ISO-IEC-27001-Lead-Auditor PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 allows auditors to report significant issues that impact the audit scope, even if they arise outside the predefined scope.

Security Training Department nonconformities directly affected CloudWebvue's ISMS, justifying its inclusion in the audit report.

B. Incorrect:

Transparency is crucial in audits, and Keith correctly informed the auditee before reporting.

C. Incorrect:

Issues affecting ISMS implementation must be reported, as they pose risks to the certification scope.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.6.1 (Audit Reporting on Nonconformities Outside Scope but with Impact)

 Integrity of data means accuracy and completeness of the data. Integrity is one of the three main objectives of information security, along with confidentiality and availability. Integrity ensures that information and systems are not corrupted, modified, or deleted by unauthorized actions or events. Data should be viewable at all times is not related to integrity, but to availability. Data should be accessed by only the right people is not related to integrity, but to confidentiality. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24. : [ISO/IEC 27001 Brochures | PECB], page 4.

No, the auditor should uphold objectivity even when deciding whether to accept the audit mandate or not. Discussing previous audit reports with a friend who is an internal auditor at the auditee may compromise the external auditor's objectivity and independence.

According to ISO/IEC 27001, the scope of an ISMS must be defined and documented. This documentation should include the boundaries and applicability of the information security management system, which helps in defining what information, locations, and assets are covered under the ISMS.

This scenario represents a conformity because ABC Inc. has implemented procedures for managing removable storage media that align with the classification scheme of the information stored. When information is classified as "confidential," more stringent procedures apply, whereas for "public" information, the procedures focus only on integrity and availability, following the organization's defined information classification policy.

Comprehensive and Detailed In-Depth Explanation:

Northstorm adopted an international standard for Personally Identifiable Information (PII) controllers and PII processors to ensure its data handling practices were secure and compliant with global regulations. This aligns directly with ISO/IEC 27701, which extends ISO/IEC 27001 and ISO/IEC 27002 to cover Privacy Information Management Systems (PIMS), specifically addressing the protection of PII.

A. ISO/IEC 27701 – Correct Answer. This standard is designed for organizations acting as PII controllers and processors and provides guidelines on privacy management, regulatory compliance, and data protection.

B. ISO/IEC 27009 – Incorrect because this standard provides guidance on sector-specific requirements for ISMS, not privacy or PII protection.

C. ISO/IEC 27003 – Incorrect because it provides general implementation guidance for ISMS, not specific controls for PII processing.

This aligns with ISO/IEC 27001:2022 Annex A Control A.5.34 (Privacy and Protection of PII), which focuses on ensuring compliance with privacy regulations and implementing privacy-enhancing security measures.

This scenario represents ordinary negligence, making option A the correct answer. Ordinary negligence occurs when an individual fails to exercise the level of care, competence, or diligence that would reasonably be expected under similar circumstances. In the context of ISO/IEC 27001 certification audits, this includes failing to follow established audit procedures, best practices, or competence requirements, even if there is no intent to cause harm.

In the scenario, the audit team leader failed to follow established best practices and lacked sufficient expertise in certain complex ISMS areas. These shortcomings resulted in weak audit coverage and suboptimal outcomes. However, the audit was still conducted, findings were reported, and there is no indication of reckless disregard, willful misconduct, or intentional violation of duties. This distinction is important when assessing the severity of negligence.

Gross negligence would require evidence of a serious departure from accepted standards, such as knowingly ignoring mandatory audit requirements, deliberately conducting an audit without any competence, or showing reckless indifference to the consequences. That threshold is not met here. Similarly, option C is incorrect because the presence of procedural failures and competence gaps clearly indicates some level of negligence.

ISO 19011:2018 emphasizes auditor competence, due professional care, and adherence to audit principles. Failure to meet these expectations constitutes negligence, but in this case, it remains within the bounds of ordinary negligence rather than gross negligence.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

Materiality helps auditors identify significant areas for audit focus and is used to set audit objectives appropriately.

Materiality determines which processes, risks, or controls are critical for achieving effective ISMS implementation.

A. Incorrect:

Materiality affects audit scope but does not directly determine duration.

B. Incorrect:

Team roles are assigned based on expertise, not materiality considerations.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.2.3 (Determining Feasibility of Audit)

The auditee is required to submit action plans that include detailed information on how every corrective action will be implemented. General statements are not sufficient; the action plans must specify the corrective actions in detail to ensure that the root causes of the nonconformities are addressed effectively.

The possible matches of the characteristics to the descriptions are:

Tenacious: Persistent and focused on objectives

Ethical: Fair, truthful, sincere, honest, discreet

Diplomatic: Tactful in dealing with individuals

Observant: Actively observing surroundings/activities

Perceptive: Aware of and able to understand situations

Open to improvement: Willing to learn from situations

Actively observing surroundings/activities = Observant

Fair, truthful, sincere, honest, discreet = Ethical

Persistent and focused on objectives = Tenacious

Willing to learn from situations = Open to improvement

Tactful in dealing with individuals = Diplomatic

Aware of and able to understand situations = Perceptive

These are the auditor’s characteristics and their descriptions as defined by ISO 19011:2022, Clause 7.2.21. The auditor’s personal behaviour is essential for building trust and confidence with the auditee and for ensuring the credibility and effectiveness of the audit12. References: 1: ISO 19011:2022, Guidelines for auditing management systems, Clause 7.2.2 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 3: Fundamental audit concepts and principles

According to ISO/IEC 27001:2022 clause 8.1, the organization must plan, implement and control the processes needed to meet the information security requirements, and to implement the actions determined in clause 6.1. The organization must also ensure that the outsourced processes are controlled or influenced. According to control A.5.24, the organization must establish and maintain an information security incident management process that includes reporting information security events and weaknesses. Therefore, the use of lower grade machines for the secure disposal of confidential documents and media could pose a significant information security risk and a potential breach of contract with the clients. The auditor should respond to this information by:

A. Advising the individual managing the audit programme of any recommendation by you to conduct a further audit prior to certification. This is in accordance with ISO/IEC 27006:2022 clause 7.4.3, which states that the audit team leader shall report to the certification body any situation that may significantly affect the audit conclusions or the certification decision, and propose any necessary changes to the audit plan.

C. Considering the need for a subsequent audit within 4 weeks based on the additional information that has come to light. This is in accordance with ISO/IEC 27006:2022 clause 7.5.2, which states that the audit team leader shall review the audit findings and any other appropriate information collected during the audit to determine the audit conclusions, and to identify any need for a subsequent audit.

G. Verifying with the auditee that lower grade machines are used in certain circumstances. This is in accordance with ISO/IEC 27006:2022 clause 7.4.2, which states that the audit team leader shall ensure that the audit is conducted in accordance with the audit plan, and that any changes to the plan are agreed upon and documented.

The other options are not appropriate responses, as they either ignore the information, exceed the scope of the audit, or prematurely raise a nonconformity without sufficient evidence. For example:

B. Cancelling the production of the audit report and instead reviewing the organization’s contracts with its clients to determine whether they have permitted the use of lower grade machines. This is not a suitable response, as it would delay the audit process and the certification decision, and it would involve reviewing documents that are outside the scope of the ISMS audit. The auditor should focus on verifying the information security risk assessment and treatment process, and the information security incident management process, as they relate to the use of lower grade machines.

D. Doing nothing. All audits are based on a sample and the sample you took did not include a planned review of the lower grade machines. This is not a suitable response, as it would disregard a significant information security risk and a potential nonconformity that could affect the audit conclusions and the certification decision. The auditor should follow up on the information provided by the employee and verify its validity and impact.

E. Extending the certification audit duration to create additional time to audit the use of the lower grade machines. This is not a suitable response, as it would disrupt the audit schedule and the availability of the audit team and the auditee. The auditor should report the situation to the certification body and propose any necessary changes to the audit plan, such as conducting a subsequent audit.

F. Raising a nonconformity against 8.1 Operational Planning and Control as the organization has not been open about its processes. This is not a suitable response, as it would be based on a single source of information that has not been verified or corroborated. The auditor should collect sufficient and appropriate audit evidence to support any nonconformity, and should also consider the root cause and the severity of the nonconformity.

According to ISO 19011:2018, which provides guidelines for auditing management systems, an opening meeting is a formal communication between the audit team and the auditee at the start of an audit1. The purpose of the opening meeting is to confirm the audit objectives, scope and criteria, introduce the audit team and their roles, confirm the audit plan and logistics, explain the audit methods and procedures, and establish the communication channels1. Therefore, if the Managing Director of the client organization invites the audit team to view a new company video lasting 45 minutes during the opening meeting of a Stage 2 audit, the audit team leader should respond in a way that does not compromise the effectiveness and efficiency of the audit or create any misunderstanding or conflict with the auditee. Two possible ways to respond are to advise the Managing Director that the audit team has to keep to the planned schedule, as there may be limited time and resources available for the audit; or to suggest that the video could be viewed during a refreshment break, if it is relevant and useful for the audit and does not interfere with other audit activities1. The other options are not appropriate responses for the audit team leader to make in this situation. For example, stating that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team may imply that the video is not important or relevant for the rest of the audit team; inviting the Managing Director to the auditors’ hotel for a viewing that evening may create an impression of bias or favouritism; stating that the audit team will make a decision on the viewing at a later time may be vague or indecisive; and advising the Managing Director that the audit team agrees to his request may result in wasting valuable audit time or losing focus on the audit objectives1. References: ISO 19011:2018 - Guidelines for auditing management systems

According to ISO 27001:2013, clause 5.2, the top management of an organization must establish, implement and maintain an information security policy that is appropriate to the purpose of the organization and provides a framework for setting information security objectives. The information security policy must also include a commitment to comply with the applicable legal, regulatory and contractual requirements, as well as any other requirements that the organization subscribes to. Therefore, maintaining regulatory compliance is part of fulfilling the management system policy and ensuring its effectiveness and suitability. References:

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, clause 5.2

PECB Candidate Handbook ISO 27001 Lead Auditor, page 10

ISO 27001 Policy: How to write it according to ISO 27001

Yes, the audit team should obtain approval from Lawsy before photocopying documents. This is a best practice to ensure that the auditee agrees to the duplication of documents, which might contain sensitive or confidential information. Although auditors can observe and note down information, copying documents typically requires explicit permission to maintain trust and ensure compliance with confidentiality agreements.

No, a general action plan is not acceptable in this context because it lacks specific details on systems, controls, or operations impacted by the nonconformities. An effective action plan should detail the specific corrective actions for each nonconformity to ensure comprehensive resolution and prevent recurrence.

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, audit methods can be classified into two categories: with or without interaction with individuals representing the auditee (page 12). Audit methods with interaction include reviewing checklists with auditee and conducting interviews, as they involve direct communication and feedback from the auditee. Audit methods without interaction include sampling (e.g. products), observing work performed via live video streaming, checking legal compliance with local authorities, and analysing documents provided in advance of the audit, as they do not require any dialogue or exchange with the auditee. References: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 12.

Comprehensive and Detailed In-Depth Explanation:

A. Assigning responsibilities to the audit team members (Correct Answer) – This is not Sarah’s responsibility. The certification body assigns the audit team and defines responsibilities, ensuring independence and objectivity.

B. Defining the audit criteria and objectives (Correct Responsibility) – Sarah, as the audit team leader, must establish audit criteria and objectives, per ISO 19011 (Guidelines for Auditing Management Systems).

C. Planning the audit (Correct Responsibility) – The audit team leader is responsible for planning the audit, including timelines and resource allocation.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)

ISO 19011:2018 Clause 5.5.2 (Defining Audit Objectives and Criteria)

ISO/IEC 27001 focuses on the core principles of the CIA triad:

•Confidentiality: Ensuring information is accessible only to authorized individuals.

•Integrity: Maintaining the accuracy and completeness of information, protecting it from unauthorized modification.

•Availability: Information should be accessible to authorized users when needed (this is also important, but not one of the choices in this specific question).

Explanation (ISO-aligned)

Vulnerability scanning tools may produce false positives.

ISO/IEC 27002:2022 A.8.8 (Management of technical vulnerabilities) requires vulnerabilities to be evaluated, not blindly accepted.

A vulnerability becomes confirmed only after validation, contextual analysis, or successful exploitation.

Option A is incorrect because scan results require validation.

Option B is incorrect because failure to exploit does not prove absence of vulnerability.

✅ Correct reasoning: risk must be validated before confirmation.

Comprehensive and Detailed In-Depth Explanation:

A. Preventive Control – Correct Answer. Access control software is designed to prevent unauthorized access by enforcing authentication and authorization mechanisms. This aligns with ISO/IEC 27001:2022 Annex A Control A.5.18 (Access Rights).

B. Detective controls identify and log unauthorized access attempts, but do not prevent them.

C. Corrective controls take action after a security event has occurred.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO/IEC 27001:2022 Clause 10.1 (Improvement) requires organizations to submit action plans to address audit findings.

Clastus must document an action plan before corrective actions can be evaluated or followed up.

B. Incorrect:

Corrective actions can only be evaluated after action plans are submitted and implemented.

C. Incorrect:

Follow-up occurs after corrective actions have been executed and verified.

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 10.1 (Corrective Action Planning and Implementation)

The major nonconformity related to storing sensitive information in removable media justifies the unfavorable recommendation for certification. This issue directly contradicts the information classification scheme's stipulations, indicating a significant oversight in enforcing the ISMS policies.

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 9.3 requires top management to review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness1. Clause 9.2 requires the organization to conduct internal audits at planned intervals to provide information on whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022, and is effectively implemented and maintained1. Therefore, when reviewing the audit process and audit findings as a final check before the external certification body arrives, an internal ISMS auditor should verify that these clauses are met in accordance with the audit criteria.

Six of the following statements would cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:

The audit programme shows management reviews taking place at irregular intervals during the year: This statement would cause concern because it implies that the organization is not conducting management reviews at planned intervals, as required by clause 9.3. This may affect the ability of top management to ensure the continuing suitability, adequacy and effectiveness of the ISMS.

The audit programme does not take into account the relative importance of information security processes: This statement would cause concern because it implies that the organization is not applying a risk-based approach to determine the audit frequency, methods, scope and criteria, as recommended by ISO 19011:2018, which provides guidelines for auditing management systems2. This may affect the ability of the organization to identify and address the most significant risks and opportunities for its ISMS.

Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date: This statement would cause concern because it implies that the organization is not establishing audit criteria for each internal audit, as required by clause 9.2. Audit criteria are the set of policies, procedures or requirements used as a reference against which audit evidence is compared2. Without audit criteria, it is not possible to determine whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022.

Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes: This statement would cause concern because it implies that the organization is not evaluating the effectiveness of ISMS processes, as required by clause 9.1. Effectiveness is the extent to which planned activities are realized and planned results achieved2. Efficiency is the relationship between the result achieved and the resources used2. Both aspects are important for measuring and evaluating ISMS performance and improvement.

The audit programme does not take into account the results of previous audits: This statement would cause concern because it implies that the organization is not using the results of previous audits as an input for planning and conducting subsequent audits, as recommended by ISO 19011:20182. This may affect the ability of the organization to identify and address any recurring or unresolved issues or nonconformities related to its ISMS.

Top management commitment to the ISMS will not be audited before the certification visit, according to the audit programme: This statement would cause concern because it implies that the organization is not verifying that top management demonstrates leadership and commitment with respect to its ISMS, as required by clause 5.1. This may affect the ability of top management to ensure that the ISMS policy and objectives are established and compatible with the strategic direction of the organization; that roles, responsibilities and authorities for relevant roles are assigned and communicated; that resources needed for the ISMS are available; that communication about information security matters is established; that continual improvement of the ISMS is promoted; that other relevant management reviews are aligned with those of information security; and that support is provided to other relevant roles1.

The other statements would not cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:

Audit reports are not held in hardcopy (i.e. on paper). They are only stored as ".POF documents on the organisation’s intranet: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific format or media for documenting or storing audit reports, as long as they are controlled according to clause 7.5.

The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for auditor independence, as long as the audit is conducted objectively and impartially, in accordance with ISO 19011:20182.

The audit programme does not reference audit methods or audit responsibilities: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for referencing audit methods or audit responsibilities in the audit programme, as long as they are defined and documented according to ISO 19011:20182.

The audit process states the results of audits will be made available to ‘relevant’ managers, not top management: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for communicating the results of audits to top management, as long as they are reported to the relevant parties and used as an input for management review, according to clause 9.3.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 mandates that auditors present all nonconformities with sufficient detail and context to ensure proper understanding and corrective action planning.

Failure to explain nonconformities fully could lead to ineffective remediation.

B. Incorrect:

Minor nonconformities must also be presented to ensure full transparency.

C. Incorrect:

Aligning with standard clauses is necessary, but detailed analysis is more critical.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.6.2 (Presentation of Audit Findings in Closing Meetings)

Confidentiality is one of the principles of audit conduct that auditors should adhere to when performing audits. Confidentiality means that auditors should exercise discretion in the use and protection of information acquired in the course of their duties3. Auditors should respect the intellectual property rights of the auditee and other parties involved in the audit, and should not disclose any information that is sensitive, proprietary, or confidential without prior approval from the auditee or other authorized parties3. Auditors should also obtain the auditee’s permission before using a camera or recording equipment during an audit, as these devices may capture confidential information or infringe on the privacy of individuals3. Therefore, these two options correctly state the function of confidentiality in an audit. The other options are either incorrect or irrelevant to confidentiality. For example, auditors are not forced by regulatory requirements to maintain confidentiality in an audit, but rather by ethical obligations and contractual agreements3. Observers in an audit team can access confidential information if they have signed a confidentiality agreement and have been authorized by the auditee3. Audit information can be used for improving personal competence by the auditor only if it does not compromise confidentiality or conflict with other interests3. As an auditor is always accompanied by a guide, there is still a risk to the auditee’s sensitive information if the guide is not trustworthy or authorized to access such information3. References: ISO 19011:2018 - Guidelines for auditing management systems

The word that best completes the sentence is “demonstrate”. According to ISO/IEC 27001:2022, Clause 7.5, the organization shall retain documented information as evidence of the performance of the processes and the conformity of the products and services with the requirements1. The purpose of retaining documented information is to demonstrate conformity with the requirements of the management system standard, not to maintain, audit, or certify it. References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 7.5

The IRT’s finding that FTP transmits authentication credentials in clear text represents a vulnerability in information security terms. A vulnerability is defined as a weakness in an asset, system, or control that can be exploited by a threat. In this scenario, FTP itself is not a threat, nor is it the risk; rather, it is the technical weakness that enabled the attackers to succeed.

The attackers (hackers) are the threat, and the potential loss of proprietary information is the impact. The risk arises from the combination of the threat exploiting the vulnerability and causing harm. However, the question specifically asks what the IRT’s finding about FTP represents, and that finding is the identification of a weakness in the system design. The use of clear-text authentication is a well-known security weakness, making it easier for attackers to capture credentials through network traffic interception.

ISO/IEC 27001:2022 risk assessment logic requires organizations to distinguish clearly between threats, vulnerabilities, and risks during incident analysis. The IRT did exactly this by identifying that the protocol itself lacked encryption, which is a vulnerability. This is further supported by the corrective action taken: replacing FTP with SSH. SSH provides encrypted communication, which directly addresses the vulnerability by removing the weakness that allowed credential exposure.

Therefore, the IRT’s findings correctly identify FTP as a vulnerability, making option A the correct answer.

According to the PECB Candidate Handbook1, audit team leaders should have the following additional knowledge and skills compared to auditors:

•Plan the audit, including preparing the audit plan, assigning work to the audit team members and coordinating their activities

•Make effective use of resources provided to the audit, such as personnel, time, budget and equipment

•Manage the audit process, including leading the opening and closing meetings, directing the audit team, resolving conflicts and ensuring the audit objectives are achieved

•Review and approve the audit report and audit findings

•Communicate with the client and other interested parties throughout the audit

A checklist is a tool that helps auditors to collect and verify information relevant to the audit objectives and scope. It can provide the following advantages:

Ensuring relevant audit trails are followed: A checklist can help auditors to identify and trace the sources of evidence that support the conformity or nonconformity of the audited criteria. It can also help auditors to avoid missing or overlooking any important aspects of the audit.

Ensuring the audit plan is implemented: A checklist can help auditors to follow and fulfil the audit plan, which describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. It can also help auditors to manage their time and resources effectively and efficiently.

The other options are not advantages of using a checklist, but rather:

Using the same checklist for every audit without review: This is a disadvantage of using a checklist, as it can lead to a rigid and ineffective audit approach. A checklist should be tailored and adapted to each specific audit, taking into account the context, risks, and changes of the auditee and the audit criteria. A checklist should also be reviewed and updated periodically to ensure its validity and relevance.

Restricting interviews to nominated parties: This is a disadvantage of using a checklist, as it can limit the scope and depth of the audit. A checklist should not prevent auditors from interviewing other relevant parties or sources of information that may provide valuable evidence or insights for the audit. A checklist should be used as a guide, not as a constraint.

Reducing audit duration: This is not necessarily an advantage of using a checklist, as it depends on various factors, such as the complexity, size, and maturity of the auditee’s ISMS, the availability and quality of evidence, the competence and experience of the auditors, and the level of cooperation and communication between the auditors and the auditee. A checklist may help reduce audit duration by improving efficiency and organization, but it may also increase audit duration by requiring more evidence or verification.

Not varying from the checklist when necessary: This is a disadvantage of using a checklist, as it can result in a superficial or incomplete audit. A checklist should not prevent auditors from exploring or investigating any issues or concerns that arise during the audit, even if they are not included in the checklist. A checklist should be used as a support, not as a substitute.

•Minor Nonconformities: The identified nonconformities are minor, meaning they don't pose a significant risk to the information security management system (ISMS). They are likely to be easily rectified with focused corrective actions.

•Opportunity for Improvement: This is not a nonconformity but a suggestion for enhancing the ISMS. It doesn't require immediate corrective action but should be addressed in the organization's continual improvement efforts.

•Initial Certification: As this is an initial certification audit, the organization is expected to demonstrate its commitment to addressing any gaps identified. A partial audit allows for a focused follow-up on the specific areas of nonconformity, ensuring they have been adequately addressed.

Why other options are not suitable:

•A. Recommend certification after your approval of the proposed corrective action plan: While certification is the goal, it's premature to recommend it before verifying the effectiveness of the corrective actions.

•B. Recommend that a full scope re-audit is required within 6 months: This is too extensive for minor nonconformities. A full re-audit is usually reserved for major nonconformities or systemic issues.

•D. Recommend that the findings can be closed out at a surveillance audit in 1 year: This is too long a timeframe for addressing the nonconformities. Prompt corrective action is necessary to demonstrate commitment to the ISMS.

In summary, recommending a partial audit within 3 months strikes the right balance between allowing the organization time to implement corrective actions and ensuring timely verification of their effectiveness. This approach aligns with the principles of ISO 27001 and supports the organization's journey towards certification.

Integrity is one of the basic components of information security, along with confidentiality and availability. Integrity means that information is safeguarded from unauthorized or accidental changes that could affect its accuracy and completeness. Integrity ensures that information is reliable and trustworthy3. References: ISO/IEC 27001:2022 Lead Auditor Training Course - BSI

The correct sequence of activities for the management of information security risk in accordance with the requirements of ISO/IEC 27001:2022 is as follows:

1st: Create and maintain information security risk criteria 2nd: Identify the risks that need to be considered when planning for the information security management system 3rd: Assess the potential consequences that would arise if the risk were to materialise 4th: Select appropriate risk treatment options 5th: Carry out information security risk assessments at planned intervals 6th: Consider the results of risk assessment and the status of the risk treatment plan at management review

This sequence is based on the information security risk management process described in ISO/IEC 27001:2022 clause 6.1, which includes the following activities:

establishing and maintaining information security risk criteria;

ensuring that repeated information security risk assessments produce consistent, valid and comparable results;

identifying the information security risks;

analyzing the information security risks;

evaluating the information security risks;

treating the information security risks;

accepting the information security risks and the residual information security risks;

communicating and consulting with stakeholders throughout the process;

monitoring and reviewing the information security risks and the risk treatment plan.

•Second-Party Audits: These involve an organization (the customer) auditing another organization with which it has a relationship (such as a supplier). The focus is on ensuring the supplier meets the customer's information security requirements.

•Accreditation Bodies: These assess the competence of certification bodies but don't directly participate in second-party audits.

•CQI and IRCA: These organizations provide auditor certifications but their training alone doesn't automatically qualify someone for second-party ISO/IEC 27001 audits. The auditor should have specific knowledge of the standard.

The purpose of a Stage 2 audit is to evaluate the implementation of the management system, in this case, the ISMS, according to the requirements of ISO/IEC 27001:2022 and the organisation’s own policies and procedures. The Stage 2 audit involves collecting evidence of the effectiveness and performance of the ISMS, as well as verifying the conformity and suitability of the organisation’s controls. The Stage 2 audit also assesses the organisation’s ability to achieve its information security objectives and to manage information security risks. References: = ISO/IEC 27006:2022, clause 9.2.2.2; PECB Candidate Handbook ISO 27001 Lead Auditor, page 28.

Jack compromised the audit principle of confidentiality by selling NightCore's information after the audit. Confidentiality ensures that information is accessible only to those authorized to have access and is protected throughout its lifecycle.

The following statements are true:

The role of a certification body auditor involves evaluating the organization’s processes for ensuring compliance with their legal requirements. This is part of the auditor’s responsibility to assess the effectiveness and conformity of the organization’s ISMS against the ISO/IEC 27001:2022 standard and the applicable legal and regulatory requirements.

During a third-party audit, the auditor evaluates how the organization ensures that they are made aware of changes to the legal requirements. This is part of the auditor’s responsibility to verify that the organization has established and maintained a process for identifying and updating their legal and other requirements related to information security. The following statement is false:

As part of a certification body audit, the auditor is responsible for verifying the organization’s legal compliance status. This is not true, as the auditor is not authorized or qualified to provide legal advice or judgment on the organization’s compliance status. The auditor can only report on the evidence of compliance or noncompliance observed during the audit, but the ultimate responsibility for ensuring legal compliance lies with the organization. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 66. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 67. : ISO/IEC 27001 LEAD AUDITOR - PECB, page 22.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 (Guidelines for Auditing Management Systems) outlines diligent audit practices, including evidence-based assessment and professional skepticism.

The auditors critically reviewed records, interviewed staff, and validated incident response effectiveness.

They did not rely solely on verbal statements but sought concrete evidence, demonstrating due diligence and judgment.

B. Incorrect:

Employment contracts are not primary audit evidence for competence; training and certification records hold greater significance.

C. Incorrect:

The scenario does not mention that top management was excluded from interviews. However, their involvement is not mandatory for evaluating incident handling.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4 (Conducting Audit Activities)

This option is appropriate for inclusion in the closing meeting agenda, as it is a requirement of the ISO 19011 standard, which provides guidelines for auditing management systems, including ISMS12. The standard states that the audit team leader should advise the auditee of any situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions, such as limitations in the audit scope, access, or sampling3. The standard also states that the audit report should include a statement that the audit is based on a sample of the information available at the time of the audit, and that the audit does not provide absolute assurance of the conformity or effectiveness of the audited management system4. Therefore, the audit team leader should include a disclaimer in the closing meeting agenda to inform the auditee of the nature and limitations of the audit, and to avoid any misunderstandings or false expectations. The other options are not appropriate for inclusion in the closing meeting agenda, as they are either irrelevant, incorrect, or incomplete. For example:

•A detailed explanation of the certification body’s complaints process is not relevant for the closing meeting agenda, as it is not related to the audit findings or conclusions. The certification body’s complaints process should be communicated to the auditee before the audit, as part of the audit agreement or contract5.

•An explanation of the audit plan and its purpose is not correct for the closing meeting agenda, as it should have been done at the opening meeting or before the audit. The audit plan is a document that describes the scope, objectives, criteria, and methodology of the audit, as well as the audit schedule, the audit team, the audit locations, and the audit deliverables . The audit plan should be communicated and agreed with the auditee in advance, and any changes or deviations should be notified during the audit.

•Names of auditees associated with nonconformities are not complete for the closing meeting agenda, as they do not provide the details or the evidence of the nonconformities. The audit team leader should present the audit findings, which include the description, the audit criteria, and the audit evidence of each nonconformity, as well as the audit conclusions and the audit recommendation . The audit team leader should also avoid naming or blaming individuals, and focus on the processes and the system.

The velocity of big data refers to the speed at which data is generated, transmitted, processed, and analyzed, often in near real-time or real-time contexts. This makes option B the correct answer.

Big data is commonly described using the “three Vs”: Volume, Velocity, and Variety. Volume refers to the sheer amount of data generated. Variety refers to the different types of data, such as structured, semi-structured, and unstructured data. Velocity, however, specifically focuses on how quickly data flows into systems and how fast it must be processed to remain valuable.

Option B accurately reflects this concept by emphasizing rapid processing and real-time handling, which is critical in use cases such as fraud detection, network monitoring, and real-time analytics. In these scenarios, delayed processing significantly reduces the usefulness of the data.

Option A is incorrect because it describes volume, not velocity. Option C is incorrect because it describes variety. From an information security and audit perspective, velocity introduces additional risks, such as reduced time for validation, logging, and manual review, which must be addressed through automated controls.

Therefore, the correct description of big data velocity is the rapidity at which data is processed in a real-time context.

The correct answer is Corrective controls, because the organization is responding to an incident that has already occurred and is taking actions to remove the malware and restore normal operations. Corrective controls are designed to limit damage, eradicate the cause of an incident, and return systems to an acceptable operational state after a security event has been detected.

In this scenario, the malware infection has already bypassed existing security measures, meaning preventive controls failed to stop the incident. The focus now is not on detection, as the infection is already known, but on remediation and recovery. Activities such as malware removal, system restoration from backups, reinstallation of compromised systems, and application of patches are classic examples of corrective controls.

ISO/IEC 27001:2022 addresses this through clause 10.2 on nonconformity and corrective action, which requires organizations to take action to control and correct incidents and deal with their consequences. Additionally, ISO/IEC 27002:2022 includes controls related to incident response and recovery that support corrective actions after an event.

Option B is incorrect because detective controls, such as monitoring and logging, are intended to identify incidents, not resolve them. Option C is incorrect because preventive controls aim to stop incidents from occurring in the first place, such as antivirus software or access controls. Since the malware has already caused harm, corrective controls are the most appropriate response.

An intrinsic vulnerability refers to a weakness that is inherent to a system or tool, such as a data processing tool’s inability to perform bound checking on arrays. This characteristic makes the system susceptible to issues like buffer overflows, which can lead to crashes or other types of failures. References: = The concept of intrinsic vulnerability is based on the understanding that certain vulnerabilities are built into the system and are not influenced by external factors. This aligns with the general principles of information security management systems and the content typically covered in ISMS ISO/IEC 27001 Lead Auditor training and certification programs

8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected = Technological control 7.8 Equipment shall be sited securely and protected = Physical control 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation’s needs = Organisational control 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation’s premises = People control

According to the web search results from my predefined tool, ISO 27001:2022 has restructured and consolidated the Annex A controls into four categories: organisational, people, physical, and technological12. These categories reflect the different aspects and dimensions of information security, and are aligned with the cybersecurity concepts of identify, protect, detect, respond, and recover3. The controls in each category are as follows4:

Organisational controls: These are controls that relate to the governance, management, and coordination of information security activities within the organisation. They include controls such as information security policies, roles and responsibilities, risk assessment and treatment, performance evaluation, and improvement.

People controls: These are controls that relate to the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. They include controls such as human resource security, training and awareness, access control, incident management, and business continuity.

Physical controls: These are controls that relate to the protection of physical assets and environments that store, process, or transmit information. They include controls such as physical security, environmental security, equipment security, and media security.

Technological controls: These are controls that relate to the use of technology to implement, monitor, and maintain information security. They include controls such as cryptography, network security, system security, application security, and threat intelligence.

Based on these categories, the controls listed in the question can be matched as follows:

8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected: This is a technological control, as it involves the use of technology to protect information on devices such as laptops, smartphones, tablets, etc. It may include measures such as encryption, authentication, antivirus, firewall, etc.

7.8 Equipment shall be sited securely and protected: This is a physical control, as it involves the protection of physical assets and environments that store, process, or transmit information. It may include measures such as locks, alarms, CCTV, fire suppression, etc.

5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation’s needs: This is an organisational control, as it involves the governance, management, and coordination of information security activities within the organisation. It may include measures such as defining the authority and accountability of information security personnel, establishing reporting lines and communication channels, assigning tasks and duties, etc.

6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation’s premises: This is a people control, as it involves the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. It may include measures such as providing guidance and training on remote working, enforcing policies and procedures, monitoring and auditing remote activities, etc.

= 1: A Breakdown of ISO 27001:2022 Annex A Controls - BARR Advisory42: ISO 27001:2022 Annex A Controls - What’s New? | ISMS.Online13: How many controls are there in ISO 27001:2022? - Strike Graph34: ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, Annex A.

The correct answer is during the first and second years of certification, making option B correct. According to ISO/IEC 17021-1, ISO/IEC 27006, and standard certification cycle rules, ISO/IEC 27001 certification follows a three-year certification cycle. After the initial certification audit, the organization is subject to periodic surveillance audits to ensure continued conformity of the ISMS.

Surveillance audits are typically conducted annually during the first and second years following certification. Their purpose is to verify that the ISMS remains effective, that corrective actions are maintained, and that the organization continues to comply with ISO/IEC 27001 requirements. These audits are less extensive than the initial certification audit but still cover critical ISMS elements, changes, incidents, and improvement activities.

Option A is incorrect because surveillance audits are mandatory and scheduled by the certification body, not optional or request-based. Option C is incorrect because five years exceeds the standard certification cycle. Instead, a recertification audit is conducted in the third year, not a surveillance audit.

Therefore, surveillance audits are normally conducted during the first and second years after certification, confirming option B as correct.

The technical expert can communicate their audit findings to the auditee only through one of the audit team members. This ensures that communications remain coordinated and that the audit team maintains control over the audit process.

Audit planning for certification audits is defined by ISO 19011:2018, clause 6.3 (Preparing audit activities) and ISO/IEC 27006.

Key audit planning documents include:

Audit plan (mandatory, prepared by team leader)

Checklists (supporting tool for consistency and coverage of requirements)

List of external providers (required to check compliance with ISO/IEC 27001 Annex A.5.19 – supplier relationships and A.5.20 – supplier agreements)

Sample plans (used when sampling evidence across sites, processes, or records is needed, especially in Stage 2 audits)

However, the following are not required:

B. Career history of the IT manager – Personnel competence may be verified during interviews and evidence review, but an auditor does not need career histories as part of audit planning. ISO 19011 only requires access to competence records if needed but not CVs.

F. Organisation’s financial statement – Financial performance is not part of ISMS audit planning unless it relates to identified risks or contractual obligations. ISO/IEC 27001 focuses on information security risks, not financial audit compliance.

ISO 19011:2018 (clause 6.3.2) clearly defines the required planning inputs as:

Audit objectives, scope, and criteria

Audit team roles and responsibilities

Allocation of resources

Information about the auditee’s ISMS (e.g., documented scope, processes, external provider relationships, relevant legal/regulatory requirements)

There is no mention of personnel CVs or financial statements being required.

Final Correct Answer: B and F

Audit methods are the techniques and procedures that auditors use to collect and evaluate audit evidence. Audit methods can be classified into two categories: those that involve human interaction and those that do not. Human interaction methods are those that require direct or indirect communication with the auditee or other relevant parties, such as interviews, questionnaires, surveys, observations, or walkthroughs. Non-human interaction methods are those that do not require any communication with the auditee or other parties, such as document reviews, data analysis, or remote surveillance.

Some examples of audit methods that do not involve human interaction are:

Performing a review of auditee’s procedures in preparation for an audit: This method involves examining the auditee’s documented information, such as policies, processes, records, or reports, to verify their adequacy and effectiveness in meeting the audit criteria. The auditor does not need to interact with the auditee or anyone else to perform this method.

Analysing data by remotely accessing the auditee’s server: This method involves accessing and processing the auditee’s data, such as performance indicators, logs, metrics, or statistics, to verify their accuracy and reliability in meeting the audit criteria. The auditor does not need to interact with the auditee or anyone else to perform this method.

ISO/IEC 27001:2022 explicitly requires that risk treatment decisions be based on the results of the information security risk assessment. Clause 6.1.3 states that, after completing a risk assessment, the organization shall determine appropriate risk treatment options and select controls to implement those options. This ensures that controls are proportionate, justified, and aligned with actual information security risks rather than arbitrary or purely cost-driven decisions.

In the scenario, Knight conducted a risk assessment after implementing SSH to replace FTP and then chose a risk treatment option based on the assessment results. This approach is fully compliant with ISO/IEC 27001. The organization first identified the risk, implemented a control to address the vulnerability, and then reassessed the residual risk to confirm whether it was reduced to an acceptable level. This demonstrates a structured and systematic risk management process.

Option B is incorrect because ISO/IEC 27001 does not allow financial considerations to override risk assessment outcomes. While cost is a factor, it must be balanced against the risk and potential impact. Option C is incorrect because random selection of risk treatment options contradicts the fundamental principles of risk-based decision-making and would undermine the effectiveness of the ISMS.

Therefore, selecting a risk treatment option based on risk assessment results is not only acceptable but required under ISO/IEC 27001:2022.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

Virtual audits require predefined remote access protocols to ensure secure, authorized connections for data review.

ISO 19011:2018 provides guidelines for virtual auditing security measures.

B. Incorrect:

Internal audits may use remote access, but agreement is not mandatory.

C. Incorrect:

External audits may involve remote access but do not require predefined agreements in all cases.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.10 (Remote and Virtual Auditing Procedures)

Detection risk refers to the risk that the auditor will not detect a material misstatement or significant issue within the organization's ISMS. In this case, the auditor's inability to identify Company A's insecure network architecture is a detection risk.

According to ISO/IEC 27001 guidelines, any significant changes to the scope of the ISMS, such as a merger, must be communicated to the certification body. This ensures that the certification remains valid and that all locations and processes are included in the scope. The certification body will then decide the appropriate actions to incorporate the new entity into the existing certification.

Establishing the audit programme objectives, scope and criteria

Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc.

Selecting and appointing the audit team leaders and auditors

Reviewing and approving the audit plans and arrangements

Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc.

Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities

Monitoring and reviewing the performance and results of the audit programme and the audit teams

Evaluating the feedback and satisfaction of the auditees and other interested parties

Identifying and implementing the opportunities for improvement of the audit programme

The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors12:

Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc.

Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc.

Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee

Defining the plan of an individual audit, which includes the audit schedule, the audit activities, the audit methods, the audit documents, etc.

The four statements that are true are:

•Major nonconformities may be subject to on-site follow up

•The action taken to address major nonconformities is typically more substantial than the action taken to address minor nonconformities

•Several minor nonconformities can be grouped into a major nonconformity

•Nonconformities may be graded to indicate their significance

According to ISO 19011:2018, a nonconformity is the non-fulfilment of a requirement1. Nonconformities may be graded to indicate their significance, based on the criteria established by the audit programme or the audit client2. The grading of nonconformities may use different terms or levels, such as major, minor, critical, etc., depending on the nature and context of the audit3. However, some common definitions of major and minor nonconformities are:

•A major nonconformity is a nonconformity that affects the ability of the management system to achieve its intended results, or that represents a significant breakdown of the management system4. Major nonconformities may require immediate corrective action and on-site follow up by the auditor to verify their closure5.

•A minor nonconformity is a nonconformity that does not affect the ability of the management system to achieve its intended results, or that represents an isolated lapse of the management system4. Minor nonconformities may require corrective action within a specified time frame and off-site verification by the auditor to confirm their closure5.

The action taken to address nonconformities depends on the severity and impact of the nonconformity, and the risk of recurrence or escalation. Typically, the action taken to address major nonconformities is more substantial than the action taken to address minor nonconformities, as it may involve identifying and eliminating the root cause of the problem, implementing preventive measures, and monitoring the effectiveness of the solution.

Several minor nonconformities can be grouped into a major nonconformity if they are related to the same requirement, process, or area, and if they indicate a systemic failure or a significant risk to the management system. The auditor should use professional judgment and evidence-based approach to decide whether to group or report nonconformities individually.

The other statements are false, based on the guidance of ISO 19011:2018. For example:

•Option B is false, because nonconformities can be graded using different terms or levels, depending on the criteria established by the audit programme or the audit client2. The terms ‘major’ and ‘minor’ are not mandatory or universal, but rather examples of possible grading levels3.

•Option D is false, because very minor nonconformities should not be re-graded as opportunities for improvement, but rather reported as nonconformities, as they still represent a non-fulfilment of a requirement1. An opportunity for improvement is a suggestion for enhancing the performance or effectiveness of the management system, but it is not a nonconformity or a requirement.

•Option F is false, because the grading of nonconformities does not have to be explained to the auditee at the opening meeting, but rather at the closing meeting, where the audit findings and conclusions are presented and discussed. The opening meeting is intended to provide an overview of the audit objectives, scope, criteria, and methods, and to confirm the audit arrangements and logistics.

•Option G is false, because the auditee is not always responsible for determining the criteria for grading nonconformities, but rather the audit programme or the audit client, in consultation with the auditee and other relevant parties2. The auditee is responsible for taking corrective action to address the nonconformities, and for providing evidence of their completion and effectiveness.

Qualitative evidence in an audit typically involves observations, interviews, and reviews that provide insights into the processes and compliance through subjective but informed assessments. An interview with information security personnel to validate compliance with the standard requirements is an example of qualitative evidence, where the quality and effectiveness of processes are assessed based on expert judgments rather than measurable metrics.

The overall competence of the12:

The audit scope and criteria: The audit scope defines the extent and boundaries of the audit, such as the locations, processes, functions, and time period to be audited. The audit criteria are the set of policies, procedures, standards, or requirements used as a reference against which the audit evidence is compared. The audit scope and criteria determine the complexity and extent of the audit, and thus influence the number and expertise of the auditors needed to cover all the relevant aspects of the audit.

The overall competence of the audit team needed to achieve audit objectives: The audit team should have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results. The audit team competence should include the following elements12:

Generic competence: The ability to apply the principles and methods of auditing, such as planning, conducting, reporting, and following up the audit, as well as the personal behaviour and attributes of the auditors, such as ethical conduct, fair presentation, professional care, independence, and impartiality.

Discipline and sector-specific competence: The ability to understand and apply the audit criteria and the relevant technical or industry aspects of the audited organization, such as the information security management system (ISMS) requirements, the information security risks and controls, the legal and regulatory obligations, the organizational context and culture, the processes and activities, the products and services, etc.

Audit team leader competence: The ability to manage the audit team and the audit process, such as coordinating the audit activities, communicating with the audit programme manager and the auditee, resolving any audit-related problems, ensuring the quality and consistency of the audit work and the audit report, etc.

The person responsible for managing the audit programme should not consider the following factors when deciding the size and composition of the audit team for a specific audit, as they are either irrelevant or inappropriate for the audit process12:

Customer relationships: The audit team should not be influenced by any personal or professional relationships with the auditee or other interested parties, as this may compromise the objectivity and impartiality of the audit. The audit team should avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.

Seniority of the audit team leader: The audit team leader should be selected based on their competence and experience, not on their seniority or rank within the organization or the audit programme. The audit team leader should have the authority and responsibility to manage the audit team and the audit process, regardless of their seniority or position.

The cost of the audit: The cost of the audit should not be the primary factor for determining the size and composition of the audit team, as this may compromise the quality and effectiveness of the audit. The audit team should have sufficient resources and time to conduct the audit in accordance with the audit objectives, scope, and criteria, and to provide accurate and reliable audit results and recommendations.

The duration preferred by the auditee: The duration of the audit should be based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee, not on the preference or convenience of the auditee. The audit team should have enough time to conduct the audit in a thorough and systematic manner, and to collect and evaluate sufficient and relevant audit evidence.

According to ISO 19011:2018, which provides guidelines for auditing management systems, the audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system1. Therefore, these three phrases are examples of objectives in relation to an audit. The other options are not objectives, but rather elements or factors that may influence or affect an audit. For example, an international standard is a source of audit criteria, a management policy is a part of the audited management system, and completing an audit on time is a requirement for an effective audit. References: ISO 19011:2018 - Guidelines for auditing management systems

According to ISO/IEC 27001:2022, clause 7.2.2, the organization shall ensure that all persons who have access to information are aware of the information security policy and their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance2. Therefore, awareness training on information security is a requirement for all persons, not just new hires. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

It is acceptable and often necessary for auditors to test technical controls such as firewalls to validate the operation and effectiveness of these processes during an ISMS audit. This hands-on testing provides concrete, technical evidence of the security measures' performance.

The correct statement which defines the content of the scope of the ISMS is that the ISMS scope should take any information security issues that have occurred and any interested parties’ requirements into consideration. According to ISO/IEC 27001:2022, the scope of the ISMS should be determined by considering the internal and external issues, the requirements and expectations of interested parties, the interfaces and dependencies between the organisation and other parties, and the information security risks. The scope of the ISMS should also be aligned with the strategic direction of the organisation and be appropriate to its purpose and context. The scope of the ISMS should not be limited by the government’s recommendation, nor exclude external service providers, nor be based on a single department or function, unless these are justified by the risk assessment and the needs and expectations of interested parties. References: = ISO/IEC 27001:2022, clause 4.3; PECB Candidate Handbook ISO 27001 Lead Auditor, page 15; ISO 27001 scope statement | How to set the scope of your ISMS - Advisera.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO 19011:2018 states that the audit team leader is responsible for compiling and finalizing the audit report.

B. Incorrect:

Team members contribute findings, but the leader ensures finalization.

C. Incorrect:

The certification body reviews but does not prepare the report.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.7.1 (Audit Report Preparation and Approval)

A document review is a process of examining the documented information related to the management system before the on-site audit activities. The purpose of a document review is to: 12

Determine the conformity of the management system, as far as documented, with audit criteria, i.e., to check whether the documents are consistent, complete, and compliant with the requirements of ISO/IEC 27001 and any other applicable standards or regulations.

Gather information to support the on-site audit activities, i.e., to identify the scope, objectives, processes, controls, risks, and opportunities of the management system, and to plan the audit methods, techniques, and resources accordingly.

The other statements are not accurate, because:

A document review does not reveal or decide about the conformity or nonconformity of the management system as a whole, but only of the documented information. The conformity or nonconformity of the management system is determined by the on-site audit activities, which include interviews, observations, and tests12

A document review does not gather evidence or findings to support the audit report or process, but information to support the on-site audit activities. The evidence or findings are collected during the on-site audit activities, which are then documented and reported12

A document review does not detect any nonconformity of the management system, if documented, but determines the conformity of the documented information. The nonconformity of the management system is detected by the on-site audit activities, which evaluate the performance and effectiveness of the management system12

A document review does not identify information to support the audit plan, but gathers information to support the on-site audit activities. The audit plan is prepared before the document review, based on the audit scope, objectives, criteria, and program. The document review is part of the audit plan implementation12

Signing the certification agreement, which should clearly outline the audit objectives, scope, and responsibilities, would help prevent misunderstandings between the certification body and Data Grid Inc. A well-defined agreement ensures both parties have a clear understanding of what the audit will entail and what outputs are expected.

A first-party audit is an internal audit in which the organization’s own staff or contractors check the conformity and effectiveness of the ISMS. A certification body auditor and an audit team from an accreditation body are external auditors who conduct audits for the purpose of certification or accreditation. They do not participate in a first-party audit, but rather in a third-party audit. References: First & Second Party Audits - operational services, The ISO 27001 Audit Process | Blog | OneTrust, The ISO 27001 Audit Process | A Beginner’s Guide - IAS USA

The three options that would not be valid audit trails are:

•Collect more evidence on how the organisation manages the Point of Contact (PoC) which monitors vulnerabilities. (Relevant to clause 8.1)

•Collect more evidence on whether terms and definitions are contained in the information security policy. (Relevant to control 5.32)

•Collect more evidence to determine if ISO 27035 (Information security incident management) is used as internal audit criteria. (Relevant to clause 8.13)

These options are not valid audit trails because they are not directly related to the information security incident management process, which is the focus of the audit. The audit trails should be relevant to the objectives, scope, and criteria of the audit, and should provide sufficient and reliable evidence to support the audit findings and conclusions1.

Option E is not valid because the PoC is not a part of the information security incident management process, but rather a role that is responsible for reporting and escalating information security incidents to the appropriate authorities2. The audit trail should focus on how the PoC performs this function, not how the organisation manages the PoC.

Option G is not valid because the terms and definitions are not a part of the information security incident management process, but rather a part of the information security policy, which is a high-level document that defines the organisation’s information security objectives, principles, and responsibilities3. The audit trail should focus on how the information security policy is communicated, implemented, and reviewed, not whether it contains terms and definitions.

Option H is not valid because ISO 27035 is not a part of the information security incident management process, but rather a guidance document that provides best practices for managing information security incidents4. The audit trail should focus on how the organisation follows the requirements of ISO/IEC 27001:2022 for information security incident management, not whether it uses ISO 27035 as an internal audit criteria.

The other options are valid audit trails because they are related to the information security incident management process, and they can provide useful evidence to evaluate the conformity and effectiveness of the process. For example:

•Option A is valid because it relates to control A.5.29, which requires the organisation to establish procedures to isolate and quarantine areas subject to information security incidents, in order to prevent further damage and preserve evidence5. The audit trail should collect evidence on how the organisation implements and tests these procedures, and how they ensure the continuity of information security during disruption.

•Option B is valid because it relates to control A.6.8, which requires the organisation to establish mechanisms for reporting information security events and weaknesses, and to ensure that they are communicated in a timely manner to the appropriate levels within the organisation6. The audit trail should collect evidence on how the organisation defines and uses these mechanisms, and how they monitor and review the reporting process.

•Option C is valid because it relates to clause 7.2, which requires the organisation to provide information security awareness, education, and training to all persons under its control, and to evaluate the effectiveness of these activities7. The audit trail should collect evidence on how the organisation identifies the information security training needs, how they deliver and record the training, and how they measure the learning outcomes and feedback.

•Option D is valid because it relates to control A.5.27, which requires the organisation to learn from information security incidents and to implement corrective actions to prevent recurrence or reduce impact8. The audit trail should collect evidence on how the organisation analyses and documents the root causes and consequences of information security incidents, how they identify and implement corrective actions, and how they verify the effectiveness of these actions.

•Option F is valid because it relates to control A.5.30, which requires the organisation to establish and maintain a business continuity plan to ensure the availability of information and information processing facilities in the event of a severe information security incident9. The audit trail should collect evidence on how the organisation develops and updates the business continuity plan, how they test and review the plan, and how they communicate and train the relevant personnel on the plan.

These four scenarios are examples of a lack of competence, which is defined as the ability to apply the knowledge and skills needed to perform a work role or a task effectively and efficiently12. Competence in ISO 27001:2022 is determined by the organisation’s needs and expectations, and it is based on the relevant education, training, or experience of the people involved in the ISMS34. The organisation is required to ensure that all the people who affect the performance of the ISMS are competent, and to provide them with the necessary training and awareness to fulfil their roles and responsibilities35. The four scenarios indicate that the people involved either lack the knowledge or skills to perform their tasks, or have not received the appropriate training or guidance to do so. The other scenarios are not related to competence, but to other factors such as negligence, error, or policy violation.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

A missing reference to continual improvement is a documentation issue, not an immediate security risk, making it a minor nonconformity.

A. Incorrect:

Lack of employee training poses a direct security risk (major nonconformity).

B. Incorrect:

Missing multi-factor authentication significantly weakens security (major nonconformity).

Relevant Standard Reference:

ISO/IEC 27001:2022 Clause 10.1 (Continual Improvement)

If an organization like OrgXY informs the certification body that it is not ready to conduct the surveillance audit as scheduled, the certification may be suspended. This is because the surveillance audit is a critical part of the ongoing certification maintenance, required to ensure continued compliance with the standard.

The audit procedure used here is "analysis." The audit team analyzed server logs to verify if they can be edited or deleted, focusing on evaluating the logs' properties and the controls over their manipulation to ensure they comply with ISO/IEC 27001 requirements.

The standard definition of ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. This definition is given in clause 3.17 of ISO/IEC 27001:2022, and it describes the main components and purpose of an ISMS. An ISMS is not a project-based approach, as it is an ongoing process that requires continual improvement. An ISMS is not a company wide business objective, as it is a management system that supports the organization’s objectives. An ISMS is not an information security systematic approach, as it is a broader concept that encompasses the organization’s context, risks, controls, and performance. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 15. : ISO/IEC 27001:2022, clause 3.17.

This statement encapsulates the relationship between threats, vulnerabilities, and assets within the context of information security. Threats are potential causes of an unwanted incident, which may result in harm to a system or organization. Vulnerabilities are weaknesses that can be exploited by threats to cause harm. Assets are valuable resources to an organization that need protection. Therefore, when threats exploit vulnerabilities, they can damage or destroy assets. References: = The explanation is based on the foundational concepts of information security as outlined in ISO/IEC 27001, which includes understanding the interplay between threats, vulnerabilities, and assets as part of an information security management system (ISMS)

No, copies of files are not generally kept as audit records unless specifically required and agreed upon in the audit plan. Audit records typically include notes and observations made by auditors, not copies of the auditee's files, unless these are essential and explicitly allowed by the auditee.

Materiality in the context of an audit involves assessing what level of nonconformities or failures, including those related to legal and contractual compliance, would be significant enough to affect the audit conclusions. Costs related to these issues are considered when determining materiality.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

The Stage 1 audit (preliminary assessment) focuses on understanding the organization and its processes, identifying key areas for in-depth auditing in Stage 2.

Materiality-based prioritization occurs in Stage 1 to ensure the Stage 2 audit focuses on critical areas.

A. Incorrect:

Initial contact is only for scheduling and preliminary discussions.

C. Incorrect:

By Stage 2, the key areas should already be identified and the focus is on detailed auditing.

Relevant Standard Reference:

ISO/IEC 27006:2020 Clause 9.2.2 (Stage 1 Audit and Planning for Stage 2 Audit)

A threat in information security is any circumstance or event with the potential to cause harm to an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. The situation where hackers compromise an administrator’s account by cracking the password represents a direct threat to the security of the information system. References: = This explanation is based on general information security principles and the typical content covered in ISMS ISO/IEC 27001 Lead Auditor training and certification programs. It aligns with the knowledge expected of a professional with an ISO/IEC 27001 Lead Auditor certification

From Exact Extract:

Explanation for B (True):

This statement is true because ISO 27001 requires an organization to establish processes for identifying, reviewing, and complying with applicable legal, statutory, regulatory, and contractual obligations. A key part of this is being aware of changes to these requirements to maintain ongoing compliance. An auditor's role is to verify that the organization has such a process in place and that it is effective.

The four controls from the list that are related to PHYSICAL aspects of the ISMS are:

•Access to and from the loading bay

•How power and data cables enter the building

•The operation of the site CCTV and door control systems

•The organisation’s arrangements for maintaining equipment

These controls are derived from the ISO 27001 Annex A, which provides a comprehensive list of information security controls that can be applied to an ISMS1. The other controls in the list are more related to ORGANIZATIONAL, LEGAL, or HUMAN aspects of the ISMS, which are also important, but not the focus of this question.

According to the ISMS Auditing Guideline2, the auditor in training should review the PHYSICAL controls by:

•Checking the SoA to identify the applicable controls and their implementation status

•Interviewing the relevant staff and management to verify their understanding and involvement in the controls

•Observing the physical and environmental conditions to confirm the existence and effectiveness of the controls

•Examining the relevant documents and records to validate the compliance and performance of the controls

I hope this helps you prepare for the exam. ????

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer: Changes to the audit scope must be approved by the auditee, the auditor, and the certification body. This ensures fairness and maintains compliance with ISO 19011 guidelines on audit planning.

A. Incorrect: The audit schedule cannot be changed solely at Cobt’s request—approval is required.

B. Incorrect: Audit scope is not limited to technological changes but includes organizational and procedural changes as well.

Relevant Standard Reference:

ISO 19011:2018 Clause 5.5.2 (Determining the Audit Scope and Schedule)

ISO/IEC 27001:2022, clause 10.2 (Nonconformity and corrective action):

When a nonconformity occurs, the organization shall … take action to control and correct it, and deal with the consequences; evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere; implement any action needed; review the effectiveness of any corrective action taken.

The auditor’s responsibility is to verify effectiveness of corrective actions. This means the auditor must look for evidence of change that actually addresses the root cause and prevents recurrence — not just temporary fixes, promises, or documentation.

Let’s analyse the distractors:

A. Incorrect — corrective action should not allow recurrence.

B. Incorrect — refers to preventive action, which ISO 27001:2022 no longer uses as a separate concept; instead, it is integrated into risk management.

C. Weak — merely “reducing probability” is not sufficient; ISO 27001 requires elimination of causes to prevent recurrence.

D. Incorrect — “assurance from the auditee” is not acceptable evidence; auditors need objective evidence, not verbal commitment.

E. Incorrect — “comfort” is not an audit principle; ISO 19011 requires objective evidence.

F. Correct — aligns directly with ISO 27001 clause 10.2: “review the effectiveness of any corrective action taken … so that nonconformity does not recur.”

Thus, the correct nonconformity statement is:

“When reviewing the effectiveness of action taken in response to a nonconformity, an auditor seeks evidence of change that will prevent recurrence of the issue.”

As an employee, you should do the following when you see a visitor roaming around without visitor’s ID, except saying “hi” and offering coffee. Saying “hi” and offering coffee is not an appropriate action, as it may imply that you are welcoming or endorsing the visitor without verifying their identity or purpose. This may also give the visitor an opportunity to gain your trust or exploit your kindness. Calling the receptionist and informing about the visitor is an appropriate action, as it alerts the responsible staff to handle the situation and ensure that the visitor is authorized and registered. Greeting and asking him what is his business is an appropriate action, as it shows your concern and curiosity about the visitor’s presence and intention. Escorting him to his destination is an appropriate action, as it prevents the visitor from wandering around unattended and accessing unauthorized areas or information. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 42. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 15.

B. 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers12.

D. 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms13.

E. 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks14. Storage media controls could include physical locks, encryption, backup, disposal, or destruction14.

F. 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets15.

I. 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts16.

J. 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes1 . Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse1 .

References :=

ISO/IEC 27002:2022 Information technology — Security techniques — Code of practice for information security controls

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27003:2022 Information technology — Security techniques — Information security management systems — Guidance

ISO/IEC 27004:2022 Information technology — Security techniques — Information security management systems — Monitoring measurement analysis and evaluation

ISO/IEC 27005:2022 Information technology — Security techniques — Information security risk management

ISO/IEC 27006:2022 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems

[ISO/IEC 27007:2022 Information technology — Security techniques — Guidelines for information security management systems auditing]

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

Stage 1 audits identify gaps and allow the organization to correct major nonconformities before Stage 2 certification.

ISO/IEC 27006 requires organizations to address major nonconformities before proceeding to Stage 2.

A. Incorrect:

Organizations are allowed to correct nonconformities identified in Stage 1.

C. Incorrect:

Major changes must be addressed, not just minor modifications.

Relevant Standard Reference:

ISO/IEC 27006:2020 Clause 9.2.3 (Stage 1 and Stage 2 Audit Process)

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the auditor in training should review the organisational controls that are related to the information security policy, the roles and responsibilities, the information classification, the information exchange, the supplier relationships, and the information asset management1. These controls are aligned with the ISO/IEC 27001 requirements for clauses 5, 7, 8.2, 8.3, and 8.42. The other controls (A, D, G, and H) are more relevant to the physical and environmental security, the communications security, or the business continuity management, which are not part of the organisational controls3. References: 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 42, section 5.2.32: ISO/IEC 27001:2022, clauses 5, 7, 8.2, 8.3, and 8.43: ISO/IEC 27001:2022, clauses 8.1, 8.5, and 8.6.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer:

ISO/IEC 27001:2022 Annex A Control A.5.19 (Information Security in Supplier Relationships) requires organizations to monitor and control their suppliers to ensure compliance with security requirements.

Branding must monitor, assess, and ensure Techvology maintains compliance with ISO/IEC 27001 and outsourcing agreements.

B. Incorrect:

Even if not explicitly stated in the contract, ISO/IEC 27001 requires continual supplier monitoring.

C. Incorrect:

Branding is responsible for both controlling and monitoring outsourced services, not just monitoring them.

Relevant Standard Reference:

ISO/IEC 27001:2022 Annex A Control A.5.19 (Supplier Security Compliance)

ISO/IEC 27001:2022 Clause 8.2 (Outsourced Service Controls)

This situation represents a sampling error, making option B the correct answer. ISO 19011:2018 explicitly states that management system audits are conducted using sampling techniques because it is impractical to examine all available information within the constraints of time and resources. When auditors select a subset of records, there is an inherent risk that the sample may not fully represent the entire population.

In this scenario, the audit team reviewed training records for 15 out of 50 employees to assess conformity with ISO/IEC 27001 training and awareness requirements. While this is an acceptable and standard audit practice, it introduces the possibility that the selected sample may not reflect gaps or issues present in the remaining records. This uncertainty is known as sampling risk or sampling error.

Option A is incorrect because a “risk related to the auditor” generally refers to competence, impartiality, or ethical behavior issues, none of which are indicated here. The auditors followed a recognized audit method. Option C is incorrect because inherent risk relates to the nature of the organization or its environment, not to the audit technique used.

Sampling error does not imply that the audit conclusion is invalid; rather, it reflects a known limitation of audits that auditors must manage through professional judgment and appropriate sample selection. Therefore, reviewing a subset of training records represents sampling error.

The Plan-Do-Check-Act (PDCA) cycle is a four-step method for implementing and improving processes, products, or services. The “plan” phase involves establishing the objectives and processes necessary to deliver the desired results. This may include setting SMART goals, identifying resources, defining roles and responsibilities, conducting risk assessments, and developing plans for training, communication, and monitoring.

This scenario presents a risk that primarily impacts availability, which is one of the three core information security principles alongside confidentiality and integrity. Relying on a single server to manage all incoming traffic introduces a single point of failure, meaning that if the server fails, services become unavailable.

From an ISO/IEC 27001 perspective, this is clearly a risk, not merely a misconfiguration or a system error. A risk exists because there is a reasonable likelihood that the server could fail and a significant impact if it does, namely service disruption. ISO/IEC 27001 clause 6.1.2 requires organizations to identify such risks that could affect the availability of information and services.

Option B is incorrect because while misconfiguration can cause outages, the scenario does not describe an incorrect configuration; it describes an architectural dependency. Option C is incorrect because authentication is not the primary concern; the issue affects the ability to deliver services at all, regardless of user authentication.

Availability is explicitly addressed in ISO/IEC 27002:2022 through controls such as redundancy and capacity management. The absence of redundancy increases availability risk. Therefore, the scenario correctly represents a risk impacting availability, making option A the best answer.

The appropriate actions to take next are to investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied, to determine whether the high levels of rainfall have had other impacts on data centre operations, and to check with the guide that they intend to initiate the organisation’s information security incident process. These actions are relevant to the ISMS audit objectives and criteria, as they relate to the organisation’s risk assessment and treatment, security performance, and incident management processes. The other actions are either not within the scope of the ISMS audit, not required by the ISO/IEC 27001 standard, or not the responsibility of the auditor. References: PECB Candidate Handbook1, page 21-22; ISO/IEC 27001:2022 (en)2, clauses 6.1, 8.2, 9.1, and 10.2.

The three Annex A controls that you would expect the auditee to have implemented when you conduct the follow-up audit are:

B. 5.13 Labelling of information

E. 5.34 Privacy and protection of personal identifiable information (PII)

G. 6.3 Information security awareness, education, and training

B. This control requires the organisation to label information assets in accordance with the information classification scheme, and to handle them accordingly12. This control is relevant for the auditee because it could help them to avoid misaddressing labels and sending parcels to wrong destinations, which could compromise the confidentiality, integrity, and availability of the information assets. By labelling the information assets correctly, the auditee could also ensure that they are delivered to the intended recipients and that they are protected from unauthorized access, use, or disclosure.

E. This control requires the organisation to protect the privacy and the rights of individuals whose personal identifiable information (PII) is processed by the organisation, and to comply with the applicable legal and contractual obligations13. This control is relevant for the auditee because it could help them to prevent the unauthorized use of residents’ personal data by a supplier, which could violate the privacy and the rights of the residents and their family members, and expose the auditee to legal and reputational risks. By protecting the PII of the residents and their family members, the auditee could also enhance their trust and satisfaction, and avoid complaints and disputes.

G. This control requires the organisation to ensure that all employees and contractors are aware of the information security policy, their roles and responsibilities, and the relevant information security procedures and controls14. This control is relevant for the auditee because it could help them to improve the information security culture and behaviour of their staff, and to reduce the human errors and negligence that could lead to information security incidents. By providing information security awareness, education, and training to their staff, the auditee could also increase their competence and performance, and ensure the effectiveness and efficiency of the information security processes and controls.

From Exact Extract:

Explanation for A (Sole Responsibility of Audit Team Leader):

The audit team leader is ultimately responsible for ensuring the audit team has the necessary competence and resources to conduct the audit effectively and achieve its objectives. This includes the crucial task of selecting the appropriate team members, considering their individual competencies, sector experience, and linguistic capabilities to cover the audit scope. While the certification body might provide a pool of auditors, the specific selection for a given audit is the team leader's responsibility to ensure the team is fit for purpose.

By using illegal versions of software, NightCore ignored the control about intellectual property rights under Annex A.8.1.1 of ISO/IEC 27001, which requires the protection of organizational records to include intellectual property and personal information held in the form of data or software.

Audit evidence should be evaluated against the audit criteria in order to determine audit findings.

Audit evidence is the information obtained by the auditors during the audit process that is used as a basis for forming an audit opinion or conclusion12. Audit evidence could include records, documents, statements, observations, interviews, or test results12.

Audit criteria are the set of policies, procedures, standards, regulations, or requirements that are used as a reference against which audit evidence is compared12. Audit criteria could be derived from internal or external sources, such as ISO standards, industry best practices, or legal obligations12.

Audit findings are the results of a process that evaluates audit evidence and compares it against audit criteria13. Audit findings can show that audit criteria are being met (conformity) or that they are not being met (nonconformity). They can also identify best practices or improvement opportunities13.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

Components of Audit Findings - The Institute of Internal Auditors

A third-party virtual audit is an external audit conducted by an independent certification body using remote technology such as video conferencing, screen sharing, and electronic document exchange. The purpose of a third-party virtual audit is to verify the conformity and effectiveness of the information security management system (ISMS) and to issue a certificate of compliance12

Before you start conducting the audit, you would need to inform the auditee about the following issues: 12

You will ask those being interviewed to state their name and position beforehand, i.e., to confirm their identity and role in the ISMS. This is to ensure that you are interviewing the relevant personnel and that they are authorized to provide information and evidence for the audit.

You will ask for a 360-degree view of the room where the audit is being carried out, i.e., to verify the physical and environmental security of the audit location. This is to ensure that there are no unauthorized persons or devices in the vicinity that could compromise the confidentiality, integrity, or availability of the information being audited.

The other issues are not relevant or appropriate for a third-party virtual audit, because:

You will ask to see the ID card of the person that is on the screen, i.e., to verify their identity. This is not necessary if you have already asked them to state their name and position beforehand, and if you have access to the auditee’s organizational chart or staff directory. Asking to see the ID card could also be seen as intrusive or disrespectful by the auditee.

You will take photos of every person you interview, i.e., to document the audit process. This is not advisable as it could violate the privacy or consent of the auditee and the interviewees. Taking photos could also be seen as unprofessional or suspicious by the auditee. You should rely on the audit records and evidence provided by the auditee and the audit tool instead.

You will not record any part of the audit, unless permitted, i.e., to respect the auditee’s preferences and rights. This is not a valid issue to inform the auditee about, as you should always record the audit for quality assurance and verification purposes. Recording the audit is also a requirement of the ISO/IEC 27001 standard and the certification body. You should inform the auditee that you will record the audit and obtain their consent before the audit begins.

You expect the auditee to have assessed all risks associated with online activities, i.e., to ensure the security of the audit process. This is not an issue to inform the auditee about, as it is part of the auditee’s responsibility and obligation to have a risk assessment and treatment process for their ISMS. You should assess the auditee’s risk management practices and controls during the audit, not before it.

The audit team employed an evidence-based approach, making option A the correct answer. This is explicitly demonstrated throughout the scenario and aligns directly with ISO 19011:2018, which defines evidence-based auditing as one of the fundamental principles of auditing management systems. An evidence-based approach requires that audit conclusions are based on verifiable information and objective evidence rather than assumptions, opinions, or hypothetical scenarios.

In the scenario, the audit team clearly states that only information capable of being verified to some extent was considered valid audit evidence. This reflects the ISO 19011 requirement that audit evidence should be verifiable, relevant, and based on samples of available information. The auditors documented observations, inspection notes, asset inventories, and firewall configurations, all of which are tangible and verifiable sources of audit evidence. Even in situations where evidence was difficult to verify, the auditors applied professional judgment to assess reliability, which is consistent with the principle of due professional care rather than speculative analysis.

Option B is incorrect because a risk-based approach focuses on prioritizing audit activities based on risk levels, not on how conclusions are reached. While risk awareness may influence audit planning, it does not define the method of forming conclusions. Option C is incorrect because hypothetical analysis is not recognized as an acceptable audit method under ISO standards. ISO audits must be grounded in factual, verifiable evidence.

Therefore, the audit team’s systematic reliance on verifiable information confirms that an evidence-based approach was used.

Furthermore, Jack’s understanding of NightCore’s organizational context, management practices, and applicable statutory and regulatory requirements demonstrates competence in applying audit criteria within the organization’s specific environment. His ability to exercise professional judgment when evidence is difficult to verify further supports his suitability as an audit team leader.

Option A is incorrect because Jack’s experience spans multiple relevant domains, not just a few limited areas. Option B is incorrect because auditor competence is not based solely on understanding organizational structure; it requires a broader combination of auditing, technical, and contextual knowledge, all of which Jack clearly demonstrates.

By drafting a procedure for information labeling, EsBank has submitted an action plan to resolve the nonconformity. This step addresses the immediate issue identified during the audit by establishing a consistent approach to labeling information according to its classification.

The best way to dispose of a hard copy of a customer design document is to shred it using a shredder. This is because shredding ensures that the document is destroyed and cannot be reconstructed or accessed by unauthorized persons. A customer design document may contain sensitive or confidential information that could cause harm or damage to the customer or the organization if disclosed. Therefore, it is important to protect the confidentiality and integrity of the document until it is securely disposed of. Throwing it in any dustbin, giving it to the office boy to reuse it for other purposes, or reusing it for writing are not secure ways of disposing of the document, as they could expose the document to unauthorized access, theft, loss or damage. ISO/IEC 27001:2022 requires the organization to implement procedures for the secure disposal of media containing information (see clause A.8.3.2). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Secure Disposal?

While competence is important for an effective ISMS, the specific competence records of the ISMS manager are less relevant when determining resources for the internal audit program. The focus should be on resources directly related to the audit process itself. Here's why the other options matter:

•A. Availability of competent auditors and technical experts: Crucial for conducting thorough audits and accurately assessing the ISMS.

•C. Availability of the necessary documented information: Essential for auditors to review policies, procedures, and records related to the ISMS.

•D. Impact of different time zones: Can affect scheduling, coordination, and communication during the audit, potentially requiring additional resources.

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer: ISO/IEC 27001 Clause 6.2 (Information Security Objectives and Planning to Achieve Them) requires information security objectives to be based on risk assessment results.

A. Incorrect: While objectives can be revised, they must be initially established based on risk assessment findings.

B. Incorrect: Objectives should be set after risk assessment, but security objectives are not dependent on full implementation.

Thus, Clinic did not follow the correct sequence in establishing security objectives before conducting a risk assessment.

The only option that is not prohibited in acceptable use of information assets is C: company-wide e-mails with supervisor/TL permission. This option implies that the sender has obtained the necessary authorization from their supervisor or team leader to send an e-mail to all employees in the organization. This could be done for legitimate business purposes, such as announcing important news, events or updates that are relevant to everyone. However, this option should still be used sparingly and responsibly, as it could cause unnecessary disruption or annoyance to the recipients if abused or misused. The other options are prohibited in acceptable use of information assets, as they could violate the information security policies and procedures of the organization, as well as waste resources and bandwidth. Electronic chain letters (A) are messages that urge recipients to forward them to multiple other people, often with false or misleading claims or promises. They are considered spam and could contain malicious links or attachments that could compromise information security. E-mail copies to non-essential readers (B) are messages that are sent to recipients who do not need to receive them or have no interest in them. They are considered unnecessary and could clutter the inbox and distract the recipients from more important messages. Messages with very large attachments or to a large number of recipients (D) are messages that consume a lot of network resources and could affect the performance or availability of the information systems. They could also exceed the storage capacity or quota limits of the recipients’ mailboxes and cause problems for them. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Acceptable Use?

Auditors have the authority to object or even refuse an audit mandate if they believe that the audit duration proposed by the auditee is not sufficient to thoroughly assess the ISMS. It is crucial for the audit to be comprehensive enough to cover all necessary aspects of the system, ensuring its effectiveness and compliance.

The auditors primarily collected physical and technical evidence, making option B the correct answer. Physical and technical evidence refers to evidence obtained through direct observation of systems, configurations, and operational practices, as well as inspection of tangible or technical elements within the organization’s environment.

In the scenario, the auditors reviewed firewall configurations, examined operational planning and control activities, and inspected the inventory of information and associated assets. Firewall configurations are a clear example of technical evidence, as they involve system settings and security mechanisms that can be directly reviewed and validated. Asset inventories, while documented, are often verified through physical or system-level inspection to confirm their accuracy and completeness. Operational planning and control observations involve witnessing how processes are executed in practice, which also constitutes physical or technical evidence.

Option A is incorrect because analytical and documentary evidence would primarily involve reports, metrics, trend analysis, or formal documents without direct system inspection. While some documentation was reviewed, the scenario emphasizes inspection and observation of operational and technical controls. Option C is incorrect because mathematical evidence is not a recognized audit evidence category under ISO standards.

ISO 19011 recognizes observation and inspection as valid methods for collecting audit evidence, particularly when assessing the effectiveness of technical and operational controls. Therefore, the evidence collected in this audit is best classified as physical and technical evidence.

This situation represents a nonconformity, making option B the correct answer. ISO/IEC 27001:2022 requires organizations to implement controls to manage information security risks and to support them with appropriate documented information where necessary. Allowing employees to use laptops outside the workplace without defined procedures represents a failure to implement adequate controls for protecting information assets.

From a control perspective, ISO/IEC 27002:2022 includes technological and organizational controls related to endpoint device security, protection of information assets, and secure use of equipment. Relying on employees’ “common knowledge” instead of defined procedures does not meet the requirement for systematic, repeatable, and auditable control implementation. Controls must be formally defined, communicated, and consistently applied.

Option A is incorrect because an anomaly is typically a one-off deviation or unusual occurrence that does not indicate a systemic failure. In this case, the absence of procedures is systemic and affects all employees who use laptops externally. Option C is incorrect because conformity would require documented, implemented, and effective controls aligned with identified risks, which is not the case here.

Even though Lawsy meets training and awareness requirements, training cannot substitute for missing operational controls and procedures. Auditors must assess both awareness and the existence of formal controls. Therefore, the lack of procedures for laptop use outside the workplace constitutes a nonconformity with ISO/IEC 27001 requirements.

The purpose of a follow-up audit is to verify the completion and effectiveness of corrective actions taken by the auditee in response to the nonconformities identified in a previous audit1. A follow-up audit is a type of audit that is conducted after an initial audit, and it focuses on the specific areas where nonconformities were found and corrective actions were agreed upon2. A follow-up audit can be conducted as a separate audit or as part of a scheduled audit, depending on the nature and severity of the nonconformities and the audit programme objectives3.

The other options are not the purpose of a follow-up audit, but rather the purpose of other types of audits. For example:

•Option A is the purpose of a performance audit, which is a type of audit that evaluates the effectiveness of the management system in achieving its intended results4.

•Option B is the purpose of a compliance audit, which is a type of audit that verifies the conformity of the management system with the specified requirements, such as the ISMS objectives5.

•Option C is the purpose of a process audit, which is a type of audit that examines the inputs, activities, outputs, and interactions of a specific process within the management system, such as the risk treatment process.

A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization’s management system to achieve its intended results, and therefore requires immediate corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system12.

A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system12.

The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because the top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee13.

The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee13.

References :=

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

Comprehensive and Detailed In-Depth Explanation:

Penetration testing (pen testing) is a simulated cyberattack used to assess security weaknesses in an ICT system.

B. Identifying failures in ICT protection schemes – Correct answer. The goal of penetration testing is to find vulnerabilities in networks, applications, and systems before attackers can exploit them. This aligns with ISO/IEC 27001:2022 Annex A Control A.8.16 (Monitoring Activities) and A.8.8 (Management of Technical Vulnerabilities).

A. Code reviews are not the primary goal of pen testing; static analysis tools are used for code security.

C. Physical inspections relate to hardware security audits, which are separate from penetration testing.

“In a third-party audit an observation can indicate conformity at organisation is not required to take action.”

According to the PECB Candidate Handbook1, an observation is “a statement of fact made during an audit and substantiated by objective evidence”. An observation can indicate conformity or nonconformity, but it does not require any corrective action from the audited organisation. A recommendation, on the other hand, is “a suggestion for improvement based on an observation”. A recommendation may or may not be accepted by the audited organisation.

According to the Fundamentals – Third parties2, a third-party audit is “an audit conducted by an external organisation that has the legal right to audit an organisation’s processes and procedures”. A third-party audit can result in a finding, which is “a conclusion reached by the auditor based on the audit evidence collected”. A finding can be positive or negative, depending on whether the audited organisation meets the audit criteria or not. A nonconformity is “a finding that indicates the non-fulfilment of a requirement”. A nonconformity requires corrective action from the audited organisation to prevent recurrence.

The audit team leader suggesting a specific solution on resolving the nonconformities is unacceptable in an external audit. This could compromise the impartiality of the audit process by appearing to assist the auditee in corrective actions, which should independently originate from the auditee to ensure the integrity and effectiveness of the ISMS.

Comprehensive and Detailed In-Depth Explanation:

A. Correct Answer: ISO/IEC 27001 Clause 4.1 (Understanding the Organization and Its Context) and Clause 4.2 (Understanding the Needs and Expectations of Interested Parties) require organizations to consider both internal and external issues when defining the scope of the ISMS.

The scenario states that Clinic only considered internal issues but did not assess external factors, such as regulatory requirements, industry standards, or cybersecurity threats.

B. Incorrect: The scope is not fully correct because external factors were not considered.

C. Incorrect: Justifying exclusions is necessary in the SoA, not in the ISMS scope statement.

By failing to consider external issues, Clinic's ISMS does not meet the full requirements of ISO/IEC 27001.

A management system audit is a systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. The audit criteria are a set of requirements that may include policies, procedures, standards, regulations, etc. The purpose of a management system audit is to evaluate the performance of an organisation’s management system in terms of its effectiveness, efficiency, compliance, and improvement. A management system audit can also identify strengths, weaknesses, opportunities, and risks of the management system and provide recommendations for improvement.

Vehicular incidents are not a type of information security attack. A vehicular incident is an event that involves a vehicle or its driver causing damage or injury to people or property. A vehicular incident may have an impact on information security if it affects the availability or integrity of information or systems that are transported or accessed by vehicles, but it is not an intentional or malicious attack on information security. Legal incidents are a type of information security attack that involve legal actions or disputes that may compromise the confidentiality or integrity of information or systems. Technical vulnerabilities are a type of information security attack that exploit weaknesses or flaws in software or hardware that may compromise the confidentiality, integrity, or availability of information or systems. Privacy incidents are a type of information security attack that involve unauthorized access or disclosure of personal or sensitive information that may compromise the confidentiality or integrity of information or systems. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 25. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 13.

The responsibilities described fit those of a "guide." A guide in an audit context is typically someone from the auditee's organization who facilitates audit activities, manages logistics, ensures compliance with health and safety policies, and may also witness the audit process, assisting the audit team.

Yes, Jack should communicate such situations to the certification body. It is essential for auditors to report potential nonconformities and ethical breaches to the certification body to maintain the integrity and credibility of the audit process, without necessarily informing top management of these steps.

The role and responsibility that system users should not observe in the event of an information security incident is D: make the information security incident details known to all employees. This is not a proper role or responsibility for system users, as it could cause unnecessary panic, confusion or speculation among employees who are not involved in the incident response process. It could also compromise the confidentiality and integrity of the incident information, which could be sensitive or confidential in nature. Making the information security incident details known to all employees could also violate the information security policies and procedures of the organization, which may require a certain level of discretion and confidentiality when dealing with incidents. The other roles and responsibilities are correct, as they describe what system users should do in the event of an information security incident, such as reporting the incident to the Servicedesk (A), preserving evidence if necessary (B), and cooperating with investigative personnel if needed ©. These roles and responsibilities help to ensure a quick, effective and orderly response to information security incidents. ISO/IEC 27001:2022 requires the organization to implement procedures for reporting and managing information security incidents (see clause A.16.1). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Information Security Incident Management?

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 5.2 requires top management to establish an information security policy that provides the framework for setting information security objectives1. Clause 6.2 requires top management to ensure that the information security objectives are established at relevant functions and levels1. Therefore, when verifying that the information security policy and objectives have been established by top management, an ISMS auditor should review relevant documents and records that demonstrate top management’s involvement and commitment.

To verify that the mobile device policy and objectives are implemented and effective, an ISMS auditor should review relevant documents and records that demonstrate how the policy and objectives are communicated, monitored, measured, analyzed, and evaluated. The auditor should also sample and verify the implementation of the controls that are stated in the policy.

Three options for the audit trail that are relevant to verifying the mobile device policy and objectives are:

Review the internal audit report to make sure the IT department has been audited: This option is relevant because it can provide evidence of how the IT department, which is responsible for managing the mobile devices and their security, has been evaluated for its conformity and effectiveness in implementing the mobile device policy and objectives. The internal audit report can also reveal any nonconformities, corrective actions, or opportunities for improvement related to the mobile device policy and objectives.

Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register: This option is relevant because it can provide evidence of how the mobile devices that are used by the medical staff, who are involved in processing and storing residents’ data, are registered in the asset register and have physical protection enabled. This can verify the implementation and effectiveness of two of the controls that are stated in the mobile device policy.

Review the asset register to make sure all company’s mobile devices are registered: This option is relevant because it can provide evidence of how the company’s mobile devices that are within the ISMS scope are identified and accounted for. This can verify the implementation and effectiveness of one of the controls that are stated in the mobile device policy.

The other options for the audit trail are not relevant to verifying the mobile device policy and objectives, as they are not related to the policy or objectives or their implementation or effectiveness. For example:

Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding physical security or access control, but not specifically to mobile devices.

Review visitors’ register book to make sure no visitor can have their personal mobile phone in the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security awareness or compliance, but not specifically to mobile devices.

Interview the supplier of the devices to make sure they are aware of the ISMS policy: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security within supplier relationships, but not specifically to mobile devices.

Interview top management to verify their involvement in establishing the information security policy and the information security objectives: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to verifying that the information security policy and objectives have been established by top management, but not specifically to mobile devices.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

ISO 19011:2018 mandates that auditors must obtain permission before making copies of documents.

Virtual audits must adhere to confidentiality agreements to protect sensitive data.

A. Incorrect:

Screenshots cannot be taken without permission, even if the audit is not recorded.

C. Incorrect:

Screenshots are allowed with prior authorization, ensuring proper data handling.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.10 (Virtual Auditing and Data Handling)

The two standards that are used as ISMS third-party certification audit criteria are ISO/IEC 27001 and relevant legal, statutory, and regulatory requirements. ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS)1. Relevant legal, statutory, and regulatory requirements are those that apply to the organization’s information security aspects and objectives2. The other options are either not standards (E) or not directly related to the ISMS certification audit criteria (A, B, C, F). References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 1 \n2: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 4.2

Comprehensive and Detailed In-Depth Explanation:

C. Correct Answer:

Internal audits detect nonconformities but do not actively prevent them.

A. Incorrect:

Internal audits verify corrective actions.

B. Incorrect:

Technology can reduce manual tasks in internal audits.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.4.7 (Audit Program Limitations)

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 7.2 requires an organization to determine the necessary competence of persons doing work under its control that affects its ISMS performance, and to provide training or take other actions to acquire or maintain the necessary competence1. Control A.6.3 requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect2. Therefore, if an ISMS auditor finds that the information security incident training effectiveness can be improved, this indicates an opportunity for improvement (OFI) that is relevant to clause 7.2 and control A.6.3.

According to ISO/IEC 27001:2022, clause 9.1 requires an organization to monitor, measure, analyze and evaluate its ISMS performance and effectiveness1. Control A.5.24 requires an organization to define and apply procedures for reporting information security events and weaknesses2. Therefore, if an ISMS auditor finds that based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel, this indicates a nonconformity (NC) that is not conforming with clause 9.1 and control A.5.24.

The other options are not correct options for preparing the audit findings based on the given information. For example, there is no nonconformance if the information security weaknesses, events, and incidents are reported, as this conforms with clause 9.1 and control A.5.24; there is no nonconformance if the information security handling training has performed, and its effectiveness was evaluated, as this conforms with clause 7.2 and control A.6.3; there is no nonconformity if the information security incident training has failed, as this may not necessarily indicate a lack of conformity with clause 7.2 or control A.6.3; there is no opportunity for improvement if the information security weaknesses, events, and incidents are reported, as this is already conforming with clause 9.1 and control A.5.24. References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27002:2013 - Information technology – Security techniques – Code of practice for information security controls

According to ISO 19011:2018, clause 5.3, the person responsible for managing the audit programme should determine the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. The audit resources should be sufficient and appropriate to ensure the quality and effectiveness of the audit programme and the audit results. The audit resources include the following elements12:

Essential resources: These are the resources that are required to conduct the audit programme and the individual audits, such as the audit documents, the audit methods, the audit tools, the audit schedule, the audit budget, etc. The essential resources should be identified and allocated based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee. The essential resources should also be reviewed and updated as necessary to reflect any changes or deviations in the audit programme or the individual audits.

Competent personnel: These are the audit team members who have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results and recommendations. The competent personnel should include the audit team leader, the auditors, and any technical experts or observers who support the audit team. The competent personnel should be selected and appointed based on the audit objectives, scope, and criteria, and the specific competence requirements for the audit programme and the individual audits. The competent personnel should also be independent and impartial, and avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.

The context of the organisation is the business environment in which the organisation operates and defines its information security management system (ISMS). It includes the internal and external factors and conditions that can influence the organisation’s information security objectives, strategies, and policies. The context of the organisation helps the organisation to identify the scope, boundaries, and requirements of the ISMS, as well as the interested parties and their expectations. The context of the organisation is determined by considering both internal and external issues, such as the organisational structure, culture, values, mission, vision, objectives, strategies, resources, capabilities, processes, activities, products, services, markets, customers, competitors, suppliers, partners, regulators, laws, regulations, standards, guidelines, best practices, risks, opportunities, threats, vulnerabilities, etc. References: ISO 27001:2022 Clause 4 Context of the organization, ISO 27001 Requirement 4.1 – Understanding the Context of the Organisation, ISO 27001 context of the organization – How to define it - Advisera