ISO27001
Which of the options below is NOT necessary to keep in mind when conducting effective interviews?
Using complex and abstract terminology
Which of the following activities of stage 1 audit does NOT take place during the auditor's on-site visit?
Validating the compliance of the management system with contractual and regulatory requirements
Which type of audit evidence is considered the least reliable?
Verbal
Audit evidence must be:
Verifiable
The scope of the management system and the responsibility of the auditee's top management should be validated during:
Stage 1 audit
Stage 1 audit should not be conducted too far from stage 2 audit.
Stage 1 audit should not be conducted too far from stage 2 audit.
Which documentation should be examined by the auditor first?
Strategic documentation (declaration of scope, objectives and policies, etc.)
Artificial general intelligence (AGI) is also known as:
Strong artificial intelligence
An example of structured data is:
Structured query language (SQL)
What type of evidence is the observation of a firewall configuration?
Technical
What does the integrity principle entail?
That information is accurate and safe from unauthorized access
Which of the statements below regarding the ISMS scope is correct?
The ISMS scope must be available as documented information
The opening meeting agenda can include information on:
The availability of resources
Which parties are involved in an audit offer?
The certification body and the auditor
Which of the following factors should be considered when determining the materiality of a system?
The conditions of service-level agreements
Which option below presents a vulnerability in Webos's client system?
The database encryption problems
What does "control risk" mean?
The risk that a significant defect could not be prevented by the organization's internal control mechanisms
Who is responsible for establishing the information security policy according to ISO/IEC 27001?
The top management
Which of the following is a characteristic of autocratic leaders?
They supervise and control their employees
What type of audit is AuditOrg conducting?
Third party audit
What is the role of an observer?
To accompany the audit team
Why should an auditor consider cultural aspects at every stage of the audit?
To avoid possible conflicts or misunderstandings
Webos conducted technical investigations after its partners reported security incidents. What is the aim of implementing this security control?
To correct the problems and prevent their recurrence
What is the main objective of stage 1 audit?
To determine if internal audits and management reviews are performed
Why should an organization draft a Statement of Applicability?
To document the justifications for the inclusion and exclusion of Annex A controls
What is the main purpose of the opening meeting in an audit?
To ensure that planned audit activities can be performed
What is the purpose of an initial contact with the auditee?
To establish the communication objectives
What is the main objective of stage 2 audit?
To evaluate the implementation of the ISMS
Which of the following is one of the objectives of the privacy protection policy?
To increase awareness regarding the legal requirements for protecting personal information
An organization has clearly defined its security procedures and uses access control software to prevent unauthorized access by personnel to its confidential data. What is the function of these security controls?
To prevent the occurrence of incidents
What is one of the main purposes of implementing an ISMS?
To reduce information security risks
Why should the auditor interview the person responsible for the ISMS in an organization?
To understand how the organization operates with the management system in place
A guide's responsibilities include maintaining logistics, ensuring that health and safety policies are observed, and facilitating audit activities.
True
A piece of audit evidence can be a combination of several types of evidence.
True
A well-designed documentation standard improves the overall quality of the audit.
True
An auditor must have sufficient knowledge of and practical experience in the use of electronic media.
True
Webos's project failed due to the lack of segregation of duties during the maternity leave of the software development team leader. Which of the following is a threat that can impact Webos in this situation?
Unauthorized use of the system
Which of the options below represents an example of a vulnerability?
Unencrypted data
Leaders who are attentive to the needs and emotions of their employees and listen to their opinions, but take the final decisions themselves, are categorized as:
Democratic leaders
Migration to the Windows Azure SQL database would solve the availability problems by reducing the _____________
Disruption of operations
How would you evaluate the level of responsibility demonstrated by AuditOrg's auditors?
No negligence, since the auditors have demonstrated due diligence during the audit
How many audit team leaders should be appointed for a joint audit?
One audit team leader
What can have an impact on the availability of information?
Performance degradation
Which is the most appropriate cloud computing solution when an organization wants to reduce the coding time?
Platform as a service (PaaS)
Which is the first phase of stage 1 audit?
Prepare for on-site activities
An audit team leader must be competent to:
Prepare the audit conclusions
What is the aim of laws with regard to intellectual property rights?
Protecting certain intangible assets
What can trigger the initiation of a change in the audit scope?
Recent changes in the existing processes
The auditor has reviewed the access logs of the server room. What source of information was collected?
Records
What makes audit evidence appropriate?
Relevance and reliability
What does the ISO/IEC 27001 standard provide?
Requirements for an information security management system
The risk that remains after risk treatment is known as:
Residual risk
What step should an auditor follow to ensure the competence of staff in outsourced operations?
Review the service provider's processes and employees' contracts
An organization has decided to move its information-processing facilities to a place where the risk of flooding is low. What option of risk treatment is this?
Risk avoidance
Which type of audit approach focuses on matters that are significant for the auditee?
Risk-based approach
What is the difference between specifications and records?
Specifications are documents that state requirements, whereas records are documents that state achieved results
To which classification of security controls does the implementation of patches after the identification of system vulnerabilities belong?
Corrective by function and technical by type
What criteria should be considered when selecting a risk assessment methodology?
Costs and availability of supporting software tools
A third party that performs the assessment of conformity of management systems is:
A certification body
How often should audit team meetings be held?
A meeting held in the morning and another at the end of the day
A former employee of Company A has gained unauthorized access to the company's sensitive information. What does this present?
A threat that has the potential to harm the assets of the organization, such as information or systems
When does the surveillance audit take place?
After obtaining certification
By segregating the duties of the software development team, Webos implemented:
An administrative control
Your Market is a market research company which helps its customers determine which products and services are in demand. The company is currently evaluating the effectiveness of its information security controls through an ISMS audit. What is Your Market in this case?
An auditee
Which services can be managed by the user when using Platform as a Service (PaaS)?
Application and data
Auditors use the _______________ as a reference to determine conformity.
Audit criteria
How does the audit team select processes and systems to be tested?
Based on materiality
How can an auditor verify conformity to control A.9.2.6 Removal or adjustment of access rights of ISO/IEC 27001 by using analytical evidence?
By analyzing results of the access rights removal procedure on a sample of users upon the termination of their contracts
How is audit evidence evaluated?
By comparing it against the audit criteria
How can big data technology tools be beneficial for auditors?
By retrieving data that may be considered sensitive
Which of the statements holds true with certification bodies?
Certification bodies are accredited by accreditation bodies
__________________ includes delivering hosted services over the internet, such as infrastructure as a service or platform as a service.
Cloud computing
Which of the following is a step in audit planning?
Conducting risk assessment
During the audit, documented information involving proprietary information was protected at all times. Which principle of maintaining audit work documents has been followed?
Confidentiality
With which of the following principles does an organization comply if it ensures that only authorized users have access to their sensitive data?
Confidentiality
What type of evidence is an external audit report?
Confirmative
AuditOrg's audit team members have collected all types of evidence below, except:
Confirmative evidence
What factors should an auditor consider when evaluating the conformity of documented information?
Content and format
What must an auditor collect to ensure the relevance of an audit procedure?
Evidence
Which of the following options is NOT an audit procedure?
Evidence collection synthesis
Which auditing principle has AuditOrg applied in this case: "The findings helped the auditors support their conclusions and report all audit activities truthfully and accurately"?
Fair presentation
During an ISO/IEC 27001 audit, auditors must obtain absolute assurance that every single process is effective and conforms to the standard requirements.
False
ISO performs accreditation and certification activities.
False
Organizations can obtain certification against the ISO/IEC 27002 standard if they implement all of its information security controls.
False
Supervised machine learning is used to group data based only on outputs and includes clustering, representation learning, and density estimation.
False
The auditee determines the audit objectives.
False
The certification agreement document formalizes the acceptance of an audit mandate from the auditor.
False
The implementation of ISO/IEC 27001 is a legal requirement in most countries.
False
The quality review of audit evidence will assure that the audit findings are reliable and valid.
False
What does ISO 19011 provide?
Fundamental principles of auditing
What action is taken during stage 1 audit when evaluating materiality during the audit?
Identifying the key processes to be audited
What is the impact of new technologies in auditing processes?
Increase audit efficiency and help in minimizing costs
The auditor issued an unfavorable report for Company 1 after strictly examining the audit evidence. He was not intimidated when Company 1, the main client of his audit firm, threatened to terminate the contract if the audit report did not suit them. Which principle of auditing has the auditor followed?
Independence
Which type of audit risk is known as the risk that occurs in the management system despite the internal control mechanisms in an organization?
Inherent risk
Materiality is taken into account to determine the duration of the audit based on the risks inherent to the organization during:
Initial contact
Company X evaluated and improved its risk management and core processes by using the insights and recommendations provided by the _______________ activities.
Internal audit
What should an auditor do to evaluate the top management's commitment to the information security management system?
Interview the auditee's top management
According to ISO 9000, what is an asset?
Item or entity that has potential or actual value to an organization
Linear regression and logistic regression are algorithms utilized by:
Machine learning
Based on the scenario, can Finanvo request the replacement of the audit team members?
Yes, two of AuditOrg's auditors have worked for one of Finanvo's biggest competitors, which is a valid reason to request the replacement of audit team members