Practice your PECB Certified ISO/IEC 27001 Lead Auditor certification test with free ISO-IEC-27001-Lead-Auditor exam cram and take control of your certification preparation. At FreeExamCram, you can practice online for free using real ISO-IEC-27001-Lead-Auditor exam dumps, verified questions, and expert-designed free online practice tests. Moreover our PECB ISO-IEC-27001-Lead-Auditor exam cram backed by our confidence-boosting refund guarantee.
Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September
2010. The company has a network of 30 branches with over 100 ATMs across the country.
Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the
security and privacy of data. They need to manage information security across their operations by
implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC
27001 because it provided better security, more risk control, and compliance with key requirements of laws
and regulations.
Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their
ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of
EsBank’s systems, processes, and technologies.
The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first
nonconformity was related to EsBank’s labeling of information. The company had an information
classification scheme but there was no information labeling procedure. As a result, documents requiring the
same level of protection would be labeled differently (sometimes as confidential, other times sensitive).
Considering that all the documents were also stored electronically, the nonconformity also impacted media
handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive
information mistakenly classified as confidential. According to the information classification scheme,
confidential information is allowed to be stored in removable media, whereas storing sensitive information is
strictly prohibited. This marked the other nonconformity.
They drafted the nonconformity report and discussed the audit conclusions with EsBank’s representatives,
who agreed to submit an action plan for the detected nonconformities within two months.
EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a
procedure for information labeling based on the classification scheme for both physical and electronic formats.
The removable media procedure was also updated based on this procedure.
Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the
detected nonconformities and the corrective actions taken, but did not include any details on systems, controls,
or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the
nonconformities. Yet, EsBank received an unfavorable recommendation for certification.
Based on the scenario above, answer the following question:
Which action illustrated in scenario 8 is unacceptable in an external audit?
Based on the identified nonconformities. Company A established action plans that included the detected
nonconformities, the root causes, and a general statement regarding each action that would be taken. Is this
acceptable?
Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network
security, virtualization, cloud computing, network hardware, network management software, and networking
technologies.
The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The
certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and
accepted standard.
But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls
and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management
was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit
function. This form of internal audits ensured independence, objectivity, and that they had an advisory role
about the continual improvement of the ISMS.
Not long after the initial certification audit, the company created a new department specialized in data and
storage products. They offered routers and switches optimized for data centers and software-based networking
devices, such as network virtualization and network security appliances. This caused changes to the operations
of the other departments already covered in the ISMS certification scope.
Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result,
the company confirmed the effectiveness and efficiency of the existing and new processes and controls.
The top management decided to include the new department in the certification scope since it complies with
ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope
encompasses the whole company.
One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS.
This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and
ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS
continues to fulfill
the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the
UpNefs certification was suspended.
Based on the scenario above, answer the following question:
What type of audit is illustrated in the last paragraph of scenario 9?
What is social engineering?
Select two options that describe an advantage of using a checklist.
© Copyrights FreeExamCram 2026. All Rights Reserved
We use cookies to ensure that we give you the best experience on our website (FreeExamCram). If you continue without changing your settings, we'll assume that you are happy to receive all cookies on the FreeExamCram.