ISO-IEC-27001-Lead-Auditor PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Free Practice Exam Questions (2026 Updated)

Auditor competence is a combination of knowledge and skills. Which two of the following activities are predominately related to "knowledge"?

Scenario 3

NightCore, a multinational technology enterprise headquartered in the United States, specializes in e-commerce, cloud computing, digital streaming, and artificial intelligence (AI). After having an information security management system (ISMS) implemented for over a year, NightCore contracted a certification body to perform an audit for ISO/IEC 27001 certification.

The certification body formed a team of five auditors, with Jack as a team leader. Jack is renowned for his extensive auditing experience in risk management, information security controls, and incident management. His skill set aligns well with the requirements of auditing principles and processes, enabling him to effectively comprehend the audit scope and apply relevant criteria effectively. Jack also demonstrates a solid understanding of NightCore’s organizational structure, purpose, and management practices and the statutory and regulatory requirements applicable to its activities.

The audit carried out by the audit team followed a rational method to reach reliable and reproducible conclusions systematically. The audit team recognized that only information capable of being verified to some extent should be considered valid evidence. In some rare instances during the audit where the verification of certain information posed challenges and where its degree of verifiability was low, the auditors exercised their professional judgment to assess the reliability and determine the level of reliance that could be placed on such evidence.

During the audit, the auditors documented their observations and inspection notes regarding the operational planning and control of NightCore’s ISMS operations. They also recorded observations of NightCore’s inventory of information and associated assets. Additionally, the auditors reviewed the configuration of firewalls implemented to secure connections to network services.

As the audit approached its final stages, NightCore’s commitment to upholding the highest levels of information security became evident. With ISO/IEC 27001 certification within reach, NightCore is well-positioned to achieve ISO/IEC 27001 certification, enhancing its reputation in the technology sector.

Question

During the audit at NightCore, the auditors focused on key areas of ISMS operations, including operational planning, asset inventory, and firewall configurations. What type of evidence did the auditors collect during the audit conducted at NightCore?

Select the words that best complete the sentence:

"The purpose of maintaining regulatory compliance in a management system is to

To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red,

and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

Based on scenario 5, the audit team disagreed with the proposed audit duration by Data Grid Inc. for the ISMS audit. How do you describe such a situation?

Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the

fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is

considered to be the ultimate media machine of 2021 which will give the best gaming experience to players. The console pack will include a pair of VR headset, two

games, and other gifts.

Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the

reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market. Besides being a very customer-oriented company, Knight

also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.

Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.

Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an

operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.

Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze

every part of the system and the details of the incident.

The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their

accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.

FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.

Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone

capturing the traffic can only see encrypted data.

Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of

the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the

company's risk acceptance levels.

Based on this scenario, answer the following question:

According to scenario 2, the ISMS scope was not applied to the Finance and HR Department of Knight. Is this acceptable?

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.

You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".

You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.

You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.

Question

An organization requires all employees to undergo security awareness training every six months. The training covers topics such as recognizing phishing attacks, handling sensitive data, and reporting security incidents. After completing the training, employees must pass a short quiz to demonstrate their understanding.

What type of control does this activity represent?

Scenario 3: Rebuildy is a construction company located in Bangkok.. Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.

The ISMS implementation outcomes are presented below

•Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.

•Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.

•All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.

•The information security policy is part of a security manual drafted based on best security practices Therefore, it is not a stand-alone document.

•Information security roles and responsibilities have been clearly stated in every employees job description

•Management reviews of the ISMS are conducted at planned intervals.

Rebuildy applied for certification after two midterm management reviews and one annual internal audit Before the certification audit one of Rebuildy’s former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.

At the beginning of the audit, the audit team interviewed the company’s top management They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy’s conformity to several clauses of ISO/IEC 27001

The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:

•An instance of improper user access control settings was detected within the company's financial reporting system.

•A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.

After receiving these documents from the audit team, the team leader met Rebuildy’s top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.

Based on the scenario above, answer the following question:

Question:

Did the audit team adhere to audit best practices regarding the situation with the financial reporting system?

You are an experienced audit team leader guiding an auditor in training,

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

According to scenario 6, the marketing department employees were not following the access control policy. Which option is correct in this case?

You are an experienced ISMS audit team leader providing guidance to an auditor in training. She asks you why it is important to have specific criteria relating to the grading of nonconformities.

Which one of the following responses is correct?

Because grading criteria provide a common basis for the evaluation of nonconformities across the organization

You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.

Match each of the descriptions provided to one of the following risk management processes.

To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.

You are an experienced ISMS audit team leader. You are currently conducting a third-party surveillance audit of an

international haulage organisation. You have sampled four internal audit reports which state:

Report 1 - Auditor: Mr James.

Over the year the organisation has failed to meet its promised delivery dates on 23 occasions out of 100. This is against a target of '95% of deliveries on time'.

Grading - Minor

Corrective Action due: Within 9 months.

Report 2 - Auditor: Mr James.

Between January and March, it was noted 125 complaints were received about the Service Desk Team. Clients

accused them of being rude and unresponsive.

Grading - Minor

Corrective Action due: Within 12 months.

Report 3 - Auditor: Mr James.

Of the 40 customer orders received last month, 38 were correctly processed. Of the remaining 2, one was missing a

signature and one was missing a date.

Grading -

Corrections due: Within 3 weeks

Report 4 - Auditor: Mr Rogers.

Of the 30 personnel records examined, 26 were found to be fully completed whilst the remaining 4 were all missing

the individual's start date.

Grading – Major

Corrections due: Within 1 week

Which four of the options demonstrate the concerns you would have about these reports?

You are an experienced ISMS auditor conducting a third-party surveillance audit at an organisation which offers ICT reclamation services. ICT equipment which companies no longer require is processed by the organisation. It is either recommissioned and reused or is securely destroyed.

You notice two servers on a bench in the corner of the room. Both have stickers on them with the server's name, IP address and admin password. You ask the ICT Manager about them, and he tells you they were part of a shipment received yesterday from a regular customer.

Which one action should you take?

Scenario 8: Tessa. Malik, and Michael are an audit team of independent and qualified experts in the field of security, compliance, and business planning and strategies. They are assigned to conduct a certification audit in Clastus, a large web design company. They have previously shown excellent work ethics, including impartiality and objectiveness, while conducting audits. This time, Clastus is positive that they will be one step ahead if they get certified against ISO/IEC 27001.

Tessa, the audit team leader, has expertise in auditing and a very successful background in IT-related issues, compliance, and governance. Malik has an organizational planning and risk management background. His expertise relies on the level of synthesis and analysis of an organization's security controls and its risk tolerance in accurately characterizing the risk level within an organization On the other hand, Michael is an expert in the practical security of controls assessment by following rigorous standardized programs.

After performing the required auditing activities, Tessa initiated an audit team meeting They analyzed one of Michael s findings to decide on the issue objectively and accurately. The issue Michael had encountered was a minor nonconformity in the organization's daily operations, which he believed was caused by one of the organization's IT technicians As such, Tessa met with the top management and told them who was responsible for the nonconformity after they inquired about the names of the persons responsible

To facilitate clarity and understanding, Tessa conducted the closing meeting on the last day of the audit. During this meeting, she presented the identified nonconformities to the Clastus management. However, Tessa received advice to avoid providing unnecessary evidence in the audit report for the Clastus certification audit, ensuring that the report remains concise and focused on the critical findings.

Based on the evidence examined, the audit team drafted the audit conclusions and decided that two areas of the organization must be audited before the certification can be granted. These decisions were later presented to the auditee, who did not accept the findings and proposed to provide additional information. Despite the auditee's comments, the auditors, having already decided on the certification recommendation, did not accept the additional information. The auditee's top management insisted that the audit conclusions did not represent reality, but the audit team remained firm in their decision.

Based on the scenario above, answer the following question:

Question:

What must Tessa do regarding the presentation of nonconformities during the closing meeting?

Which is an example of a qualitative evidence?

Which two of the following work documents are not required for audit planning by an auditor conducting a certification audit?

Scenario 6

Sinvestment is an insurance provider that offers a wide range of coverage options, including home, commercial, and life insurance. Originally established in North California, the company has expanded its operations to other locations, including Europe and Africa. In addition to its growth, Sinvestment is committed to complying with laws and regulations applicable to its industry and preventing any information security incident. They have implemented an information security management system (ISMS) based on ISO/IEC 27001 and have applied for certification.

A team of auditors was assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment, they started the audit activities. For the activities of the stage 1 audit, it was decided that they would be performed on site, except the review of documented information, which took place remotely, as requested by Sinvestment.

The audit team started the stage 1 audit by reviewing the documentation required, including the declaration of the ISMS scope, information security policies, and internal audit reports. The evaluation of the documented information was based on the content and procedure for managing the documented information.

In addition, the auditors found out that the documentation related to information security training and awareness programs was incomplete and lacked essential details. When asked, Sinvestment’s top management stated that the company has provided information security training sessions to all employees.

The stage 2 audit was conducted three weeks after the stage 1 audit. The audit team observed that the marketing department (not included in the audit scope) had no procedures to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the company's information security policy, the issue was included in the audit report.

Question

What steps should Sinvestment take in regard to the missing information security training and awareness procedures during the stage 1 audit? Refer to Scenario 6.

You are conducting an ISMS audit. The next step in your audit plan is to verify that the organisation's

information security risk treatment plan has been established and implemented properly. You decide to

interview the IT security manager.

You: Can you please explain how the organisation performs its information security risk assessment and

treatment process?

IT Security Manager: We follow the information security risk management procedure which generates a

risk treatment plan.

Narrator: You review risk treatment plan No. 123 relating to the planned installation of an electronic

(invisible) fence to improve the physical security of the nursing home. You found the risk treatment plan was

approved by IT Security Manager.

You: Who is responsible for physical security risks?

IT Security Manager: The Facility Manager is responsible for the physical security risk. The IT department helps them to monitor the alarm. The Facility Manager is authorized to approve the budget for risk treatment plan No. 123.

You: What residual information security risks exist after risk treatment plan No. 123 was implemented?

IT Security Manager: There is no information for the acceptance of residual information security risks as far as I know.

You prepare your audit findings. Select three options for findings that are justified in the scenario.