Welcome to Pass4Success


PECB ISO-IEC-27001-Lead-Auditor Exam - Topic 1 Question 34 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 34
Topic #: 1

The auditor was unable to identify that Company A hid their insecure network architecture. What type of audit risk is this?

Suggested Answer: C (Detection risk)

Audit risk is the risk that the auditor reaches an inappropriate audit conclusion, and it is conventionally broken down into three components. Inherent risk is the susceptibility of the auditee's activities to a nonconformity before any controls are taken into account (a large, frequently changing network is inherently more likely to contain weaknesses than a small static one). Control risk is the risk that the auditee's own internal controls fail to prevent or detect a nonconformity (for example, a change-management process that never reviews network design). Detection risk is the risk that the auditor's own procedures fail to detect a nonconformity that exists, whether because the sample was too narrow, evidence was taken on trust rather than corroborated, or, as in this question, because the auditee concealed it.
Here the insecure network architecture already existed and Company A's controls had not corrected it; what the question tests is that the auditor did not find it. That failure sits with the audit procedures, so the risk described is detection risk, not inherent or control risk. Concealment by the auditee does not move the risk back to the auditee: detection risk is managed by the auditor, typically by relying less on management representations and presented documentation and more on first-hand evidence such as the actual router, firewall and switch configurations, live network diagrams, and interviews with the staff who operate the network.


Contribute your Thoughts:

Selma
3 months ago
Totally agree, it's about detection!
upvoted 0 times
Cherelle
3 months ago
Inherent risk seems off here.
upvoted 0 times
Valentin
3 months ago
Wait, how did the auditor miss that?
upvoted 0 times
Keneth
4 months ago
I think it's more of a control risk.
upvoted 0 times
Darrin
4 months ago
That's definitely a detection risk!
upvoted 0 times
Tammara
4 months ago
I practiced a similar question where the auditor missed a significant fraud. I think that was also about detection risk, so I might go with that here.
upvoted 0 times
Launa
4 months ago
Control risk could be relevant here too, since it relates to the effectiveness of the company's internal controls, but I lean towards detection risk.
upvoted 0 times
Eugene
4 months ago
I remember something about inherent risk being related to the nature of the business, but this seems more about the auditor's oversight.
upvoted 0 times
Julian
5 months ago
I think this might be a detection risk since the auditor failed to identify the issue, but I'm not entirely sure.
upvoted 0 times
Edna
5 months ago
Okay, let me walk through this step-by-step. The auditor failed to identify the issue, so it's not inherent risk. And since it's a control issue, not a detection issue, I think the answer has to be control risk. I feel pretty confident about that.
upvoted 0 times
Lyndia
5 months ago
Hmm, I'm not totally sure about this one. Could it also be detection risk, since the auditor didn't detect the issue? I'll have to think it through carefully.
upvoted 0 times
Terry
5 months ago
This seems like a pretty straightforward audit risk question. I think the answer is Control risk, since the auditor failed to identify the company's insecure network architecture, which is a control issue.
upvoted 0 times
Ressie
5 months ago
Ugh, I'm really struggling with this type of audit risk question. There are so many different types, it's hard to keep them straight. I'll have to review my notes before the exam.
upvoted 0 times
Curtis
5 months ago
Okay, I think I've got this. The question is asking about the physical location of the Planning Optimization service, not the Dynamics 365 instance. Based on my understanding, the service runs in Microsoft's cloud, so the answer is likely option C or D.
upvoted 0 times
Laquita
5 months ago
I'll definitely look into the registry settings for ListOfDDCs. It seems like a common area where misconfigurations can happen.
upvoted 0 times
Fidelia
9 months ago
If the auditor can't even find the network issues, they must be using the 'invisible ink' method of auditing.
upvoted 0 times
India
9 months ago
I'd say this is a clear 'Detection' problem. The auditor must have been using the 'hide and seek' method of auditing.
upvoted 0 times
An
9 months ago
Sounds like a classic case of 'Control' issues. Maybe the auditor needs to take a 'control' alt delete approach to this problem.
upvoted 0 times
Detra
8 months ago
Maybe the auditor needs to take a 'control' alt delete approach to this problem.
upvoted 0 times
Delmy
8 months ago
C) Detection
upvoted 0 times
Yuki
9 months ago
B) Control
upvoted 0 times
Leslee
9 months ago
A) Inherent
upvoted 0 times
Francoise
10 months ago
Ah, the classic 'hide and seek' audit technique. Gotta love when the company is playing 'keep away' with their network architecture.
upvoted 0 times
Darrin
9 months ago
C) Detection
upvoted 0 times
Jennie
9 months ago
B) Control
upvoted 0 times
Crista
9 months ago
A) Inherent
upvoted 0 times
Alise
10 months ago
I disagree, I think it's detection risk because the auditor failed to detect the insecure network architecture.
upvoted 0 times
Robt
10 months ago
I agree with Eva, it's definitely inherent risk.
upvoted 0 times
Eva
10 months ago
I think it's inherent risk.
upvoted 0 times
Dorinda
10 months ago
I believe it's detection risk, as the auditor failed to detect the issue.
upvoted 0 times
Tamesha
10 months ago
I agree with Chana, because it's related to the nature of the business.
upvoted 0 times
Lezlie
11 months ago
If the auditor can't even identify the network issues, I'm guessing they need a little more 'detection' in their diet.
upvoted 0 times
Sena
9 months ago
User 4: Maybe they need to improve their detection procedures.
upvoted 0 times
Lavera
10 months ago
User 3: Yeah, the auditor should have caught that during the audit.
upvoted 0 times
Yoko
10 months ago
User 2: That sounds like a detection risk to me.
upvoted 0 times
Lonny
10 months ago
User 1: Looks like Company A is hiding their insecure network architecture.
upvoted 0 times
Chana
11 months ago
I think it's inherent risk.
upvoted 0 times
