
PECB ISO-IEC-27001-Lead-Auditor Exam - Topic 2 Question 35 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 35
Topic #: 2

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

Suggested Answer: B, D, E, F, I, J

B) 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers.

D) 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms.

E) 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks. Storage media controls could include physical locks, encryption, backup, disposal, or destruction.

F) 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets.

I) 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts.

J) 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes. Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse.


ISO/IEC 27002:2022 Information technology --- Security techniques --- Code of practice for information security controls

ISO/IEC 27001:2022 Information technology --- Security techniques --- Information security management systems --- Requirements

ISO/IEC 27003:2022 Information technology --- Security techniques --- Information security management systems --- Guidance

ISO/IEC 27004:2022 Information technology --- Security techniques --- Information security management systems --- Monitoring measurement analysis and evaluation

ISO/IEC 27005:2022 Information technology --- Security techniques --- Information security risk management

ISO/IEC 27006:2022 Information technology --- Security techniques --- Requirements for bodies providing audit and certification of information security management systems

ISO/IEC 27007:2022 Information technology --- Security techniques --- Guidelines for information security management systems auditing

Vallie
3 months ago
Segregation of duties is a must for this kind of operation!
upvoted 0 times
Leslie
3 months ago
Wait, they just resend without checking? That seems off.
upvoted 0 times
Carrol
3 months ago
Mis-addressed labels are a huge issue in logistics.
upvoted 0 times
Rosendo
4 months ago
Reprinting labels instead of investigating? That's risky!
upvoted 0 times
Anika
4 months ago
They should definitely have a proper checking process in place.
upvoted 0 times
Tori
4 months ago
I’m a bit confused about which controls to prioritize, but I think 5.3 Segregation of duties could help prevent mislabeling issues in the dispatch process.
upvoted 0 times
Vernice
4 months ago
I practiced a similar question where we had to identify controls related to data protection, so I think 8.12 Data leakage protection might apply too.
upvoted 0 times
Rozella
4 months ago
I'm not entirely sure, but I feel like 6.3 Information security awareness could be important since the staff needs to be trained on proper labeling.
upvoted 0 times
Carlee
5 months ago
I remember discussing the importance of return processes in our last class, so I think 5.11 Return of assets is definitely relevant here.
upvoted 0 times
Dawne
5 months ago
This is a tough one, but I feel pretty confident I can figure it out. I'll start by identifying the core information security risks based on the scenario, then match those to the relevant Appendix A controls. Should be doable if I stay focused.
upvoted 0 times
Kenneth
5 months ago
Okay, I've got a strategy here. The main issues seem to be around label errors, returned items, and the lack of a formal checking process. So I'll be looking for controls related to asset management, data protection, access restrictions, and security awareness training. I think I can narrow it down to the right six.
upvoted 0 times
William
5 months ago
Hmm, I'm a bit unsure about this one. There are a lot of controls to choose from, and the scenario covers a few different areas. I'll need to really think through the key problems identified and try to match them to the appropriate controls.
upvoted 0 times
Gianna
5 months ago
This seems like a tricky question, but I think I can tackle it. I'll need to carefully review the scenario and the list of Appendix A controls to determine which six would be most relevant based on the issues raised.
upvoted 0 times
Yoko
5 months ago
Option D looks like the best choice to me. The meta files will likely contain important details about the QlikView documents that are causing the issues. Providing that context upfront should help the support team get to the root of the problem faster.
upvoted 0 times
Fabiola
5 months ago
Okay, let's see. The question is asking if the underlined text makes the statement correct. I think I'll need to consider the different security tools listed and decide which one is the best fit.
upvoted 0 times
Lemuel
5 months ago
Hmm, I'm a bit confused on how to calculate the host address range for a /28 subnet. I'll need to review my subnet masking notes before attempting this.
upvoted 0 times
Keneth
5 months ago
If I recall correctly, retiring short-term notes with cash should change both the current ratio and current assets. So I don't think that's the answer here.
upvoted 0 times