New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

PECB ISO-IEC-27001-Lead-Auditor Exam - Topic 1 Question 33 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 33
Topic #: 1
[All ISO-IEC-27001-Lead-Auditor Questions]

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security of the business continuity management process. During the audit, you learned that the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the recent pandemic. You ask Service Manager to explain how the organisation manages information security during the business continuity management process.

The Service Manager presents the nursing service continuity plan for a pandemic and summarises the process as

follows:

Stop the admission of any NEW residents.

70% of administration staff and 30% of medical staff will work from home.

Regular staff self-testing including submitting a negative test report 1 day BEFORE they come to the office.

Install ABC's healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking

on the spot.

You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents' personal data when staff work from home. The Service Manager cannot answer and suggests the n" Security Manager should help with that.

You would like to further investigate other areas to collect more audit evidence Select three options that will be in your audit trail.

Show Suggested Answer Hide Answer
Suggested Answer: A, E, F

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.5.29 requires an organization to establish and maintain a business continuity management process to ensure the continued availability of information and information systems at the required level following disruptive incidents1.The organization should identify and prioritize critical information assets and processes, assess the risks and impacts of disruptive incidents, develop and implement business continuity plans (BCPs), test and review the BCPs, and ensure that relevant parties are aware of their roles and responsibilities1. Therefore, when verifying the information security of the business continuity management process, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Three options that will be in the audit trail for verifying control A.5.29 are:

Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to protect the confidentiality, integrity and availability of information and information systems when staff work from home using mobile devices, such as laptops, tablets or smartphones.This is related to control A.6.7, which requires an organization to establish a policy and procedures for teleworking and use of mobile devices1.

Collect more evidence on how and when the Business Continuity Plan has been tested (Relevant to control A.5.29): This option is relevant because it can provide evidence of how the organization has tested and reviewed the BCPs to ensure their effectiveness and suitability for different scenarios, such as a pandemic.This is related to control A.5.29, which requires an organization to test and review the BCPs at planned intervals or when significant changes occur1.

Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to prevent or reduce the risk of infection or transmission of diseases among staff or residents, such as requiring regular staff self-testing and using a health status app.This is related to control A.7.2, which requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect1.

The other options are not relevant to verifying control A.5.29, as they are not related to the control or its requirements. For example:

Collect more evidence by interviewing more staff about their feeling about working from home (Relevant to clause 4.2): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 4.2, which requires an organization to understand the needs and expectations of interested parties, but not specifically to control A.5.29.

Collect more evidence on what resources the organisation provides to support the staff working from home (Relevant to clause 7.1): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 7.1, which requires an organization to determine and provide the resources needed for its ISMS, but not specifically to control A.5.29.

Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home (Relevant to clause 6): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 6, which requires an organization to plan actions to address risks and opportunities for its ISMS, but not specifically to control A.5.29.


by Sherrell at Apr 22, 2024, 05:27 PM

Limited Time Offer

25%

Off

Get Premium ISO-IEC-27001-Lead-Auditor Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Krissy
3 months ago
Collecting evidence on BCP testing is crucial too!
upvoted 0 times
...
Goldie
3 months ago
I think they should definitely focus on mobile device security.
upvoted 0 times
...
Kristel
3 months ago
Wait, how can they ensure family members don’t access personal data?
upvoted 0 times
...
Joesph
4 months ago
I agree, but what about data security? That's a big gap!
upvoted 0 times
...
Bettye
4 months ago
Sounds like they have a solid plan for staff working from home.
upvoted 0 times
...
Aileen
4 months ago
I feel like we should also look into how the BCP has been tested. Option E might give us insights into their preparedness and effectiveness during the pandemic.
upvoted 0 times
...
Quentin
4 months ago
I recall a practice question about ensuring staff have the right resources while teleworking. Option C could be useful to see if they provide adequate support for secure remote work.
upvoted 0 times
...
Tomas
4 months ago
I'm not entirely sure, but I think interviewing staff about their feelings on working from home might not give us the concrete evidence we need. Option B seems less relevant to information security.
upvoted 0 times
...
Kristofer
5 months ago
I remember we discussed the importance of managing information security on mobile devices, especially with staff working from home. I think option A makes the most sense to investigate further.
upvoted 0 times
...
Teresita
5 months ago
I feel pretty confident about this one. The key is to collect evidence on the specific security controls and processes the organization has in place to support their business continuity plan, especially around remote work and mobile devices. I'll focus on those areas and make sure I have a solid audit trail.
upvoted 0 times
...
Mira
5 months ago
Okay, let's see here. The question is asking about verifying information security during the business continuity management process, so I'll definitely want to look at how they're managing mobile devices and remote work. The options about staff resources and testing also seem relevant.
upvoted 0 times
...
Howard
5 months ago
This seems like a pretty comprehensive exam question covering various aspects of information security and business continuity management. I think I'll start by focusing on the key areas mentioned, like mobile device security, teleworking, and business risk assessment.
upvoted 0 times
...
Pete
5 months ago
Hmm, this is a tricky one. I'm a bit confused about how to approach verifying the information security of the business continuity process. I'll need to make sure I understand the requirements and relevant controls before I can decide which options to select.
upvoted 0 times
...
Cecily
5 months ago
Okay, I've got an idea. I think the pam_nologin module along with the /etc/nologin configuration file is the way to go. That should disable all logins except for root, right?
upvoted 0 times
...
Cordell
5 months ago
I remember practicing a question similar to this, and I chose Switch Widget back then too. Seems like a safe bet!
upvoted 0 times
...
Arleen
5 months ago
I'm pretty confident that the answer is B. The "link:" operator is used to find all the sites that link to the specified URL, which in this case would be ghttech.net. So this search should return all the sites that have a link to the ghttech.net website.
upvoted 0 times
...
Wilda
2 years ago
True, BCP testing is essential. Maybe we should include that in our audit trail.
upvoted 0 times
...
Remedios
2 years ago
What about how they test the Business Continuity Plan? Option E seems relevant too.
upvoted 0 times
...
Arlie
2 years ago
Good point. I also think checking clause 7.1 could help. Option C is important.
upvoted 0 times
...
Ashlyn
2 years ago
I would pick option A. Managing security on mobile devices and during teleworking is crucial.
upvoted 0 times
...
Wilda
2 years ago
It's quite detailed. They're clearly concerned about how information is managed during crises.
upvoted 0 times
...
Remedios
2 years ago
What do you think of the question about verifying information security?
upvoted 0 times
...
Bo
2 years ago
Lastly, I will investigate how the Business Continuity Plan has been tested.
upvoted 0 times
...
Bo
2 years ago
I will also gather evidence on what resources are provided to support staff working from home.
upvoted 0 times
...
Bo
2 years ago
I will collect more evidence on how information security is managed on mobile devices and during teleworking.
upvoted 0 times
...
Sharen
2 years ago
I'm not sure, you should speak to the Security Manager.
upvoted 0 times
...
Bo
2 years ago
How does the organisation manage information security during the business continuity process?
upvoted 0 times
...
Sharen
2 years ago
We activated our BCP during the pandemic to ensure the nursing service continued.
upvoted 0 times
...

Save Cancel