Scenario 3
NightCore, a multinational technology enterprise headquartered in the United States, specializes in e-commerce, cloud computing, digital streaming, and artificial intelligence (AI). After having an information security management system (ISMS) implemented for over a year, NightCore contracted a certification body to perform an audit for ISO/IEC 27001 certification.
The certification body formed a team of five auditors, with Jack as a team leader. Jack is renowned for his extensive auditing experience in risk management, information security controls, and incident management. His skill set aligns well with the requirements of auditing principles and processes, enabling him to effectively comprehend the audit scope and apply relevant criteria effectively. Jack also demonstrates a solid understanding of NightCore's organizational structure, purpose, and management practices and the statutory and regulatory requirements applicable to its activities.
The audit carried out by the audit team followed a rational method to reach reliable and reproducible conclusions systematically. The audit team recognized that only information capable of being verified to some extent should be considered valid evidence. In some rare instances during the audit where the verification of certain information posed challenges and where its degree of verifiability was low, the auditors exercised their professional judgment to assess the reliability and determine the level of reliance that could be placed on such evidence.
During the audit, the auditors documented their observations and inspection notes regarding the operational planning and control of NightCore's ISMS operations. They also recorded observations of NightCore's inventory of information and associated assets. Additionally, the auditors reviewed the configuration of firewalls implemented to secure connections to network services.
As the audit approached its final stages, NightCore's commitment to upholding the highest levels of information security became evident. With ISO/IEC 27001 certification within reach, NightCore is well-positioned to achieve ISO/IEC 27001 certification, enhancing its reputation in the technology sector.
According to Scenario 3, did the auditors appropriately handle information that could only be verified to some extent?
The auditors handled partially verifiable information appropriately by applying professional judgment, which makes option A the correct answer. ISO 19011:2018 emphasizes that auditing is not a purely mechanical process and requires auditors to apply due professional care when evaluating evidence. Audit evidence is often based on samples and may vary in its degree of verifiability. The key requirement is that auditors assess the reliability, relevance, and sufficiency of the evidence before using it to support audit conclusions.
In the scenario, the audit team explicitly recognized that some information could only be verified to a limited extent and responded by carefully evaluating how much reliance could be placed on that information. This aligns with ISO 19011 principles, particularly the evidence-based approach and due professional care. Auditors are expected to exercise judgment when full verification is impractical, provided they clearly understand the limitations of the evidence and do not overstate its reliability.
Option B is incorrect because ISO standards do not require auditors to discard all partially verifiable information. Doing so could lead to incomplete audit conclusions and an unrealistic audit process. Option C is also incorrect because while external experts may be used in certain specialized cases, ISO 19011 does not mandate their involvement whenever evidence is difficult to verify. The auditors' approach in the scenario demonstrates appropriate competence and professional judgment, consistent with ISO auditing guidance.
To verify conformity to control 8.15 Logging of ISO/IEC 27001 Annex A, the audit team studied a sample of server logs to determine if they could be edited or deleted. Which audit procedure did the audit team use?
The audit team used technical verification, making option B the correct answer. Technical verification involves examining technical configurations, system settings, or operational characteristics of information systems to verify whether controls are implemented and effective. In this scenario, the auditors examined server logs to determine whether they could be altered or deleted, which directly assesses the technical enforcement of logging controls.
ISO/IEC 27002:2022 control 8.15 requires organizations to ensure that logs are protected against unauthorized modification or deletion. Verifying this requirement cannot be achieved through interviews or documentation alone; it requires direct interaction with or inspection of the technical system.
Option A is incorrect because analysis refers to evaluating information, patterns, or results after evidence has been collected, not to the act of examining system configurations. Option C is incorrect because observation involves watching activities or processes being performed, such as monitoring staff behavior or physical security practices, not inspecting system-level controls.
Therefore, reviewing server logs for editability or deletion capability is a clear example of technical verification, which is an appropriate and necessary audit procedure for technological controls.
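As an added illustration of what such technical verification of control 8.15 can look like in practice (example code written for this page, not part of the scenario or of any PECB material), the following Python script inspects the filesystem permissions of sampled log files and their parent directories and reports every way the log could be edited or deleted. The sample logs, paths and modes are constructed inside `demo()`; the check covers POSIX mode bits only and is not a substitute for reviewing immutable attributes, remote forwarding or retention settings.

```python
import os
import stat
import tempfile
from typing import Dict, List


def assess_log_protection(path: str) -> List[str]:
    """Return findings describing how the log at `path` could be modified or deleted.

    An empty list means no permission-based weakness was found for this sample.
    """
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWGRP:
        findings.append("log is group-writable: group members can edit it")
    if mode & stat.S_IWOTH:
        findings.append("log is world-writable: any local user can edit it")

    # Deleting or renaming a file is governed by the write bit on the parent
    # directory, not by the file's own permissions, so the directory is checked too.
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit: any user can delete the log")
    if pmode & stat.S_IWGRP:
        findings.append("parent directory is group-writable: group members can delete or replace the log")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed sample: one protected log and one exposed log in a temporary tree."""
    base = tempfile.mkdtemp()
    secure_dir = os.path.join(base, "secure")
    exposed_dir = os.path.join(base, "exposed")
    os.mkdir(secure_dir)
    os.chmod(secure_dir, 0o750)   # owner rwx, group rx: no group/other deletion
    os.mkdir(exposed_dir)
    os.chmod(exposed_dir, 0o777)  # everyone may create/delete entries, no sticky bit

    results = {}
    for directory, name, mode in ((secure_dir, "auth.log", 0o640),
                                  (exposed_dir, "app.log", 0o666)):
        log_path = os.path.join(directory, name)
        with open(log_path, "w") as fh:
            fh.write("constructed sample log line\n")
        os.chmod(log_path, mode)
        results[name] = assess_log_protection(log_path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no permission weakness found"])
```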
Which two of the following phrases would apply to "audit objectives"?
The audit objectives are the purpose and scope of an audit, as defined by the audit client and the auditor. According to the ISO/IEC 27001 standard, the audit objectives for an ISMS audit may include determining the extent of conformity of the ISMS with the audit criteria, evaluating the ability of the ISMS to ensure the organization meets its information security objectives, and identifying potential areas for improvement of the ISMS [1][2].
References: [1] PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 19; [2] ISO/IEC 27007:2011 Information technology --- Security techniques --- Guidelines for information security management systems auditing, clause 4.2.1.
Scenario 5: Cobt, an insurance company in London, offers various commercial, industrial, and life insurance solutions. In recent years, the number of Cobt's clients has increased enormously. Having a huge amount of data to process, the company decided that certifying against ISO/IEC 27001 would bring many benefits to securing information and show its commitment to continual improvement. While the company was well-versed in conducting regular risk assessments, implementing an ISMS brought major changes to its daily operations. During the risk assessment process, a risk was identified where significant defects occurred without being detected or prevented by the organization's internal control mechanisms.
The company followed a methodology to implement the ISMS and had an operational ISMS in place after only a few months. After successfully implementing the ISMS, Cobt applied for ISO/IEC 27001 certification. Sarah, an experienced auditor, was assigned to the audit. Upon thoroughly analyzing the audit offer, Sarah accepted her responsibilities as an audit team leader and immediately started to obtain general information about Cobt. She established the audit criteria and objective, planned the audit, and assigned the audit team members' responsibilities.
Sarah acknowledged that although Cobt has expanded significantly by offering diverse commercial and insurance solutions, it still relies on some manual processes. Therefore, her initial focus was to gather information on how the company manages its information security risks. Sarah contacted Cobt's representatives to request access to information related to risk management for the off-site review, as initially agreed upon for part of the audit. However, Cobt later refused, claiming that such information is too sensitive to be accessed outside of the company. This refusal raised concerns about the audit's feasibility, particularly regarding the availability and cooperation of the auditee and access to evidence. Moreover, Cobt raised concerns about the audit schedule, stating that it does not properly reflect the recent changes the company made. It pointed out that the actions to be performed during the audit apply only to the initial scope and do not encompass the latest changes made in the audit scope.
Sarah also evaluated the materiality of the situation, considering the significance of the information denied for the audit objectives. In this case, the refusal by Cobt raised questions about the completeness of the audit and its ability to provide reasonable assurance. Following these situations, Sarah decided to withdraw from the audit before a certification agreement was signed and communicated her decision to Cobt and the certification body. This decision was made to ensure adherence to audit principles and maintain transparency, highlighting her commitment to consistently upholding these principles.
Based on the scenario above, answer the following question:
Based on the role of Sarah described in Scenario 5, which of the following should NOT be part of her responsibilities?
Comprehensive and Detailed In-Depth
A. Assigning responsibilities to the audit team members (Correct Answer) -- This is not Sarah's responsibility. The certification body assigns the audit team and defines responsibilities, ensuring independence and objectivity.
B. Defining the audit criteria and objectives (Correct Responsibility) -- Sarah, as the audit team leader, must establish audit criteria and objectives, per ISO 19011 (Guidelines for Auditing Management Systems).
C. Planning the audit (Correct Responsibility) -- The audit team leader is responsible for planning the audit, including timelines and resource allocation.
Relevant Standard Reference:
ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)
ISO 19011:2018 Clause 5.5.2 (Defining Audit Objectives and Criteria)
According to ISO/IEC 27001, Clause 5.1 (Leadership and Commitment), which of the following is NOT a responsibility of top management?
Comprehensive and Detailed In-Depth
ISO/IEC 27001 Clause 5.1 (Leadership and Commitment) defines top management's role in ensuring the effectiveness of the Information Security Management System (ISMS). It requires top management to:
Ensure the availability of resources for the ISMS (Correct Responsibility).
Promote continual improvement of the ISMS (Correct Responsibility).
Direct and support employees to contribute to ISMS effectiveness (Correct Responsibility).
B. Conducting regular internal audits -- Incorrect Responsibility:
Internal audits are not a direct responsibility of top management. Instead, Clause 9.2 (Internal Audit) requires audits to be conducted independently of management.
Top management is responsible for ensuring audits are conducted but does not need to conduct them personally.
Thus, top management is responsible for oversight and support but not for conducting internal audits themselves.
Relevant Standard Reference:
ISO/IEC 27001:2022 Clause 5.1 (Leadership and Commitment)
ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)