be used in certain specialized cases, ISO 19011 does not mandate their involvement whenever evidence is difficult to verify. The auditors’ approach in the scenario demonstrates appropriate competence and professional judgment, consistent with ISO auditing guidance.

Audit methods are techniques used by auditors to obtain audit evidence. Audit methods can be classified into two categories: those that involve human interaction and those that do not2. Audit methods that involve human interaction require direct communication between the auditor and the auditee or other relevant parties, such as interviews, questionnaires, surveys, meetings, etc. Audit methods that do not involve human interaction rely on observation, inspection, measurement, testing, sampling, analysis, etc., without requiring any verbal or written exchange2. Therefore, performing an independent review of procedures in preparation for an audit and reviewing the auditee’s response to an audit finding are examples of audit methods that involve human interaction, as they require reading and evaluating documents provided by the auditee or other sources. On the other hand, analysing data by remotely accessing the auditee’s server and observing work performed by remote surveillance are examples of audit methods that do not involve human interaction, as they do not require any direct communication with the auditee or other parties. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

In the Act phase of the PDCA cycle, the process is reviewed and evaluated based on the results from the Check phase. The actions taken in this phase aim to continually improve the process performance by addressing the root causes of problems, implementing corrective and preventive actions, and updating the process documentation1. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

One of the advantages of having accredited certification of ISMS to ISO/IEC 27001:2022 is that it demonstrates the recognition of the credibility of the certification process. Accredited certification means that the certification body has been assessed and approved by an accreditation body, which ensures that the certification body operates according to international standards and follows impartiality, competence and consistency principles. Accredited certification also enhances the confidence of the organisation’s customers, partners, regulators and other interested parties in the organisation’s information security performance and compliance. References: = ISO/IEC 27001:2022, clause 0.2; [PECB Candidate Handbook ISO 27001 Lead Auditor], page 6; Key Benefits of ISO 27001 Certification - IT Governance.

A legal technical expert (LTE) is a person who provides specific knowledge or expertise related to the legal aspects of the information security management system (ISMS) during a certification audit. The LTE is not an auditor, but a member of the audit team who supports the auditors in collecting and evaluating the audit evidence. The LTE is not responsible for evaluating the auditee’s legal knowledge, criticising the organisation’s legal compliance issues, or debating complex legal points with the auditee, as these tasks may be beyond the scope of the audit, or may compromise the objectivity and impartiality of the audit. The LTE is responsible for advising on legal checkpoints for the audit team, such as the applicable legal, regulatory, and contractual requirements, the relevant sources of information, the methods of verification, and the criteria of evaluation. The LTE is also responsible for verifying the legal status of the organisation, such as the registration, licensing, authorisation, or accreditation of the organisation, and the compliance with the relevant laws and regulations. References:

What is the role of a technical expert in ISO audit?

Roles, Responsibilities & Authorities for ISO 27001 5.3

Guide to Become an ISO 27001 Lead Auditor

According to ISO/IEC 27001, organizations must control planned changes and review the consequences of unintended changes in order to ensure continued alignment with information security requirements. In this scenario, the organization failed to perform appropriate testing after an emergency update to the mobile app, which constitutes a nonconformity with clause 8.1 of the standard.

**References**:

- ISO/IEC 27001 Lead Auditor Reference Materials

- PECB Candidate Handbook for ISO 27001 Lead Auditor

ISO/IEC 27001 requires that organizations adhere to their established procedures for software security management. The IT Manager's approval of the app despite failed security tests and lack of proper documentation for the new version indicates noncompliance with the procedure, thus reflecting a nonconformity.

**References**:

- ISO/IEC 27001 Lead Auditor Reference Materials

- PECB Candidate Handbook for ISO 27001 Lead Auditor

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 requires that closing meetings occur at the end of the audit to present findings to the auditee.

B. Incorrect:

Audit conclusions can be drafted later, but the closing meeting must still happen immediately post-audit.

C. Incorrect:

Delaying the closing meeting beyond the audit timeline is improper.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.6.2 (Closing Meeting Guidelines)

The main purpose of a Stage 2 third-party audit is to evaluate the implementation and effectiveness of the organisation’s management system and to identify any nonconformances against the requirements of the standard12. The other options are either the objectives of a Stage 1 audit (A, D) or a specific aspect of the audit scope (B). References: 1: ISO/IEC 27006:2022, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems, Clause 9.2 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 4: Preparing an ISO/IEC 27001 audit

The following are guidelines to protect your password, except for easy recall use the same password for company and personal accounts; do not share passwords with anyone. Using the same password for company and personal accounts is not a guideline to protect your password, as it increases the risk of compromising your password if one of your accounts is hacked or breached. You should use different and unique passwords for each account, and change them regularly. Sharing passwords with anyone is not a guideline to protect your password, as it reduces the security and accountability of your password. You should keep your password confidential and never disclose it to anyone, even if they claim to be authorized or trustworthy. Don’t use the same password for various company system security access is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if one of the systems is compromised or breached. You should use different and complex passwords for each system, and follow the password policies and standards of the organization. Change a temporary password on first log-on is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if the temporary password is intercepted or leaked. You should change the temporary password to a personal and secure password as soon as possible, and avoid using default or predictable passwords. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 43. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 15.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO/IEC 27001:2022 Clause 10.1 (Improvement) requires organizations to submit action plans to address audit findings.

Clastus must document an action plan before corrective actions can be evaluated or followed up.

B. Incorrect:

Corrective actions can only be evaluated after action plans are submitted and implemented.

C. Incorrect:

Follow-up occurs after corrective actions have been executed and verified.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 10.1 (Corrective Action Planning and Implementation)

CyberShielding Systems Inc. should have included the identification of areas for improvement when defining the audit objectives, making option A the correct answer. ISO/IEC 27001 audits are not limited to verifying compliance; they also support continual improvement of the ISMS. ISO 19011 encourages audits to provide value by identifying weaknesses, improvement opportunities, and areas where effectiveness can be enhanced.

In the scenario, the audit objectives were primarily focused on conformity with criteria and compliance with statutory and regulatory requirements. While this is essential, a well-defined audit objective should also include evaluating opportunities to improve security practices, control effectiveness, and risk management maturity. Identifying improvement areas helps the organization strengthen its ISMS beyond basic compliance and aligns with ISO/IEC 27001 clause 10 on continual improvement.

Option B is incorrect because audit objectives should not be narrowly focused only on recent incidents or management concerns, as this could lead to biased or incomplete coverage. Option C is incorrect because limiting the audit to documentation review undermines the effectiveness of the audit and contradicts the requirement for evidence-based evaluation of operational controls.

Therefore, including improvement identification as an audit objective would have strengthened the audit’s value and alignment with ISO/IEC 27001 principles.

The four statements that are true are:

•Major nonconformities may be subject to on-site follow up

•The action taken to address major nonconformities is typically more substantial than the action taken to address minor nonconformities

•Several minor nonconformities can be grouped into a major nonconformity

•Nonconformities may be graded to indicate their significance

According to ISO 19011:2018, a nonconformity is the non-fulfilment of a requirement1. Nonconformities may be graded to indicate their significance, based on the criteria established by the audit programme or the audit client2. The grading of nonconformities may use different terms or levels, such as major, minor, critical, etc., depending on the nature and context of the audit3. However, some common definitions of major and minor nonconformities are:

•A major nonconformity is a nonconformity that affects the ability of the management system to achieve its intended results, or that represents a significant breakdown of the management system4. Major nonconformities may require immediate corrective action and on-site follow up by the auditor to verify their closure5.

•A minor nonconformity is a nonconformity that does not affect the ability of the management system to achieve its intended results, or that represents an isolated lapse of the management system4. Minor nonconformities may require corrective action within a specified time frame and off-site verification by the auditor to confirm their closure5.

The action taken to address nonconformities depends on the severity and impact of the nonconformity, and the risk of recurrence or escalation. Typically, the action taken to address major nonconformities is more substantial than the action taken to address minor nonconformities, as it may involve identifying and eliminating the root cause of the problem, implementing preventive measures, and monitoring the effectiveness of the solution.

Several minor nonconformities can be grouped into a major nonconformity if they are related to the same requirement, process, or area, and if they indicate a systemic failure or a significant risk to the management system. The auditor should use professional judgment and evidence-based approach to decide whether to group or report nonconformities individually.

The other statements are false, based on the guidance of ISO 19011:2018. For example:

•Option B is false, because nonconformities can be graded using different terms or levels, depending on the criteria established by the audit programme or the audit client2. The terms ‘major’ and ‘minor’ are not mandatory or universal, but rather examples of possible grading levels3.

•Option D is false, because very minor nonconformities should not be re-graded as opportunities for improvement, but rather reported as nonconformities, as they still represent a non-fulfilment of a requirement1. An opportunity for improvement is a suggestion for enhancing the performance or effectiveness of the management system, but it is not a nonconformity or a requirement.

•Option F is false, because the grading of nonconformities does not have to be explained to the auditee at the opening meeting, but rather at the closing meeting, where the audit findings and conclusions are presented and discussed. The opening meeting is intended to provide an overview of the audit objectives, scope, criteria, and methods, and to confirm the audit arrangements and logistics.

•Option G is false, because the auditee is not always responsible for determining the criteria for grading nonconformities, but rather the audit programme or the audit client, in consultation with the auditee and other relevant parties2. The auditee is responsible for taking corrective action to address the nonconformities, and for providing evidence of their completion and effectiveness.

 Information or data that are classified as public do not require labeling. Public information or data are those that are intended for general disclosure and have no impact on the organization’s operations or reputation if disclosed. Labeling is a method of implementing classification, which is a process of structuring information according to its sensitivity and value for the organization. Labeling helps to identify the level of protection and handling required for each type of information. Information or data that are classified as internal, confidential, or highly confidential require labeling, as they contain information that is not suitable for public disclosure and may cause harm or loss to the organization if disclosed. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 34. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 37. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 14.

Yes, this action is acceptable. The internal audits being outsourced ensure independence and objectivity and allow the audit function to serve its advisory role effectively, in line with ISO/IEC 27001 requirements. The independence enhances the credibility and reliability of the audit results.

This statement encapsulates the relationship between threats, vulnerabilities, and assets within the context of information security. Threats are potential causes of an unwanted incident, which may result in harm to a system or organization. Vulnerabilities are weaknesses that can be exploited by threats to cause harm. Assets are valuable resources to an organization that need protection. Therefore, when threats exploit vulnerabilities, they can damage or destroy assets. References: = The explanation is based on the foundational concepts of information security as outlined in ISO/IEC 27001, which includes understanding the interplay between threats, vulnerabilities, and assets as part of an information security management system (ISMS)

Determine source of information

Collect by means of appropriate sampling

Reviewing

Audit evidence

Evaluating against audit criteria

Audit findings

Audit conclusions

The reviewing step involves checking the accuracy, completeness, and relevance of the collected information. The audit evidence step involves documenting the information in a verifiable and traceable manner. The evaluating against audit criteria step involves comparing the audit evidence with the requirements of the ISO 27001 standard and the organization’s own policies and objectives. The audit findings step involves identifying any nonconformities, weaknesses, or opportunities for improvement in the ISMS. The audit conclusions step involves summarizing the audit results and providing recommendations for corrective actions or enhancements.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Audit evidence can come from interviews, observations, and documentation.

Verbal evidence from top management is acceptable if documented and confirmed in writing.

A. Incorrect:

ISO 19011 allows verbal evidence as long as it is substantiated.

C. Incorrect:

Interviews alone are not sufficient—additional verification is required.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.6 (Reviewing Documented Information)

Management review is a crucial component of an ISMS that helps determine opportunities for continual improvement. Through management review, an organization assesses the performance and effectiveness of its ISMS, including reviewing opportunities for improvements and the need for changes to the ISMS, including the security policy and security objectives.

Qualitative evidence in an audit typically involves observations, interviews, and reviews that provide insights into the processes and compliance through subjective but informed assessments. An interview with information security personnel to validate compliance with the standard requirements is an example of qualitative evidence, where the quality and effectiveness of processes are assessed based on expert judgments rather than measurable metrics.

The correct response is A, because grading criteria provide a common basis for the evaluation of nonconformities across the organization. Grading criteria are the rules or standards that define the severity or impact of nonconformities, and help to determine the appropriate corrective actions and follow-up activities. Grading criteria are important for several reasons, such as:

They ensure consistency and objectivity in the assessment and reporting of nonconformities, and avoid subjective or arbitrary judgments.

They facilitate the communication and understanding of nonconformities among the auditors, the auditees, and the audit clients, and enable the comparison and benchmarking of nonconformities across different processes, functions, or locations.

They support the prioritization and allocation of resources for the resolution of nonconformities, and the monitoring and measurement of the effectiveness of the corrective actions.

They demonstrate the commitment and accountability of the organization to the continual improvement of the ISMS, and the compliance with the ISMS requirements and expectations.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

Internal audits detect nonconformities but do not actively prevent them.

A. Incorrect:

Internal audits verify corrective actions.

B. Incorrect:

Technology can reduce manual tasks in internal audits.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.7 (Audit Program Limitations)

Establishing the audit programme objectives, scope and criteria

Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc.

Selecting and appointing the audit team leaders and auditors

Reviewing and approving the audit plans and arrangements

Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc.

Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities

Monitoring and reviewing the performance and results of the audit programme and the audit teams

Evaluating the feedback and satisfaction of the auditees and other interested parties

Identifying and implementing the opportunities for improvement of the audit programme

The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors12:

Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc.

Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc.

Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee

Defining the plan of an individual audit, which includes the audit schedule, the audit activities, the audit methods, the audit documents, etc.

From Exact Extract:

Explanation for A (Sole Responsibility of Audit Team Leader):

The audit team leader is ultimately responsible for ensuring the audit team has the necessary competence and resources to conduct the audit effectively and achieve its objectives. This includes the crucial task of selecting the appropriate team members, considering their individual competencies, sector experience, and linguistic capabilities to cover the audit scope. While the certification body might provide a pool of auditors, the specific selection for a given audit is the team leader's responsibility to ensure the team is fit for purpose.

The three options that will not be in your audit trail are A, C, and H. These options are either not relevant to the information security of ABC’s healthcare mobile app development, support, and lifecycle process, or not within the scope of your audit. The amount of money that residents’ family members pay to install the app (A) and the number of users of the app © are not related to the information security aspects or objectives of the ISMS1. The verification of the developer’s certifications (H) is not your responsibility as an ISMS auditor, as you should rely on the competence and impartiality of the certification bodies that issued them2. The other options are relevant and within the scope of your audit, as they relate to the security functions, testing, policies, and procedures of the mobile app development, support, and lifecycle process13. References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 4.2 \n2: ISO/IEC 27006:2022, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems, Clause 4.1 \n3: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 5: Conducting an ISO/IEC 27001 audit

The certification body had a valid reason to accept CyberShielding Systems Inc.’s objection, making option A the correct answer. ISO/IEC 17021-1 requires certification bodies to ensure that audit teams are competent and acceptable to the auditee, particularly where access to sensitive information, systems, or facilities is involved. Security clearance requirements set by the auditee are a legitimate consideration, especially for organizations operating in highly sensitive information security environments.

In this scenario, CyberShielding Systems Inc. operates in the cybersecurity sector and handles sensitive internal and customer information. Auditors without the necessary security clearance may be unable to access required information or systems, which would compromise the effectiveness and completeness of the audit. Accepting such an objection supports both audit quality and information protection.

Option B is incorrect because objections are not limited to cases of prior unprofessional conduct. Option C is incorrect because conflicts of interest are not the only valid grounds for objection. ISO/IEC 17021-1 allows auditees to object to auditors for justified reasons, including competence, impartiality, confidentiality, or access limitations.

Therefore, replacing the auditor due to insufficient security clearance was appropriate and consistent with certification body requirements and good auditing practice.

The audit procedure used here is "analysis." The audit team analyzed server logs to verify if they can be edited or deleted, focusing on evaluating the logs' properties and the controls over their manipulation to ensure they comply with ISO/IEC 27001 requirements.

According to ISO 27001:2022 clause 4.1, the organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system (ISMS)12

External issues are factors outside the organisation that it cannot control, but can influence or adapt to. They include political, economic, social, technological, legal, and environmental factors that may affect the organisation’s information security objectives, risks, and opportunities12

Internal issues are factors within the organisation that it can control or change. They include the organisation’s structure, culture, values, policies, objectives, strategies, capabilities, resources, processes, activities, relationships, and performance that may affect the organisation’s information security management system12

Therefore, the following issues are considered ‘internal’ in the context of a management system to ISO 27001:2022:

Poor levels of staff competence as a result of cuts in training expenditure: This is an internal issue because it relates to the organisation’s capability, resource, and process of developing and maintaining the competence of its personnel involved in the ISMS. The organisation can control or change its training expenditure and its impact on staff competence12

Poor morale as a result of staff holidays being reduced: This is an internal issue because it relates to the organisation’s culture, value, and relationship with its employees. The organisation can control or change its staff holiday policy and its impact on staff morale12

Increased absenteeism as a result of poor management: This is an internal issue because it relates to the organisation’s performance, structure, and accountability of its management. The organisation can control or change its management practices and its impact on staff absenteeism12

A fall in productivity linked to outdated production equipment: This is an internal issue because it relates to the organisation’s capability, resource, and process of ensuring the availability and suitability of its production equipment. The organisation can control or change its equipment maintenance and upgrade and its impact on productivity12

The following issues are considered ‘external’ in the context of a management system to ISO 27001:2022:

Higher labour costs as a result of an aging population: This is an external issue because it relates to the social and demographic factor that affects the availability and cost of labour in the market. The organisation cannot control or change the aging population, but can influence or adapt to its impact on labour costs12

A rise in interest rates in response to high inflation: This is an external issue because it relates to the economic and monetary factor that affects the cost and availability of capital in the market. The organisation cannot control or change the interest rates or inflation, but can influence or adapt to its impact on capital costs12

A reduction in grants as a result of a change in government policy: This is an external issue because it relates to the political and legal factor that affects the availability and conditions of public funding for the organisation. The organisation cannot control or change the government policy, but can influence or adapt to its impact on grants12

Inability to source raw materials due to government sanctions: This is an external issue because it relates to the political and legal factor that affects the availability and cost of raw materials in the market. The organisation cannot control or change the government sanctions, but can influence or adapt to its impact on raw materials12

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

ISO 19011:2018 mandates that auditors must obtain permission before making copies of documents.

Virtual audits must adhere to confidentiality agreements to protect sensitive data.

A. Incorrect:

Screenshots cannot be taken without permission, even if the audit is not recorded.

C. Incorrect:

Screenshots are allowed with prior authorization, ensuring proper data handling.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.10 (Virtual Auditing and Data Handling)

According to ISO 19011:2018, which provides guidelines for auditing management systems, an auditor conducting a certification audit should prepare for an audit by reviewing relevant information about the auditee’s context and processes1. This may include reviewing documented information related to the audited management system (such as policies, procedures, manuals), previous audit reports and records (such as findings, nonconformities, corrective actions), relevant legal and regulatory requirements (such as laws, standards), relevant risks and opportunities (such as internal and external issues), relevant performance indicators (such as objectives, targets), etc1. Therefore, an auditor may need work documents such as an audit plan (which defines what will be done during an audit), a sample plan (which defines how many samples will be taken from a population), and a checklist (which helps to ensure that all relevant aspects are covered during an audit)1. However, an auditor does not need work documents such as an organisation’s financial statement (which is not directly related to information security management), a career history of the IT manager (which is not relevant to assessing conformity with ISO/IEC 27001:2022), or a list of external providers (which is not necessary for planning an audit)1. References: ISO 19011:2018 - Guidelines for auditing management systems

According to ISO 27001:2022 clause 9.1.2, the organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the organisation’s own requirements, the requirements of ISO 27001:2022, and is effectively implemented and maintained12

According to ISO 27001:2022 clause 10.1, the organisation shall react to the nonconformities and take action, as applicable, to control and correct them and deal with the consequences. The organisation shall also evaluate the need for action to eliminate the causes of nonconformities, in order to prevent recurrence or occurrence. The organisation shall implement any action needed, review the effectiveness of any corrective action taken, and make changes to the information security management system, if necessary12

A follow-up audit is a type of internal audit that is conducted after a previous audit to verify whether the nonconformities and corrective actions have been addressed and resolved, and whether the information security management system has been improved12

Therefore, the following statements are true for preparing a follow-up audit plan:

Verification should focus on whether any action undertaken is complete. This means that the auditor should check whether the organisation has implemented all the planned actions to correct and prevent the nonconformities, and whether the actions have been documented and communicated as required12

Verification should focus on whether any action undertaken has been undertaken effectively. This means that the auditor should check whether the organisation has achieved the intended results and objectives of the actions, and whether the actions have eliminated or reduced the nonconformities and their causes and consequences12

The following statements are false for preparing a follow-up audit plan:

Verification should focus on whether any action undertaken has been undertaken efficiently. This is false because efficiency is not a criterion for verifying the actions taken to address the nonconformities and corrective actions. Efficiency refers to the optimal use of resources to achieve the desired outcomes, but it is not a requirement of ISO 27001:2022. The auditor should focus on the effectiveness and completeness of the actions, not on the efficiency12

Corrections should be verified first, followed by corrective actions and finally opportunities for improvement. This is false because there is no prescribed order for verifying the corrections, corrective actions, and opportunities for improvement. The auditor should verify all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to verify the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12

Opportunities for improvement should be verified first, followed by corrections and finally corrective actions. This is false because there is no prescribed order for verifying the opportunities for improvement, corrections, and corrective actions. The auditor should verify all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to verify the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12

Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement. This is false because there is no prescribed order for reviewing the corrective actions, corrections, and opportunities for improvement. The auditor should review all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to review the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 8.1 requires an organization to plan, implement and control its processes needed to meet ISMS requirements2. This includes determining what needs to be done, how it will be done, who will do it, when it will be done, what resources are required, how performance will be evaluated, etc2. Therefore, if an ISMS auditor conducting a third-party surveillance audit of a telecom’s provider notes that there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming due to a recent ISMS upgrade that reduced access to work instructions, this indicates a nonconformity against clause 8.1 of ISO/IEC 27001:2022. The organization has failed to plan and control its operational processes effectively to ensure information security and quality2. The other options are not correct clauses to raise a nonconformity against based solely on this information. For example, clause 7.5 deals with documented information required by ISMS or determined by an organization as necessary for its effectiveness2, but it does not specify how many copies or formats of work instructions should be available; clause 10.2 deals with nonconformity and corrective action as a response to an identified problem or incident2, but it does not address how to prevent or avoid such problems or incidents in operational processes; clause 7.3 deals with awareness of ISMS policy, objectives, roles and responsibilities among persons doing work under an organization’s control2, but it does not relate to how work instructions are accessed or followed; clause 7.2 deals with competence of persons doing work under an organization’s control that affects its ISMS performance2, but it does not imply that lack of competence is caused by insufficient work instructions; clause 7.4 deals with communication about ISMS among internal and external interested parties2, but it does not cover how operational information is communicated within an organization. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements

As an employee, you should do the following when you see a visitor roaming around without visitor’s ID, except saying “hi” and offering coffee. Saying “hi” and offering coffee is not an appropriate action, as it may imply that you are welcoming or endorsing the visitor without verifying their identity or purpose. This may also give the visitor an opportunity to gain your trust or exploit your kindness. Calling the receptionist and informing about the visitor is an appropriate action, as it alerts the responsible staff to handle the situation and ensure that the visitor is authorized and registered. Greeting and asking him what is his business is an appropriate action, as it shows your concern and curiosity about the visitor’s presence and intention. Escorting him to his destination is an appropriate action, as it prevents the visitor from wandering around unattended and accessing unauthorized areas or information. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 42. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 15.

From Exact Extract:

Explanation for B (True):

This statement is true because ISO 27001 requires an organization to establish processes for identifying, reviewing, and complying with applicable legal, statutory, regulatory, and contractual obligations. A key part of this is being aware of changes to these requirements to maintain ongoing compliance. An auditor's role is to verify that the organization has such a process in place and that it is effective.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Combining multiple audit test plans ensures different perspectives and validation techniques are applied, improving audit accuracy.

ISO 19011:2018 encourages a diversified approach to auditing to ensure comprehensive results.

B. Incorrect:

Not all areas require equal auditing—risk-based focus is preferred.

C. Incorrect:

Frequent audits may still be required depending on organizational needs.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.3 (Using Multiple Audit Test Methods for Assurance)

The correct answer is A, because peer review or independent review of audit working documents is an accepted and recommended auditing practice when performed by a qualified and authorized individual. ISO/IEC 17021-1 requires certification bodies to maintain quality assurance mechanisms, including review of audit documentation, to ensure audit consistency, impartiality, and technical validity.

Reviewing working documents before audit conclusions are finalized helps identify gaps, inconsistencies, or errors while corrective action is still possible. This strengthens the reliability of the audit outcome and supports sound certification decisions.

Option B is incorrect because limiting review to after conclusions are finalized reduces the effectiveness of quality control and may require rework. Option C is incorrect because auditors should not review their own work exclusively; independent review is a key safeguard against bias and oversight.

Therefore, a qualified auditor appointed by the certification body reviewing working documents prior to final conclusions is fully aligned with good auditing practice and accreditation requirements.

The correct sequence of activities for the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022 is as follows:

1st: Create and maintain information security risk criteria 2nd: Identify the risks that need to be considered when planning for the information security management system 3rd: Assess the potential consequences that would arise if the risk were to materialise 4th: Select appropriate risk treatment options 5th: Carry out information security risk assessments at planned intervals 6th: Consider the results of risk assessment and the status of the risk treatment plan at management review

This sequence is based on the information security risk management process described in ISO/IEC 27001:2022 clause 6.1, which includes the following activities:

establishing and maintaining information security risk criteria;

ensuring that repeated information security risk assessments produce consistent, valid and comparable results;

identifying the information security risks;

analyzing the information security risks;

evaluating the information security risks;

treating the information security risks;

accepting the information security risks and the residual information security risks;

communicating and consulting with stakeholders throughout the process;

monitoring and reviewing the information security risks and the risk treatment plan.

According to the ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, the following actions should be taken when a nonconformity identified for completion before the follow-up audit is still outstanding:

A. Report the failure to address the corrective action for the outstanding nonconformity to the organisation’s top management. This is part of the auditor’s responsibility to communicate the audit results and ensure that the audit objectives are met12.

C. If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client. This is part of the auditor’s responsibility to verify the effectiveness of the corrective actions taken by the auditee and to close the nonconformity when the evidence is satisfactory12.

E. Decide whether the delay in addressing the nonconformity is justified. This is part of the auditor’s responsibility to evaluate the evidence presented by the auditee and to use professional judgement and objectivity to determine the validity of the reasons for the delay12.

G. Note the nonconformity is still outstanding and follow audit trails to determine why. This is part of the auditor’s responsibility to collect and verify audit evidence and to identify the root causes of the nonconformity12.

A checklist is a tool that helps auditors to collect and verify information relevant to the audit objectives and scope. It can provide the following advantages:

Ensuring relevant audit trails are followed: A checklist can help auditors to identify and trace the sources of evidence that support the conformity or nonconformity of the audited criteria. It can also help auditors to avoid missing or overlooking any important aspects of the audit.

Ensuring the audit plan is implemented: A checklist can help auditors to follow and fulfil the audit plan, which describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. It can also help auditors to manage their time and resources effectively and efficiently.

The other options are not advantages of using a checklist, but rather:

Using the same checklist for every audit without review: This is a disadvantage of using a checklist, as it can lead to a rigid and ineffective audit approach. A checklist should be tailored and adapted to each specific audit, taking into account the context, risks, and changes of the auditee and the audit criteria. A checklist should also be reviewed and updated periodically to ensure its validity and relevance.

Restricting interviews to nominated parties: This is a disadvantage of using a checklist, as it can limit the scope and depth of the audit. A checklist should not prevent auditors from interviewing other relevant parties or sources of information that may provide valuable evidence or insights for the audit. A checklist should be used as a guide, not as a constraint.

Reducing audit duration: This is not necessarily an advantage of using a checklist, as it depends on various factors, such as the complexity, size, and maturity of the auditee’s ISMS, the availability and quality of evidence, the competence and experience of the auditors, and the level of cooperation and communication between the auditors and the auditee. A checklist may help reduce audit duration by improving efficiency and organization, but it may also increase audit duration by requiring more evidence or verification.

Not varying from the checklist when necessary: This is a disadvantage of using a checklist, as it can result in a superficial or incomplete audit. A checklist should not prevent auditors from exploring or investigating any issues or concerns that arise during the audit, even if they are not included in the checklist. A checklist should be used as a support, not as a substitute.

The purpose of a Stage 2 audit is to evaluate the implementation of the management system, in this case, the ISMS, according to the requirements of ISO/IEC 27001:2022 and the organisation’s own policies and procedures. The Stage 2 audit involves collecting evidence of the effectiveness and performance of the ISMS, as well as verifying the conformity and suitability of the organisation’s controls. The Stage 2 audit also assesses the organisation’s ability to achieve its information security objectives and to manage information security risks. References: = ISO/IEC 27006:2022, clause 9.2.2.2; PECB Candidate Handbook ISO 27001 Lead Auditor, page 28.

The main purpose of a Stage 1 audit is to evaluate the adequacy and effectiveness of the organisation’s ISMS documentation, and to assess whether the organisation is prepared for the Stage 2 audit, where the implementation and operation of the ISMS will be verified. The Stage 1 audit also involves verifying the scope, objectives, and context of the ISMS, as well as identifying any areas of concern or nonconformities that need to be addressed before the Stage 2 audit.

Comprehensive and Detailed In-Depth Explanation:

Specific controls are tailored security controls chosen based on risk assessments, industry best practices, and regulatory requirements. These align with ISO/IEC 27001:2022 Annex A controls, which organizations select based on their risk landscape.

General controls refer to broad security measures that apply to all organizations.

Strategic controls focus on high-level governance and long-term security goals, not detailed security implementations.

The audit objectives are the purpose and scope of an audit, as defined by the audit client and the auditor. According to the ISO/IEC 27001 standard, the audit objectives for an ISMS audit may include determining the extent of conformity of the ISMS with the audit criteria, evaluating the ability of the ISMS to ensure the organization meets its information security objectives, and identifying potential areas for improvement of the ISMS12. References: = 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 192: ISO/IEC 27007:2011 Information technology — Security techniques — Guidelines for information security management systems auditing, clause 4.2.1.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 mandates that auditors present all nonconformities with sufficient detail and context to ensure proper understanding and corrective action planning.

Failure to explain nonconformities fully could lead to ineffective remediation.

B. Incorrect:

Minor nonconformities must also be presented to ensure full transparency.

C. Incorrect:

Aligning with standard clauses is necessary, but detailed analysis is more critical.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.6.2 (Presentation of Audit Findings in Closing Meetings)

The correct answer is during the first and second years of certification, making option B correct. According to ISO/IEC 17021-1, ISO/IEC 27006, and standard certification cycle rules, ISO/IEC 27001 certification follows a three-year certification cycle. After the initial certification audit, the organization is subject to periodic surveillance audits to ensure continued conformity of the ISMS.

Surveillance audits are typically conducted annually during the first and second years following certification. Their purpose is to verify that the ISMS remains effective, that corrective actions are maintained, and that the organization continues to comply with ISO/IEC 27001 requirements. These audits are less extensive than the initial certification audit but still cover critical ISMS elements, changes, incidents, and improvement activities.

Option A is incorrect because surveillance audits are mandatory and scheduled by the certification body, not optional or request-based. Option C is incorrect because five years exceeds the standard certification cycle. Instead, a recertification audit is conducted in the third year, not a surveillance audit.

Therefore, surveillance audits are normally conducted during the first and second years after certification, confirming option B as correct.

The purpose of a management system audit is to evaluate the performance of an organization’s management system.

A management system audit is an independent and systematic analysis and evaluation of a company’s overall activities and performances1. It is a valuable tool used to determine the efficiency, functions, accomplishments and achievements of the company1. A management system audit can be conducted against a range of audit criteria, including (but not limited to) requirements set of in existing ISO standards2.

According to ISO 19011:2018, which provides guidelines for auditing management systems, the purpose of an audit is to enable the auditor to provide an audit conclusion that is related to the audit objectives2. The audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system2.

Therefore, the correct answer is evaluate, as it best describes the purpose of a management system audit. The other options are not correct because they are not specific enough or do not reflect the intended outcome of an audit. For example, improve implies that the audit itself will enhance the performance of the management system, which is not necessarily true. Manage implies that the audit will control or direct the management system, which is not its role. Research implies that the audit will generate new knowledge or information about the management system, which is not its primary aim.

If an organization like OrgXY informs the certification body that it is not ready to conduct the surveillance audit as scheduled, the certification may be suspended. This is because the surveillance audit is a critical part of the ongoing certification maintenance, required to ensure continued compliance with the standard.

While competence is important for an effective ISMS, the specific competence records of the ISMS manager are less relevant when determining resources for the internal audit program. The focus should be on resources directly related to the audit process itself. Here's why the other options matter:

•A. Availability of competent auditors and technical experts: Crucial for conducting thorough audits and accurately assessing the ISMS.

•C. Availability of the necessary documented information: Essential for auditors to review policies, procedures, and records related to the ISMS.

•D. Impact of different time zones: Can affect scheduling, coordination, and communication during the audit, potentially requiring additional resources.

The correct answer is A, because ISO/IEC 27001 and ISO 19011 require internal audits to be objective and impartial, but they do not impose an absolute prohibition on individuals holding both operational and audit roles. What is required is that auditors do not audit their own work and that conflicts of interest are avoided.

In smaller organizations, it is common for staff to perform multiple roles. ISO 19011 recognizes this reality and allows auditors to conduct internal audits provided they are independent of the activities being audited. Clearly documented job descriptions, role separation, and audit assignment controls help ensure impartiality.

Option B is incorrect because ISO standards do not mandate a fixed “cooling-off” period such as one year. The key consideration is whether the auditor is independent of the audited activities, not the passage of time. Option C is incorrect because it imposes an unrealistic and unnecessary restriction, especially for small or medium-sized organizations.

Objectivity is achieved through planning, role separation, competence, and management oversight, not by rigid role exclusion rules. Therefore, allowing auditors to perform unrelated operational roles with proper safeguards is acceptable and standards-compliant.

The unacceptable action in Scenario 8 is the audit team leader proposing a solution for resolving the nonconformities, making option A the correct answer. In external certification audits, auditors must remain impartial and independent. ISO/IEC 17021-1 strictly prohibits auditors from providing consultancy, advice, or specific solutions on how an organization should correct nonconformities.

Auditors are permitted to identify nonconformities, explain why they exist, and clarify the requirements of the standard. However, suggesting or proposing corrective solutions crosses the boundary into consultancy, which compromises auditor impartiality and could invalidate the certification process. In this scenario, Trustingo “accepted the audit team leader’s proposed solution,” which clearly indicates inappropriate auditor involvement.

Option B is not correct because conducting Stage 1 and Stage 2 audits jointly can be acceptable in certain cases, such as small organizations or mature ISMS implementations, provided the certification body justifies the approach and requirements are met. Option C is also not the best answer because the classification of the nonconformity (minor or major) is an auditor judgment issue, not inherently unacceptable.

Therefore, the critical violation of external audit rules is the auditor proposing corrective solutions, making option A correct.

1. An auditor using a copy of ISO/IEC 27001:2022 to check that its requirements are met:

Termed: Reviewing audit criteria.

Justification: The auditor is comparing the auditee's information security management system (ISMS) against the established criteria outlined in the ISO/IEC 27001:2022 standard. This activity falls under the use of audit criteria to determine conformity or nonconformity.

2. An auditor's note that the auditee is not adhering to its clear desk policy:

Termed: Identifying an audit finding.

Justification: The auditor has observed a deviation from the auditee's established policy on clear desks. This observation is documented as a potential nonconformity, which requires further investigation and evaluation.

3. An auditor making a decision regarding the auditee's conformity or otherwise to criteria:

Termed: Determining an audit conclusion.

Justification: Based on the collected audit evidence and evaluation against the established criteria, the auditor forms an opinion about the overall compliance of the auditee's ISMS. This opinion is the audit conclusion and is a key element of the audit report.

4. An auditor examining verifiable records relevant to the audit process:

Termed: Collecting audit evidence.

Justification: The auditor is gathering objective and verifiable information to support their findings and conclusions. This information comes from various sources, including documents, records, interviews, and observations.

The four controls from the list that the auditor in training should review are:

•A. Confidentiality and nondisclosure agreements: This control requires the organisation to ensure that all employees, contractors, and third parties who have access to sensitive information sign appropriate agreements that oblige them to protect the confidentiality and integrity of such information. This is especially important for an organisation that stores data on behalf of external clients, as it demonstrates its commitment to safeguarding their information assets and complying with their contractual obligations.

•C. Information security awareness, education and training: This control requires the organisation to provide regular and relevant information security awareness, education and training to all employees, contractors, and third parties who have access to the organisation’s information systems and information assets. This is essential for ensuring that they are aware of their roles and responsibilities, the information security policies and procedures, the potential threats and risks, and the best practices for preventing and responding to information security incidents.

•D. Remote working arrangements: This control requires the organisation to establish and implement policies and procedures for managing the information security risks associated with remote working arrangements, such as teleworking, mobile working, or working from home. This includes defining the conditions and requirements for remote working, such as the authorised devices, applications, and networks, the encryption and authentication methods, the backup and recovery procedures, and the reporting and monitoring mechanisms. This is important for an organisation that stores data on behalf of external clients, as it ensures that the information security level is maintained regardless of the location of the workers and the devices they use.

•E. The conducting of verification checks on personnel: This control requires the organisation to conduct appropriate verification checks on the background, qualifications, and references of all employees, contractors, and third parties who have access to the organisation’s information systems and information assets. This is necessary for verifying their identity, suitability, and trustworthiness, and for preventing the hiring of unauthorised or malicious individuals who could compromise the information security of the organisation and its clients.

Comprehensive and Detailed In-Depth Explanation:

The CIA Triad (Confidentiality, Integrity, and Availability) is the foundation of information security principles.

Availability ensures that data and services are accessible when needed. By implementing regular, automated backups and offsite storage, the organization ensures that critical data remains accessible even after a security incident (e.g., data loss, cyberattacks, or hardware failures). This aligns with ISO/IEC 27001:2022 Annex A Control A.8.13 (Information Backup), which emphasizes maintaining and testing backups to ensure system resilience.

Integrity ensures that data remains unaltered and accurate, but backups do not inherently enforce integrity unless accompanied by checksum or validation mechanisms.

Confidentiality ensures that only authorized users can access data, which is not the primary goal of a backup procedure.

From Exact Extract:

Explanation for C (Correct Response):

The audit team leader's primary responsibility is to manage the audit process effectively and efficiently according to the agreed-upon audit plan and schedule. A Stage 2 audit schedule is typically tightly managed to ensure all required elements of the management system are sampled within the allocated time. A 45-minute video presentation is a significant time commitment that would disrupt the planned audit activities. Politely but firmly stating the need to adhere to the schedule is professional and critical for maintaining audit integrity and achieving the audit objectives.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer: ISO 19011:2018 (Guidelines for Auditing Management Systems) states that all evidence must be treated equally and evaluated based on relevance, credibility, and objectivity.

Both sources should have been retained, reviewed, and verified rather than selectively prioritizing one over the other.

A. Incorrect:

A former employee may have insider knowledge, but their credibility must be verified—it is not inherently more reliable.

C. Incorrect:

While a client is independent, their evidence is not automatically more credible than a former employee's.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.7 (Collecting and Verifying Information)

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 9.3 requires top management to review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness1. Clause 9.2 requires the organization to conduct internal audits at planned intervals to provide information on whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022, and is effectively implemented and maintained1. Therefore, when reviewing the audit process and audit findings as a final check before the external certification body arrives, an internal ISMS auditor should verify that these clauses are met in accordance with the audit criteria.

Six of the following statements would cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:

The audit programme shows management reviews taking place at irregular intervals during the year: This statement would cause concern because it implies that the organization is not conducting management reviews at planned intervals, as required by clause 9.3. This may affect the ability of top management to ensure the continuing suitability, adequacy and effectiveness of the ISMS.

The audit programme does not take into account the relative importance of information security processes: This statement would cause concern because it implies that the organization is not applying a risk-based approach to determine the audit frequency, methods, scope and criteria, as recommended by ISO 19011:2018, which provides guidelines for auditing management systems2. This may affect the ability of the organization to identify and address the most significant risks and opportunities for its ISMS.

Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date: This statement would cause concern because it implies that the organization is not establishing audit criteria for each internal audit, as required by clause 9.2. Audit criteria are the set of policies, procedures or requirements used as a reference against which audit evidence is compared2. Without audit criteria, it is not possible to determine whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022.

Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes: This statement would cause concern because it implies that the organization is not evaluating the effectiveness of ISMS processes, as required by clause 9.1. Effectiveness is the extent to which planned activities are realized and planned results achieved2. Efficiency is the relationship between the result achieved and the resources used2. Both aspects are important for measuring and evaluating ISMS performance and improvement.

The audit programme does not take into account the results of previous audits: This statement would cause concern because it implies that the organization is not using the results of previous audits as an input for planning and conducting subsequent audits, as recommended by ISO 19011:20182. This may affect the ability of the organization to identify and address any recurring or unresolved issues or nonconformities related to its ISMS.

Top management commitment to the ISMS will not be audited before the certification visit, according to the audit programme: This statement would cause concern because it implies that the organization is not verifying that top management demonstrates leadership and commitment with respect to its ISMS, as required by clause 5.1. This may affect the ability of top management to ensure that the ISMS policy and objectives are established and compatible with the strategic direction of the organization; that roles, responsibilities and authorities for relevant roles are assigned and communicated; that resources needed for the ISMS are available; that communication about information security matters is established; that continual improvement of the ISMS is promoted; that other relevant management reviews are aligned with those of information security; and that support is provided to other relevant roles1.

The other statements would not cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:

Audit reports are not held in hardcopy (i.e. on paper). They are only stored as ".POF documents on the organisation’s intranet: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific format or media for documenting or storing audit reports, as long as they are controlled according to clause 7.5.

The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for auditor independence, as long as the audit is conducted objectively and impartially, in accordance with ISO 19011:20182.

The audit programme does not reference audit methods or audit responsibilities: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for referencing audit methods or audit responsibilities in the audit programme, as long as they are defined and documented according to ISO 19011:20182.

The audit process states the results of audits will be made available to ‘relevant’ managers, not top management: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for communicating the results of audits to top management, as long as they are reported to the relevant parties and used as an input for management review, according to clause 9.3.

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 5.2 requires top management to establish an information security policy that provides the framework for setting information security objectives1. Clause 6.2 requires top management to ensure that the information security objectives are established at relevant functions and levels1. Therefore, when verifying that the information security policy and objectives have been established by top management, an ISMS auditor should review relevant documents and records that demonstrate top management’s involvement and commitment.

To verify that the mobile device policy and objectives are implemented and effective, an ISMS auditor should review relevant documents and records that demonstrate how the policy and objectives are communicated, monitored, measured, analyzed, and evaluated. The auditor should also sample and verify the implementation of the controls that are stated in the policy.

Three options for the audit trail that are relevant to verifying the mobile device policy and objectives are:

Review the internal audit report to make sure the IT department has been audited: This option is relevant because it can provide evidence of how the IT department, which is responsible for managing the mobile devices and their security, has been evaluated for its conformity and effectiveness in implementing the mobile device policy and objectives. The internal audit report can also reveal any nonconformities, corrective actions, or opportunities for improvement related to the mobile device policy and objectives.

Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register: This option is relevant because it can provide evidence of how the mobile devices that are used by the medical staff, who are involved in processing and storing residents’ data, are registered in the asset register and have physical protection enabled. This can verify the implementation and effectiveness of two of the controls that are stated in the mobile device policy.

Review the asset register to make sure all company’s mobile devices are registered: This option is relevant because it can provide evidence of how the company’s mobile devices that are within the ISMS scope are identified and accounted for. This can verify the implementation and effectiveness of one of the controls that are stated in the mobile device policy.

The other options for the audit trail are not relevant to verifying the mobile device policy and objectives, as they are not related to the policy or objectives or their implementation or effectiveness. For example:

Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding physical security or access control, but not specifically to mobile devices.

Review visitors’ register book to make sure no visitor can have their personal mobile phone in the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security awareness or compliance, but not specifically to mobile devices.

Interview the supplier of the devices to make sure they are aware of the ISMS policy: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security within supplier relationships, but not specifically to mobile devices.

Interview top management to verify their involvement in establishing the information security policy and the information security objectives: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to verifying that the information security policy and objectives have been established by top management, but not specifically to mobile devices.

A third-party audit is an independent assessment of an organisation’s management system by an external auditor, who is not affiliated with the organisation or its customers. The auditor verifies that the management system meets the requirements of a specific standard, such as ISO 27001, and evaluates its effectiveness and performance. The auditor also identifies any strengths, weaknesses, opportunities, or risks of the management system, and provides recommendations for improvement. The purpose of a third-party audit is to provide an objective and impartial evaluation of the organisation’s management system, and to inform a certification decision by a certification body. A certification body is an organisation that grants a certificate of conformity to the organisation, after reviewing the audit report and evidence, and confirming that the management system meets the certification criteria. A certification decision is the outcome of the certification process, which can be positive (granting, maintaining, renewing, or expanding the scope of certification) or negative (suspending, withdrawing, or reducing the scope of certification). References:

PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-25

ISO 19011:2018 - Guidelines for auditing management systems

The ISO 27001 audit process | ISMS.online

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

A missing reference to continual improvement is a documentation issue, not an immediate security risk, making it a minor nonconformity.

A. Incorrect:

Lack of employee training poses a direct security risk (major nonconformity).

B. Incorrect:

Missing multi-factor authentication significantly weakens security (major nonconformity).

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 10.1 (Continual Improvement)

The AES (Advanced Encryption Standard) method is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting data1. This type of control is considered preventive because it is implemented to prevent unauthorized access to confidential information by ensuring that the data is unreadable to anyone who does not have the key. References: = The explanation is based on the general understanding of encryption as a security control within the field of information security, particularly as it pertains to the ISO/IEC 27001 standard for information security management systems (ISMS), which includes encryption as a preventive control measure.

The definition of information that is not correct is C: mature and measurable data. This is not a valid definition of information, as information does not have to be mature or measurable to be considered as such. Information can be any data that has meaning or value for someone or something in a certain context. Information can be subjective, qualitative, incomplete or uncertain, depending on how it is interpreted or used. Mature and measurable data are characteristics that may apply to some types of information, but not all. The other definitions of information are correct, as they describe different aspects of information, such as accuracy and timeliness (A), specificity and organization (B), and understanding and uncertainty reduction (D). ISO/IEC 27001:2022 defines information as “any data that has meaning” (see clause 3.25). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Information?

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.1 requires an organization to determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS2. External issues are those that originate from outside the organization, such as legal, regulatory, cultural, social, political, economic, natural and competitive factors2. Internal issues are those that originate from within the organization, such as governance, structure, roles and responsibilities, policies, objectives, culture, capabilities, resources and information systems2. Therefore, based on this definition, four examples of external issues in the context of a management system to ISO/IEC 27001:2022 are a rise in interest rates in response to high inflation (which affects the economic environment of the organization), a reduction in grants as a result of a change in government policy (which affects the political and legal environment of the organization), higher labour costs as a result of an aging population (which affects the social and demographic environment of the organization), and inability to source raw materials due to government sanctions (which affects the trade and supply environment of the organization)2. The other options are examples of internal issues, as they originate from within the organization or its activities. For example, poor levels of staff competence as a result of cuts in training expenditure (which affects the capabilities and resources of the organization), increased absenteeism as a result of poor management (which affects the culture and performance of the organization), poor morale as a result of staff holidays being reduced (which affects the motivation and satisfaction of the organization’s personnel), and a fall in productivity linked to outdated production equipment (which affects the efficiency and quality of the organization’s processes)2. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Qualitative evidence assesses whether processes comply with audit criteria based on descriptive, observational, and interview-based data.

Quantitative evidence uses numerical data (e.g., metrics, statistics, or performance indicators) to assess if a process is functional and effective.

A. Incorrect:

Qualitative evidence is not limited to sampling and quantitative evidence is based on measurable data.

C. Incorrect:

Qualitative evidence does not estimate populations; it is subjective and descriptive.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.7 (Types of Audit Evidence: Qualitative vs. Quantitative)

The Act phase of the PDCA cycle is where the organisation takes actions to improve its processes and performance based on the results of the Check phase. This may involve resetting objectives to make them more realistic, achievable or challenging, or implementing changes to address the root causes of problems and achieve the desired outcomes. The Act phase is also where the organisation monitors the effects of the actions taken and evaluates their effectiveness and efficiency. The Act phase is important because it enables the organisation to learn from its experience and continually improve its ISMS. References: What is ‘Plan, Do, Check, Act’? A framework for continuous improvement, PDCA in ISO27001 - Free guide to learn | Dr. Erdal Ozkaya, PECB Candidate Handbook ISO 27001 Lead Auditor (page 12)

This option is appropriate for inclusion in the closing meeting agenda, as it is a requirement of the ISO 19011 standard, which provides guidelines for auditing management systems, including ISMS12. The standard states that the audit team leader should advise the auditee of any situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions, such as limitations in the audit scope, access, or sampling3. The standard also states that the audit report should include a statement that the audit is based on a sample of the information available at the time of the audit, and that the audit does not provide absolute assurance of the conformity or effectiveness of the audited management system4. Therefore, the audit team leader should include a disclaimer in the closing meeting agenda to inform the auditee of the nature and limitations of the audit, and to avoid any misunderstandings or false expectations. The other options are not appropriate for inclusion in the closing meeting agenda, as they are either irrelevant, incorrect, or incomplete. For example:

•A detailed explanation of the certification body’s complaints process is not relevant for the closing meeting agenda, as it is not related to the audit findings or conclusions. The certification body’s complaints process should be communicated to the auditee before the audit, as part of the audit agreement or contract5.

•An explanation of the audit plan and its purpose is not correct for the closing meeting agenda, as it should have been done at the opening meeting or before the audit. The audit plan is a document that describes the scope, objectives, criteria, and methodology of the audit, as well as the audit schedule, the audit team, the audit locations, and the audit deliverables . The audit plan should be communicated and agreed with the auditee in advance, and any changes or deviations should be notified during the audit.

•Names of auditees associated with nonconformities are not complete for the closing meeting agenda, as they do not provide the details or the evidence of the nonconformities. The audit team leader should present the audit findings, which include the description, the audit criteria, and the audit evidence of each nonconformity, as well as the audit conclusions and the audit recommendation . The audit team leader should also avoid naming or blaming individuals, and focus on the processes and the system.

The role and responsibility that system users should not observe in the event of an information security incident is D: make the information security incident details known to all employees. This is not a proper role or responsibility for system users, as it could cause unnecessary panic, confusion or speculation among employees who are not involved in the incident response process. It could also compromise the confidentiality and integrity of the incident information, which could be sensitive or confidential in nature. Making the information security incident details known to all employees could also violate the information security policies and procedures of the organization, which may require a certain level of discretion and confidentiality when dealing with incidents. The other roles and responsibilities are correct, as they describe what system users should do in the event of an information security incident, such as reporting the incident to the Servicedesk (A), preserving evidence if necessary (B), and cooperating with investigative personnel if needed ©. These roles and responsibilities help to ensure a quick, effective and orderly response to information security incidents. ISO/IEC 27001:2022 requires the organization to implement procedures for reporting and managing information security incidents (see clause A.16.1). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Information Security Incident Management?

The words that best complete the sentence are assess and recommendation. The sentence would read as follows:

“An audit plan is a statement of the intent of the audit team to assess all areas of the company with a view to determining a recommendation for certification approval.”

According to the web search results from my predefined tool, a third-party audit plan is a document that describes the scope, objectives, criteria, and methodology of an external audit conducted by an independent certification body to verify the conformity of an organization’s ISMS with the ISO 27001 standard12. The audit plan also includes the audit schedule, the audit team, the audit locations, and the audit deliverables23. One of the main deliverables of a third-party audit is the audit report, which summarizes the audit findings, the audit conclusions, and the audit recommendation34. The audit recommendation is the opinion of the audit team on whether the organization’s ISMS meets the certification requirements and whether the certification should be granted, maintained, suspended, or withdrawn45.

Therefore, the purpose of the audit plan is to state the intention of the audit team to assess all areas of the company, meaning to evaluate the performance and effectiveness of the ISMS, and to determine a recommendation for certification approval, meaning to provide a judgment on the certification status of the ISMS. The other words in the options, such as verdict, permit, report, inspect, and question, do not accurately reflect the meaning of the audit plan. A verdict is a formal decision made by a judge or a jury, not by an audit team. A permit is a legal authorization to do something, not a certification of conformity. A report is a document that presents the audit results, not the audit intention. An inspection is a visual examination of something, not a comprehensive assessment of an ISMS. A question is a request for information, not a determination of a recommendation.

According to ISO 19011:2018, clause 5.3, the person responsible for managing the audit programme should determine the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. The audit resources should be sufficient and appropriate to ensure the quality and effectiveness of the audit programme and the audit results. The audit resources include the following elements12:

Essential resources: These are the resources that are required to conduct the audit programme and the individual audits, such as the audit documents, the audit methods, the audit tools, the audit schedule, the audit budget, etc. The essential resources should be identified and allocated based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee. The essential resources should also be reviewed and updated as necessary to reflect any changes or deviations in the audit programme or the individual audits.

Competent personnel: These are the audit team members who have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results and recommendations. The competent personnel should include the audit team leader, the auditors, and any technical experts or observers who support the audit team. The competent personnel should be selected and appointed based on the audit objectives, scope, and criteria, and the specific competence requirements for the audit programme and the individual audits. The competent personnel should also be independent and impartial, and avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.

Audit planning for certification audits is defined by ISO 19011:2018, clause 6.3 (Preparing audit activities) and ISO/IEC 27006.

Key audit planning documents include:

Audit plan (mandatory, prepared by team leader)

Checklists (supporting tool for consistency and coverage of requirements)

List of external providers (required to check compliance with ISO/IEC 27001 Annex A.5.19 – supplier relationships and A.5.20 – supplier agreements)

Sample plans (used when sampling evidence across sites, processes, or records is needed, especially in Stage 2 audits)

However, the following are not required:

B. Career history of the IT manager – Personnel competence may be verified during interviews and evidence review, but an auditor does not need career histories as part of audit planning. ISO 19011 only requires access to competence records if needed but not CVs.

F. Organisation’s financial statement – Financial performance is not part of ISMS audit planning unless it relates to identified risks or contractual obligations. ISO/IEC 27001 focuses on information security risks, not financial audit compliance.

ISO 19011:2018 (clause 6.3.2) clearly defines the required planning inputs as:

Audit objectives, scope, and criteria

Audit team roles and responsibilities

Allocation of resources

Information about the auditee’s ISMS (e.g., documented scope, processes, external provider relationships, relevant legal/regulatory requirements)

There is no mention of personnel CVs or financial statements being required.

Final Correct Answer: B and F

The correct answer is A, because internal and external audits serve different but complementary purposes within an ISO/IEC 27001-based ISMS. Internal audits are conducted by or on behalf of the organization to regularly assess the effectiveness, conformity, and continual improvement of the ISMS. Their results help management identify weaknesses, risks, and opportunities for improvement before they become systemic issues.

ISO/IEC 27001 requires organizations to conduct internal audits at planned intervals to ensure the ISMS conforms to both internal requirements and the standard. These audits provide valuable input into management reviews, corrective actions, and readiness for external audits. In this way, internal audits act as an early warning and improvement mechanism.

External audits, conducted by an independent certification body, rely partly on the maturity demonstrated through internal audit outcomes. They verify whether the organization’s ISMS meets ISO/IEC 27001 requirements and whether internal audits are effective and properly implemented.

Option B is incorrect because internal audits are not passive reviews of external audit outputs; they are independent assessments with their own scope and objectives. Option C is incorrect because the roles are reversed: internal audits focus on ongoing internal improvement, while external audits focus on certification conformity.

Therefore, internal audits directly support and complement external audits by strengthening ISMS readiness and effectiveness.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

ISO/IEC 27001:2022 Clause 6.1.3 (Information Security Risk Treatment) requires that any decision to accept risk be documented and justified.

Failure to document this decision creates compliance and audit tracking gaps.

A. Incorrect:

Risk acceptance must always be documented for accountability.

C. Incorrect:

Organizations are not required to mitigate every nonconformity but must justify their risk acceptance.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 6.1.3 (Risk Treatment Documentation Requirements)

The overall competence of the12:

The audit scope and criteria: The audit scope defines the extent and boundaries of the audit, such as the locations, processes, functions, and time period to be audited. The audit criteria are the set of policies, procedures, standards, or requirements used as a reference against which the audit evidence is compared. The audit scope and criteria determine the complexity and extent of the audit, and thus influence the number and expertise of the auditors needed to cover all the relevant aspects of the audit.

The overall competence of the audit team needed to achieve audit objectives: The audit team should have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results. The audit team competence should include the following elements12:

Generic competence: The ability to apply the principles and methods of auditing, such as planning, conducting, reporting, and following up the audit, as well as the personal behaviour and attributes of the auditors, such as ethical conduct, fair presentation, professional care, independence, and impartiality.

Discipline and sector-specific competence: The ability to understand and apply the audit criteria and the relevant technical or industry aspects of the audited organization, such as the information security management system (ISMS) requirements, the information security risks and controls, the legal and regulatory obligations, the organizational context and culture, the processes and activities, the products and services, etc.

Audit team leader competence: The ability to manage the audit team and the audit process, such as coordinating the audit activities, communicating with the audit programme manager and the auditee, resolving any audit-related problems, ensuring the quality and consistency of the audit work and the audit report, etc.

The person responsible for managing the audit programme should not consider the following factors when deciding the size and composition of the audit team for a specific audit, as they are either irrelevant or inappropriate for the audit process12:

Customer relationships: The audit team should not be influenced by any personal or professional relationships with the auditee or other interested parties, as this may compromise the objectivity and impartiality of the audit. The audit team should avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.

Seniority of the audit team leader: The audit team leader should be selected based on their competence and experience, not on their seniority or rank within the organization or the audit programme. The audit team leader should have the authority and responsibility to manage the audit team and the audit process, regardless of their seniority or position.

The cost of the audit: The cost of the audit should not be the primary factor for determining the size and composition of the audit team, as this may compromise the quality and effectiveness of the audit. The audit team should have sufficient resources and time to conduct the audit in accordance with the audit objectives, scope, and criteria, and to provide accurate and reliable audit results and recommendations.

The duration preferred by the auditee: The duration of the audit should be based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee, not on the preference or convenience of the auditee. The audit team should have enough time to conduct the audit in a thorough and systematic manner, and to collect and evaluate sufficient and relevant audit evidence.

Comprehensive and Detailed In-Depth Explanation:

Security controls can be classified by type (administrative, technical, physical) and function (preventive, detective, corrective).

A. Detective and administrative – Correct Answer. Reviewing access rights is an administrative control because it involves procedural security measures (such as policy enforcement and auditing). It is also a detective control because it helps identify inappropriate or unauthorized access by auditing and verifying user permissions.

B. Corrective and managerial – Incorrect because reviewing user access rights does not correct an issue but rather detects potential unauthorized access. It is also administrative, not managerial.

C. Legal and technical – Incorrect because reviewing user access rights is an administrative policy-based action, not a legal or technical control.

This aligns with ISO/IEC 27001:2022 Annex A Control A.5.18 (Access Rights), which mandates regular review of user access to prevent unauthorized access and enforce security policies.

In the context of ISO/IEC 27001 audits, the audit team is appointed by the certification body, not by the organization being audited. Data Grid Inc. is responsible for specifying the audit criteria and defining the audit scope, but not for appointing the audit team.

Comprehensive and Detailed In-Depth Explanation:

The Statement of Applicability (SoA) is a mandatory document in ISO/IEC 27001:2022 that lists all Annex A controls, their applicability, and justifications for inclusion or exclusion.

C. Correct Answer: The SoA must include justifications for excluding Annex A controls. The scenario states that the project team excluded certain controls but does not mention that justifications were documented. This violates ISO/IEC 27001 Clause 6.1.3 (Information Security Risk Treatment), which requires documenting exclusions with reasons.

A. Incorrect: While the SoA should include an exhaustive list of controls, simply listing applicable controls from Annex A and other sources does not meet the requirement if exclusions are not justified.

B. Incorrect: Including security controls from other sources is allowed and does not invalidate the SoA, as organizations can define additional controls beyond Annex A based on their risk assessment.

Thus, Clinic's SoA is incomplete because it does not provide a justification for the exclusions of Annex A controls, making it non-compliant with ISO/IEC 27001 requirements.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer: ISO/IEC 27001 Clause 4.1 (Understanding the Organization and Its Context) and Clause 4.2 (Understanding the Needs and Expectations of Interested Parties) require organizations to consider both internal and external issues when defining the scope of the ISMS.

The scenario states that Clinic only considered internal issues but did not assess external factors, such as regulatory requirements, industry standards, or cybersecurity threats.

B. Incorrect: The scope is not fully correct because external factors were not considered.

C. Incorrect: Justifying exclusions is necessary in the SoA, not in the ISMS scope statement.

By failing to consider external issues, Clinic's ISMS does not meet the full requirements of ISO/IEC 27001.

competence of the audit team and decision made by the certification body

According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, an accredited certification means that the certification body has been evaluated by an accreditation body against recognized standards to demonstrate its competence, impartiality and performance capability1. Therefore, an accredited certification assures the competence of the audit team that conducts the audit in accordance with ISO 19011 and ISO/IEC 27001:2022, and the decision made by the certification body that grants or maintains the certification based on the audit evidence and findings2. References: ISO/IEC 17021-1:2015 - Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements, ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 7.2 requires an organization to determine the necessary competence of persons doing work under its control that affects its ISMS performance, and to provide training or take other actions to acquire or maintain the necessary competence1. Control A.6.3 requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect2. Therefore, if an ISMS auditor finds that the information security incident training effectiveness can be improved, this indicates an opportunity for improvement (OFI) that is relevant to clause 7.2 and control A.6.3.

According to ISO/IEC 27001:2022, clause 9.1 requires an organization to monitor, measure, analyze and evaluate its ISMS performance and effectiveness1. Control A.5.24 requires an organization to define and apply procedures for reporting information security events and weaknesses2. Therefore, if an ISMS auditor finds that based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel, this indicates a nonconformity (NC) that is not conforming with clause 9.1 and control A.5.24.

The other options are not correct options for preparing the audit findings based on the given information. For example, there is no nonconformance if the information security weaknesses, events, and incidents are reported, as this conforms with clause 9.1 and control A.5.24; there is no nonconformance if the information security handling training has performed, and its effectiveness was evaluated, as this conforms with clause 7.2 and control A.6.3; there is no nonconformity if the information security incident training has failed, as this may not necessarily indicate a lack of conformity with clause 7.2 or control A.6.3; there is no opportunity for improvement if the information security weaknesses, events, and incidents are reported, as this is already conforming with clause 9.1 and control A.5.24. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27002:2013 - Information technology – Security techniques – Code of practice for information security controls

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Internal auditors focus on internal audit nonconformities, while external auditors oversee external audit follow-ups.

B. Incorrect:

Minor nonconformities do not change the role of internal auditors.

C. Incorrect:

Internal auditors do not follow up on external audit findings—this is the certification body’s responsibility.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 9.2.2 (Internal Audit Responsibilities)

From Exact Extract:

1. Definition of control types (ISO-aligned understanding)

In information security management:

Preventive controls are designed to prevent an incident from occurring.

Detective controls are designed to identify and detect incidents or anomalies after or as they occur.

Corrective controls are designed to correct issues after detection.

2. Analysis of the controls implemented by Fintive

The scenario explicitly states that Fintive implemented the following controls:

Comprehensive audit logging

Automated alert systems to flag unusual activities

Periodic access reviews

Monitoring system behavior for anomalies

All of these controls are designed to:

Detect unauthorized access

Detect errors

Detect suspicious activities

Enable investigation after detection

This aligns directly with detective controls, not preventive or corrective.

3. ISO/IEC 27002:2022 – Exact control alignment

The controls implemented correspond to Annex A technological and organisational detective controls, including:

A.8.15 – Logging

Logging enables the detection and investigation of security events.

A.8.16 – Monitoring activities

Monitoring is used to detect anomalous behaviour and potential security incidents.

A.5.18 – Access rights (periodic reviews)

Access reviews detect inappropriate or excessive access.

These controls do not prevent the chatbot from malfunctioning, nor do they directly fix it — they detect issues so that action can be taken.

4. Why the other options are incorrect

A. Preventive – IncorrectPreventive controls would include secure coding practices, input validation, sandboxing, or improved testing before release. These were not the controls described.

C. Corrective – IncorrectCorrective controls would involve fixing the chatbot logic, retraining the model, or disabling unsafe features. The scenario explicitly focuses on detection and monitoring, not correction.

Auditor Conclusion

Fintive implemented detective controls to identify unauthorized access, errors, and suspicious activity arising from the chatbot’s behaviour. This is consistent with ISO/IEC 27001:2022 risk treatment and monitoring requirements.

The correct sequence of activities is:

Establish the management system

Plan the audit programme

Conduct internal audits

Hold a Management Review

Engage a Certification Body for stage 1 and stage 2 audits

Complete any corrective actions

Comprehensive but Short Explanation: = According to the PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, the steps for achieving certification are as follows1:

Establish the management system: This involves defining the scope, objectives, policies, procedures, and controls of the ISMS, as well as ensuring the availability of resources and top management commitment.

Plan the audit programme: This involves defining the audit objectives, criteria, scope, frequency, methods, and responsibilities for conducting internal audits of the ISMS.

Conduct internal audits: This involves verifying the conformity and effectiveness of the ISMS, as well as identifying any nonconformities or opportunities for improvement.

Hold a Management Review: This involves reviewing the performance and suitability of the ISMS, as well as deciding on any changes or actions needed to improve it.

Engage a Certification Body for stage 1 and stage 2 audits: This involves selecting a reputable and accredited certification body to conduct an external audit of the ISMS, consisting of two stages: a documentation review and an on-site assessment.

Complete any corrective actions: This involves addressing any nonconformities or findings identified by the certification body, and providing evidence of their implementation and effectiveness.

= 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, pages 25-26.

Even though the marketing department was not included in the audit scope, the issue of employees' access rights control must be communicated to Sinvestment's representatives and included in the audit report because it is part of Sinvestment’s information security policy. It reflects on the overall adherence to the ISMS requirements.

This is the definition of an interested party according to ISO 27001:2013, clause 3.16. An interested party is essentially a stakeholder, i.e., a person or organization that can influence or be influenced by the information security management system (ISMS) or its activities. Interested parties can have different needs and expectations regarding the ISMS, and these should be identified and addressed by the organization. References:

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, clause 3.16

PECB Candidate Handbook ISO 27001 Lead Auditor, page 10

Identifying interested parties and their expectations for an ISO 27001 ISMS

Examples of ISO 27001 interested parties

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the audit team leader should obtain information about the additional sites to inform the individual(s) managing the audit programme, as this may affect the audit objectives, scope, criteria, duration, resources, and risks. The audit team leader should also review the audit plan and make any necessary adjustments in consultation with the auditee and the audit client1. References: 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 27, section 4.3.2.2.

Sinvestment’s request to review documented information remotely during the stage 1 audit is acceptable and aligns with established auditing practices, making option A the correct answer. ISO/IEC 17021-1 and ISO 19011:2018 both permit flexibility in how audit activities are conducted, including the use of remote techniques, provided confidentiality, integrity, and effectiveness of the audit are maintained.

Stage 1 audits are primarily focused on reviewing documented information, understanding the organization’s context, confirming the ISMS scope, and assessing readiness for stage 2. Reviewing documents remotely is a widely accepted practice, especially when supported by appropriate confidentiality agreements, as was the case in this scenario. The auditors had already signed confidentiality agreements, mitigating the risk of information disclosure.

Option B is incorrect because remote document review does not inherently lead to a breach of confidentiality. Risks must be managed, not assumed. Secure document-sharing platforms and confidentiality agreements are sufficient safeguards when properly implemented. Option C is incorrect because the use of different locations or remote methods does not automatically reduce audit efficiency; in many cases, it enhances efficiency by reducing travel time and allowing better preparation.

Therefore, allowing remote review of documented information during stage 1 is fully consistent with ISO auditing standards and recognized certification body practices.

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the auditee should take the following actions in response to a nonconformity against clause 6.1.3.e of ISO/IEC 27001:20221:

Implement the appropriate risk treatment for each of the applicable controls, as this is the main requirement of clause 6.1.3.e and the objective of the risk treatment process2.

Revise the relevant content in the Statement of Applicability to justify their exclusion, as this is the expected output of the risk treatment process and the evidence of the risk-based decisions3.

Revisit the risk assessment process relating to the three controls, as this is the input for the risk treatment process and the source of identifying the risks and the controls4.

The other options are not correct because:

Allocating responsibility for producing evidence to prove to auditors that the controls are implemented is not a valid action, as the audit team already found that there was no evidence of the implementation of the three controls.

Compiling plans for the periodic assessment of the risks associated with the controls is not a valid action, as this is part of the risk monitoring and review process, not the risk treatment process5.

Incorporating written procedures for the controls into the organisation’s Security Manual is not a valid action, as this is part of the documentation and operation of the ISMS, not the risk treatment process.

Removing the three controls from the Statement of Applicability is not a valid action, as this is not a sufficient justification for their exclusion and does not reflect the risk treatment process.

Undertaking a survey of customers to find out if the controls are needed by them is not a valid action, as this is not a relevant criterion for the risk assessment and treatment process, which should be based on the organisation’s own context and objectives.

 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 36, section 4.5.22: ISO/IEC 27001:2022, clause 6.1.3.e3: ISO/IEC 27001:2022, clause 6.1.3.f4: ISO/IEC 27001:2022, clause 6.1.25: ISO/IEC 27001:2022, clause 6.2. : ISO/IEC 27001:2022, clause 7.5 and 8. : ISO/IEC 27001:2022, clause 6.1.3.d. : ISO/IEC 27001:2022, clause 4.1 and 4.2.

Risk analysis is the process by which the nature of the risk is determined along with its probability and impact. Risk analysis involves estimating the likelihood and consequences of potential events or situations that could affect the organization’s information security objectives or requirements12. Risk analysis could use qualitative or quantitative methods, or a combination of both12.

Risk management is the process by which a risk is controlled at all stages of its life cycle by means of the application of organisational policies, procedures and practices. Risk management involves establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing the risks that could affect the organization’s information security performance or compliance12. Risk management aims to ensure that risks are identified and treated in a timely and effective manner, and that opportunities for improvement are exploited12.

Risk identification is the process by which a risk is recognised and described. Risk identification involves identifying and documenting the sources, causes, events, scenarios, and potential impacts of risks that could affect the organization’s information security objectives or requirements12. Risk identification could use various techniques, such as brainstorming, interviews, checklists, surveys, or historical data12.

Risk evaluation is the process by which the impact and/or probability of a risk is compared against risk criteria to determine if it is tolerable. Risk evaluation involves comparing the results of risk analysis with predefined criteria that reflect the organization’s risk appetite, tolerance, or acceptance12. Risk evaluation could use various methods, such as ranking, scoring, or matrix12. Risk evaluation helps to prioritize and decide on the appropriate risk treatment options12.

Risk mitigation is the process by which the impact and/or probability of a risk is reduced by means of the application of controls. Risk mitigation involves selecting and implementing measures that are designed to prevent, reduce, transfer, or accept risks that could affect the organization’s information security objectives or requirements12. Risk mitigation could include various types of controls, such as technical, organizational, legal, or physical12. Risk mitigation should be based on a cost-benefit analysis and a residual risk assessment12.

Risk transfer is the process by which a risk is passed to a third party, for example through obtaining appropriate insurance. Risk transfer involves sharing or shifting some or all of the responsibility or liability for a risk to another party that has more capacity or capability to manage it12. Risk transfer could include various methods, such as contracts, agreements, partnerships, outsourcing, or insurance12. Risk transfer should not be used as a substitute for effective risk management within the organization12.

References :=

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27005:2022 Information technology — Security techniques — Information security risk management

ISO/IEC 27001:2022, clause 10.2 (Nonconformity and corrective action):

When a nonconformity occurs, the organization shall … take action to control and correct it, and deal with the consequences; evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere; implement any action needed; review the effectiveness of any corrective action taken.

The auditor’s responsibility is to verify effectiveness of corrective actions. This means the auditor must look for evidence of change that actually addresses the root cause and prevents recurrence — not just temporary fixes, promises, or documentation.

Let’s analyse the distractors:

A. Incorrect — corrective action should not allow recurrence.

B. Incorrect — refers to preventive action, which ISO 27001:2022 no longer uses as a separate concept; instead, it is integrated into risk management.

C. Weak — merely “reducing probability” is not sufficient; ISO 27001 requires elimination of causes to prevent recurrence.

D. Incorrect — “assurance from the auditee” is not acceptable evidence; auditors need objective evidence, not verbal commitment.

E. Incorrect — “comfort” is not an audit principle; ISO 19011 requires objective evidence.

F. Correct — aligns directly with ISO 27001 clause 10.2: “review the effectiveness of any corrective action taken … so that nonconformity does not recur.”

Thus, the correct nonconformity statement is:

“When reviewing the effectiveness of action taken in response to a nonconformity, an auditor seeks evidence of change that will prevent recurrence of the issue.”

The correct answer is Materiality, because materiality involves evaluating the significance and potential impact of issues identified during an audit, including financial, legal, contractual, and reputational consequences. In auditing, materiality helps determine which matters are important enough to influence audit conclusions or stakeholder decisions.

When defining materiality, auditors consider factors such as the cost of nonconformities, potential regulatory penalties, contractual breaches, and the broader business impact of noncompliance. For an ISO/IEC 27001 audit, this may include assessing whether failures in information security controls could lead to fines under data protection laws, loss of customer trust, or breach of service-level agreements. These considerations help auditors decide where to focus audit effort and how to prioritize findings.

Option B is incorrect because audit risk relates to the risk that auditors may reach incorrect conclusions due to inherent, control, or detection risks. While costs and penalties may influence risk assessment, they are not evaluated specifically when defining audit risk. Option C is incorrect because reasonable assurance refers to the level of confidence an audit can provide, not the evaluation of financial or legal impacts.

ISO 19011 supports the use of materiality concepts to ensure audits focus on issues that matter most to the organization and interested parties. Therefore, evaluating costs and penalties is directly linked to defining materiality.

The appropriate actions to take next are to investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied, to determine whether the high levels of rainfall have had other impacts on data centre operations, and to check with the guide that they intend to initiate the organisation’s information security incident process. These actions are relevant to the ISMS audit objectives and criteria, as they relate to the organisation’s risk assessment and treatment, security performance, and incident management processes. The other actions are either not within the scope of the ISMS audit, not required by the ISO/IEC 27001 standard, or not the responsibility of the auditor. References: PECB Candidate Handbook1, page 21-22; ISO/IEC 27001:2022 (en)2, clauses 6.1, 8.2, 9.1, and 10.2.

•C. Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

This is not relevant to the audit of the organization's incident management process. The HR manager's personal phone and how they handle a ransomware attack on it falls outside the scope of the ISMS audit. The organization is not responsible for personal devices.

•B. Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)

While seemingly relevant, this focuses on the method of payment for the ransom. The core issue is the organization paying the ransom at all, which is generally not best practice in incident response. The audit should focus on why this decision was made and if alternative solutions were considered (e.g., data backups, device wiping and restoration).

Why the other options ARE relevant:

•A. Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8) This directly addresses the identified discrepancy in understanding "weakness, event, and incident," which is crucial for proper incident reporting.

•D. Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27) This investigates the basis for the 24-hour recovery time, which seems arbitrary and may not be appropriate for all incidents.

•E. Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26) This probes the adequacy of the incident response, especially the lack of preventative measures after paying the ransom.

•F. Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26) This examines the actual procedures to assess their effectiveness and alignment with best practices.

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the audit reports should be produced by the audit team leader with input from the audit team, as they are responsible for collecting and analysing the audit evidence1. The audit reports should also include or refer to the audit plan, as it provides the basis for the audit objectives, scope, criteria, and methodology2. Furthermore, the audit reports should be produced within an agreed timescale, as it is part of the audit programme management and ensures timely communication of the audit results3. Additionally, the audit reports should always be reviewed by the client, dated, and signed as ‘accepted’, as it confirms the audit completion and the formal agreement on the audit findings and conclusions4.

The other statements are false because:

Audit reports should not be sent to the organisation’s top management first because their contents could be embarrassing, as this would compromise the audit impartiality and confidentiality5. Audit reports should be distributed according to the audit programme procedures and the audit plan.

Audit reports should not be assumed suitable for general circulation unless they are specifically marked confidential, as this would violate the audit confidentiality and the protection of personal information. Audit reports should be treated as confidential documents and only shared with the authorised parties.

Audit reports should not only evidence nonconformity, as this would limit the audit scope and value. Audit reports should also evidence conformity, improvement opportunities, good practices, and audit observations.

Audit reports that are no longer required should not be destroyed as part of the organisation’s general waste, as this would pose a risk to the audit confidentiality and the information security. Audit reports should be retained, disposed, or destroyed according to the audit programme procedures and the applicable legal requirements.

 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 32, section 4.4.32: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.43: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 31, section 4.4.14: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 34, section 4.4.55: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 24, section 4.3.1. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.4. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 24, section 4.3.1. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.4. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 32, section 4.4.3. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.4. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 24, section 4.3.1. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 34, section 4.4.5.

Yes, assessing the ISMS as a whole can be acceptable if the audit team obtains reasonable assurance that the system conforms to the standard requirements. The approach taken by the audit team must still ensure that all significant aspects of the ISMS are evaluated adequately, and if this is achieved through a holistic assessment, it is considered sufficient.

A management system audit is a systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. The audit criteria are a set of requirements that may include policies, procedures, standards, regulations, etc. The purpose of a management system audit is to evaluate the performance of an organisation’s management system in terms of its effectiveness, efficiency, compliance, and improvement. A management system audit can also identify strengths, weaknesses, opportunities, and risks of the management system and provide recommendations for improvement.