Question 1

During a third-party certification audit you are presented with a list of issues by an auditee. Which four of the following constitute 'external' issues in the context of a management system to ISO/IEC 27001:2022?

Options :

A : A rise in interest rates in response to high inflation

B : A reduction in grants as a result of a change in government policy

C : Poor levels of staff competence as a result of cuts in training expenditure

D : Increased absenteeism as a result of poor management

E : Higher labour costs as a result of an aging population

F : Inability to source raw materials due to government sanctions

G : Poor morale as a result of staff holidays being reduced

H : A fall in productivity linked to outdated production equipment

Answer: A,B,E,F

Question 2

Why do we need to test a disaster recovery plan regularly, and keep it up to date?

Options :

A : Otherwise the measures taken and the incident procedures planned may not be adequate

B : Otherwise it is no longer up to date with the registration of daily occurring faults

C : Otherwise remotely stored backups may no longer be available to the security team

Answer: A

Question 3

Which one of the following options is the definition of an interested party?

Options :

A :

A third party can appeal to an organisation when it perceives itself to be affected by a decision or activity

B :

A person or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity

C :

A group or organisation that can interfere in or perceive itself to be interfered with by a management decision

D :

An individual or organisation that can control, be controlled by, or perceive itself to be controlled by a decision or activity

Answer: B

Question 4

Select two options that describe an advantage of using a checklist.

Options :

A : Using the same checklist for every audit without review

B : Restricting interviews to nominated parties

C : Ensuring relevant audit trails are followed

D : Ensuring the audit plan is implemented

E : Reducing audit duration

F : Not varying from the checklist when necessary

Answer: C,D

Question 5

You are an experienced audit team leader conducting a third-party surveillance audit of an organisation that

designs websites for its clients. You are currently reviewing the organisation's Statement of Applicability.

Based on the requirements of ISO/IEC 27001, which two of the following observations about the Statement of

Applicability are true?

Options :

A :

Justification for both the inclusion and exclusion of Annex A controls in the Statement of Applicability is required

B : The Statement of Applicability is owned and amended by the organisation-s top management

C : The Statement of Applicability must be reviewed at least annually

D : A Statement of Applicability must be produced by organisations seeking ISO/IEC 27001 conformity

E : Justification is only required for any controls that the organisations choses to exclude

F : The Statement of Applicability must be reviewed at Management Review

Answer: A,D