Question 1

A well-executed risk analysis provides a great deal of useful information. A risk analysis has four main

objectives.

What is not one of the four main objectives of a risk analysis?

Options :

A : Identifying assets and their value

B : Implementing counter measures

C : Establishing a balance between the costs of an incident and the costs of a security measure

D : Determining relevant vulnerabilities and threats

Answer: B

Question 2

You are an experienced audit team leader guiding an auditor in training.

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf

of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls

listed in

the Statement of Applicability (SoA) and implemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

Options :

A : Confidentiality and nondisclosure agreements

B : How access to source code and development tools are managed

C : How power and data cables enter the building

D : How protection against malware is implemented

E : How the organisation evaluates its exposure to technical vulnerabilities

F : Information security awareness, education and training

G : The organisation-s arrangements for information deletion

Answer: B,D,E,G

Question 3

During a follow-up audit, you notice that a nonconformity identified for completion before the follow-up audit

is still outstanding.

Which four of the following actions should you take?

Options :

A : Report the failure to address the corrective action for the outstanding nonconformity to the organisation-s top management

B : Immediately raise an nonconformity as the date for completion has been exceeded

C : If the delay is justified agree on a revised date for clearing the nonconformity with the auditee/audit client

D : Contact the individuals) managing the audit programme to seek their advice as to how to proceed

E : Decide whether the delay in addressing the nonconformity is justified

F : Cancel the follow-up audit and return when an assurance has been received that the nonconformity has been cleared

G : Note the nonconformity is still outstanding and follow audit trails to determine why

H : If the delay is unjustified advise the auditee /audit client and agree on remedial action

Answer: A,C,E,G

Question 4

Why do we need to test a disaster recovery plan regularly, and keep it up to date?

Options :

A : Otherwise the measures taken and the incident procedures planned may not be adequate

B : Otherwise it is no longer up to date with the registration of daily occurring faults

C : Otherwise remotely stored backups may no longer be available to the security team

Answer: A

Question 5

A marketing agency has developed its own risk assessment approach as part of the ISMS implementation. Is this acceptable?

Options :

A : Yes, any risk assessment methodology that complies with the ISO/IEC 27001 requirements can be used

B : Yes, only if the risk assessment methodology is aligned with recognized risk assessment methodologies

C : No, when implementing an ISMS, the risk assessment methodology provided by ISO/IEC 27001 should be used

Answer: A

Confidently Practice Online with Free ISO-IEC-27001-Lead-Auditor Exam Cram

Buying Options: