Question 1

In the context of a third-party certification audit, it is very important to have effective communication. Select an option that contains the correct answer about communication in an audit context.

Accepted Answer

C

Explanation: In the context of a third-party certification audit, it is very important to have effective communication between the audit team and the auditee. The formal communication channels, such as the names and contact details of the audit team members, the auditee representatives, the audit client and any other relevant parties, can be established during the opening meeting. This helps to ensure that the audit objectives, scope, criteria, methods, schedule and any other arrangements are clearly understood and agreed by all parties. It also facilitates the exchange of information, feedback, requests, concerns and complaints during the audit process. Reference: = ISO 19011:2022, clause 6.4.2; PECB Candidate Handbook ISO 27001 Lead Auditor, page 25.

Question 2

You are performing an ISMS audit at a residential nursing home that provides healthcare services.
The next step in your audit plan is to verify the information security incident management process.
The IT Security Manager presents the information security incident management procedure and
explains that the process is based on ISO/IEC 27035-1:2016.
You review the document and notice a statement "any information security weakness, event, and
incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When
interviewing staff, you found that there were differences in the understanding of the meaning of
"weakness, event, and incident".
You sample incident report records from the event tracking system for the last 6 months with
summarized results in the following table.
ISO-IEC-27001-Lead-Auditor practice exam questions

ISO-IEC-27001-Lead-Auditor practice exam questions

You would like to further investigate other areas to collect more audit evidence. Select two options
that will not be in your audit trail.

Accepted Answer

Explanation: B . This clause requires the organisation to determine the interested parties that are relevant to the ISMS, and the requirements of these interested parties12. This clause is relevant to the verification of the scope of the ISMS because it helps the organisation to identify the stakeholders that have an influence or an interest in the information security of the organisation, such as customers, suppliers, regulators, employees, etc. The organisation should also consider the needs and expectations of these interested parties when defining the scope of the ISMS, and ensure that they are met and communicated. E . This clause requires the organisation to establish an information security policy that provides the framework for setting the information security objectives and guiding the information security activities13. This clause is relevant to the verification of the scope of the ISMS because it helps the organisation to define the direction and principles of the ISMS, and to align them with the strategic goals and context of the organisation. The information security policy should also be consistent with the scope of the ISMS, and should be communicated and understood within the organisation and by relevant interested parties. F . This clause requires the organisation to determine the internal and external issues that are relevant to the purpose and the context of the organisation, and that affect its ability to achieve the intended outcomes of the ISMS14. This clause is relevant to the verification of the scope of the ISMS because it helps the organisation to understand the factors and conditions that influence the information security of the organisation, such as the legal, technological, social, economic, environmental, etc. The organisation should also monitor and review these issues, and consider them when defining the scope of the ISMS. H . This clause requires the organisation to determine the boundaries and applicability of the ISMS to establish its scope15. This clause is relevant to the verification of the scope of the ISMS because it helps the organisation to describe the information and processes that are included in the ISMS, and to document the scope in a clear and concise manner. The organisation should also consider the issues, requirements, and interfaces identified in clauses 4.1, 4.2, and 4.3 when determining the scope of the ISMS, and ensure that the scope is appropriate to the nature and scale of the organisation. Reference: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 17 2: ISO/IEC 27001:2022 - Information technology — Security techniques — Information security management systems — Requirements, clause 4.2 3: ISO/IEC 27001:2022 - Information technology — Security techniques — Information security management systems — Requirements, clause 5.2 4: ISO/IEC 27001:2022 - Information technology — Security techniques — Information security management systems — Requirements, clause 4.1 5: ISO/IEC 27001:2022 - Information technology — Security techniques — Information security management systems — Requirements, clause 4.3

Question 3

You are performing an ISMS audit at a residential nursing home that provides healthcare services.
The next step in your audit plan is to verify the information security incident management process.
The IT Security Manager presents the information security incident management procedure and
explains that the process is based on ISO/IEC 27035-1:2016.
You review the document and notice a statement "any information security weakness, event, and
incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When
interviewing staff, you found that there were differences in the understanding of the meaning of
"weakness, event, and incident".
You sample incident report records from the event tracking system for the last 6 months with
summarized results in the following table.
ISO-IEC-27001-Lead-Auditor practice exam questions

You would like to further investigate other areas to collect more audit evidence. Select two options
that will not be in your audit trail.

Accepted Answer

B, G

Explanation: According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.2 requires an organization to determine the needs and expectations of interested parties that are relevant to its ISMS1. This includes identifying the legal, regulatory, contractual and other requirements that apply to its information security activities1. Therefore, collecting more evidence on what the service requirements of healthcare monitoring are may not be relevant to verifying the information security incident management process, as it is not directly related to the audit objective or criteria. This option will not be in the audit trail.

Question 4

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance.
The company was founded in North Carolina, but have recently expanded in other locations,
including Europe and Africa.
Sinvestment is committed to complying with laws and regulations applicable to their industry and
preventing any information security incident. They have implemented an ISMS based on ISO/IEC
27001 and have applied for ISO/IEC 27001 certification.
Two auditors were assigned by the certification body to conduct the audit. After signing a
confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the
documentation required by the standard, including the declaration of the ISMS scope, information
security policies, and internal audits reports. The review process was not easy because, although
Sinvestment stated that they had a documentation procedure in place, not all documents had the
same format.
Then, the audit team conducted several interviews with Sinvestment's top management to
understand their role in the ISMS implementation. All activities of the stage 1 audit were performed
remotely, except the review of documented information, which took place on-site, as requested by
Sinvestment.
During this stage, the auditors found out that there was no documentation related to information
security training and awareness program. When asked, Sinvestment's representatives stated that the
company has provided information security training sessions to all employees. Stage 1 audit gave the
audit team a general understanding of Sinvestment's operations and ISMS.
The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the
marketing department (which was not included in the audit scope) had no procedures in place to
control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC
27001 requirements and was included in the information security policy of the company, the issue
was included in the audit report. In addition, during stage 2 audit, the audit team observed that
Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs
recording user activities should be retained and regularly reviewed," yet the company did not
present any evidence of the implementation of such procedure.
During all audit activities, the auditors used observation, interviews, documented information
review, analysis, and technical verification to collect information and evidence. All the audit findings
during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation
for certification.
According to scenario 6, the marketing department employees were not following the access control
policy. Which option is correct in this case?

Accepted Answer

B

Explanation: Even though the marketing department was not included in the audit scope, the issue of employees' access rights control must be communicated to Sinvestment's representatives and included in the audit report because it is part of Sinvestment’s information security policy. It reflects on the overall adherence to the ISMS requirements. Reference: ISO/IEC 27001:2013, Clause 9.2 (Internal audit)

Question 5

Which six of the following actions are the individual(s) managing the audit programme responsible for?

Accepted Answer

A, B, C, D, E, F

Explanation: According to ISO 19011:2018, which provides guidelines for auditing management systems, an audit programme is a set of one or more audits planned for a specific time frame and directed towards a specific purpose1. The individual(s) managing the audit programme are responsible for establishing, implementing and maintaining the audit programme in accordance with the organization’s policies and objectives1. This includes defining the extent of the audit programme based on strategic direction, risks and opportunities; establishing the audit programme by defining its objectives, scope and criteria; determining the resources necessary for the audit programme; selecting competent auditors and assigning them to appropriate audits; defining the objectives, scope and criteria for each individual audit; defining the plan of each individual audit; retaining documented information of the audit results; reviewing and improving the performance of the audit programme1. Therefore, these six actions are part of the responsibilities of the individual(s) managing the audit programme. The other option, communicating with the auditee during the audit, is not a responsibility of the individual(s) managing the audit programme, but rather a responsibility of the audit team leader1. Reference: ISO 19011:2018 - Guidelines for auditing management systems

Question 6

Scenario:
Northstorm is an online retail shop offering unique vintage and modern accessories. It initially
entered a small market but gradually grew thanks to the development of the overall e-commerce
landscape. Northstorm works exclusively online and ensures efficient payment processing, inventory
management, marketing tools, and shipment orders. It uses prioritized ordering to receive, restock,
and ship its most popular products.
Northstorm has traditionally managed its IT operations by hosting its website and maintaining full
control over its infrastructure, including hardware, software, and data administration. However, this
approach hindered its growth due to the lack of responsive infrastructure. Seeking to enhance its e-
commerce and payment systems, Northstorm opted to expand its in-house data centers, completing
the expansion in two phases over three months. Initially, the company upgraded its core servers,
point-of-sale, ordering, billing, database, and backup systems. The second phase involved improving
mail, payment, and network functionalities. Additionally, during this phase, Northstorm adopted an
international standard for personally identifiable information (PII) controllers and PII processors
regarding PII processing to ensure its data handling practices were secure and compliant with global
regulations.
Despite the expansion, Northstorm's upgraded data centers failed to meet its evolving business
demands. This inadequacy led to several new challenges, including issues with order prioritization.
Customers reported not receiving priority orders, and the company struggled with responsiveness.
This was largely due to the main server's inability to process orders from YouDecide, an application
designed to prioritize orders and simulate customer interactions. The application, reliant on
advanced algorithms, was incompatible with the new operating system (OS) installed during the
upgrade.
Faced with urgent compatibility issues, Northstorm quickly patched the application without proper
validation, leading to the installation of a compromised version. This security lapse resulted in the
main server being affected and the company's website going offline for a week. Recognizing the
need for a more reliable solution, the company decided to outsource its website hosting to an e-
commerce provider. The company signed a confidentiality agreement concerning product ownership
and conducted a thorough review of user access rights to enhance security before transitioning.
Based on Scenario 1, which international standard did Northstorm adopt during the second phase of
expansion?

Accepted Answer

A

Explanation: Comprehensive and Detailed In-Depth Northstorm adopted an international standard for Personally Identifiable Information (PII) controllers and PII processors to ensure its data handling practices were secure and compliant with global regulations. This aligns directly with ISO/IEC 27701, which extends ISO/IEC 27001 and ISO/IEC 27002 to cover Privacy Information Management Systems (PIMS), specifically addressing the protection of PII. A . ISO/IEC 27701 – Correct Answer. This standard is designed for organizations acting as PII controllers and processors and provides guidelines on privacy management, regulatory compliance, and data protection. B . ISO/IEC 27009 – Incorrect because this standard provides guidance on sector-specific requirements for ISMS, not privacy or PII protection. C . ISO/IEC 27003 – Incorrect because it provides general implementation guidance for ISMS, not specific controls for PII processing. This aligns with ISO/IEC 27001:2022 Annex A Control A.5.34 (Privacy and Protection of PII), which focuses on ensuring compliance with privacy regulations and implementing privacy-enhancing security measures.

Question 7

In the context of a third-party certification audit, confidentiality is an issue in an audit programme. Select two options which correctly state the function of confidentiality in an audit

Accepted Answer

C, D

Explanation: Confidentiality is one of the principles of audit conduct that auditors should adhere to when performing audits. Confidentiality means that auditors should exercise discretion in the use and protection of information acquired in the course of their duties3. Auditors should respect the intellectual property rights of the auditee and other parties involved in the audit, and should not disclose any information that is sensitive, proprietary, or confidential without prior approval from the auditee or other authorized parties3. Auditors should also obtain the auditee’s permission before using a camera or recording equipment during an audit, as these devices may capture confidential information or infringe on the privacy of individuals3. Therefore, these two options correctly state the function of confidentiality in an audit. The other options are either incorrect or irrelevant to confidentiality. For example, auditors are not forced by regulatory requirements to maintain confidentiality in an audit, but rather by ethical obligations and contractual agreements3. Observers in an audit team can access confidential information if they have signed a confidentiality agreement and have been authorized by the auditee3. Audit information can be used for improving personal competence by the auditor only if it does not compromise confidentiality or conflict with other interests3. As an auditor is always accompanied by a guide, there is still a risk to the auditee’s sensitive information if the guide is not trustworthy or authorized to access such information3. Reference: ISO 19011:2018 - Guidelines for auditing management systems

Question 8

You are performing an ISMS initial certification audit at a residential nursing home that provides
healthcare services. The next step in your audit plan is to conduct the closing meeting. During the
final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and
1 opportunity for improvement as below:
ISO-IEC-27001-Lead-Auditor practice exam questions

Select one option of the recommendation to the audit programme manager you are going to advise
to the auditee at the closing meeting.

Accepted Answer

C

Explanation: • Minor Nonconformities: The identified nonconformities are minor, meaning they don't pose a significant risk to the information security management system (ISMS). They are likely to be easily rectified with focused corrective actions. • Opportunity for Improvement: This is not a nonconformity but a suggestion for enhancing the ISMS. It doesn't require immediate corrective action but should be addressed in the organization's continual improvement efforts. • Initial Certification: As this is an initial certification audit, the organization is expected to demonstrate its commitment to addressing any gaps identified. A partial audit allows for a focused follow-up on the specific areas of nonconformity, ensuring they have been adequately addressed. Why other options are not suitable: • A . Recommend certification after your approval of the proposed corrective action plan: While certification is the goal, it's premature to recommend it before verifying the effectiveness of the corrective actions. • B . Recommend that a full scope re-audit is required within 6 months: This is too extensive for minor nonconformities. A full re-audit is usually reserved for major nonconformities or systemic issues. • D . Recommend that the findings can be closed out at a surveillance audit in 1 year: This is too long a timeframe for addressing the nonconformities. Prompt corrective action is necessary to demonstrate commitment to the ISMS. In summary, recommending a partial audit within 3 months strikes the right balance between allowing the organization time to implement corrective actions and ensuring timely verification of their effectiveness. This approach aligns with the principles of ISO 27001 and supports the organization's journey towards certification.

Question 9

Scenario 4: Branding is a marketing company that works with some of the most famous companies in
the US. To reduce internal costs. Branding has outsourced the software development and IT helpdesk
operations to Techvology for over two years. Techvology. equipped with the necessary expertise,
manages Branding's software, network, and hardware needs. Branding has implemented an
information security management system (ISMS) and is certified against ISO/IEC 27001,
demonstrating its commitment to maintaining high standards of information security. It actively
conducts audits on Techvology to ensure that the security of its outsourced operations complies with
ISO/IEC 27001 certification requirements.
During the last audit. Branding's audit team defined the processes to be audited and the audit
schedule. They adopted an evidence based approach, particularly in light of two information security
incidents reported by Techvology in the past year The focus was on evaluating how these incidents
were addressed and ensuring compliance with the terms of the outsourcing agreement
The audit began with a comprehensive review of Techvology's methods for monitoring the quality of
outsourced operations, assessing whether the services provided met Branding's expectations and
agreed-upon standards The auditors also verified whether Techvology complied with the contractual
requirements established between the two entities This involved thoroughly examining the terms
and conditions in the outsourcing agreement to guarantee that all aspects, including information
security measures, are being adhered to.
Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to
manage its outsourced operations and other organizations. This step is crucial for Branding to verify
that proper controls and oversight mechanisms are in place to mitigate potential risks associated
with the outsourcing arrangement.
The auditors conducted interviews with various levels of Techvology's personnel and analyzed the
incident resolution records. In addition, Techvology provided the records that served as evidence that
they conducted awareness sessions for the staff regarding incident management. Based on the
information gathered, they predicted that both information security incidents were caused by
incompetent personnel. Therefore, auditors requested to see the personnel files of the employees
involved in the incidents to review evidence of their competence, such as relevant experience,
certificates, and records of attended trainings.
Branding's auditors performed a critical evaluation of the validity of the evidence obtained and
remained alert for evidence that could contradict or question the reliability of the documented
information received. During the audit at Techvology, the auditors upheld this approach by critically
assessing the incident resolution records and conducting thorough interviews with employees at
different levels and functions. They did not merely take the word of Techvology's representatives for
facts; instead, they sought concrete evidence to support the representatives' claims about the
incident management processes.
Based on the scenario above, answer the following question:
According to Scenario 4, what type of audit evidence did the auditors collect to determine the source
of the information security incidents?

Accepted Answer

A

Explanation: Comprehensive and Detailed In-Depth A . Correct Answer: Auditors conducted interviews (verbal evidence) and analyzed incident resolution records, employee training logs, and governance policies (documentary evidence). ISO 19011:2018 (Clause 6.4.7) states that audit evidence can be verbal, documented, observed, or analytical. B . Incorrect: Confirmative evidence involves third-party validation, which was not explicitly mentioned. C . Incorrect: Mathematical analysis was not conducted in this audit. Relevant Standard Reference: ISO 19011:2018 Clause 6.4.7 (Audit Evidence Collection Methods)

Question 10

Select two of the following options that are the responsibility of a legal technical expert on the audit team during a certification audit.

Accepted Answer

Explanation: A legal technical expert (LTE) is a person who provides specific knowledge or expertise related to the legal aspects of the information security management system (ISMS) during a certification audit. The LTE is not an auditor, but a member of the audit team who supports the auditors in collecting and evaluating the audit evidence. The LTE is not responsible for evaluating the auditee’s legal knowledge, criticising the organisation’s legal compliance issues, or debating complex legal points with the auditee, as these tasks may be beyond the scope of the audit, or may compromise the objectivity and impartiality of the audit. The LTE is responsible for advising on legal checkpoints for the audit team, such as the applicable legal, regulatory, and contractual requirements, the relevant sources of information, the methods of verification, and the criteria of evaluation. The LTE is also responsible for verifying the legal status of the organisation, such as the registration, licensing, authorisation, or accreditation of the organisation, and the compliance with the relevant laws and regulations. Reference: What is the role of a technical expert in ISO audit? Roles, Responsibilities & Authorities for ISO 27001 5.3 Guide to Become an ISO 27001 Lead Auditor

Question 11

What is the difference between a restricted and confidential document?

Accepted Answer

B

Explanation: The difference between a restricted and confidential document is that a restricted document is to be shared among named individuals, while a confidential document is to be shared among an authorized group. Restricted and confidential are examples of information classification levels that indicate the sensitivity and value of information and the degree of protection required for it. Restricted documents contain information that could cause serious damage or harm to the organization or its stakeholders if disclosed to unauthorized persons. Therefore, they should only be accessed by specific individuals who have a legitimate need to know and are authorized by the information owner. Confidential documents contain information that could cause damage or harm to the organization or its stakeholders if disclosed to unauthorized persons. Therefore, they should only be accessed by a defined group of people who have a legitimate need to know and are authorized by the information owner. ISO/IEC 27001:2022 requires the organization to classify information in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification (see clause A.8.2.1). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Information Classification?

Question 12

When multiple offices of a certification body are involved, what must be ensured?

Accepted Answer

B

Explanation: Comprehensive and Detailed In-Depth B . Correct Answer: A single legally enforceable agreement must cover all sites included in the certification scope to ensure: Consistency in audit approach Legal clarity between all parties Global applicability for multinational companies A . Incorrect: Separate agreements for each office would create inconsistencies and legal complexities. C . Incorrect: All sites involved in certification must be covered by the agreement, not just the main office. Relevant Standard Reference: ISO/IEC 17021-1:2015 Clause 8.2.1 (Legally Enforceable Agreements for Certification)

Question 13

DRAG DROP
You are an experienced ISMS audit team leader providing instruction to an auditor in training. They
are unclear in their understanding of risk processes and ask you to provide them with an example of
each of the processes detailed below.
Match each of the descriptions provided to one of the following risk management processes.
To complete the table click on the blank section you want to complete so that it is highlighted in red,
and then click on the applicable text from the options below. Alternatively, you may drag and drop
each option to the appropriate blank section.
ISO-IEC-27001-Lead-Auditor practice exam questions

Accepted Answer

Explanation: https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/ISO-IEC-27001-LEAD-AUDITOR/page_49_img_2.jpg Risk analysis is the process by which the nature of the risk is determined along with its probability and impact. Risk analysis involves estimating the likelihood and consequences of potential events or situations that could affect the organization’s information security objectives or requirements12. Risk analysis could use qualitative or quantitative methods, or a combination of both12. Risk management is the process by which a risk is controlled at all stages of its life cycle by means of the application of organisational policies, procedures and practices. Risk management involves establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing the risks that could affect the organization’s information security performance or compliance12. Risk management aims to ensure that risks are identified and treated in a timely and effective manner, and that opportunities for improvement are exploited12. Risk identification is the process by which a risk is recognised and described. Risk identification involves identifying and documenting the sources, causes, events, scenarios, and potential impacts of risks that could affect the organization’s information security objectives or requirements12. Risk identification could use various techniques, such as brainstorming, interviews, checklists, surveys, or historical data12. Risk evaluation is the process by which the impact and/or probability of a risk is compared against risk criteria to determine if it is tolerable. Risk evaluation involves comparing the results of risk analysis with predefined criteria that reflect the organization’s risk appetite, tolerance, or acceptance12. Risk evaluation could use various methods, such as ranking, scoring, or matrix12. Risk evaluation helps to prioritize and decide on the appropriate risk treatment options12. Risk mitigation is the process by which the impact and/or probability of a risk is reduced by means of the application of controls. Risk mitigation involves selecting and implementing measures that are designed to prevent, reduce, transfer, or accept risks that could affect the organization’s information security objectives or requirements12. Risk mitigation could include various types of controls, such as technical, organizational, legal, or physical12. Risk mitigation should be based on a cost-benefit analysis and a residual risk assessment12. Risk transfer is the process by which a risk is passed to a third party, for example through obtaining appropriate insurance. Risk transfer involves sharing or shifting some or all of the responsibility or liability for a risk to another party that has more capacity or capability to manage it12. Risk transfer could include various methods, such as contracts, agreements, partnerships, outsourcing, or insurance12. Risk transfer should not be used as a substitute for effective risk management within the organization12. Reference := ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements ISO/IEC 27005:2022 Information technology — Security techniques — Information security risk management

Question 14

DRAG DROP
You have just completed a scheduled information security audit of your organisation when the IT
Manager approaches you and asks for your assistance in the revision of the company's risk
management process.
He is attempting to update the current documentation to make it easier for other managers to
understand, however, it is clear from your discussion he is confusing several key terms.
You ask him to match each of the descriptions with the appropriate risk term. What should the
correct answers be?
ISO-IEC-27001-Lead-Auditor practice exam questions

Accepted Answer

Explanation: The correct answers for matching each of the descriptions with the appropriate risk term are: The strategy chosen to respond to a specific information security risk: This is a definition of information security risk treatment. According to ISO/IEC 27000:2022, information security risk treatment is “the process of selecting and implementing measures to modify the information security risk” Section 3.33. The effect of uncertainty on information security objectives: This is a definition of information security risk. According to ISO/IEC 27000:2022, information security risk is “the effect of uncertainty on information security objectives” Section 3.32. The requirements against which information security risks are evaluated: This is a definition of information security risk criteria. According to ISO/IEC 27000:2022, information security risk criteria are “the terms of reference by which the significance of information security risks is assessed” Section 3.31. A definition of the overall level of information security risk that is considered to be tolerable: This is a definition of information security risk acceptance criteria. According to ISO/IEC 27000:2022, information security risk acceptance criteria are “the level of information security risk that is acceptable” Section 3.30.

Question 15

DRAG DROP
As the ISMS audit team leader, you are conducting a second-party audit of an international logistics
company on behalf of an online retailer. During the audit, one of your team members reports a
nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She
found evidence that removing the server access protocols of 20 people who left in the last 3 months
took up to 1 week whereas the policy required removing access within 24 hours of their departure.
Complete the sentence with the best word(s), dick on the blank section you want to complete so that
it is highlighted in red, and then click on the applicable text from the options below. Alternatively,
you may drag and drop the option to the appropriate blank section.
ISO-IEC-27001-Lead-Auditor practice exam questions

Accepted Answer

Explanation: The purpose of including access rights in an information management system to ISO/IEC 27001:2022 is to provide, review, modify and remove these permissions in accordance with the organisation’s policy and rules for access control. Access rights are the permissions granted to users or groups of users to access, use, modify, or delete information assets. Access rights should be aligned with the organisation’s access control policy, which defines the objectives, principles, roles, and responsibilities for managing access to information systems. Access rights should also follow the organisation’s rules for access control, which specify the criteria, procedures, and controls for granting, reviewing, modifying, and revoking access rights. The purpose of including access rights in an information management system is to ensure that only authorised users can access information assets according to their business needs and roles, and to prevent unauthorised or inappropriate access that could compromise the confidentiality, integrity, or availability of information assets. Reference: ISO/IEC 27001:2022 Annex A Control 5.181 ISO/IEC 27002:2022 Control 5.182 CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Training Course3

Free PECB ISO-IEC-27001-Lead-Auditor Actual Exam Questions