05 27001la en QS V12.1 20221111


QUIZZES SHEET

CERTIFIED ISO/IEC 27001 LEAD AUDITOR TRAINING COURSE

www.pecb.com

Quiz 1: Standards and regulatory frameworks

1. What does the ISO/IEC 27001 standard provide?
A. Requirements for organizations certifying an information security management system
B. Requirements for an information security management system
C. Guidance for auditing an information security management system

2. Organizations can obtain certification against the ISO/IEC 27002 standard if they
implement all of its information security controls.
A. True
B. False

3. The implementation of ISO/IEC 27001 is a legal requirement in most countries.
A. True
B. False

4. What is the aim of laws with regard to intellectual property rights?
A. Protecting certain intangible assets
B. Ensuring that certain assets are regularly reviewed
C. Providing asset management reports for legal purposes

5. Which of the following is one of the objectives of the privacy protection policy?
A. To increase awareness regarding the legal requirements for protecting personal
information
B. To increase awareness regarding cybercrimes that target an organization’s computer
network
C. To increase awareness regarding the validity of digital signatures in electronic
documents


Quiz 2: Certification process

1. When does the surveillance audit take place?
A. After conducting stage 2 audit
B. After conducting the audit follow-up
C. After obtaining certification

2. ISO performs accreditation and certification activities.
A. True
B. False

3. Which of the following statements is true?
A. Certification bodies are accredited by accreditation bodies
B. Certification bodies are certified by accreditation bodies
C. Certification bodies are hired by accreditation bodies

4. A third party that performs the assessment of conformity of management systems is:
A. An international standard
B. An accreditation body
C. A certification body

5. Your Market is a market research company that helps its customers determine which
products and services are in demand. The company is currently evaluating the
effectiveness of its information security controls through an ISMS audit. What is Your
Market in this case?
A. An accreditation body
B. A certification body
C. An auditee

© 2022 PECB |3

Quiz 3: Fundamental concepts and principles of information security

1. According to ISO 9000, what is an asset?
A. Item or entity that has potential or actual value to an organization
B. Meaningful data for an organization
C. Document which states requirements for an organization

2. What is the difference between specifications and records?
A. Specifications are documents that state requirements, whereas records are documents
that state achieved results
B. Specifications refer to information and the medium on which it is contained, whereas
records are documents that state requirements
C. Specifications and records are both forms of documents, so they can be used
interchangeably

3. A former employee of Company A has gained unauthorized access to the company’s
sensitive information. What does this represent?
A. A threat that has the potential to harm the assets of the organization, such as information
or systems
B. A vulnerability in the monitoring system of the organization that does not have
corresponding threats
C. A security control incorrectly implemented by the organization that is not vulnerable

4. With which of the following principles does an organization comply if it ensures that
only authorized users have access to their sensitive data?
A. Confidentiality
B. Integrity
C. Availability

5. What does the integrity principle entail?
A. That information is available to authorized individuals
B. That information is accurate and safe from unauthorized access
C. That information is accessible when needed

6. Which of the options below represents an example of a vulnerability?
A. Unencrypted data
B. Unauthorized access by persons who have left the organization
C. Data input error by personnel

7. What can have an impact on the availability of information?
A. Incorrect results
B. Deliberate change of information
C. Performance degradation

8. An organization has clearly defined its security procedures and uses access control
software to prevent unauthorized access by personnel to its confidential data. What is
the function of these security controls?
A. To prevent the occurrence of incidents
B. To correct errors arising from a problem
C. To report the occurrence of a malicious act

9. To which classification of security controls does the implementation of patches after
the identification of system vulnerabilities belong?
A. Preventive by function and managerial by type
B. Corrective by function and technical by type
C. Detective by function and administrative by type


Quiz 4: Information security management system (ISMS)

1. What is one of the main purposes of implementing an ISMS?
A. To determine the information security objectives
B. To define the information security requirements
C. To reduce information security risks

2. Which of the statements below regarding the ISMS scope is correct?
A. Any inclusions made in the ISMS scope should be justified
B. A key process is not considered part of organizational boundaries
C. The ISMS scope must be available as documented information

3. Who is responsible for establishing the information security policy according to
ISO/IEC 27001?
A. The top management
B. Internal interested parties
C. The information security manager

4. What criteria should be considered when selecting a risk assessment methodology?
A. New technologies
B. Costs and availability of supporting software tools
C. Risk treatment plan

5. An organization has decided to move its information-processing facilities to a place
where the risk of flooding is low. What option of risk treatment is this?
A. Risk avoidance
B. Risk evaluation
C. Risk sharing

6. Why should an organization draft a Statement of Applicability?
A. To document the justifications for the inclusion and exclusion of Annex A controls
B. To ensure that the ISMS is aligned with the mission of the organization
C. To ensure compliance with industry best practices

7. The risk that remains after risk treatment is known as:
A. Inherent risk
B. Treated risk
C. Residual risk


Scenario-based quiz 1: Sections 1-5

Webos is a software company that offers custom web-based IT solutions for banks and financial
institutions. They are focused on developing personalized and flexible banking software. Hence,
their services include processing sensitive data.

Recently, one of their main partners required an update of the software they got from Webos
because their current version was vulnerable to external attacks. Webos provided an updated
version that included migrating to the Windows Azure SQL database to solve the encryption,
authentication, and high availability problems. However, the solution did not work and Webos’s
partner terminated their contract.

The project failed due to problems with the segregation of duties in Webos. Their only software
development team leader, Julia Robinson, was on maternity leave and her duties and
responsibilities were assigned to an inexperienced team member.

To increase the security of their services and regain customer confidence, Webos decided to
initiate major changes, including the implementation of an ISMS. They decided to improve their
existing maintenance and support services and conduct technical investigations for any security
incident reported by their partners. In addition, they decided to segregate the duties of the
software development team in order to avoid similar situations in the future.

Based on the scenario above, answer the following questions:

1. Which option below presents a vulnerability in Webos’s client system?
A. The updated version of the software
B. The database encryption problems
C. The maternity leave of the software development team leader

2. Webos’s project failed due to the lack of segregation of duties during the maternity
leave of the software development team leader. Which of the following is a threat that
can impact Webos in this situation?
A. Failure to produce management reports
B. Insufficient software testing
C. Unauthorized use of the system

3. Webos conducted technical investigations after its partners reported security incidents.
What is the aim of implementing this security control?
A. To control software operations
B. To report the occurrence of an error or omission
C. To correct the problems and prevent their recurrence

4. By segregating the duties of the software development team, Webos implemented:
A. A managerial control
B. An administrative control
C. A legal control

5. Migration to the Windows Azure SQL database would solve the availability problems
by reducing the _____________.
A. Disruption of operations
B. Invasion of privacy of users
C. Leak of sensitive information


Quiz 5: Fundamental audit concepts and principles

1. What does ISO 19011 provide?
A. Guidance for auditors on information security controls
B. Fundamental principles of auditing
C. Requirements for bodies providing audit

2. Company X evaluated and improved its risk management and core processes by using
the insights and recommendations provided by the _______________ activities.
A. Internal audit
B. External audit
C. Second party audit

3. The auditee determines the audit objectives.
A. True
B. False

4. The auditor issued an unfavorable report for Company 1 after strictly examining the
audit evidence. He was not intimidated when Company 1, the main client of his audit
firm, threatened to terminate the contract if the audit report did not suit them. Which
principle of auditing has the auditor followed?
A. Independence
B. Confidentiality
C. Fair presentation

5. Which type of audit approach focuses on matters that are significant for the auditee?
A. Risk-based approach
B. Evidence-based approach
C. Sector-specific approach

6. An audit team leader must be competent to:
A. Prepare the audit conclusions
B. Manage digital signatures in audit reports
C. Interpret penetration testing results


Quiz 6: The impact of trends and technology in auditing

1. What is the impact of new technologies on auditing processes?
A. Increase audit efficiency and help in minimizing costs
B. Reduce audit efficiency because it increases the need for quality control checks
C. Reduce transparency and increase the time needed to conduct technical tests

2. An example of structured data is:
A. MongoDB
B. Structured query language (SQL)
C. Apache Giraph

3. How can big data technology tools be beneficial for auditors?
A. By retrieving data that may be considered sensitive
B. By implementing more qualitative controls
C. By combining structured and unstructured data to effectively conduct risk assessment

4. Supervised machine learning is used to group data based only on outputs and includes
clustering, representation learning, and density estimation.
A. True
B. False

5. __________________ includes delivering hosted services over the internet, such as
infrastructure as a service or platform as a service.
A. Outsourcing
B. Cloud computing
C. Machine learning

6. Which services are managed by the cloud provider when using Infrastructure as a
Service (IaaS)?
A. Application and data
B. Network and storage
C. Middleware and data

7. What step should an auditor follow to ensure the competence of staff in outsourced
operations?
A. Review the service provider’s processes and employees’ contracts
B. Ensure that disaster recovery processes are in place
C. Review and evaluate the organization’s plan in case of an unexpected termination of the
outsourcing agreement

8. Which services can be managed by the user when using Platform as a Service (PaaS)?
A. Virtualization and servers
B. Runtime and middleware
C. Application and data

9. Linear regression and logistic regression are algorithms utilized by:
A. Machine learning
B. Outsourced operations
C. Cloud computing

10. Artificial general intelligence (AGI) is also known as:
A. Strong artificial intelligence
B. Weak artificial intelligence
C. Supervised artificial intelligence


Quiz 7: Evidence-based auditing

1. Audit evidence must be:
A. Verifiable
B. Physical
C. Refutable

2. A piece of audit evidence can be a combination of several types of evidence.
A. True
B. False

3. What type of evidence is an external audit report?
A. Physical
B. Confirmative
C. Analytical

4. How can an auditor verify conformity to control 5.18 Access rights of ISO/IEC 27001
by using analytical evidence?
A. By analyzing results of the access rights removal procedure on a sample of users upon
the termination of their contracts
B. By analyzing the removal or adjustment of access rights procedure
C. By analyzing the access rights removal simulation test

5. What makes audit evidence appropriate?
A. Sufficiency
B. Relevance and reliability
C. Approval

6. Which type of audit evidence is considered the least reliable?
A. Verbal
B. Confirmative
C. Physical

7. What type of evidence is the observation of a firewall configuration?
A. Analytical
B. Mathematical
C. Technical


Quiz 8: Risk-based auditing

1. Which type of audit risk is known as the risk that occurs in the management system
despite the internal control mechanisms in an organization?
A. Inherent risk
B. Control risk
C. Detection risk

2. Which of the following factors should be considered when determining the materiality
of a system?
A. The organizational changes
B. The conditions of service-level agreements
C. The audit results

3. During an ISO/IEC 27001 audit, auditors must obtain absolute assurance that every
single process is effective and conforms to the standard requirements.
A. True
B. False

4. Materiality is taken into account to determine the duration of the audit based on the
risks inherent to the organization during:
A. Initial contact
B. Stage 1 audit
C. Stage 2 audit

5. What does “control risk” mean?
A. The risk that a significant defect related to the organization’s internal controls could not
be detected by the auditor
B. The risk that a significant defect could not be prevented by the organization’s internal
control mechanisms
C. The risk that remains after a significant defect of an internal control is detected and
corrected

6. What action is taken during stage 1 audit when evaluating materiality during the
audit?
A. Identifying the key processes to be audited
B. Determining the audit duration
C. Adjusting the plan based on the materiality of each process or asset


Quiz 9: Initiation of the audit process

1. Which parties are involved in an audit offer?
A. The auditor and the auditee
B. The certification body and the auditee
C. The certification body and the auditor

2. How many audit team leaders should be appointed for a joint audit?
A. One audit team leader
B. Two audit team leaders
C. It is up to the certification body

3. What can trigger the initiation of a change in the audit scope?
A. Recent changes in the existing processes
B. Review of major information security incidents
C. Modifications in the information security policy

4. Auditors use the _______________ as a reference to determine conformity.
A. Audit feasibility
B. Audit criteria
C. Audit objectives

5. The certification agreement document formalizes the acceptance of an audit mandate
from the auditor.
A. True
B. False

6. What is the purpose of an initial contact with the auditee?
A. To determine the audit objectives
B. To discuss the audit schedule
C. To establish the communication objectives


Quiz 10: Stage 1 audit

1. What is the main objective of stage 1 audit?
A. To determine if internal audits and management reviews are performed
B. To evaluate if the ISMS is effectively implemented
C. To evaluate if the processes of the organization conform to the requirements of the
standard

2. Stage 1 audit should not be conducted too far from stage 2 audit.
A. True
B. False

3. Which is the first phase of stage 1 audit?
A. Conduct on-site activities
B. Document the stage 1 audit outputs
C. Prepare for on-site activities

4. Which of the following activities of stage 1 audit does NOT take place during the
auditor’s on-site visit?
A. Observing the technology used and the operations of the ISMS in general
B. Reviewing the information security policy and other documented information
C. Validating the compliance of the management system with contractual and regulatory
requirements

5. Why should the auditor interview the person responsible for the ISMS in an
organization?
A. To validate the top management’s commitment in an organization
B. To provide information regarding the organization’s internal audits
C. To understand how the organization operates with the management system in place

6. The scope of the management system and the responsibility of the auditee’s top
management should be validated during:
A. Stage 1 audit
B. Stage 2 audit
C. After the audit

7. Which documentation should be examined by the auditor first?
A. Strategic documentation (declaration of scope, objectives and policies, etc.)
B. Documentation related to risk management
C. Documentation of supporting procedures (worksheets, forms, etc.)

8. An auditor must have sufficient knowledge of and practical experience in the use of
electronic media.
A. True
B. False


Scenario-based quiz 2: Sections 6-11

Finanvo is a financial institution that provides financial and monetary transactions, such as loans,
investments, and deposits. Recently, they experienced a large increase in clients in a short
amount of time, which caused frequent network service interruptions. Thus, Finanvo’s top
management started to explore new solutions that could help them reduce the number of service
interruptions and maintain the quality of their services.

Finanvo decided to implement an information security management system based on ISO/IEC
27001. They applied for certification after one year of having an active ISMS. They selected
AuditOrg, a well-known certification body, to conduct the audit. The audit team comprised five
auditors, of which two had worked for one of Finanvo’s biggest competitors. This meant they
had adequate experience in auditing financial institutions.

Following best audit practices, AuditOrg initiated the audit by gathering information regarding
the scope of the management system and Finanvo’s understanding of the standard requirements.
As part of their audit activities, the auditors carried out a general review of the organization’s
documented information, including records on training sessions. Some employees’ training
records were missing, so the audit team interviewed them to verify their participation. The
auditors used the collected information from the interviews as a sample to measure the
employees’ understanding of information security. After obtaining the needed information, the
auditors calculated the amount of training hours and analyzed the collected evidence. The
findings helped the auditors support their conclusions and report all audit activities truthfully and
accurately.

The auditors concluded that they did not detect any major nonconformity in Finanvo’s
information security management system.

Answer the following questions by referring to the above-mentioned scenario:

1. What type of audit is AuditOrg conducting?
A. Second party audit
B. Third party audit
C. Internal audit

2. Based on the scenario, can Finanvo request the replacement of the audit team
members?
A. Yes, two of AuditOrg’s auditors have worked for one of Finanvo’s biggest competitors,
which is a valid reason to request the replacement of audit team members
B. No, Finanvo does not have a valid reason to request the replacement of audit team
members since the auditors have adequate experience in auditing
C. No, Finanvo cannot request the replacement of audit team members for any reason

3. AuditOrg’s audit team members have collected all types of evidence below, except
____________.
A. Confirmative evidence
B. Mathematical evidence
C. Analytical evidence

4. Which auditing principle has AuditOrg applied in this case: “The findings helped the
auditors support their conclusions and report all audit activities truthfully and
accurately”?
A. Independence
B. Fair presentation
C. Confidentiality

5. How would you evaluate the level of responsibility demonstrated by AuditOrg’s
auditors?
A. Ordinary negligence, since the auditors have demonstrated lack of diligence during the
audit
B. Gross negligence, since the auditors have demonstrated a total lack of diligence during
the audit
C. No negligence, since the auditors have demonstrated due diligence during the audit


Quiz 11: Preparing for stage 2 audit

1. What is the main objective of stage 2 audit?
A. To review the internal audit activities
B. To evaluate the implementation of the ISMS
C. To verify the information security objectives of the ISMS

2. Which of the following is a step in audit planning?
A. Conducting risk assessment
B. Determining the audit criteria
C. Preparing the audit test plans

3. How does the audit team select processes and systems to be tested?
A. Based on the technical experts’ advice
B. Based on audit procedures
C. Based on materiality

4. During the audit, documented information involving proprietary information was
protected at all times. Which principle of maintaining audit work documents has been
followed?
A. Confidentiality
B. Authorship
C. Conciseness

5. A well-designed documentation standard improves the overall quality of the audit.
A. True
B. False


Quiz 12: Stage 2 audit

1. What is the main purpose of the opening meeting in an audit?
A. To obtain detailed information about management system-related processes
B. To verify audit evidence and obtain a reasonable level of assurance
C. To ensure that planned audit activities can be performed

2. The opening meeting agenda can include information on:
A. The availability of resources
B. The examination of documented information
C. The creation of audit test plans

3. The auditor has accessed the access logs of the server room. What source of
information was collected?
A. Documents
B. Observations
C. Records

4. How is audit evidence evaluated?
A. By comparing it against the audit criteria
B. By conducting quality review
C. By utilizing audit tests

5. The quality review of audit evidence will assure that the audit findings are reliable and
valid.
A. True
B. False


Quiz 13: Communication during the audit

1. How often should audit team meetings be held?
A. A meeting held in the morning and another at the end of the day
B. A meeting per day held in the morning
C. A meeting per day held in the evening

2. What is the role of an observer?
A. To assist the audit team
B. To accompany the audit team
C. To help the auditor with the audit procedures

3. A guide’s responsibilities include maintaining logistics, ensuring that health and safety
policies are observed, and facilitating audit activities.
A. True
B. False

4. Why should an auditor consider cultural aspects at every stage of the audit?
A. To solve conflicts between employees of the auditee
B. To document conflictual situations
C. To avoid possible conflicts or misunderstandings

5. Which of the following is a characteristic of autocratic leaders?
A. They supervise and control their employees
B. They allow their employees to set the goals and deadlines
C. They provide guidance to their employees

6. Leaders who are attentive to the needs and emotions of their employees and listen to
their opinions, but who make the final decisions themselves, are categorized as:
A. Laissez-faire leaders
B. Democratic leaders
C. Autocratic leaders

7. What should an auditor do to evaluate the top management’s commitment to the
information security management system?
A. Interview the auditee’s top management
B. Demonstrate commitment to audit procedures
C. Ask all of the auditee’s employees for their opinion


Quiz 14: Audit procedures

1. What must an auditor collect to ensure the relevance of an audit procedure?
A. Archives
B. Backups
C. Evidence

2. Which of the following options is NOT an audit procedure?
A. Evidence collection analysis
B. Evidence collection synthesis
C. Evidence collection tools

3. Which of the options below is NOT necessary to keep in mind when conducting
effective interviews?
A. Ensuring the interviewee does not leave out important information
B. Asking for specifics
C. Using complex and abstract terminology

4. What factors should an auditor consider when evaluating the conformity of
documented information?
A. Content and format
B. Dates and signatures
C. Alignment with policies

5. The auditor is an observer during a system backup test. What type of observation is
the auditor conducting?
A. General observation
B. Quantitative observation
C. Detailed observation

6. An auditor takes notes of the serial numbers of the audited equipment and the
locations where certain processes take place. Why would an auditor take such actions?
A. To document their observations
B. To keep notes for similar future cases
C. To keep track in case they forget something

7. In statistical terms, the _______________ approach is known as the study of a population
by studying representative samples.
A. Synthesis
B. Decomposition
C. Analysis

8. The practice of producing information based on quantitative empirical data is known
as:
A. Empirics
B. Samples
C. Statistics

9. Which sampling method is more complex and usually more time consuming to
perform?
A. Interval sampling
B. Systematic sampling
C. Random sampling

10. Which option best describes evaluation in auditing?
A. An objective procedure
B. Assessment of nonconformity
C. A subjective procedure


Quiz 15: Creating audit test plans

1. How can an auditor avoid disrupting the auditee’s operations?
A. By developing audit test plans using only observation
B. By conducting virtual audits
C. By grouping audit test plans

2. To verify conformity to clause 7.5.3 Control of documented information of ISO/IEC
27001, the audit team has validated the electronic structure for classifying and storing
documented information. What type of audit procedure has been used?
A. Technical verification
B. Analysis
C. Documented information review

3. Which document can serve as audit evidence to verify conformity to clause 4.3
Determining the scope of the information security management system of ISO/IEC
27001?
A. Statement of Applicability
B. Information security policy
C. Risk assessment report

4. Which of the following is considered as audit evidence when verifying conformity to
clause 5.1 Leadership and commitment of ISO/IEC 27001?
A. Risk treatment results
B. The scope of the organization’s certification
C. Information security objectives

5. A combination of audit test plans should be used to verify conformity to the standard
requirements.
A. True
B. False


Scenario-based quiz 3: Sections 12-16

DeeCorp, established in 1989, is one of the first companies to offer wireless technology services
in South America. With more than 400 employees, they specialize in providing innovative
engineering services, including network planning, deployment, integration, and optimization.
Complying with ISO/IEC 27001 is very important to DeeCorp. They hope to finally gain their
certification this year.

Eva was appointed to be the audit team leader for DeeCorp’s audit. Her job was to evaluate the
current state of DeeCorp’s information security management system and present the audit
findings in a comprehensive report. This would allow her to determine whether she should issue
a recommendation for certification to DeeCorp.

Eva has thorough theoretical and practical knowledge of the audit principles and procedures. She
is also experienced in information security. Her team consisted of two other auditors, Tom and
Ben. Eva has already worked with Tom and Ben previously, so a socializing event (e.g., audit
opening meeting) was deemed unnecessary.

Eva, Tom, and Ben decided to structure an audit test plan before proceeding. Eva’s job was to
verify DeeCorp’s conformity to Annex A 5.1 Policies for information security of ISO/IEC
27001. To do so, she used individual interviews as an evidence collection procedure and audit
sampling as a tool. She chose a statistically reliable and easy-to-use sampling method. Ben and
Tom, on the other hand, were responsible for the sampling procedure. They selected a sample
size of 10 employees based on a fixed interval.

Based on the scenario above, answer the following questions:

1. According to the general principles for determining the sample size, did Tom and Ben
select a valid sample size of 10 employees based on a fixed interval?
A. No, the determined sample size is significantly low compared to DeeCorp’s population,
as according to the general principles, for a population lower than 366 the minimum
number of the sample size should be 25
B. Yes, the determined sample size is in proportion to DeeCorp’s overall population
C. No, the determined sample size is significantly low compared to DeeCorp’s population,
as according to the general principles, for a population higher than 366, the minimum
number of the sample size should be 25

2. According to the scenario, Eva wanted an easy-to-use and statistically reliable
sampling method. Which method fits that description?
A. Random sampling
B. Systematic sampling
C. Block selection sampling


3. The scenario states that there is no need for a socializing event. Is “socializing” the
main purpose of an audit opening meeting?
A. No, the main purpose of an audit opening meeting is to gain a level of understanding of
the team members’ background
B. Yes, the main purpose of an audit opening meeting is to allow the audit members to
socialize
C. No, the main purpose of an audit opening meeting is to introduce and agree on the audit
plan, audit team, and roles and responsibilities of each auditor

4. What important information could Eva gather from the individual interviews that
would be of help for her final audit report?
A. Detailed information that helps her evaluate and determine if a set of policies for
information security is defined, approved, published, and communicated to employees
and external parties
B. Detailed information on when the organization implemented the information security
policies control and the persons responsible for its implementation and maintenance
C. Detailed information on the expertise level of DeeCorp employees and their level of
understanding and attitude to the organization’s policies

5. Eva’s team structured an audit test plan in order to:
A. Test whether the controls are error-free
B. Determine a nonconformity
C. Validate conformity to requirements


Quiz 16: Drafting audit findings and nonconformity reports

1. According to ISO 19011, what should be considered when determining audit findings?
A. Description of or reference to audit criteria against which conformity is shown
B. Declaration of conformity
C. Follow-up of previous audit records

2. The auditor found out that the auditee has restricted the access of its employees to the
operating system software using an access control system. This access is being
controlled and monitored but not documented. How is this situation to be evaluated?
A. As a major nonconformity
B. As a minor nonconformity
C. As conformity

3. What is the definition of an anomaly?
A. A deviation from a requirement or from the targets set by the organization
B. An element observed during the implementation that may be subject to improvement
C. A fulfilment of a requirement specified by the organization

4. What should be included in a nonconformity report?
A. Audit criteria
B. Corrective actions to be taken by the auditee
C. Reference for future audits

5. What do the audit criteria describe?
A. The facts observed and recorded during the audit
B. The type of nonconformity observed
C. The specific requirements of the standard used as a reference for the evaluation of the
ISMS

6. The auditor has noticed that the auditee does not have a Statement of Applicability.
What audit conclusion should the auditor reach?
A. Major nonconformity
B. Minor nonconformity
C. Conform

7. An observation is a situation observed during the audit that influences audit
conclusions.
A. True
B. False

Quiz 17: Audit documentation and quality review

1. What is the purpose of creating and keeping work documents?
A. To support audit evidence
B. To ensure compliance with the standard requirements
C. To develop a quality review procedure

2. Management system-related documents in the auditor’s possession should be destroyed
after the audit.
A. True
B. False

3. Who is responsible for ensuring the protection of the auditee’s confidential information
included in the audit records?
A. Auditee’s employees
B. Audit team members
C. Only the audit team leader

4. Why should the audit team leader review other audit team members’ work
documents?
A. To ensure that the auditors have collected sufficient information to support their
conclusion
B. To ensure that the audit team members make the adequate certification decision based
on the evaluation of the results
C. To ensure that the auditee’s processes and procedures are in compliance with standard
requirements

5. Which of the following is NOT included in audit records?
A. Audit test plans
B. Interview notes
C. Proposed action plans

Quiz 18: Closing of the audit

1. When does the audit team formally present the audit conclusions and the certification
recommendation?
A. During the closing meeting
B. During the surveillance audit
C. During the audit follow-up

2. Why should audit findings be discussed with the auditee’s management prior to the
closing meeting?
A. To negotiate the conclusions with competent employees
B. To initiate the implementation of corrective actions
C. To present the audit conclusions

3. After finding out that the auditee does not have a backup policy, the auditor provided
the auditee with a backup policy template to help them treat the detected
nonconformity. Is this acceptable?
A. Yes, because auditors should help the auditee resolve the detected nonconformities
B. Yes, because auditors should provide the necessary resources to the auditee in order to
resolve the nonconformities
C. No, because auditors cannot suggest specific solutions to resolve nonconformities

4. The audit conclusions are a summary of the audit findings based on the audit evidence.
A. True
B. False

5. Which statement with regard to the distribution of the audit report is correct?
A. The audit report should be distributed after appropriate measures that ensure
confidentiality have been considered
B. The audit report should be distributed to the audit team members only
C. The audit report should be distributed to the certification body, which then decides with
whom to share the audit report

6. Which information is NOT included in the certificate issued by the certification body?
A. The management system scope
B. The name of the audit team leader
C. The geographical location of the auditee

Quiz 19: Evaluation of action plans by the auditor

1. What should the auditee specify in an action plan?
A. The detection, root cause, and corrections of nonconformities
B. The audit follow-up and surveillance activities
C. The audit agreement, plan, and evaluation of results

2. One action plan should cover all the nonconformities.
A. True
B. False

3. Which of the following is NOT included in an action plan?
A. The correction of nonconformities
B. The elimination of the root causes
C. The project plan to treat the nonconformity

4. How are action plans evaluated?
A. Based on the audit evidence collected during the audit
B. Based on the auditor’s experience and knowledge
C. Based on the completion status of the corrective actions

5. What does the following sentence indicate in an action plan: “There is no procedure in
place to ensure the required protection against malware.”?
A. Description of the nonconformity
B. Description of the root cause
C. Description of the proposed corrective action

Quiz 20: Beyond the initial audit

1. If the audit report indicates a major nonconformity, what happens next?
A. The auditee is subject to an audit review
B. The auditee is subject to an immediate lawsuit
C. The auditee is subject to an audit follow-up

2. When is it possible for the auditor NOT to perform a follow-up audit?
A. In case of insufficient financial resources
B. In case of a minor nonconformity
C. In cases when multiple recommendations are received

3. The auditor should review the effectiveness of the actions taken by the auditee:
A. After closing the nonconformity
B. Before conducting the closing meeting
C. Before closing the nonconformity

4. An auditee can have its certification ________________ when the certified management
system has constantly failed to comply with certification requirements.
A. Extended
B. Suspended
C. Transferred

5. What is the purpose of a recertification audit?
A. To confirm the continual suitability, adequacy, and effectiveness of the management
system
B. To evaluate the degree of nonconformity of the management system
C. To confirm the efficiency degree of the management system

6. It is recommended that after the first surveillance audit, the second surveillance audit
should be conducted within a time frame no longer than:
A. 6 months
B. 12 months
C. 24 months

Quiz 21: Managing an internal audit program

1. An audit program should follow the steps described in Annex A.
A. True
B. False

2. The ________________ has no advisory role within the auditee.
A. Internal audit
B. External audit
C. Management review

3. What is the role of an internal auditor?
A. To consider only the effectiveness of the ISMS
B. To conduct the audit in a planned and timely manner
C. To ensure the effectiveness and efficiency of the operations

4. Which of the following is a crucial factor in accomplishing the mission of the internal
audit?
A. The auditors’ experience of interference from the audited entities
B. The availability and collaboration of the audited entities
C. The collaboration of non-audited entities

5. Unless otherwise specified, the records related to the internal audit program are the
property of the Internal Audit Department.
A. True
B. False

6. Which factors below can require modifications in an audit program?
A. Manager’s requirement
B. Conflict of interest situation
C. Audit efficiency

Scenario-based quiz 4: Sections 17-23

Company ABC is a leading software development and testing company headquartered in
Frankfurt, Germany offering services based on the clients’ requests and needs. The development
process is divided into the following phases: discovery, development, testing, deployment, and
maintenance. During each phase, the company ensures information privacy and protection
through a successfully implemented and maintained ISMS.

However, the ISMS implementation alone could not help them expand their market. That is why
they decided to apply for an ISO/IEC 27001 certification.

The company contacted a certification body to undergo the process of certification. You, an
auditor that works for the certification body, are selected as the audit team leader. During the
course of audit activities, you draft the audit findings and the nonconformity reports.

Upon considering the validity of the audit evidence, you drafted two nonconformity reports for
the detected nonconformities. The reports followed the same structure: the audit criteria,
description of the observed nonconformity, and the audit finding.

Based on the audit findings and other information collected during the audit, you recommend
Company ABC for certification upon the filing of corrective action plans. The audit conclusion
was discussed with the auditee’s representatives, who assured you that action plans will be
submitted as soon as possible.

To resolve the first detected nonconformity, Company ABC submitted the following action plan:
“A formal user registration and de-registration process to grant or deny access to systems and
services that process sensitive information will be created.” The action plan addressing the
second nonconformity stated that “A new version of the security policy will be published to
include legal and regulatory requirements.”

Once the submitted action plans and the implemented corrective actions were evaluated, you
decide to close the detected nonconformities.

Answer the following questions by referring to the above-mentioned scenario:

1. What should you have taken into consideration, in addition to the audit evidence, when
determining the audit findings?
A. Requirements of the audit client
B. Submission of corrective actions
C. Content of action plans

2. You have validated the action plans and the implemented corrective actions submitted
by Company ABC. What type of audit have you conducted?
A. Surveillance audit
B. Audit follow-up
C. Internal audit

3. Which of the following statements presents the best description of the observed
nonconformity related to the first action plan submitted by Company ABC?
A. The process used to grant or deny access to systems and services that process sensitive
information is not documented
B. There is no process in place to manage access to systems and services that process
sensitive information
C. In a sample of 30 user accounts belonging to former employees of Company ABC, only
5 of them followed the formal user de-registration process

4. The auditee has submitted the following action plan, “A formal user registration and
de-registration process to grant or deny access to systems and services that process
sensitive information will be created.” Is this action plan acceptable?
A. No, because it does not address the root cause of the detected nonconformity
B. No, because a time frame for completing the action has not been included
C. No, because the required resources for the implementation have not been included

5. What type of audit finding does the second action plan resolve?
A. Anomaly
B. Minor nonconformity
C. Major nonconformity
