Confidently Practice Online with Free ISO-IEC-27001-Lead-Auditor Exam Cram

Practice for your PECB Certified ISO/IEC 27001 Lead Auditor certification test with the free ISO-IEC-27001-Lead-Auditor exam cram and take control of your certification preparation. At FreeExamCram, you can practice online for free using real ISO-IEC-27001-Lead-Auditor exam dumps, verified questions, and expert-designed free online practice tests. Moreover, our PECB ISO-IEC-27001-Lead-Auditor exam cram is backed by our confidence-boosting refund guarantee.

Exam Code: ISO-IEC-27001-Lead-Auditor
Exam Questions: 434
PECB Certified ISO/IEC 27001 Lead Auditor
Updated: 24 Nov, 2025
Viewing Page : 1 - 44
Practicing : 1 - 5 of 434 Questions
Question 1

Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.

Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now. Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.

During the stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation. They also reviewed and evaluated the records from management reviews and internal audits. Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.

The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing the governance framework (i.e., the information security policy) and the procedures.

Although the employees were allowed to take laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored on the laptops. This issue was documented in the stage 1 audit report.

Upon completing the stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.

During the stage 2 audit, the audit team interviewed the information security manager, who had drafted the information security policy. He justified the issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.

Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets the requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.

Based on the scenario above, answer the following question:

Should the auditor archive the copies of employee training records after the completion of the audit? Refer to scenario 7.

Options :
Answer: A

Question 2

Scenario 2: Clinic, founded in the 1990s, is a medical device company that specializes in treatments for heart-related conditions and complex surgical interventions. Based in Europe, it serves both patients and healthcare professionals. Clinic collects patient data to tailor treatments, monitor outcomes, and improve device functionality. To enhance data security and build trust, Clinic is implementing an information security management system (ISMS) based on ISO/IEC 27001. This initiative demonstrates Clinic's commitment to securely managing sensitive patient information and proprietary technologies. Clinic established the scope of its ISMS by solely considering internal issues, interfaces, dependencies between internal and outsourced activities, and the expectations of interested parties. This scope was carefully documented and made accessible. In defining its ISMS, Clinic chose to focus specifically on key processes within critical departments such as Research and Development, Patient Data Management, and Customer Support. Despite initial challenges, Clinic remained committed to its ISMS implementation, tailoring security controls to its unique needs. The project team excluded certain Annex A controls from ISO/IEC 27001 while incorporating additional sector-specific controls to enhance security. The team evaluated the applicability of these controls against internal and external factors, culminating in the development of a comprehensive Statement of Applicability (SoA) detailing the rationale behind control selection and implementation. As preparations for certification progressed, Brian, appointed as the team leader, adopted a self-directed risk assessment methodology to identify and evaluate the company's strategic issues and security practices. This proactive approach ensured that Clinic's risk assessment aligned with its objectives and mission.
Question: Based on Scenario 2, Clinic initially defined its information security objectives and then conducted a risk assessment. Is this acceptable?

Options :
Answer: C

Question 3

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are

presently in the auditee's data centre with another member of your audit team.

Your colleague seems unsure as to the difference between an information security event and an information

security incident. You attempt to explain the difference by providing examples.

Which three of the following scenarios can be defined as information security incidents?

Options :
Answer: E,F,H

Question 4

Which two of the following phrases are 'objectives' in relation to a first-party audit? 

Options :
Answer: C,F

Question 5

What is the goal of classification of information? 

Options :
Answer: C

© Copyrights FreeExamCram 2025. All Rights Reserved