Pass the PECB ISO 27001 ISO-IEC-27001-Lead-Auditor Questions and answers with CertsForce

The following four statements are true according to ISO/IEC 27001’s risk management requirements: 12

The results of risk assessments must be maintained. This is true because clause 8.2.3 of ISO/IEC 27001:2022 requires the organisation to retain documented information of the information security risk assessment process and the results12

ISO/IEC 27001 provides an outline approach for the management of risk. This is true because clause 6.1.2 of ISO/IEC 27001:2022 specifies the general steps for the information security risk management process, which include establishing the risk criteria, assessing the risks, treating the risks, and monitoring and reviewing the risks12

The organisation must produce a risk treatment plan for every business risk identified. This is true because clause 6.1.3 of ISO/IEC 27001:2022 requires the organisation to produce a risk treatment plan that defines the actions to be taken to address the unacceptable risks, the responsibilities, the expected dates, and the resources required12

Risk assessments should be undertaken following significant changes. This is true because clause 8.2.4 of ISO/IEC 27001:2022 requires the organisation to review and update the risk assessment at planned intervals or when significant changes occur12

The following four statements are false according to ISO/IEC 27001’s risk management requirements:

Risk identification is used to determine the severity of an information security risk. This is false because risk identification is used to identify the assets, threats, vulnerabilities, and existing controls that are relevant to the information security risk management process. The severity of an information security risk is determined by the risk analysis, which evaluates the likelihood and impact of the risk scenarios12

The organisation must operate a risk treatment process to eliminate its information security risks. This is false because the organisation can choose from four options to treat its information security risks: avoid, transfer, mitigate, or accept. The organisation does not have to eliminate all its information security risks, but only those that are unacceptable according to its risk criteria12

The initial phase in an organisation’s risk management process should be information security risk assessment. This is false because the initial phase in an organisation’s risk management process should be establishing the risk management framework, which includes defining the risk management policy, objectives, scope, roles, responsibilities, and criteria. The information security risk assessment is the second phase in the risk management process12

Risks assessments should be undertaken at monthly intervals. This is false because there is no fixed frequency for conducting risk assessments in ISO/IEC 27001. The organisation should determine the appropriate intervals for reviewing and updating the risk assessment based on its risk appetite, risk profile, and operational context12

CloudFort’s certification was suspended because it effectively operated beyond its approved certification scope without ensuring that the scope extension was formally assessed and approved, making option A the correct answer. Under ISO/IEC 17021-1, certification applies strictly to the defined and approved scope. Any significant organizational change that affects the ISMS, such as creating a new department with different processes and governance impacts, must be communicated promptly and assessed by the certification body before being considered part of the certified scope.

In this scenario, CloudFort did request a scope extension, which is the correct initial action. However, it failed to provide timely and sufficient updates regarding the impact of the new department on the ISMS. As a result, the certification body could not verify whether the extended scope continued to conform to ISO/IEC 27001 requirements. Operating new activities under the assumption of certification before formal approval constitutes misuse of certification, which justifies suspension.

Option B is incorrect because outsourcing internal audits is explicitly permitted by ISO/IEC 27001, provided independence and competence are ensured. Option C is incorrect because the audit team confirmed that the certified ISMS still fulfilled standard requirements; the issue was scope governance, not ISMS failure.

Therefore, the suspension resulted from scope control and certification governance failures, not from nonconformity with the standard itself.

An audit finding is the result of the evaluation of the collected audit evidence against audit criteria.

Comprehensive and Detailed In-Depth Explanation:

B. Correct Answer:

The engagement letter serves to inform the auditee about the audit details, including:

Audit scope

Audit schedule

Expectations from both parties

It formally introduces the audit process and schedules the initial contact.

A. Incorrect:

The authority to conduct the audit is established by the certification body’s agreement, not just the engagement letter.

C. Incorrect:

Audit objectives are determined in the planning phase and are not the primary function of the engagement letter.

Relevant Standard Reference:

ISO 19011:2018 Clause 6.2 (Initiating the Audit)

This scenario represents an "audit finding." An audit finding refers to results that indicate a deviation from the expected performance or standards. Discovering that two employees have not received the required training is an audit finding indicating noncompliance with the organization's training requirements.

The option that best describes how Information Security Management System (ISMS) audits should be conducted, aligning with best practices and standards like ISO/IEC 27001:2022, is:

D. Audit methods should be used to assess objective evidence in order to generate audit findings. Then, the audit conclusion should be created and presented to the auditee at the closing meeting.

This option accurately reflects the audit process, emphasizing the use of systematic audit methods to assess objective evidence, which is crucial for impartiality and accuracy in auditing. Audit findings are the results derived from evaluating the objective evidence against the audit criteria. The conclusion, based on the audit findings, provides a comprehensive summary of the audit's outcomes, indicating whether the audited ISMS meets the established criteria. Presenting these conclusions to the auditee during the closing meeting ensures transparency and provides an opportunity for immediate clarification and discussion of the results and potential next steps.

The technical expert can communicate their audit findings to the auditee only through one of the audit team members. This ensures that communications remain coordinated and that the audit team maintains control over the audit process.

The best way to dispose of a hard copy of a customer design document is to shred it using a shredder. This is because shredding ensures that the document is destroyed and cannot be reconstructed or accessed by unauthorized persons. A customer design document may contain sensitive or confidential information that could cause harm or damage to the customer or the organization if disclosed. Therefore, it is important to protect the confidentiality and integrity of the document until it is securely disposed of. Throwing it in any dustbin, giving it to the office boy to reuse it for other purposes, or reusing it for writing are not secure ways of disposing of the document, as they could expose the document to unauthorized access, theft, loss or damage. ISO/IEC 27001:2022 requires the organization to implement procedures for the secure disposal of media containing information (see clause A.8.3.2). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Secure Disposal?

The correct answer is the certification body, because ISO/IEC 17021-1 clearly assigns responsibility for establishing the audit scope and audit criteria to the certification body, not to the audit team or the auditee. The certification body is responsible for managing the certification process, ensuring consistency, impartiality, and compliance with accreditation requirements.

The audit scope defines the boundaries of the certification audit, including organizational units, locations, activities, and processes to be audited. The audit criteria define the set of policies, procedures, and requirements against which conformity is assessed, such as ISO/IEC 27001 requirements, statutory obligations, and internal ISMS policies. While the audit team leader may plan how the audit will be conducted within the defined scope, they do not determine the scope itself.

Option A is incorrect because the audit team leader’s role is to manage the audit execution, prepare the audit plan, and coordinate audit activities, not to establish the official scope or criteria. Option B is incorrect because although discussions with the auditee are necessary to understand the organization and confirm scope feasibility, the final authority remains with the certification body.

This separation of responsibility ensures independence and prevents organizations from unduly influencing the certification boundaries. Therefore, the certification body is the entity that establishes the audit scope and audit criteria.

The number of days assigned to a third-party audit is not determined by the auditee’s availability, but by the audit program, which considers the audit scope, objectives, criteria, risks, and resources12. The auditee’s availability is only one factor that affects the audit planning and scheduling, but not the audit duration3. Auditors approved for conducting onsite audits do require additional training for virtual audits, as there are significant differences in the skillset required. Virtual audits pose different challenges and opportunities than onsite audits, such as communication, technology, security, and evidence collection4 . Auditors need to be familiar with the tools and techniques for conducting remote audits, as well as the ethical and professional behavior expected in a virtual environment . References:

PECB Candidate Handbook - ISO 27001 Lead Auditor, page 18

ISO 19011:2018, Guidelines for auditing management systems, clause 5.3.2

ISO 19011:2018, Guidelines for auditing management systems, clause 6.3.1

Deloitte - Conducting a Virtual Internal Audit, page 1

[A Guide to Conducting Effective and Efficient Remote Audits], page 1

[ISO 19011:2018, Guidelines for auditing management systems], clause 7.2.3

[Remote Auditing Best Practices & Checklist for Regulatory Compliance], page 1