Question 1

What is the relationship between data and information?

Options :

A : Data is structured information.

B : Information is the meaning and value assigned to a collection of data.

Answer: B

Question 2

Which of the following does an Asset Register contain? (Choose two)

Options :

A : Asset Type

B : Asset Owner

C : Asset Modifier

D : Process ID

Answer: A,B

Question 3

An external auditor received an offer to conduct an ISMS audit at a research development company. Before accepting it, they discussed with the internal auditor of the auditee, who was their friend, about previous audit reports. Is this acceptable?

Options :

A : No, the external auditor should discuss about the auditee-s previous audit reports only with the certification body

B : Yes, the auditor can review and discuss the previous audit reports before accepting an audit mandate

C : No, the auditor should uphold objectivity even when deciding whether to accept the audit mandate or not

Answer: C

Question 4

When preparing for an audit, which of the following statements is false?

Options :

A : Each auditor creates their own audit checklist for use during the audit

B : The audit checklists are shared and agreed with the auditee in advance of the audit

C : The audit plan is shared with the auditee in advance of the audit

D : The audit plan may be changed during the audit

Answer: B

Question 5

Scenario 2: Clinic, founded in the 1990s, is a medical device company that specializes in treatments for heart-related conditions and complex surgical interventions. Based in Europe, it serves both patients and healthcare professionals. Clinic collects patient data to tailor treatments, monitor outcomes, and improve device functionality. To enhance data security and build trust, Clinic is implementing an information security management system (ISMS) based on ISO/IEC 27001. This initiative demonstrates Clinic's commitment to securely managing sensitive patient information and proprietary technologies. Clinic established the scope of its ISMS by solely considering internal issues, interfaces, dependencies between internal and outsourced activities, and the expectations of interested parties. This scope was carefully documented and made accessible. In defining its ISMS, Clinic chose to focus specifically on key processes within critical departments such as Research and Development, Patient Data Management, and Customer Support. Despite initial challenges, Clinic remained committed to its ISMS implementation, tailoring security controls to its unique needs. The project team excluded certain Annex A controls from ISO/IEC 27001 while incorporating additional sector-specific controls to enhance security. The team evaluated the applicability of these controls against internal and external factors, culminating in the development of a comprehensive Statement of Applicability (SoA) detailing the rationale behind control selection and implementation. As preparations for certification progressed, Brian, appointed as the team leader, adopted a self-directed risk assessment methodology to identify and evaluate the company’s strategic issues and security practices . This proactive approach ensured that Clinic’s risk assessment aligned with its objectives and mission. Question: Based on Scenario 2, Clinic initially defined its information security objectives and then conducted a risk assessment. Is this acceptable?

Options :

A : Yes, because objectives can be adjusted later to fit the risk assessment results

B : No, because the risk assessment should be conducted only once objectives are fully implemented

C : No, information security objectives must be established, taking into account risk assessment results, as per ISO/IEC 27001 requirements

Answer: C

Confidently Practice Online with Free ISO-IEC-27001-Lead-Auditor Exam Cram

Buying Options: