PECB ISO-IEC-27001-Lead-Auditor Dumps - The Sure Way To Pass Exam
ISO-IEC-27001-Lead-Auditor Exam Questions (Updated 2024) 100% Real Question Answers
The PECB ISO-IEC-27001-Lead-Auditor exam leads to an internationally recognized certification that validates a professional's expertise in auditing and managing information security management systems based on the ISO/IEC 27001 standard. The PECB Certified ISO/IEC 27001 Lead Auditor certification is suitable for professionals who want to pursue a career in information security management, audit, or compliance. The ISO-IEC-27001-Lead-Auditor exam covers various topics related to information security management, including risk management, control objectives, audit techniques, and compliance with legal and regulatory requirements.
NEW QUESTION # 112
Which of the following does an Asset Register contain? (Choose two)
- A. Asset Owner
- B. Process ID
- C. Asset Modifier
- D. Asset Type
Answer: A,D
NEW QUESTION # 113
You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.
You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".
You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.
You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.
- A. Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)
- B. Collect more evidence on what the service requirements of healthcare monitoring are. (Relevant to clause 4.2)
- C. Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8)
- D. Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)
- E. Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26)
- F. Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27)
- G. Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26)
Answer: A,B
Explanation:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.2 requires an organization to determine the needs and expectations of interested parties that are relevant to its ISMS [1]. This includes identifying the legal, regulatory, contractual and other requirements that apply to its information security activities [1]. Therefore, collecting more evidence on what the service requirements of healthcare monitoring are may not be relevant to verifying the information security incident management process, as it is not directly related to the audit objective or criteria. This option will not be in the audit trail.
NEW QUESTION # 114
Which three of the following options are an advantage of using a sampling plan for the audit?
- A. Misses key issues
- B. Use of the plan for consecutive audits
- C. Overrules the auditor's instincts
- D. Implements the audit plan efficiently
- E. Provides a suitable understanding of the ISMS
- F. Gives confidence in the audit results
Answer: D,E,F
Explanation:
According to ISO 19011:2018, which provides guidelines for auditing management systems, a sampling plan is a method for selecting a representative subset of the audit evidence from a defined population [1]. A sampling plan can have several advantages for the audit, such as providing a suitable understanding of the ISMS by covering its key processes, activities, and controls; implementing the audit plan efficiently by optimizing the use of time and resources; and giving confidence in the audit results by ensuring that the sample is sufficient, reliable, and unbiased [1]. Therefore, these three options are examples of advantages of using a sampling plan for the audit. The other options are not advantages, but rather disadvantages or risks of using a sampling plan. For example, overruling the auditor's instincts may lead to missing important evidence or issues that are not covered by the sampling plan; using the same plan for consecutive audits may reduce the effectiveness and validity of the audit results; and missing key issues may result from an inadequate or inappropriate sampling plan [1]. Reference: [1] ISO 19011:2018 - Guidelines for auditing management systems
NEW QUESTION # 115
Do security staff have the right to ask you to display your ID badge and check your bags?
- A. True
- B. False
Answer: A
NEW QUESTION # 116
Which one of the following options is the definition of an interested party?
- A. A group or organisation that can interfere in or perceive itself to be interfered with by a management decision
- B. A third party can appeal to an organisation when it perceives itself to be affected by a decision or activity
- C. An individual or organisation that can control, be controlled by, or perceive itself to be controlled by a decision or activity
- D. A person or organisation that can affect, be affected by or perceive itself to be affected by a decision or activity
Answer: D
Explanation:
This is the definition of an interested party according to ISO 27001:2013, clause 3.16. An interested party is essentially a stakeholder, i.e., a person or organization that can influence or be influenced by the information security management system (ISMS) or its activities. Interested parties can have different needs and expectations regarding the ISMS, and these should be identified and addressed by the organization.
References:
* ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, clause 3.16
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 10
* Identifying interested parties and their expectations for an ISO 27001 ISMS
* Examples of ISO 27001 interested parties
NEW QUESTION # 117
As a new member of the IT department you have noticed that confidential information has been leaked several times. This may damage the reputation of the company. You have been asked to propose an organisational measure to protect laptop computers. What is the first step in a structured approach to come up with this measure?
- A. Encrypt all sensitive information
- B. Set up an access control procedure
- C. Appoint security staff
- D. Formulate a policy
Answer: D
Explanation:
An organisational measure is a measure that involves the establishment of policies, procedures, roles, responsibilities, and structures to manage information security within an organization. Examples of organisational measures include security policies, awareness programs, risk assessments, audits, and incident response plans. A policy is a statement of intent or direction that provides guidance for decision making and actions within an organization. A policy defines the scope, objectives, principles, and roles for information security management. Therefore, formulating a policy is the first step in a structured approach to come up with an organisational measure to protect laptop computers. References: ISO/IEC 27000:2022, clause 3.47; ISO/IEC 27001:2022, clause 5.2.
NEW QUESTION # 118
The computer room is protected by a pass reader. Only the System Management department has a pass.
What type of security measure is this?
- A. a repressive security measure
- B. a physical security measure
- C. a corrective security measure
- D. a logical security measure
Answer: B
Explanation:
A physical security measure is a measure that protects information and information processing facilities from physical threats and hazards, such as fire, flood, earthquake, theft, vandalism, etc. Physical security measures include locks, alarms, fences, cameras, fire extinguishers, ventilation systems, etc. The computer room is protected by a pass reader that only allows authorized personnel from the System Management department to access it. This is an example of a physical security measure, because it prevents unauthorized physical access to the computer room and its contents. ISO/IEC 27001:2022 requires the organization to implement physical and environmental security controls to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities (see clause A.11). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Physical Security?
NEW QUESTION # 119
What is a reason for the classification of information?
- A. Creating a manual describing the BYOD policy
- B. To provide clear identification tags
- C. To structure the information according to its sensitivity
Answer: C
Explanation:
The reason for the classification of information is to structure the information according to its sensitivity. Information classification is a process of assigning categories or labels to information based on its value, sensitivity, criticality and legal requirements. Information classification helps to determine the appropriate level of security controls and handling procedures for different types of information. Information classification also facilitates the communication of information security requirements and expectations among internal and external parties. ISO/IEC 27001:2022 requires the organization to classify information in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification (see clause A.8.2.1). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Data Classification?
NEW QUESTION # 120
You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services.
You find that all nursing home residents wear an electronic wristband at all times for monitoring their location, heartbeat, and blood pressure. You learn that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.
To verify the scope of ISMS, you interview the management system representative (MSR) who explains that the ISMS scope covers an outsourced data center.
Select three options for the audit evidence you need to find to verify the scope of the ISMS.
- A. The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located
- B. The auditee has identified the governmental authorities' needs and expectations on healthcare services and patient data handling
- C. The auditee has identified the resident's needs and expectations on the facility and environmental safety
- D. The auditee is considering the purchase of a healthcare monitoring app from an external software company
- E. The auditee has identified the resident's needs and expectations on healthcare medical treatment services
- F. The auditee has identified the resident's needs and expectations on the comfort facility, medical professional's competence, and clean environment
- G. The auditee has identified the resident's needs and expectations on how they should protect the resident's personal data
- H. The auditee has ISO 9001 certification
Answer: A,B,G
Explanation:
According to ISO 27001:2022 clause 4.3, the organisation shall determine the scope of the information security management system (ISMS) by considering the internal and external issues, the requirements of interested parties, and the interfaces and dependencies with other organisations [1][2]. In this case, the ISMS scope covers an outsourced data center that hosts the artificial intelligence (AI) cloud server for healthcare monitoring and analysis of the residents' data. Therefore, the audit evidence you need to find to verify the scope of the ISMS should include:
* The auditee has identified the governmental authorities' needs and expectations on healthcare services and patient data handling. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to comply with the relevant laws and regulations regarding the quality, safety, and privacy of healthcare services and patient data [1][2].
* The auditee has identified the resident's needs and expectations on how they should protect the resident's personal data. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to ensure the confidentiality, integrity, and availability of the resident's personal data that is collected, processed, and stored by the electronic wristband and the AI cloud server [1][2].
* The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located. This is an interface and dependency with another organisation that affects the ISMS scope, as the auditee has to control the externally provided processes, products, and services that are relevant to the ISMS, and to implement appropriate contractual requirements related to information security [1][2].
The following options are not relevant or sufficient for verifying the scope of the ISMS:
* The auditee has identified the resident's needs and expectations on the facility and environmental safety. This is an external issue and an interested party requirement, but it does not affect the ISMS scope, as it is not related to information security [1][2].
* The auditee has ISO 9001 certification. This is an indication of the auditee's quality management system, but it does not verify the scope of the ISMS, as it is not related to information security [1][2].
* The auditee has identified the resident's needs and expectations on the comfort facility, medical professional's competence, and clean environment. These are external issues and interested party requirements, but they do not affect the ISMS scope, as they are not related to information security [1][2].
* The auditee has identified the resident's needs and expectations on healthcare medical treatment services. These are external issues and interested party requirements, but they do not verify the scope of the ISMS, as they are not specific to information security [1][2].
* The auditee is considering the purchase of a healthcare monitoring app from an external software company. This is a potential change that may affect the ISMS scope in the future, but it does not verify the current scope of the ISMS, as it is not yet implemented or controlled [1][2].
References:
* [1] ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training
* [2] ISO/IEC 27001 Lead Auditor Training Course by PECB
NEW QUESTION # 121
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items, with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses on a single package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity against ISO 27001:2022 based on the lack of control of the labelling process.
At the closing meeting, the Shipping Manager issues an apology to you that his comments may have been misunderstood. He says that he did not realise that there is a background IT process that automatically checks that the right label goes onto the right parcel otherwise the parcel is ejected at labelling. He asks that you withdraw your nonconformity.
Select three options of the correct responses that you as the audit team leader would make to the request of the Shipping Manager.
- A. Advise management that the new information provided will be discussed when the auditors have more time
- B. Ask the audit team members to state what they think should happen
- C. Advise the Shipping Manager that his request will be included in the audit report
- D. Indicate that the nonconformity is evidence of a deeper system failure that needs to be rectified
- E. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed
- F. Inform him of your understanding and withdraw the nonconformity
- G. Advise the Shipping Manager that the nonconformity must stand since the evidence obtained for it was clear
- H. Inform the Shipping Manager that the nonconformity is minor and should be quickly corrected
Answer: A,C,E
Explanation:
* C. Advise the Shipping Manager that his request will be included in the audit report. This is true because the audit report should document all the relevant information and evidence related to the audit, including any requests or objections raised by the auditee. The audit report should also provide the rationale for the audit conclusions and recommendations [1][2].
* A. Advise management that the new information provided will be discussed when the auditors have more time. This is true because the auditors should not make hasty decisions based on incomplete or unverified information. The auditors should review and evaluate the new information in a systematic and objective manner, and determine whether it affects the audit findings, nonconformities, or conclusions [1][2].
* E. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed. This is true because the auditors should acknowledge and appreciate the cooperation and transparency of the auditee, but also maintain their professional integrity and independence. The auditors should not withdraw a nonconformity unless they are satisfied that it was raised in error or that it has been effectively corrected and verified [1][2].
References:
* [1] ISO 19011:2022 Guidelines for auditing management systems
* [2] ISO/IEC 17021-1:2022 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements
NEW QUESTION # 122
The following are purposes of Information Security, except:
- A. Increase Business Assets
- B. Ensure Business Continuity
- C. Minimize Business Risk
- D. Maximize Return on Investment
Answer: A
Explanation:
The following are purposes of information security, except increasing business assets. Increasing business assets is not a purpose of information security, as it is not directly related to protecting information and systems from threats and risks. Information security may contribute to increasing business assets by enhancing customer trust, reputation, compliance, and efficiency, but it is not its primary goal. Ensuring business continuity is a purpose of information security, as it aims to prevent or minimize disruptions or losses caused by incidents affecting information and systems. Minimizing business risk is a purpose of information security, as it aims to identify and reduce threats and vulnerabilities that may compromise information and systems. Maximizing return on investment is a purpose of information security, as it aims to optimize the costs and benefits of implementing and maintaining information security controls and measures. Reference: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 23; ISO/IEC 27001 Brochures | PECB, page 4.
NEW QUESTION # 123
You receive the following mail from the IT support team:
Dear User,
Starting next week, we will be deleting all inactive email accounts in order to create space. Share the below details in order to continue using your account. In case of no response,
Name:
Email ID:
Password:
DOB:
Kindly contact the webmail team for any further support. Thanks for your attention.
Which of the following is the best response?
- A. One should not respond to these mails and report such email to your supervisor
- B. Ignore the email
- C. Respond it by saying that one should not share the password with anyone
Answer: A
NEW QUESTION # 124
You are an experienced ISMS audit team leader, talking to an Auditor in training who has been assigned to your audit team. You want to ensure that they understand the importance of the Check stage of the Plan-Do-Check-Act cycle in respect of the operation of the information security management system.
You do this by asking him to select the words that best complete the sentence:
To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.
Answer:
Explanation:
Review is the third stage of the Plan-Do-Check-Act (PDCA) cycle, which is a four-step model for implementing and improving an information security management system (ISMS) according to ISO/IEC 27001:2022 [1][2]. Review involves assessing and measuring the performance of the ISMS against the established policies, objectives, and criteria [1][2].
Assess is the verb that describes the action of reviewing the ISMS. Assess means to evaluate, analyze, or measure something in a systematic and objective manner [3]. Assessing the ISMS involves collecting and verifying audit evidence, identifying strengths and weaknesses, and determining the degree of conformity or nonconformity [1][2].
Regular is the adjective that describes the frequency or interval of reviewing the ISMS. Regular means occurring or done at fixed or uniform intervals [4]. Reviewing the ISMS at regular intervals means conducting internal audits and management reviews periodically, such as annually, quarterly, or monthly, depending on the needs and risks of the organization [1][2].
Suitability is one of the attributes that describes the quality or outcome of reviewing the ISMS. Suitability means being appropriate or fitting for a particular purpose, person, or situation [5]. Reviewing the ISMS for suitability means ensuring that it is aligned with the organization's strategic direction, business objectives, and information security requirements [1][2].
References:
* [1] ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements
* [2] ISO/IEC 27003:2022 Information technology - Security techniques - Information security management systems - Guidance
* [3] Assess | Definition of Assess by Merriam-Webster
* [4] Regular | Definition of Regular by Merriam-Webster
* [5] Suitability | Definition of Suitability by Merriam-Webster
NEW QUESTION # 125
In the event of an Information security incident, system users' roles and responsibilities are to be observed, except:
- A. Cooperate with investigative personnel during investigation if needed
- B. Report suspected or known incidents upon discovery through the Servicedesk
- C. Make the information security incident details known to all employees
- D. Preserve evidence if necessary
Answer: C
NEW QUESTION # 126
The data center at which you work is currently seeking ISO/IEC27001:2022 certification. In preparation for your initial certification visit a number of internal audits have been carried out by a colleague working at another data centre within your Group. They secured their ISO/IEC 27001:2022 certificate earlier in the year.
You have just qualified as an Internal ISMS auditor and your manager has asked you to review the audit process and audit findings as a final check before the external Certification Body arrives.
Which six of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements?
- A. The audit programme shows management reviews taking place at irregular intervals during the year
- B. The audit process states the results of audits will be made available to 'relevant' managers, not top management
- C. Audit reports are not held in hardcopy (i.e. on paper). They are only stored as PDF documents on the organisation's intranet
- D. Top management commitment to the ISMS will not be audited before the certification visit, according to the audit programme
- E. The audit programme does not take into account the relative importance of information security processes
- F. The audit programme does not take into account the results of previous audits
- G. The audit programme does not reference audit methods or audit responsibilities
- H. Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date
- I. The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022
- J. Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes
Answer: A,D,E,F,H,J
Explanation:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 9.3 requires top management to review the organization's ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness [1]. Clause 9.2 requires the organization to conduct internal audits at planned intervals to provide information on whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022, and is effectively implemented and maintained [1]. Therefore, when reviewing the audit process and audit findings as a final check before the external certification body arrives, an internal ISMS auditor should verify that these clauses are met in accordance with the audit criteria.
Six of the following statements would cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:
* The audit programme shows management reviews taking place at irregular intervals during the year: This statement would cause concern because it implies that the organization is not conducting management reviews at planned intervals, as required by clause 9.3. This may affect the ability of top management to ensure the continuing suitability, adequacy and effectiveness of the ISMS.
* The audit programme does not take into account the relative importance of information security processes: This statement would cause concern because it implies that the organization is not applying a risk-based approach to determine the audit frequency, methods, scope and criteria, as recommended by ISO 19011:2018, which provides guidelines for auditing management systems [2]. This may affect the ability of the organization to identify and address the most significant risks and opportunities for its ISMS.
* Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date: This statement would cause concern because it implies that the organization is not establishing audit criteria for each internal audit, as required by clause 9.2. Audit criteria are the set of policies, procedures or requirements used as a reference against which audit evidence is compared [2]. Without audit criteria, it is not possible to determine whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022.
* Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes: This statement would cause concern because it implies that the organization is not evaluating the effectiveness of ISMS processes, as required by clause 9.1. Effectiveness is the extent to which planned activities are realized and planned results achieved [2]. Efficiency is the relationship between the result achieved and the resources used [2]. Both aspects are important for measuring and evaluating ISMS performance and improvement.
* The audit programme does not take into account the results of previous audits: This statement would cause concern because it implies that the organization is not using the results of previous audits as an input for planning and conducting subsequent audits, as recommended by ISO 19011:2018 [2]. This may affect the ability of the organization to identify and address any recurring or unresolved issues or nonconformities related to its ISMS.
* Top management commitment to the ISMS will not be audited before the certification visit, according to the audit programme: This statement would cause concern because it implies that the organization is not verifying that top management demonstrates leadership and commitment with respect to its ISMS, as required by clause 5.1. This may affect the ability of top management to ensure that the ISMS policy and objectives are established and compatible with the strategic direction of the organization; that roles, responsibilities and authorities for relevant roles are assigned and communicated; that resources needed for the ISMS are available; that communication about information security matters is established; that continual improvement of the ISMS is promoted; that other relevant management reviews are aligned with those of information security; and that support is provided to other relevant roles [1].
The other statements would not cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:
* Audit reports are not held in hardcopy (i.e. on paper). They are only stored as PDF documents on the organisation's intranet: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific format or media for documenting or storing audit reports, as long as they are controlled according to clause 7.5.
* The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for auditor independence, as long as the audit is conducted objectively and impartially, in accordance with ISO 19011:2018 [2].
* The audit programme does not reference audit methods or audit responsibilities: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific requirement for referencing audit methods or audit responsibilities in the audit programme, as long as they are defined and documented according to ISO 19011:2018 [2].
* The audit process states the results of audits will be made available to 'relevant' managers, not top management: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. Clause 9.2.2 requires the results of audits to be reported to relevant management, and clause 9.3 requires them to be used as an input to management review; the standard does not require every audit result to be sent directly to top management.
References: ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements; ISO 19011:2018 - Guidelines for auditing management systems.
NEW QUESTION # 127
Which of the following is a technical security measure?
- A. Security policy
- B. Safe storage of backups
- C. User role profiles.
- D. Encryption
Answer: D
Explanation:
A technical security measure is a measure that uses technology to protect information assets from unauthorized access, modification, disclosure, or destruction. Examples of technical security measures include encryption, firewalls, antivirus software, authentication systems, and access control mechanisms. Encryption is a technical security measure that transforms information into an unreadable format using a secret key and an algorithm, so that only a party holding the key can recover it. Encryption protects the confidentiality of information; combined with an authentication tag (authenticated encryption) it also protects integrity, because any alteration of the ciphertext is detected. It does not protect availability: if the key is lost, the data is lost with it, which is why key management and backups matter. A security policy (A) is an organisational measure, safe storage of backups (B) is largely a physical measure, and user role profiles (C) are an organisational/administrative measure. Therefore, encryption is the correct answer to this question. Reference: ISO/IEC 27000:2022, clause 3.48; ISO/IEC 27002:2022, clause 10.1.
NEW QUESTION # 128
What type of system ensures a coherent Information Security organisation?
- A. Information Technology Service Management System (ITSM)
- B. Information Security Management System (ISMS)
- C. Information Exchange Data System (IEDS)
- D. Federal Information Security Management Act (FISMA)
Answer: B
Explanation:
An Information Security Management System (ISMS) is a systematic approach to managing the security of information assets within an organization. It consists of the policies, processes, roles and controls through which the organization establishes, implements, maintains and continually improves its information security, and it is the framework that ties these elements together into a coherent information security organisation. An IT service management system (A) manages IT services rather than information security as such, FISMA (D) is a United States federal law rather than a management system, and option C is not a recognised management system. Therefore, the correct answer is B. References: ISO/IEC 27000:2022, clause 3.24; ISO/IEC 27001:2022, clause 4.
NEW QUESTION # 129
Availability means
- A. Service should be accessible at the required time and usable by all
- B. Service should not be accessible when required
- C. Service should be accessible at the required time and usable only by the authorized entity
Answer: C
Explanation:
Availability means that a service should be accessible at the required time and usable only by the authorized entity; ISO/IEC 27000 defines it as the property of being accessible and usable on demand by an authorized entity. Availability is one of the three main objectives of information security, along with confidentiality and integrity. It ensures that information and systems are not disrupted or denied by unauthorized actions or events, without opening them to everyone (which rules out option A). References: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24; ISO/IEC 27001 Brochures | PECB, page 4.
NEW QUESTION # 130
The computer room is protected by a pass reader. Only the System Management department has a pass.
What type of security measure is this?
- A. a repressive security measure
- B. a physical security measure
- C. a corrective security measure
- D. a logical security measure
Answer: B
Explanation:
A physical security measure is a measure that protects information and information processing facilities from physical threats and hazards, such as fire, flood, earthquake, theft, vandalism, etc. Physical security measures include locks, alarms, fences, cameras, fire extinguishers, ventilation systems, etc. The computer room is protected by a pass reader that only allows authorized personnel from the System Management department to enter. This is a physical security measure, because it prevents unauthorized physical access to the computer room and its contents; it is preventive rather than repressive or corrective, and it controls entry to a room rather than access to a system, so it is not a logical measure. ISO/IEC 27001:2022 requires the organization to implement the physical controls of Annex A (section A.7, Physical controls) to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course; ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements; What is Physical Security?
NEW QUESTION # 131
Select a word from the following options that best completes the sentence:
To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.
Answer:
Explanation:
The purpose of a management system audit is to evaluate the performance of an organization's management system.
A management system audit is an independent and systematic analysis and evaluation of a company's overall activities and performance. It is a valuable tool used to determine the efficiency, functions, accomplishments and achievements of the company. A management system audit can be conducted against a range of audit criteria, including (but not limited to) requirements set out in existing ISO standards.
According to ISO 19011:2018, which provides guidelines for auditing management systems, the purpose of an audit is to enable the auditor to provide an audit conclusion that is related to the audit objectives. The audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system.
Therefore, the correct answer is evaluate, as it best describes the purpose of a management system audit. The other options are not correct because they are not specific enough or do not reflect the intended outcome of an audit. For example, improve implies that the audit itself will enhance the performance of the management system, which is not necessarily true. Manage implies that the audit will control or direct the management system, which is not its role. Research implies that the audit will generate new knowledge or information about the management system, which is not its primary aim.
NEW QUESTION # 132
In order to take out a fire insurance policy, an administration office must determine the value of the data that it manages.
Which factor is [b]not[/b] important for determining the value of data for an organization?
- A. The degree to which missing, incomplete or incorrect data can be recovered.
- B. The importance of the business processes that make use of the data.
- C. The content of data.
- D. The indispensability of data for the business processes.
Answer: C
Explanation:
The content of data is not an important factor for determining the value of data for an organization. The content of data refers to what the data actually says and the representation or format in which it is held, such as text, numbers, images, audio or video. That representation can change depending on how the data is processed, stored or presented, whereas the value of data is derived from how much the organization depends on it. The content therefore does not, by itself, tell the insurer or the organization what loss would be suffered if the data were destroyed by fire. The other factors, the degree to which missing, incomplete or incorrect data can be recovered, the indispensability of the data for the business processes, and the importance of the business processes that use the data, do determine that value: they indicate how critical the data is to the organization's operations, performance and competitiveness, and how difficult or costly it would be to restore or replace the data in case of a fire. Therefore, the correct answer is C. References: Putting a value on data - PwC UK, page 3; What is Data Value? How to Define the Value of Your Data.
NEW QUESTION # 133
During a third-party certification audit, you are presented with a list of issues by an auditee. Which four of the following constitute 'internal' issues in the context of a management system to ISO 27001:2022?
- A. Inability to source raw materials due to government sanctions
- B. Higher labour costs as a result of an aging population
- C. A reduction in grants as a result of a change in government policy
- D. A rise in interest rates in response to high inflation
- E. Poor levels of staff competence as a result of cuts in training expenditure
- F. A fall in productivity linked to outdated production equipment
- G. Poor morale as a result of staff holidays being reduced
- H. Increased absenteeism as a result of poor management
Answer: E,F,G,H
NEW QUESTION # 134
The following are the guidelines to protect your password, except:
- A. For easy recall, use the same password for company and personal accounts
- B. Do not share passwords with anyone
- C. Don't use the same password for various company system security access
- D. Change a temporary password on first log-on
Answer: A
Explanation:
Options B, C and D are all guidelines to protect your password; option A is the exception. Using the same password for company and personal accounts is not a guideline to protect your password: it increases the risk that a breach of one account (typically a personal account on a third-party site) hands an attacker your company credentials. You should use a different and unique password for each account. "Do not share passwords with anyone" is a guideline, because a shared password removes both secrecy and accountability; keep your password confidential and never disclose it to anyone, even someone who claims to be authorized or trustworthy. "Don't use the same password for various company system security access" is a guideline, because it limits the damage if one system is compromised or breached to that system alone; use a different password for each system and follow the organization's password policies and standards. "Change a temporary password on first log-on" is a guideline, because a temporary password issued by the helpdesk may have been intercepted or leaked in transit; replace it with a personal, secure password as soon as possible and avoid default or predictable values. References: CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 43; [ISO/IEC 27001 LEAD AUDITOR - PECB], page 15.
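The guidelines above are usually enforced by the systems themselves rather than left to users. The following is an added example, not from the page or from PECB, of a hypothetical password-change handler that rejects a new password when it equals the temporary one, when it appears in the user's recent history, or when the same user already uses it on another company system, and that forces a change at first logon while a temporary password is in place. Passwords are never kept in clear: each one survives only as a salted scrypt hash, and every comparison is constant-time. The class names, the history depth, the scrypt parameters and the sample account data are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Added example (not from the page). Hypothetical password-change checks that
# implement the guidelines in code. scrypt parameters are modest so the example
# runs quickly; raise N for production and tune to your hardware.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
HISTORY_DEPTH = 5  # assumed: how many previous passwords may not be reused


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    must_change: bool = False  # True for a temporary password issued by the helpdesk

    @classmethod
    def create(cls, password: str, temporary: bool = False) -> "Credential":
        salt = os.urandom(16)  # per-credential salt: equal passwords hash differently
        return cls(salt, _hash(password, salt), temporary)

    def verify(self, password: str) -> bool:
        # Constant-time comparison so timing does not leak how close a guess was.
        return hmac.compare_digest(_hash(password, self.salt), self.digest)


@dataclass
class Account:
    current: Credential
    history: list = field(default_factory=list)  # previous Credentials, newest first


def change_password(account: Account, old_password: str, new_password: str,
                    other_systems: dict) -> list:
    """Apply the change if no guideline is violated; return the list of violations.

    `other_systems` maps a system name to that system's Credential for the same
    user (assumed to be available to a central identity service), so reusing one
    password across company systems can be rejected without storing any plaintext.
    """
    if not account.current.verify(old_password):
        return ["current password incorrect"]
    violations = []
    if account.current.verify(new_password):
        violations.append("new password equals the current (or temporary) password")
    if any(cred.verify(new_password) for cred in account.history):
        violations.append(f"password was used within the last {HISTORY_DEPTH} changes")
    reused_on = sorted(name for name, cred in other_systems.items() if cred.verify(new_password))
    if reused_on:
        violations.append("password already used on: " + ", ".join(reused_on))
    if violations:
        return violations
    # Accept: retire the old credential into a bounded history and clear must_change.
    account.history = [account.current] + account.history[:HISTORY_DEPTH - 1]
    account.current = Credential.create(new_password)
    return []


def login(account: Account, password: str) -> str:
    """Return 'ok', 'change-required' (temporary password still in use) or 'denied'."""
    if not account.current.verify(password):
        return "denied"
    return "change-required" if account.current.must_change else "ok"


if __name__ == "__main__":
    # Constructed scenario: helpdesk issues a temporary password; the user also
    # has a VPN account on another company system.
    acct = Account(current=Credential.create("Welcome-2024!", temporary=True))
    other = {"vpn": Credential.create("Summer2024$")}
    print(login(acct, "Welcome-2024!"))                                   # change-required
    print(change_password(acct, "Welcome-2024!", "Summer2024$", other))   # reused on vpn
    print(change_password(acct, "Welcome-2024!", "correct horse battery", other))  # []
    print(login(acct, "correct horse battery"))                           # ok
```

Because the history holds hashes rather than passwords, the reuse check costs one scrypt computation per stored entry; bounding the history (here to five) keeps that cost predictable and limits what an attacker who steals the table can learn.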
NEW QUESTION # 135
PECB ISO-IEC-27001-Lead-Auditor (PECB Certified ISO/IEC 27001 Lead Auditor) Exam is an internationally recognized certification that attests to the competence of individuals in performing audits of information security management systems (ISMS) based on the ISO/IEC 27001 standard. PECB Certified ISO/IEC 27001 Lead Auditor exam certification is issued by the Professional Evaluation and Certification Board (PECB), a global provider of training, examination, and certification services in various fields, including information security.
The ISO/IEC 27001 lead auditor certification is designed to help individuals develop the skills and knowledge needed to effectively audit an organization's information security management system (ISMS). PECB Certified ISO/IEC 27001 Lead Auditor exam certification is based on the ISO/IEC 27001 standard, which is an international standard that outlines the requirements for an ISMS. PECB Certified ISO/IEC 27001 Lead Auditor exam certification covers a range of topics, including risk management, information security controls, and auditing techniques.
Pass PECB ISO-IEC-27001-Lead-Auditor Exam Quickly With Prep4pass: https://www.prep4pass.com/ISO-IEC-27001-Lead-Auditor_exam-braindumps.html
Prepare ISO-IEC-27001-Lead-Auditor Question Answers - ISO-IEC-27001-Lead-Auditor Exam Dumps: https://drive.google.com/open?id=1uN3MVBnc8rOEMdqyeAe-kYbxeSfdKN1H
