ISO-IEC-27001-Lead-Auditor Exam Dumps - PECB ISO 27001 Questions and Answers

Question # 24

As the Information Security Management System audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.

When the auditee was asked why there was a delay in removing access they replied, 'no one was available in the IT department during that period as a result of COVID-19. As soon as an IT officer became available the rights were removed.

You note that she intends to raise a minor non-conformity against Access rights control (5.18). How should you respond to this?

Options:

Agree with the raising of a minor non-conformity but against control 5.15, not 5.18.

Agree with the raising of the minor non-conformity against 5.18.

Disagree with the raising of a minor conformity as appropriate action was taken at the earliest opportunity Take no further action.

Disagree with the raising of the minor nonconformity as appropriate action was taken at the earliest opportunity. Instead raise an opportunity for improvement.

Disagree with the raising of the minor nonconformity, there is sufficient evidence to justify an escalation to a major non-conformity.

Require additional audit evidence to be obtained before determining whether a non-conformity is appropriate.

Buy Now

Question # 25

Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.

Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees’ access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.

During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

Based on the scenario above, answer the following question:

The audit team reviewed Sinvestment's documented information on-site, as requested by the company. Is this acceptable?

Options:

Yes, Sinvestment has the right to require that no document is carried off-site during the documented information review

No, Sinvestment cannot decide where the documentation review take place, since a confidentiality agreement was signed prior to stage 1 audit

No, the combination of on-site and off-site activities can impact the audit negatively

Buy Now

Question # 26

Which two of the following statements are true?

Options:

The organisation is only required to comply with legislation that directly relates to its information security management system.

During a third-party audit, the auditor evaluates how the organisation ensures that it is made aware of changes to the legal requirements.

The organisation is not allowed to outsource the task of reviewing the legislative environment to ensure legal compliance is maintained.

As part of a certification body audit, the auditor is responsible for verifying the organisation's legal compliance status.

During a certification body audit, the auditor should ensure documented information is retained which identifies the legislation the organisation is required to comply with.

The role of a certification body auditor involves evaluating the organisation's processes to ensure compliance with their legal requirements.

Buy Now

Answer:

B, E

Explanation:

From Exact Extract:

Explanation for B (True):

This statement is true because ISO 27001 requires an organization to establish processes for identifying, reviewing, and complying with applicable legal, statutory, regulatory, and contractual obligations. A key part of this is being aware of changes to these requirements to maintain ongoing compliance. An auditor's role is to verify that the organization has such a process in place and that it is effective.

[Reference:, ISO/IEC 27001:2022, Clause 6.1.3 "Information security risk treatment": While not directly stating "legal requirements," this clause implies that the organization must determine controls to treat information security risks, and compliance with legal requirements is a significant risk factor., ISO/IEC 27001:2022, Annex A.5.31 "Legal, statutory, regulatory and contractual requirements": This control states: "The organization should identify, document, and comply with relevant legal, statutory, regulatory, and contractual requirements related to information security." This inherently includes processes for staying aware of changes., ISO/IEC 27002:2022, 5.31 (Guidance for A.5.31): Provides more detail, emphasizing the need for processes to "identify all relevant legal, statutory, regulatory and contractual requirements, and to ensure that appropriate action is taken to comply with these requirements." This explicitly includes monitoring for changes., ISO/IEC 17021-1:2015, Clause 9.1.2 "Audit objectives": An audit objective is to determine "the ability of the management system to ensure the client meets applicable statutory, regulatory and contractual requirements." This necessarily involves checking the process for identifying changes., Explanation for E (True):, ISO 27001 mandates the retention of documented information for various aspects of the ISMS, including the identification of legal requirements. Auditors will look for evidence that the organization has indeed identified and documented the applicable legislation it needs to comply with., , Reference:, ISO/IEC 27001:2022, Clause 7.5.1 "General," 7.5.2 "Creating and updating documented information," and 7.5.3 "Control of documented information": These clauses generally require documented information to be maintained and retained as specified by the standard., ISO/IEC 27001:2022, Annex A.5.31 "Legal, statutory, regulatory and contractual requirements": As mentioned above, this control explicitly states that the organization should "identify, document, and comply with relevant legal, statutory, regulatory and contractual requirements." The term "document" directly implies "documented information is retained.", ISO/IEC 27002:2022, 5.31 (Guidance for A.5.31): Further elaborates that the identified requirements should be documented and kept up to date., Explanation for A (False):, The organization is required to comply with all applicable legal, statutory, and regulatory requirements, as well as contractual obligations. Information security often intersects with broader legal frameworks (e.g., data protection, privacy, industry-specific regulations) that may not directly relate to the ISMS in a narrow sense, but are critical to the organization's overall compliance and its information security posture., , Reference:, ISO/IEC 27001:2022, Annex A.5.31 "Legal, statutory, regulatory and contractual requirements": This control does not limit compliance to only what "directly relates" but to "relevant" requirements. The scope of "relevant" is determined by the organization's context, operations, and information it handles., Explanation for C (False):, Organizations can and often do outsource tasks like legal environment reviews to specialized legal firms or subscribe to legal compliance services. The ISO 27001 standard does not prohibit outsourcing. However, the organization remains ultimately accountable for ensuring that these outsourced processes meet the requirements of the ISMS and that legal compliance is maintained. The auditor would verify the organization's oversight of such outsourced activities., , Reference:, ISO/IEC 27001:2022, Clause 8.1 "Operational planning and control": This clause states that organizations should "control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects" and "ensure that outsourced processes are controlled." This implicitly allows outsourcing but requires control., Explanation for D (False):, A certification body auditor's role is not to act as a legal compliance officer or to definitively verify the organization's actual legal compliance status (i.e., whether they are perfectly compliant with every law). That responsibility lies with the organization itself, often supported by its legal counsel. The auditor's role is to verify that the organization has established, implemented, and maintains an effective process for identifying, managing, and complying with legal requirements as required by ISO 27001. They audit the management system's approach to compliance, not the legal compliance outcome itself., , Reference:, ISO/IEC 17021-1:2015, Clause 9.1.2 "Audit objectives": States that the audit is to determine "the ability of the management system to ensure the client meets applicable statutory, regulatory and contractual requirements." It does not state the auditor's role is to legally verify compliance., ISO/IEC 27001:2022, Introduction: Emphasizes that the standard specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS, not for guaranteeing absolute legal compliance outside the scope of the ISMS processes., Explanation for F (This statement is generally aligned with the role, but less precise as a 'sole true' statement compared to B and E):, While this statement is generally true about the auditor's role, its phrasing "to ensure compliance with their legal requirements" can be misinterpreted. As explained for D, the auditor evaluates the processes designed to achieve compliance, not the absolute legal compliance itself. However, in the context of multiple-choice questions where you pick the "most true" statements, it conveys a similar intent to B, but B and E are more precise regarding specific auditor actions and ISMS requirements. Given B and E are unequivocally true as specific audit actions/requirements, they are the stronger correct answers., , Reference:, ISO/IEC 17021-1:2015, Clause 9.1.2 "Audit objectives": As noted before, the audit objective includes evaluating the management system's ability to meet requirements. This aligns with evaluating processes., , , , ]

Question # 27

From the following options, select the one option that is the sole responsibility of a third-party audit team leader.

Options:

Select the audit team members

Compile checklists for the audit team

Act on behalf of the certification body

Identify non-conformances in the management system

Buy Now

Answer:

Explanation:

From Exact Extract:

Explanation for A (Sole Responsibility of Audit Team Leader):

The audit team leader is ultimately responsible for ensuring the audit team has the necessary competence and resources to conduct the audit effectively and achieve its objectives. This includes the crucial task of selecting the appropriate team members, considering their individual competencies, sector experience, and linguistic capabilities to cover the audit scope. While the certification body might provide a pool of auditors, the specific selection for a given audit is the team leader's responsibility to ensure the team is fit for purpose.

[Reference:, ISO/IEC 17021-1:2015, Clause 7.3 "Audit team": This clause details the requirements for forming the audit team. Specifically, Clause 7.3.2 "Selection of the audit team" states, "The certification body shall select the audit team, including the audit team leader and technical experts, as required, for the specific audit." While the CB "selects," in practice, the audit team leader is often delegated or directly responsible for the specific selection of their team members based on the audit's needs, and the CB formally approves. The team leader's direct involvement in team composition is critical for audit effectiveness. This is a task that cannot be fully delegated to individual team members or entirely to an administrative role within the certification body without the team leader's input and approval., Explanation for B (Not Sole Responsibility):, While an audit team leader will certainly review, guide, or approve audit checklists, the actual compilation of detailed checklists can be performed by any competent auditor within the team, or even by a central function of the certification body. It is not exclusively the team leader's task., , Reference:, ISO 19011:2018 (Guidelines for auditing management systems), Clause 6.4.3 "Preparing documented information for the audit": This clause mentions that the audit team should prepare documented information, such as checklists, for the audit. It does not specify that this is solely the audit team leader's responsibility., Explanation for C (Not Sole Responsibility):, While the audit team leader holds the primary authority and responsibility during the audit and certainly acts as the main representative of the certification body, all members of the audit team are expected to uphold the professionalism, ethics, and procedures of the certification body. Thus, "acting on behalf of the certification body" is a collective responsibility of the entire audit team, though the leader bears the ultimate accountability., , Reference:, ISO/IEC 17021-1:2015, Clause 4 "Principles": Outlines principles like impartiality, competence, and responsibility, which apply to all personnel involved in certification activities., ISO 19011:2018, Clause 5 "Principles of auditing": Principles like ethical conduct, due professional care, and independence apply to all auditors., Explanation for D (Not Sole Responsibility):, Identifying non-conformances is a fundamental responsibility of every auditor on the team. Each auditor, as they review documented information, conduct interviews, and observe processes in their assigned areas, is expected to identify and report any non-conformities against the audit criteria. The team leader then reviews, consolidates, and ensures proper categorization and documentation of these non-conformances, but they are not the sole identifier., , Reference:, ISO 19011:2018, Clause 6.4.8 "Conducting audit activities": States that "evidence of conformity and nonconformity should be collected." This is an activity carried out by all auditors., ISO 19011:2018, Clause 6.4.9 "Identifying and recording audit information": Specifies that "audit findings... shall be recorded." This applies to all auditors., , , ]

Question # 28

You are an experienced audit team leader conducting a third-party surveillance audit of an organisation that designs websites for its clients. You are currently reviewing the organisation's Statement of Applicability.

Based on the requirements of ISO/IEC 27001, which two of the following observations about the Statement of Applicability are true?

Options:

Justification for both the inclusion and exclusion of Annex A controls in the Statement of Applicability is required

The Statement of Applicability is owned and amended by the organisation's top management

The Statement of Applicability must be reviewed at least annually

A Statement of Applicability must be produced by organisations seeking ISO/IEC 27001 conformity

Justification is only required for any controls that the organisations choses to exclude

The Statement of Applicability must be reviewed at Management Review

Buy Now

Question # 29

Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.

Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.

To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:

•How are responsibilities for IT and IT controls defined and assigned?

•How does Data Grid Inc. assess whether the controls have achieved the desired results?

•What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?

•Are firewall-related controls implemented?

Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.

The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.

Based on this scenario, answer the following question:

Which type of audit risk was defined as “low* by the audit team? Refer to scenario 5.

Options:

Inherent

Control

Detection

Buy Now

Question # 30

How does the use of new technologies such as big data impact auditing?

Options:

It presents new challenges, for example, combining structured and unstructured data

It enhances the audit quality by enabling auditors to collect higher quality audit evidence

It causes significant disruptions, for example, introducing data that is too large or complex for processing by traditional database management tools

Buy Now

Question # 31

Scenario 5: Cobt. an insurance company in London, offers various commercial, industrial, and life insurance solutions. In recent years, the number of Cobt's clients has increased enormously. Having a huge amount of data to process, the company decided that certifying against ISO/IEC 27001 would bring many benefits to securing information and show its commitment to continual improvement. While the company was well-versed in conducting regular risk assessments, implementing an ISMS brought major changes to its daily operations. During the risk assessment process, a risk was identified where significant defects occurred without being detected or prevented by the organizations internal control mechanisms.

The company followed a methodology to implement the ISMS and had an operational ISMS in place after only a few months After successfully implementing the ISMS, Cobt applied for ISO/IEC 27001 certification Sarah, an experienced auditor, was assigned to the audit Upon thoroughly analyzing the audit offer, Sarah accepted her responsibilities as an audit team leader and immediately started to obtain general information about Cobt She established the audit criteria and objective, planned the audit, and assigned the audit team members' responsibilities.

Sarah acknowledged that although Cobt has expanded significantly by offering diverse commercial and insurance solutions, it still relies on some manual processes Therefore, her initial focus was to gather information on how the company manages its information security risks Sarah contacted Cobt's representatives to request access to information related to risk management for the off-site review, as initially agreed upon for part of the audit However, Cobt later refused, claiming that such information is too sensitive to be accessed outside of the company This refusal raised concerns about the audit's feasibility, particularly regarding the availability and cooperation of the auditee and access to evidence Moreover, Cobt raised concerns about the audit schedule, stating that it does not properly reflect the recent changes the company made It pointed out that the actions to be performed during the audit apply only to the initial scope and do not encompass the latest changes made in the audit scope

Sarah also evaluated the materiality of the situation, considering the significance of the information denied for the audit objectives. In this case, the refusal by Cobt raised questions about the completeness of the audit and its ability to provide reasonable assurance. Following these situations, Sarah decided to withdraw from the audit before a certification agreement was signed and communicated her decision to Cobt and the certification body. This decision was made to ensure adherence to audit principles and maintain transparency, highlighting her commitment to consistently upholding these principles.

Based on the scenario above, answer the following question:

Question:

Based on the role of Sarah described in Scenario 5, which of the following should NOT be part of her responsibilities?

Options:

Assigning responsibilities to the audit team members

Defining the audit criteria and objectives

Planning the audit

Buy Now

Question # 32

The following are purposes of Information Security, except:

Options:

Ensure Business Continuity

Minimize Business Risk

Increase Business Assets

Maximize Return on Investment

Buy Now

Question # 33

The data centre at which you work is currently seeking ISO/IEC27001:2022 certification. In preparation for your initial certification visit, several internal audits have been carried out by a colleague working at another data centre within your Group. They secured their own ISO/IEC 27001:2022 certificate earlier in the year.

You have just qualified as an Internal ISMS auditor and your manager has asked you to review the audit process and audit findings as a final check before the external Certification Body arrives.

Which four of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements?

Options:

Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date.

Audit reports are not held in hardcopy (i.e. on paper). They are only stored as *. PDF documents on the organisation's intranet.

The audit process states the results of audits will be made available to 'relevant' managers, not top management.

The audit programme does not reference audit methods or audit responsibilities.

The audit programme does not take into account the relative importance of information security processes.

The audit programme does not take into account the results of previous audits.

The audit programme has not been signed as 'approved by Top Management.

Buy Now

Exam Code: ISO-IEC-27001-Lead-Auditor

Exam Name: PECB Certified ISO/IEC 27001 2022 Lead Auditor exam

Last Update: Feb 24, 2026

Questions: 418

ISO-IEC-27001-Lead-Auditor PDF

$25.5 ~~$84.99~~

Add to Cart

ISO-IEC-27001-Lead-Auditor Testing Engine

$28.5 ~~$94.99~~

Add to Cart

ISO-IEC-27001-Lead-Auditor PDF + Testing Engine

$40.5 ~~$134.99~~

Add to Cart

Spring Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

certsboard certification exams

Navigation:

ISO-IEC-27001-Lead-Auditor Exam Dumps - PECB ISO 27001 Questions and Answers

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

ISO-IEC-27001-Lead-Auditor PDF

ISO-IEC-27001-Lead-Auditor Testing Engine

ISO-IEC-27001-Lead-Auditor PDF + Testing Engine

Quick Links

Recently New Released Certification Exams

Site Secure