PECB Certified ISO/IEC 27001 2022 Lead Auditor exam ISO-IEC-27001-Lead-Auditor Question # 18 Topic 2 Discussion

ISO-IEC-27001-Lead-Auditor Exam Topic 2 Question 18 Discussion:

Question #: 18

Topic #: 2

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to
implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which three of the following Annex A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

5.11 Return of assets

5.13 Labelling of information

5.3 Segregation of duties

5.32 Intellectual property rights

5.34 Privacy and protection of personal identifiable information (PII)

5.6 Contact with special interest groups

6.3 Information security awareness, education, and training

Get Premium ISO-IEC-27001-Lead-Auditor Questions

Explanation

The three Annex A controls that you would expect the auditee to have implemented when you conduct the follow-up audit are:

B. 5.13 Labelling of information

E. 5.34 Privacy and protection of personal identifiable information (PII)

G. 6.3 Information security awareness, education, and training

B. This control requires the organisation to label information assets in accordance with the information classification scheme, and to handle them accordingly12. This control is relevant for the auditee because it could help them to avoid misaddressing labels and sending parcels to wrong destinations, which could compromise the confidentiality, integrity, and availability of the information assets. By labelling the information assets correctly, the auditee could also ensure that they are delivered to the intended recipients and that they are protected from unauthorized access, use, or disclosure.

E. This control requires the organisation to protect the privacy and the rights of individuals whose personal identifiable information (PII) is processed by the organisation, and to comply with the applicable legal and contractual obligations13. This control is relevant for the auditee because it could help them to prevent the unauthorized use of residents’ personal data by a supplier, which could violate the privacy and the rights of the residents and their family members, and expose the auditee to legal and reputational risks. By protecting the PII of the residents and their family members, the auditee could also enhance their trust and satisfaction, and avoid complaints and disputes.

G. This control requires the organisation to ensure that all employees and contractors are aware of the information security policy, their roles and responsibilities, and the relevant information security procedures and controls14. This control is relevant for the auditee because it could help them to improve the information security culture and behaviour of their staff, and to reduce the human errors and negligence that could lead to information security incidents. By providing information security awareness, education, and training to their staff, the auditee could also increase their competence and performance, and ensure the effectiveness and efficiency of the information security processes and controls.

References:

1: ISO/IEC 27001:2022 - Information technology — Security techniques — Information security management systems — Requirements, Annex A 2: ISO/IEC 27002:2022 - Information technology — Security techniques — Code of practice for information security controls, clause 8.2.1 3: ISO/IEC 27002:2022 - Information technology — Security techniques — Code of practice for information security controls, clause 18.1.4 4: ISO/IEC 27002:2022 - Information technology — Security techniques — Code of practice for information security controls, clause 7.2.2

Actual exam question for PECB ISO-IEC-27001-Lead-Auditor exam by Flint24641 at Aug 3, 2025, 12:00:00 AM

Contribute your Thoughts:

Chosen Answer: A B C D E F G
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam ISO-IEC-27001-Lead-Auditor Question # 18 Topic 2 Discussion

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam ISO-IEC-27001-Lead-Auditor Question # 18 Topic 2 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam ISO-IEC-27001-Lead-Auditor Question # 18 Topic 2 Discussion

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam ISO-IEC-27001-Lead-Auditor Question # 18 Topic 2 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval