ISO/IEC 27001 Lead Auditor v1.0

Page: 1 / 11
Exam contains 159 questions

During which stage of the audit do auditors identify key processes to be audited and prioritized on the basis of materiality?

  • A. Initial contact
  • B. Stage 1 audit
  • C. Stage 2 audit


Answer : B

When multiple offices of a certification body are involved, what must be ensured?

  • A. Each office has a separate legally enforceable agreement with the client
  • B. A legally enforceable agreement that covers all sites within the certification scope
  • C. Only the main office has a legally enforceable agreement with the client


Answer : B

An organization is evaluating the materiality of different processes within its ISMS. It is assessing the direct expenses involved with personnel, third party services, and general fees. Which factor of materiality is the company primarily considering?

  • A. Cost of operations
  • B. Cost of the process
  • C. Potential cost of errors or nonconformities


Answer : B

Scenario: Rebuildy is a construction company located in Bangkok, Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.
The ISMS implementation outcomes are presented below:
Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.
Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.
All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.
The information security policy is part of a security manual drafted based on best security practices. Therefore, it is not a stand-alone document.
Information security roles and responsibilities have been clearly stated in every employee's job description.
Management reviews of the ISMS are conducted at planned intervals.
Rebuildy applied for certification after two midterm management reviews and one annual internal audit. Before the certification audit, one of Rebuildy's former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member. Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.
At the beginning of the audit, the audit team interviewed the company's top management. They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy's conformity to several clauses of ISO/IEC 27001.
The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:
An instance of improper user access control settings was detected within the company's financial reporting system.
A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.
After receiving these documents from the audit team, the team leader met Rebuildy's top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.
Based on the scenario above, answer the following question:
Is it acceptable for the auditor to prioritize keeping the evidence provided by Electra over the evidence provided by the former employee?

  • A. No, because evidence from a former employee is always more reliable than that from a client
  • B. No, both sources of evidence should be retained and evaluated equally
  • C. Yes, because evidence from a client is considered more reliable due to their independent status


Answer : B

Scenario: Rebuildy is a construction company located in Bangkok, Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.
The ISMS implementation outcomes are presented below:
Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.
Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.
All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.
The information security policy is part of a security manual drafted based on best security practices. Therefore, it is not a stand-alone document.
Information security roles and responsibilities have been clearly stated in every employee's job description.
Management reviews of the ISMS are conducted at planned intervals.
Rebuildy applied for certification after two midterm management reviews and one annual internal audit. Before the certification audit, one of Rebuildy's former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member. Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.
At the beginning of the audit, the audit team interviewed the company's top management. They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy's conformity to several clauses of ISO/IEC 27001.
The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:
An instance of improper user access control settings was detected within the company's financial reporting system.
A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.
After receiving these documents from the audit team, the team leader met Rebuildy's top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.
Based on the last paragraph of the scenario, what did the audit team leader commit?

  • A. Ordinary negligence
  • B. Gross negligence
  • C. Fraud


Answer : B

Scenario: Rebuildy is a construction company located in Bangkok, Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.
The ISMS implementation outcomes are presented below:
Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.
Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.
All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.
The information security policy is part of a security manual drafted based on best security practices. Therefore, it is not a stand-alone document.
Information security roles and responsibilities have been clearly stated in every employee's job description.
Management reviews of the ISMS are conducted at planned intervals.
Rebuildy applied for certification after two midterm management reviews and one annual internal audit. Before the certification audit, one of Rebuildy's former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member. Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.
At the beginning of the audit, the audit team interviewed the company's top management. They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy's conformity to several clauses of ISO/IEC 27001.
The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:
An instance of improper user access control settings was detected within the company's financial reporting system.
A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.
After receiving these documents from the audit team, the team leader met Rebuildy's top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.
Did the audit team adhere to audit best practices regarding the situation with the financial reporting system? Refer to the scenario.

  • A. Yes, as it is beyond the scope of the audit
  • B. No, the audit team should have contacted the certification body and reported the situation
  • C. No, the audit team should have withdrawn from the audit due to the illegal nature of the act


Answer : B

Scenario: Rebuildy is a construction company located in Bangkok, Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.
The ISMS implementation outcomes are presented below:
Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.
Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.
All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.
The information security policy is part of a security manual drafted based on best security practices. Therefore, it is not a stand-alone document.
Information security roles and responsibilities have been clearly stated in every employee's job description.
Management reviews of the ISMS are conducted at planned intervals.
Rebuildy applied for certification after two midterm management reviews and one annual internal audit. Before the certification audit, one of Rebuildy's former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member. Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.
At the beginning of the audit, the audit team interviewed the company's top management. They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy's conformity to several clauses of ISO/IEC 27001.
The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:
An instance of improper user access control settings was detected within the company's financial reporting system.
A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.
After receiving these documents from the audit team, the team leader met Rebuildy's top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.
Based on the scenario, the audit team used the information obtained from interviews with top management to determine Rebuildy's conformity to several ISO/IEC 27001 clauses. Is this acceptable?

  • A. No, the audit team should have used only documentary evidence, such as policies and procedures, to determine conformity
  • B. Yes, the audit team obtained verbal evidence by written confirmations from the top management, which can be used to determine conformity to the standard
  • C. Yes, interviews with top management are the most reliable form of audit evidence and can be used to determine conformity to the standard without further verification


Answer : B

Scenario: Rebuildy is a construction company located in Bangkok, Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.
The ISMS implementation outcomes are presented below:
Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.
Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.
All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.
The information security policy is part of a security manual drafted based on best security practices. Therefore, it is not a stand-alone document.
Information security roles and responsibilities have been clearly stated in every employee's job description.
Management reviews of the ISMS are conducted at planned intervals.
Rebuildy applied for certification after two midterm management reviews and one annual internal audit. Before the certification audit, one of Rebuildy's former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member. Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.
At the beginning of the audit, the audit team interviewed the company's top management. They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy's conformity to several clauses of ISO/IEC 27001.
The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:
An instance of improper user access control settings was detected within the company's financial reporting system.
A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.
After receiving these documents from the audit team, the team leader met Rebuildy's top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.
Which action described in the scenario indicates that the audit team leader violated the independence principle?

  • A. The audit team leader sent a favorable report after discussing the audit conclusions with the top management
  • B. The audit team included the former employee's evidence in the audit report without revealing the source
  • C. The audit team leader revealed confidential information about Rebuildy to the former employee


Answer : A

Scenario: Branding is a marketing company that works with some of the most famous companies in the US. To reduce internal costs, Branding has outsourced the software development and IT helpdesk operations to Techvology for over two years. Techvology, equipped with the necessary expertise, manages Branding's software, network, and hardware needs. Branding has implemented an information security management system (ISMS) and is certified against ISO/IEC 27001, demonstrating its commitment to maintaining high standards of information security. It actively conducts audits on Techvology to ensure that the security of its outsourced operations complies with ISO/IEC 27001 certification requirements.
During the last audit, Branding's audit team defined the processes to be audited and the audit schedule. They adopted an evidence-based approach, particularly in light of two information security incidents reported by Techvology in the past year. The focus was on evaluating how these incidents were addressed and ensuring compliance with the terms of the outsourcing agreement.
The audit began with a comprehensive review of Techvology's methods for monitoring the quality of outsourced operations, assessing whether the services provided met Branding's expectations and agreed-upon standards. The auditors also verified whether Techvology complied with the contractual requirements established between the two entities. This involved thoroughly examining the terms and conditions in the outsourcing agreement to guarantee that all aspects, including information security measures, are being adhered to.
Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to manage its outsourced operations and other organizations. This step is crucial for Branding to verify that proper controls and oversight mechanisms are in place to mitigate potential risks associated with the outsourcing arrangement.
The auditors conducted interviews with various levels of Techvology's personnel and analyzed the incident resolution records. In addition, Techvology provided the records that served as evidence that they conducted awareness sessions for the staff regarding incident management. Based on the information gathered, they predicted that both information security incidents were caused by incompetent personnel. Therefore, auditors requested to see the personnel files of the employees involved in the incidents to review evidence of their competence, such as relevant experience, certificates, and records of attended trainings.
Branding's auditors performed a critical evaluation of the validity of the evidence obtained and remained alert for evidence that could contradict or question the reliability of the documented information received. During the audit at Techvology, the auditors upheld this approach by critically assessing the incident resolution records and conducting thorough interviews with employees at different levels and functions. They did not merely take the word of Techvology's representatives for facts; instead, they sought concrete evidence to support the representatives' claims about the incident management processes.
Based on the scenario above, answer the following question:
Were the auditors diligent in adhering to the auditing process for outsourced operations?

  • A. Yes, they demonstrated diligence and judgment in their auditing practices
  • B. No, the auditors did not request a sample of employment contracts until the end of the audit
  • C. No, the auditors did not interview any of Techvology's top management during the audit


Answer : A

Scenario: Branding is a marketing company that works with some of the most famous companies in the US. To reduce internal costs, Branding has outsourced the software development and IT helpdesk operations to Techvology for over two years. Techvology, equipped with the necessary expertise, manages Branding's software, network, and hardware needs. Branding has implemented an information security management system (ISMS) and is certified against ISO/IEC 27001, demonstrating its commitment to maintaining high standards of information security. It actively conducts audits on Techvology to ensure that the security of its outsourced operations complies with ISO/IEC 27001 certification requirements.
During the last audit, Branding's audit team defined the processes to be audited and the audit schedule. They adopted an evidence-based approach, particularly in light of two information security incidents reported by Techvology in the past year. The focus was on evaluating how these incidents were addressed and ensuring compliance with the terms of the outsourcing agreement.
The audit began with a comprehensive review of Techvology's methods for monitoring the quality of outsourced operations, assessing whether the services provided met Branding's expectations and agreed-upon standards. The auditors also verified whether Techvology complied with the contractual requirements established between the two entities. This involved thoroughly examining the terms and conditions in the outsourcing agreement to guarantee that all aspects, including information security measures, are being adhered to.
Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to manage its outsourced operations and other organizations. This step is crucial for Branding to verify that proper controls and oversight mechanisms are in place to mitigate potential risks associated with the outsourcing arrangement.
The auditors conducted interviews with various levels of Techvology's personnel and analyzed the incident resolution records. In addition, Techvology provided the records that served as evidence that they conducted awareness sessions for the staff regarding incident management. Based on the information gathered, they predicted that both information security incidents were caused by incompetent personnel. Therefore, auditors requested to see the personnel files of the employees involved in the incidents to review evidence of their competence, such as relevant experience, certificates, and records of attended trainings.
Branding's auditors performed a critical evaluation of the validity of the evidence obtained and remained alert for evidence that could contradict or question the reliability of the documented information received. During the audit at Techvology, the auditors upheld this approach by critically assessing the incident resolution records and conducting thorough interviews with employees at different levels and functions. They did not merely take the word of Techvology's representatives for facts; instead, they sought concrete evidence to support the representatives' claims about the incident management processes.
According to the scenario, what type of audit evidence did the auditors collect to determine the source of the information security incidents?

  • A. Verbal and documentary evidence
  • B. Confirmative and technical evidence
  • C. Analytical and mathematical evidence


Answer : A

Scenario: Branding is a marketing company that works with some of the most famous companies in the US. To reduce internal costs, Branding has outsourced the software development and IT helpdesk operations to Techvology for over two years. Techvology, equipped with the necessary expertise, manages Branding's software, network, and hardware needs. Branding has implemented an information security management system (ISMS) and is certified against ISO/IEC 27001, demonstrating its commitment to maintaining high standards of information security. It actively conducts audits on Techvology to ensure that the security of its outsourced operations complies with ISO/IEC 27001 certification requirements.
During the last audit, Branding's audit team defined the processes to be audited and the audit schedule. They adopted an evidence-based approach, particularly in light of two information security incidents reported by Techvology in the past year. The focus was on evaluating how these incidents were addressed and ensuring compliance with the terms of the outsourcing agreement.
The audit began with a comprehensive review of Techvology's methods for monitoring the quality of outsourced operations, assessing whether the services provided met Branding's expectations and agreed-upon standards. The auditors also verified whether Techvology complied with the contractual requirements established between the two entities. This involved thoroughly examining the terms and conditions in the outsourcing agreement to guarantee that all aspects, including information security measures, are being adhered to.
Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to manage its outsourced operations and other organizations. This step is crucial for Branding to verify that proper controls and oversight mechanisms are in place to mitigate potential risks associated with the outsourcing arrangement.
The auditors conducted interviews with various levels of Techvology's personnel and analyzed the incident resolution records. In addition, Techvology provided the records that served as evidence that they conducted awareness sessions for the staff regarding incident management. Based on the information gathered, they predicted that both information security incidents were caused by incompetent personnel. Therefore, auditors requested to see the personnel files of the employees involved in the incidents to review evidence of their competence, such as relevant experience, certificates, and records of attended trainings.
Branding's auditors performed a critical evaluation of the validity of the evidence obtained and remained alert for evidence that could contradict or question the reliability of the documented information received. During the audit at Techvology, the auditors upheld this approach by critically assessing the incident resolution records and conducting thorough interviews with employees at different levels and functions. They did not merely take the word of Techvology's representatives for facts; instead, they sought concrete evidence to support the representatives' claims about the incident management processes.
Based on the scenario, what type of audit did Branding conduct?

  • A. First party audit
  • B. Second party audit
  • C. Third party audit


Answer : B

Scenario: Branding is a marketing company that works with some of the most famous companies in the US. To reduce internal costs, Branding has outsourced the software development and IT helpdesk operations to Techvology for over two years. Techvology, equipped with the necessary expertise, manages Branding's software, network, and hardware needs. Branding has implemented an information security management system (ISMS) and is certified against ISO/IEC 27001, demonstrating its commitment to maintaining high standards of information security. It actively conducts audits on Techvology to ensure that the security of its outsourced operations complies with ISO/IEC 27001 certification requirements.
During the last audit, Branding's audit team defined the processes to be audited and the audit schedule. They adopted an evidence-based approach, particularly in light of two information security incidents reported by Techvology in the past year. The focus was on evaluating how these incidents were addressed and ensuring compliance with the terms of the outsourcing agreement.
The audit began with a comprehensive review of Techvology's methods for monitoring the quality of outsourced operations, assessing whether the services provided met Branding's expectations and agreed-upon standards. The auditors also verified whether Techvology complied with the contractual requirements established between the two entities. This involved thoroughly examining the terms and conditions in the outsourcing agreement to guarantee that all aspects, including information security measures, were being adhered to.
Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to manage its outsourced operations and other organizations. This step is crucial for Branding to verify that proper controls and oversight mechanisms are in place to mitigate potential risks associated with the outsourcing arrangement.
The auditors conducted interviews with various levels of Techvology's personnel and analyzed the incident resolution records. In addition, Techvology provided the records that served as evidence that they conducted awareness sessions for the staff regarding incident management. Based on the information gathered, they concluded that both information security incidents were caused by incompetent personnel. Therefore, the auditors requested to see the personnel files of the employees involved in the incidents to review evidence of their competence, such as relevant experience, certificates, and records of training attended.
Branding's auditors performed a critical evaluation of the validity of the evidence obtained and remained alert for evidence that could contradict or question the reliability of the documented information received. During the audit at Techvology, the auditors upheld this approach by critically assessing the incident resolution records and conducting thorough interviews with employees at different levels and functions. They did not merely take the word of Techvology's representatives for facts; instead, they sought concrete evidence to support the representatives' claims about the incident management processes.
Which auditing principle is explained in the last paragraph of the scenario?

  • A. Risk-based approach
  • B. Fair presentation
  • C. Professional skepticism


Answer : C

Scenario: Branding is a marketing company that works with some of the most famous companies in the US. To reduce internal costs, Branding has outsourced the software development and IT helpdesk operations to Techvology for over two years. Techvology, equipped with the necessary expertise, manages Branding's software, network, and hardware needs. Branding has implemented an information security management system (ISMS) and is certified against ISO/IEC 27001, demonstrating its commitment to maintaining high standards of information security. It actively conducts audits on Techvology to ensure that the security of its outsourced operations complies with ISO/IEC 27001 certification requirements.
During the last audit, Branding's audit team defined the processes to be audited and the audit schedule. They adopted an evidence-based approach, particularly in light of two information security incidents reported by Techvology in the past year. The focus was on evaluating how these incidents were addressed and ensuring compliance with the terms of the outsourcing agreement.
The audit began with a comprehensive review of Techvology's methods for monitoring the quality of outsourced operations, assessing whether the services provided met Branding's expectations and agreed-upon standards. The auditors also verified whether Techvology complied with the contractual requirements established between the two entities. This involved thoroughly examining the terms and conditions in the outsourcing agreement to guarantee that all aspects, including information security measures, were being adhered to.
Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to manage its outsourced operations and other organizations. This step is crucial for Branding to verify that proper controls and oversight mechanisms are in place to mitigate potential risks associated with the outsourcing arrangement.
The auditors conducted interviews with various levels of Techvology's personnel and analyzed the incident resolution records. In addition, Techvology provided the records that served as evidence that they conducted awareness sessions for the staff regarding incident management. Based on the information gathered, they concluded that both information security incidents were caused by incompetent personnel. Therefore, the auditors requested to see the personnel files of the employees involved in the incidents to review evidence of their competence, such as relevant experience, certificates, and records of training attended.
Branding's auditors performed a critical evaluation of the validity of the evidence obtained and remained alert for evidence that could contradict or question the reliability of the documented information received. During the audit at Techvology, the auditors upheld this approach by critically assessing the incident resolution records and conducting thorough interviews with employees at different levels and functions. They did not merely take the word of Techvology's representatives for facts; instead, they sought concrete evidence to support the representatives' claims about the incident management processes.
According to ISO/IEC 27001 requirements, is Branding required to control the services offered by Techvology continually? Refer to the scenario.

  • A. Yes, Branding is responsible for controlling and monitoring the quality of Techvology's services
  • B. Yes, only if this is a requirement specified in the contractual agreement between the two companies
  • C. No, Branding is not responsible for controlling the services offered by Techvology, but is responsible for monitoring them


Answer : C

Prior to initiating the audit activities, the auditors considered the auditee's context, critical processes, and expectations. Which auditing principle has been applied?

  • A. Due professional care
  • B. Professional skepticism
  • C. Integrity


Answer : A

What is the main difference between qualitative and quantitative evidence?

  • A. Qualitative evidence originates from the analysis of a sample related to determining the audit criteria, while quantitative evidence originates from the analysis of unquantifiable information
  • B. Qualitative evidence focuses on evaluating if a process or control complies with the audit criteria, while quantitative evidence aims to determine if a process in operation is functional and effective
  • C. Qualitative evidence is used to make estimations about the whole population, while quantitative evidence focuses on evaluating if a process complies with standard requirements


Answer : B
