Stay ahead with 100% Free PECB Certified ISO/IEC 27001 Lead Auditor ISO-IEC-27001-Lead-Auditor Dumps Practice Questions
Which two of the following phrases are 'objectives' in relation to a first-party audit?
Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire
information technology infrastructure. It provides cybersecurity software, including endpoint security,
firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their
networks through advanced products and services. Having achieved a reputation in the information and network
security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and
customer assets and gain a competitive advantage.
Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid
Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The
audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a
large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete
the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The
audit team followed a risk-based auditing approach.
To gain an overview of the main business processes and controls, the audit team accessed process descriptions
and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because
their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk
that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes
were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements
by asking the representatives of Data Grid Inc. the following questions:
• How are responsibilities for IT and IT controls defined and assigned?
• How does Data Grid Inc. assess whether the controls have achieved the desired results?
• What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?
• Are firewall-related controls implemented?
Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.
The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management.
Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings arose
between Data Grid Inc. and the certification body with regard to the audit objectives. Data Grid Inc. stated that even
though the audit objectives included the identification of areas for potential improvement, the audit team did
not provide such information.
Based on this scenario, answer the following question:
Based on scenario 5, the audit team disagreed with the audit duration proposed by Data Grid Inc. for the ISMS
audit. How would you describe such a situation?
In the event of an Information security incident, system users' roles and responsibilities are to be observed, except:
The scope of an organization certified against ISO/IEC 27001 states that they provide editing and web hosting
services. However, due to some changes in the organization, the technical support related to the web hosting
services has been outsourced. Should a change in the scope be initiated in this case?
You see a blue color sticker on certain physical assets. What does this signify?
© Copyrights TheExamsLab 2025. All Rights Reserved