Question 1

In what part of the process to grant access to a system does the user present a token?

Options :

A : Authorisation

B : Verification

C : Authentication

D : Identification

Answer: D

Question 2

Stages of Information

Options :

A : creation, evolution, maintenance, use, disposition

B : creation, use, disposition, maintenance, evolution

C : creation, distribution, use, maintenance, disposition

D : creation, distribution, maintenance, disposition, use

Answer: C

Question 3

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The

company was founded in North Carolina, but have recently expanded in other locations, including Europe and

Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing

any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have

applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required

by the standard, including the declaration of the ISMS scope, information security policies, and internal audits

reports. The review process was not easy because, although Sinvestment stated that they had a documentation

procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role

in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of

documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security

training and awareness program. When asked, Sinvestment's representatives stated that the company has

provided information security training sessions to all employees. Stage 1 audit gave the audit team a general

understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing

department (which was not included in the audit scope) had no procedures in place to control employees’

access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was

included in the information security policy of the company, the issue was included in the audit report. In

addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities.

The procedures of the company stated that "Logs recording user activities should be retained and regularly

reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis,

and technical verification to collect information and evidence. All the audit findings during stages 1 and 2

were analyzed and the audit team decided to issue a positive recommendation for certification.

During stage 1 audit, the audit team found out that Sinvestment did not have records on information security

training and awareness. What Sinvestment do in this case? Refer to scenario 6.

Options :

A : Correct the identified issue before the stage 2 audit

B : Document the identified issue and correct it after the certification audit is completed

C : Perform a new risk assessment process to understand whether the issue needs modification or not

Answer: A

Question 4

Which option below about the ISMS scope is correct?

Options :

A : ISMS scope should be available as documented information

B : ISMS scope should ensure continual improvement

C : ISMS scope should be compatible with the strategic orientation of the organization

Answer: A

Question 5

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are

presently in

the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric

combination lock and swipe card reader on the door. You notice two external contractors using a swipe card

and

combination number provided by the centre's reception desk to gain access to a client's suite to carry out

authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card

was

swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their

cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

Options :

A :

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times

B :

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

C :

Raise a nonconformity against control A.7.1 'security perimiters' as a secure area is not adequately protected

D :

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined

E :

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier

F :

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities

Answer: B

Smartly Prepare Exam with Free Online ISO-IEC-27001-Lead-Auditor Practice Test

Buying Options: