2024 New ISO-IEC-27001-Lead-Auditor Dumps - Real PECB Exam Questions [Q78-Q98]


NEW QUESTION # 78
Who is authorized to change the classification of a document?

  • A. The owner of the document
  • B. The administrator of the document
  • C. The manager of the owner of the document
  • D. The author of the document

Answer: A


NEW QUESTION # 79
In order to take out a fire insurance policy, an administration office must determine the value of the data that it manages.
Which factor is not important for determining the value of data for an organization?

  • A. The importance of the business processes that make use of the data.
  • B. The degree to which missing, incomplete or incorrect data can be recovered.
  • C. The content of data.
  • D. The indispensability of data for the business processes.

Answer: C

Explanation:
The content of data is not an important factor for determining the value of data for an organization. The content of data refers to the representation or format of data, such as text, numbers, images, audio, video, etc.
The content of data can change depending on how it is processed, stored, or presented, but the value of data is derived from its meaning and usefulness for the organization. Therefore, the content of data is not relevant for taking out a fire insurance policy, as it does not reflect the potential loss or damage that the organization would suffer if the data was destroyed by fire. The other factors, such as the degree of recoverability, the indispensability, and the importance of data for the business processes, are important for determining the value of data for an organization. These factors indicate how critical the data is for the organization's operations, performance, and competitiveness, and how difficult or costly it would be to restore or replace the data in case of a fire. Therefore, the correct answer is A. References: Putting a value on data - PwC UK, page 3; What is Data Value? How to Define the Value of Your Data.


NEW QUESTION # 80
What controls can you do to protect sensitive data in your computer when you go out for lunch?

  • A. You lock your computer by pressing Windows+L or CTRL-ALT-DELETE and then click "Lock Computer".
  • B. You turn off the monitor
  • C. You are confident to leave your computer screen as is since a password protected screensaver is installed and it is set to activate after 10 minutes of inactivity
  • D. You activate your favorite screen-saver

Answer: A


NEW QUESTION # 81
The audit lifecycle describes the ISO 19011 process for conducting an individual audit. Drag and drop the steps of the audit lifecycle into the correct sequence.

Answer:

Explanation:
The correct sequence of the steps of the audit lifecycle according to ISO 19011:2018 is:
Step 1: Audit initiation
Step 2: Audit preparation
Step 3: Conducting the audit
Step 4: Preparing and distributing the audit report
Step 5: Audit completion
Step 6: Audit follow-up
This sequence reflects the logical order of the audit activities, from establishing the audit objectives, scope and criteria, to verifying the implementation and effectiveness of the corrective actions. However, ISO 19011:2018 also recognizes that some audit activities can be iterative or concurrent, depending on the nature and complexity of the audit. For example, audit preparation and conducting the audit can overlap when new information or changes occur during the audit. Similarly, audit follow-up can be integrated with audit completion when the corrective actions are verified shortly after the audit. Therefore, the audit lifecycle should be adapted to the specific context and needs of each audit.


NEW QUESTION # 82
After a devastating office fire, all staff are moved to other branches of the company. At what moment in the incident management process is this measure effectuated?

  • A. Between classification and escalation
  • B. Between recovery and normal operations
  • C. Between incident and damage
  • D. Between detection and classification

Answer: C


NEW QUESTION # 83
Availability means

  • A. Service should be accessible at the required time and usable by all
  • B. Service should not be accessible when required
  • C. Service should be accessible at the required time and usable only by the authorized entity

Answer: C


NEW QUESTION # 84
The audit team leader prepares the audit plan for an initial certification stage 2 audit to ISO/IEC 27001:2022.
Which one of the following statements is true?

  • A. The audit team leader should make sure the audit has the support of a Technical Expert
  • B. The audit team leader should appoint audit team members with IT experience
  • C. The organisation should review the audit plan for agreement
  • D. The audit team leader should plan to interview each employee within the scope

Answer: C

Explanation:
D: This statement is true because the audit team leader should communicate the audit plan to the audit client and the auditee, and obtain their approval before conducting the audit12. The audit plan should include the audit objectives, scope, criteria, methods, schedule, resources, roles and responsibilities, and other relevant information12. The audit plan should also be reviewed and updated as necessary during the audit process, and any changes should be agreed upon by the audit team leader, the audit client, and the auditee12. The purpose of reviewing and agreeing on the audit plan is to ensure that the audit is conducted in an efficient and effective manner, and that the audit expectations and requirements are clear and consistent among all parties involved.
References:
1: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 23
2: ISO 19011:2018 - Guidelines for auditing management systems, clause 6.4.2


NEW QUESTION # 85
You are performing an ISMS audit at a European-based residential nursing home called ABC that provides healthcare services. You find that all nursing home residents wear an electronic wristband that monitors their location, heartbeat, and blood pressure at all times. You learn that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.
The next step in your audit plan is to verify that the information security policy and objectives have been established by top management.
During the audit, you found the following audit evidence.
Match the audit evidence to the corresponding requirement in ISO/IEC 27001:2022.

Answer:

Explanation:


NEW QUESTION # 86
Which three of the following options are an advantage of using a sampling plan for the audit?

  • A. Overrules the auditor's instincts
  • B. Use of the plan for consecutive audits
  • C. Misses key issues
  • D. Implements the audit plan efficiently
  • E. Gives confidence in the audit results
  • F. Provides a suitable understanding of the ISMS

Answer: D,E,F

Explanation:
According to ISO 19011:2018, which provides guidelines for auditing management systems, a sampling plan is a method for selecting a representative subset of the audit evidence from a defined population1. A sampling plan can have several advantages for the audit, such as providing a suitable understanding of the ISMS by covering its key processes, activities, and controls; implementing the audit plan efficiently by optimizing the use of time and resources; and giving confidence in the audit results by ensuring that the sample is sufficient, reliable, and unbiased1. Therefore, these three options are examples of advantages of using a sampling plan for the audit. The other options are not advantages, but rather disadvantages or risks of using a sampling plan. For example, overruling the auditor's instincts may lead to missing important evidence or issues that are not covered by the sampling plan; using the same plan for consecutive audits may reduce the effectiveness and validity of the audit results; and missing key issues may result from an inadequate or inappropriate sampling plan1. References: ISO 19011:2018 - Guidelines for auditing management systems


NEW QUESTION # 87
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

  • A. 7.10 Storage media
  • B. 5.32 Intellectual property rights
  • C. 5.6 Contact with special interest groups
  • D. 6.3 Information security awareness, education, and training
  • E. 5.11 Return of assets
  • F. 5.13 Labelling of information
  • G. 7.4 Physical security monitoring
  • H. 8.12 Data leakage protection
  • I. 5.3 Segregation of duties
  • J. 6.4 Disciplinary process
  • K. 8.3 Information access restriction

Answer: A,D,F,G,H,K

Explanation:
* B. 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers12.
* D. 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms13.
* E. 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks14. Storage media controls could include physical locks, encryption, backup, disposal, or destruction14.
* F. 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets15.
* I. 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts16.
* J. 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes1. Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse1.
References:
* ISO/IEC 27002:2022 Information technology - Security techniques - Code of practice for information security controls
* ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements
* ISO/IEC 27003:2022 Information technology - Security techniques - Information security management systems - Guidance
* ISO/IEC 27004:2022 Information technology - Security techniques - Information security management systems - Monitoring measurement analysis and evaluation
* ISO/IEC 27005:2022 Information technology - Security techniques - Information security risk management
* ISO/IEC 27006:2022 Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems
* ISO/IEC 27007:2022 Information technology - Security techniques - Guidelines for information security management systems auditing


NEW QUESTION # 88
What is a reason for the classification of information?

  • A. To provide clear identification tags
  • B. Creating a manual describing the BYOD policy
  • C. To structure the information according to its sensitivity

Answer: C


NEW QUESTION # 89
Which three of the following phrases are objectives in relation to an audit?

  • A. Complete audit on time
  • B. Regulatory requirements
  • C. Confirm the scope of the management system
  • D. International Standard
  • E. Identify opportunities for improvement
  • F. Management policy

Answer: B,C,E

Explanation:
According to ISO 19011:2018, which provides guidelines for auditing management systems, the audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system1. Therefore, these three phrases are examples of objectives in relation to an audit. The other options are not objectives, but rather elements or factors that may influence or affect an audit. For example, an international standard is a source of audit criteria, a management policy is a part of the audited management system, and completing an audit on time is a requirement for an effective audit. References: ISO 19011:2018 - Guidelines for auditing management systems


NEW QUESTION # 90
You are an experienced ISMS audit team leader providing guidance to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the following activities. They have asked you to review their checklist to confirm that the actions they are proposing are appropriate.
The audit they have been invited to participate in is a third-party surveillance audit of a data centre . The data centre agent is part of a wider telecommunication group. Each data centre within the group operates its own ISMS and holds its own certificate.
Select three options that relate to ISO/IEC 27001:2022's requirements regarding external providers.

  • A. I will limit my audit activity to externally provided processes as there is no need to audit externally provided products or services
  • B. I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information
  • C. I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest
  • D. I will ensure the organization has determined the need to communicate with external providers regarding the ISMS
  • E. I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance
  • F. I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group
  • G. I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes
  • H. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services

Answer: E,F,H

Explanation:
A. I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. Externally provided processes, products or services are those that are provided by any external party, regardless of the degree of its relationship with the organisation. Therefore, the other data centres within the same telecommunication group should be treated as external providers and subject to the same controls as any other external provider12
B. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to implement appropriate contractual requirements related to information security with external providers. One of the contractual requirements could be the obligation of the external provider to notify the organisation of any risks arising from the use of its products or services, such as security incidents, vulnerabilities, or changes that could affect the information security of the organisation. The external provider should have a documented process in place to ensure that such notification is timely, accurate, and complete12
E. I will ensure the organisation is regularly monitoring, reviewing and evaluating external provider performance. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to monitor, review and evaluate the performance and effectiveness of the externally provided processes, products or services. The organisation should have a process in place to measure and verify the conformity and suitability of the external provider's deliverables and activities, and to provide feedback and improvement actions as necessary. The organisation should also maintain records of the monitoring, review and evaluation results12
F. I will ensure the organisation has determined the need to communicate with external providers regarding the ISMS. This is appropriate because clause 7.4.2 of ISO 27001:2022 requires the organisation to determine the need for internal and external communications relevant to the information security management system, including the communication with external providers. The organisation should define the purpose, content, frequency, methods, and responsibilities for such communication, and ensure that it is consistent with the information security policy and objectives. The organisation should also retain documented information of the communication as evidence of its implementation12
The following activities are not appropriate for the assessment of external providers according to ISO 27001:2022:
C. I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information. This is not appropriate because ISO 27001:2022 does not require the organisation to have a reserve external provider for each critical process. The organisation may choose to have a contingency plan or a backup solution in case of failure or disruption of the external provider, but this is not a mandatory requirement. The organisation should assess the risks and opportunities associated with the external provider and determine the appropriate treatment options, which may or may not include having a reserve external provider12
D. I will limit my audit activity to externally provided processes as there is no need to audit externally provided products or services. This is not appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to control the externally provided processes, products or services that are relevant to the information security management system. Externally provided products or services may include software, hardware, data, or cloud services that could affect the information security of the organisation. Therefore, the audit activity should cover both externally provided processes and products or services, as applicable12
G. I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes. This is not appropriate because clause 5.3 of ISO 27001:2022 requires the top management to assign the roles and responsibilities for the information security management system within the organisation, not for the external providers. The external providers are responsible for assigning their own roles and responsibilities for the processes, products or services they provide to the organisation. The organisation should ensure that the external providers have adequate competence and awareness for their roles and responsibilities, and that they are contractually bound to comply with the information security requirements of the organisation12
H. I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest. This is not appropriate because ISO 27001:2022 does not require the organisation to rank its external providers or to allocate its work based on such ranking. The organisation may choose to evaluate and compare the performance and effectiveness of its external providers, but this is not a mandatory requirement. The organisation should select and use its external providers based on the information security criteria and objectives that are relevant to the organisation12
References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training
2: ISO/IEC 27001 Lead Auditor Training Course by PECB


NEW QUESTION # 91
You work in the office of a large company. You receive a call from a person claiming to be from the Helpdesk. He asks you for your password.
What kind of threat is this?

  • A. Social Engineering
  • B. Organizational threat
  • C. Natural threat
  • D. Arson

Answer: A

Explanation:
This is an example of a social engineering threat, which is a type of human threat that involves manipulating or deceiving people into revealing confidential information, performing unauthorized actions, or compromising the security of information assets. Social engineering techniques can exploit the psychological, emotional, or behavioral vulnerabilities of people, such as trust, curiosity, fear, or greed. A person claiming to be from the Helpdesk and asking for your password is trying to trick you into giving away your credentials, which can be used to access your account or system without your authorization. Therefore, the correct answer is C. Reference: ISO/IEC 27000:2022, clause 3.25; What is Social Engineering? | Definition and Examples.


NEW QUESTION # 92
Which two of the following phrases would apply to "plan" in relation to the Plan-Do-Check-Act cycle for a business process?

  • A. Organising changes
  • B. Retaining documentation
  • C. Setting objectives
  • D. Training staff
  • E. Providing ICT assets
  • F. Retaining documentation

Answer: C,D

Explanation:
The Plan-Do-Check-Act (PDCA) cycle is a four-step method for implementing and improving processes, products, or services. The "plan" phase involves establishing the objectives and processes necessary to deliver the desired results. This may include setting SMART goals, identifying resources, defining roles and responsibilities, conducting risk assessments, and developing plans for training, communication, and monitoring.
References:
ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
ISO 19011:2018 Guidelines for auditing management systems [Section 5.3.1]


NEW QUESTION # 93
An administration office is going to determine the dangers to which it is exposed.
What do we call a possible event that can have a disruptive effect on the reliability of information?

  • A. dependency
  • B. threat
  • C. risk
  • D. vulnerability

Answer: B

Explanation:
A possible event that can have a disruptive effect on the reliability of information is a threat. A threat is anything that has the potential to harm an asset or its protection, such as a natural disaster, a human error, a malicious attack, etc. A threat can exploit a vulnerability or weakness in an asset or its protection and cause an adverse impact on the confidentiality, integrity or availability of information. ISO/IEC 27001:2022 defines threat as "potential cause of an unwanted incident, which can result in harm to a system or organization" (see clause 3.48). References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Threat?


NEW QUESTION # 94
A fire breaks out in a branch office of a health insurance company. The personnel are transferred to neighboring branches to continue their work.
Where in the incident cycle is moving to a stand-by arrangements found?

  • A. between incident and damage
  • B. between threat and incident
  • C. between recovery and threat
  • D. between damage and recovery

Answer: A

Explanation:
Moving to a stand-by arrangement is found between incident and damage in the incident cycle. The incident cycle is a model that describes the phases of an incident from its occurrence to its resolution. The incident cycle consists of four phases: threat, incident, damage, and recovery1. A threat is a potential cause or source of harm to an organization's information assets or systems. An incident is an event that compromises the confidentiality, integrity, or availability of information assets or systems. Damage is the negative impact or consequence of an incident on the organization's assets, operations, reputation, or legal obligations. Recovery is the process of restoring normal service and operations after an incident and preventing recurrence2. Moving to a stand-by arrangement is a form of contingency plan that enables the organization to continue its critical activities in an alternative location or mode after an incident. This measure is taken before the damage caused by the incident is fully assessed or contained. Therefore, moving to a stand-by arrangement is found between incident and damage in the incident cycle. References: [ISO/IEC 27031:2011], clause 4.2; [ISO/IEC 27035:2016], clause 4.


NEW QUESTION # 95
What is an example of a human threat?

  • A. thunderstorm
  • B. phishing
  • C. fire
  • D. a lightning strike

Answer: B

Explanation:
A human threat is a threat that originates from a person or a group of people who intentionally or unintentionally cause harm to an organization's information assets. Examples of human threats include hackers, insiders, terrorists, criminals, competitors, or disgruntled employees. A human threat can exploit technical, physical, or organizational vulnerabilities to compromise the confidentiality, integrity, or availability of information. Phishing is an example of a human threat that uses social engineering techniques to trick users into revealing sensitive information, such as passwords, credit card numbers, or bank account details. Phishing attacks often involve sending fraudulent emails or messages that appear to be from legitimate sources, such as banks, government agencies, or trusted contacts. The messages may contain links to malicious websites or attachments that contain malware. Therefore, the correct answer is C. References: ISO/IEC 27000:2022, clause 3.25; What is Phishing? | How to Identify & Avoid Phishing Scams.


NEW QUESTION # 96
All are prohibited in acceptable use of information assets, except:

  • A. Company-wide e-mails with supervisor/TL permission.
  • B. Messages with very large attachments or to a large number of recipients.
  • C. E-mail copies to non-essential readers
  • D. Electronic chain letters

Answer: A


NEW QUESTION # 97
You are an ISMS audit team leader who has been assigned by your certification body to carry out a follow-up audit of a client. You are preparing your audit plan for this audit.
Which two of the following statements are true?

  • A. Opportunities for improvement should be verified first, followed by corrections and finally corrective actions
  • B. Verification should focus on whether any action undertaken is complete
  • C. Verification should focus on whether any action undertaken has been undertaken efficiently
  • D. Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement
  • E. Verification should focus on whether any action undertaken has been undertaken effectively
  • F. Corrections should be verified first, followed by corrective actions and finally opportunities for improvement

Answer: B,E

Explanation:
According to ISO 27001:2022 clause 9.1.2, the organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the organisation's own requirements, the requirements of ISO 27001:2022, and is effectively implemented and maintained12. According to ISO 27001:2022 clause 10.1, the organisation shall react to the nonconformities and take action, as applicable, to control and correct them and deal with the consequences. The organisation shall also evaluate the need for action to eliminate the causes of nonconformities, in order to prevent recurrence or occurrence.
The organisation shall implement any action needed, review the effectiveness of any corrective action taken, and make changes to the information security management system, if necessary12. A follow-up audit is a type of internal audit that is conducted after a previous audit to verify whether the nonconformities and corrective actions have been addressed and resolved, and whether the information security management system has been improved12. Therefore, the following statements are true for preparing a follow-up audit plan:
* Verification should focus on whether any action undertaken is complete. This means that the auditor should check whether the organisation has implemented all the planned actions to correct and prevent the nonconformities, and whether the actions have been documented and communicated as required12
* Verification should focus on whether any action undertaken has been undertaken effectively. This means that the auditor should check whether the organisation has achieved the intended results and objectives of the actions, and whether the actions have eliminated or reduced the nonconformities and their causes and consequences12
The following statements are false for preparing a follow-up audit plan:
* Verification should focus on whether any action undertaken has been undertaken efficiently. This is false because efficiency is not a criterion for verifying the actions taken to address the nonconformities and corrective actions. Efficiency refers to the optimal use of resources to achieve the desired outcomes, but it is not a requirement of ISO 27001:2022. The auditor should focus on the effectiveness and completeness of the actions, not on the efficiency12
* Corrections should be verified first, followed by corrective actions and finally opportunities for improvement. This is false because there is no prescribed order for verifying the corrections, corrective actions, and opportunities for improvement. The auditor should verify all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to verify the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12
* Opportunities for improvement should be verified first, followed by corrections and finally corrective actions. This is false because there is no prescribed order for verifying the opportunities for improvement, corrections, and corrective actions. The auditor should verify all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to verify the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12
* Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement. This is false because there is no prescribed order for reviewing the corrective actions, corrections, and opportunities for improvement. The auditor should review all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to review the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12
References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training
2: ISO/IEC 27001 Lead Auditor Training Course by PECB

