ISO27001


Which of the options below is NOT necessary to have in mind when conducting effective interviews?

Using complex and abstract terminology

Which of the following activities of stage 1 audit does NOT take place during the auditor's on-site visit?

Validating the compliance of the management system with contractual and regulatory requirements

Which type of audit evidence is considered the least reliable?

Verbal

Audit evidence must be:

Verifiable

The scope of the management system and the responsibility of the auditee's top management should be validated during:

Stage 1 audit

Stage 1 audit should not be conducted too far from stage 2 audit.

True

Which documentation should be examined by the auditor first?

Strategic documentation (declaration of scope, objectives and policies, etc.)

Artificial general intelligence (AGI) is also known as:

Strong artificial intelligence

An example of structured data is:

Structured query language (SQL)

What type of evidence is the observation of a firewall configuration?

Technical

What does the integrity principle entail?

That information is accurate and complete and protected from unauthorized modification

Which of the statements below regarding the ISMS scope is correct?

The ISMS scope must be available as documented information

The opening meeting agenda can include information on:

The availability of resources

Which parties are involved in an audit offer?

The certification body and the auditor

Which of the following factors should be considered when determining the materiality of a system?

The conditions of service-level agreements

Which option below presents a vulnerability in Webos's client system?

The database encryption problems

What does "control risk" mean?

The risk that a significant defect could not be prevented by the organization's internal control mechanisms

Who is responsible for establishing the information security policy according to ISO/IEC 27001?

The top management

Which of the following is a characteristic of autocratic leaders?

They supervise and control their employees

What type of audit is AuditOrg conducting?

Third party audit

What is the role of an observer?

To accompany the audit team

Why should an auditor consider cultural aspects at every stage of the audit?

To avoid possible conflicts or misunderstandings

Webos conducted technical investigations after its partners reported security incidents. What is the aim of implementing this security control?

To correct the problems and prevent their recurrence

What is the main objective of stage 1 audit?

To determine if internal audits and management reviews are performed

Why should an organization draft a Statement of Applicability?

To document the justifications for the inclusion and exclusion of Annex A controls

What is the main purpose of the opening meeting in an audit?

To ensure that planned audit activities can be performed

What is the purpose of an initial contact with the auditee?

To establish the communication channels with the auditee

What is the main objective of stage 2 audit?

To evaluate the implementation of the ISMS

Which of the following is one of the objectives of the privacy protection policy?

To increase awareness regarding the legal requirements for protecting personal information

An organization has clearly defined the security procedures and uses an access control software to avoid unauthorized access of the personnel to its confidential data. What is the function of these security controls?

To prevent the occurrence of incidents

What is one of the main purposes of implementing an ISMS?

To reduce information security risks

Why should the auditor interview the person responsible for the ISMS in an organization?

To understand how the organization operates with the management system in place

A guide's responsibilities include maintaining logistics, ensuring that health and safety policies are observed, and facilitating audit activities.

True

A piece of audit evidence can be a combination of several types of evidence

True

A well-designed documentation standard improves the overall quality of the audit.

True

An auditor must have sufficient knowledge of and practical experience in the use of electronic media.

True

Webos's project failed due to the lack of segregation of duties during the maternity leave of the software development team leader. Which of the following is a threat that can impact Webos in this situation?

Unauthorized use of the system

Which of the options below represents an example of a vulnerability?

Unencrypted data

Leaders who are attentive to the needs and emotions of their employees and listen to their opinions but they themselves take the final decisions are categorized as:

Democratic leaders

Migration to the Windows Azure SQL database would solve the availability problems by reducing the _____________

Disruption of operations

How would you evaluate the level of responsibility demonstrated by AuditOrg's auditors?

No negligence, since the auditors have demonstrated due diligence during the audit

How many audit team leaders should be appointed for a joint audit?

One audit team leader

What can have an impact on the availability of information?

Performance degradation

Which is the most appropriate cloud computing solution when an organization wants to reduce the coding time?

Platform as a service (PaaS)

Which is the first phase of stage 1 audit?

Prepare for on-site activities

An audit team leader must be competent to:

Prepare the audit conclusions

What is the aim of laws with regard to intellectual property rights?

Protecting certain intangible assets

What can trigger the initiation of a change in the audit scope?

Recent changes in the existing processes

The auditor has accessed logs to the server room. What source of information was collected?

Records

What makes audit evidence appropriate?

Relevance and reliability

What does the ISO/IEC 27001 standard provide?

Requirements for an information security management system

The risk that remains after risk treatment is known as:

Residual risk

What step should an auditor follow to ensure the competence of staff in outsourced operations?

Review the service provider's processes and employees' contracts

An organization has decided to move its information-processing facilities to a place where the risk of flooding is low. What option of risk treatment is this?

Risk avoidance

Which type of audit approach focuses on matters that are significant for the auditee?

Risk-based approach

What is the difference between specifications and records?

Specifications are documents that state requirements, whereas records are documents that state achieved results

To which classification of security controls does the implementation of patches after the identification of system vulnerabilities belong?

Corrective by function and technical by type

What criteria should be considered when selecting a risk assessment methodology?

Costs and availability of supporting software tools

A third party that performs the assessment of conformity of management systems is:

A certification body

How often should audit team meetings be held?

A meeting held in the morning and another at the end of the day

A former employee of Company A has gained unauthorized access to the company's sensitive information. What does this present?

A threat that has the potential to harm the assets of the organization, such as information or systems

When does the surveillance audit take place?

After obtaining certification

By segregating the duties of the software development team, Webos implemented:

An administrative control

Your Market is a market research company which helps its customers determine which products and services are on demand. The company is currently evaluating the effectiveness of its information security controls through an ISMS audit. What is Your Market in this case?

An auditee

Which services can be managed by the user when using Platform as a Service (PaaS)?

Application and data

Auditors use the _______________ as a reference to determine conformity

Audit criteria

How does the audit team select processes and systems to be tested?

Based on materiality

How can an auditor verify conformity to control A.9.2.6 Removal or adjustment of access rights of ISO/IEC 27001 by using analytical evidence?

By analyzing results of the access rights removal procedure on a sample of users upon the termination of their contracts
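The analytical check described in the answer above can be scripted so the auditor's sample is reproducible. The following is an added example, not part of the original study set or of any PECB or ISO material: it cross-references a constructed HR termination register against constructed IAM account-disable records and flags every sampled user whose access was not removed, or was removed later than the organization's own procedure allows. The user names, dates and the one-day revocation deadline are all assumptions made for the illustration.

```python
from datetime import date

# Constructed sample: HR termination register (hypothetical users).
TERMINATIONS = {
    "j.doe": date(2024, 3, 1),
    "a.khan": date(2024, 3, 4),
    "m.lee": date(2024, 3, 10),
    "s.roy": date(2024, 3, 12),
}

# Constructed sample: account-disable events exported from the IAM system.
# A user absent from this mapping has no revocation record at all.
REVOCATIONS = {
    "j.doe": date(2024, 3, 1),
    "a.khan": date(2024, 3, 9),
    "m.lee": None,  # ticket opened, account never disabled
}

# Assumed deadline from the organization's own access-removal procedure:
# accounts must be disabled no later than one day after termination.
MAX_DAYS_AFTER_TERMINATION = 1


def check_revocations(terminations, revocations, max_days=MAX_DAYS_AFTER_TERMINATION):
    """Return one (user, reason) finding per terminated user whose access
    removal does not conform to the procedure. Conforming users yield nothing."""
    findings = []
    for user, term_date in sorted(terminations.items()):
        revoked_on = revocations.get(user)
        if revoked_on is None:
            # Covers both "record exists but no disable date" and "no record at all".
            findings.append((user, "access not removed"))
            continue
        delay = (revoked_on - term_date).days
        if delay > max_days:
            findings.append((user, f"removed {delay} days after termination"))
    return findings


def summarize(terminations, revocations, max_days=MAX_DAYS_AFTER_TERMINATION):
    """Sample size and nonconformity count, the figures an auditor records
    alongside the individual findings."""
    findings = check_revocations(terminations, revocations, max_days)
    return {
        "sampled": len(terminations),
        "nonconforming": len(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    report = summarize(TERMINATIONS, REVOCATIONS)
    print(f"sampled={report['sampled']} nonconforming={report['nonconforming']}")
    for user, reason in report["findings"]:
        print(f"  {user}: {reason}")
```

Each finding maps back to a named user and a dated record, which is what makes the evidence verifiable rather than a verbal assurance that "leavers are offboarded promptly"; the sample itself should be drawn from the HR register, not from the IAM export, so that users who never received a revocation record are still counted.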

How is audit evidence evaluated?

By comparing it against the audit criteria

How can big data technology tools be beneficial for auditors?

By retrieving data that may be considered sensitive

Which of the statements holds true with certification bodies?

Certification bodies are accredited by accreditation bodies

__________________ includes delivering hosted services over the internet, such as infrastructure as a service or platform as a service.

Cloud computing

Which of the following is a step in audit planning?

Conducting risk assessment

During the audit, documented information involving proprietary information was protected at all times. Which principle of maintaining audit work documents has been followed?

Confidentiality

With which of the following principles does an organization comply if it ensures that only authorized users have access to their sensitive data?

Confidentiality

What type of evidence is an external audit report?

Confirmative

AuditOrg's audit team members have collected all types of evidence below, except

Confirmative evidence

What factors should an auditor consider when evaluating the conformity of documented information?

Content and format

What must an auditor collect to ensure the relevance of an audit procedure?

Evidence

Which of the following options is NOT an audit procedure?

Evidence collection synthesis

Which auditing principle has AuditOrg applied in this case, "The findings helped the auditors support their conclusions and report all audit activities truthfully and accurately?"

Fair presentation

During an ISO/IEC 27001 audit, auditors must obtain absolute assurance that every single process is effective and conforms to the standard requirements.

False

ISO performs accreditation and certification activities

False

Organizations can obtain certification against the ISO/IEC 27002 standard if they implement all of its information security controls.

False

Supervised machine learning is used to group data based only on outputs and includes clustering, representation learning, and density estimation.

False

The auditee determines the audit objectives.

False

The certification agreement document formalizes the acceptance of an audit mandate from the auditor.

False

The implementation of ISO/IEC 27001 is a legal requirement in most countries.

False

The quality review of audit evidence will assure that the audit findings are reliable and valid.

False

What does ISO 19011 provide?

Fundamental principles of auditing

What action is taken during stage 1 audit when evaluating materiality during the audit?

Identifying the key processes to be audited

What is the impact of new technologies in auditing processes?

Increase audit efficiency and help in minimizing costs

The auditor issued an unfavorable report for Company 1 after strictly examining the audit evidence. He was not intimidated when Company 1, the main client of his audit firm, threatened to terminate the contract if the audit report did not suit them. Which principle of auditing has the auditor followed?

Independence

Which type of audit risk is known as the risk that occurs in the management system despite the internal control mechanisms in an organization?

Inherent risk

Materiality is taken into account to determine the duration of the audit based on the risks inherent to the organization during:

Initial contact

Company X evaluated and improved its risk management and core processes by using the insights and recommendations provided by the _______________ activities.

Internal audit

What should an auditor do to evaluate the top management's commitment to the information security management system?

Interview the auditee's top management

According to ISO 9000, what is an asset?

Item or entity that has potential or actual value to an organization

Linear regression and logistic regression are algorithms utilized by:

Machine learning

Based on the scenario, can Finanvo request the replacement of the audit team members?

Yes, two of AuditOrg's auditors have worked for one of Finanvo's biggest competitors, which is a valid reason to request the replacement of audit team members
