View ISO-IEC-27001-Lead-Auditor Exam Questions

Q: 1

Which two of the following options for information are not required for audit planning of a certification audit?

Options

Discussion

Morgan Jan 27, 2026 1:16 pm

Pretty sure the question is just after what you don't need for initial audit prep, so C and E fit. The rep's work experience (C) and financials (E) aren't standard inputs according to ISO 27001. Docs, sampling plan, checklists are core. I could be missing some nuance but this lines up with my study notes.

PracticalAnalyst5352 Jan 14, 2026 11:04 pm

C/E? Not totally sure but management rep's experience and financials aren't part of audit prep requirements. Someone confirm?

Alex O. Jan 22, 2026 10:41 pm

Probably C and E, that matches what shows up in official guides. Saw a similar question in an official practice test.

Jack K. Jan 31, 2026 5:03 am

Option D

FocusedNeteng5808 Jan 13, 2026 8:34 pm

CE tbh, but if the audit involved financial due diligence (rare for 27001) E could flip needed. Seen similar on practice.

Drew K. Jan 17, 2026 2:02 pm

CE tbh, audit plan doesn't touch financials or the rep's background for ISO 27001.

Ethan O. Jan 15, 2026 9:34 am

Don't think it's D, audit checklists are always part of planning. C and E make more sense here.

DirectTester3967 Jan 12, 2026 7:11 am

C/E? Leaning toward those since the audit planning shouldn't need financial statements or info about the rep's work history. The focus is always on ISMS docs, scope, and sampling plans I think. Open to other ideas though.

Alex D. Jan 24, 2026 12:59 am

C/E? Seen this kind of question before and honestly it's annoying since audit planning never asks for the rep's work experience or financial statements. Pretty sure it's those two, but the wording always trips me up.

Be respectful. No spam.

Q: 2

Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001. The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM. Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure. While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management. When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it. Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore. Based on this scenario, answer the following question: What type of audit evidence has Jack collected when he identified the first nonconformity regarding the software? Refer to scenario 3.

Options

Discussion

Layla M. Jan 17, 2026 12:07 pm

Call it A. Comparing invoices and inventories looks like analysis, not just pure math. Analytical evidence makes sense here, I think.

Sanjay Q. Jan 26, 2026 10:49 am

A for me

Avery Y. Jan 26, 2026 8:08 am

C tbh. The question uses exact counts (number of invoices vs inventory), which matches mathematical evidence more than analytical. Some people pick A by mistake since both involve reviewing records, but official practice leans toward C here.

CarefulLead9805 Jan 14, 2026 1:46 pm

I don’t think it’s A. C, based on official guides and practice questions.

Sam S. Jan 30, 2026 6:46 pm

C here, not A. This is about Jack counting and matching exact numbers of licenses vs inventory, so that's clearly mathematical evidence, not just analysis. Seen similar distinction on other exam reports.

AnitaZ Jan 19, 2026 3:51 am

Seems more like A in this context. Analytical evidence since it's about reviewing and comparing documents, not just calculations.

Liam S. Jan 15, 2026 9:39 am

Pretty confident it's C. That's numerical comparison, so fits the definition of mathematical evidence here.

Robin C. Jan 20, 2026 2:26 pm

Its A for me. Comparing invoices to inventory sounds like analytical evidence because he's analyzing records to find gaps, rather than just crunching numbers directly. Could be wrong, but that's how I've seen similar audit questions go. The scenario is described really clearly here.

Be respectful. No spam.

Q: 3

Which two of the following statements are true?

Options

Q: 4

Phishing is what type of Information Security Incident?

Options

Q: 5

In the context of a third-party certification audit, confidentiality is an issue in an audit programme. Select two options which correctly state the function of confidentiality in an audit

Options

Q: 6

You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to approve the test. The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymization functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval. You sample one of the medical staff's mobile and found that ABC's healthcare mobile app, version 1.01 is installed. You found that version 1.01 has no test record. The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app development company gave a free minor update on the tested software, performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions. Based on his 20 years of information security experience, there is no need to re- test. You are preparing the audit findings Select two options that are correct.

Options

Discussion

Jamie L. Jan 13, 2026 5:38 am

Hard to say, B and C. Both are nonconformities, since approval didn't follow procedure (B) and the version change wasn’t properly controlled (C). Saw something similar in an exam report. Pretty sure this is what ISO expects, but let me know if you disagree.

Karan Jan 29, 2026 2:40 pm

C or B. Had something like this in a mock and both failure to control changes (C) and not following the approval procedure (B) are clear nonconformities. Service Manager isn’t authorized, plus rolling out untested app version breaks clause 8.1. Pretty sure these two fit best but open to other takes.

Cameron Jan 22, 2026 8:30 am

B/C here. Official guide and practice questions usually highlight these as nonconformities-approval process wasn't followed (B) and change control wasn't managed (C). I think that's what the exam expects, but open to other views.

LeoH Jan 19, 2026 6:48 am

B C tbh, saw a similar scenario mentioned in a practice test. Both are nonconformities under ISO 27001.

Casey L. Jan 16, 2026 7:21 am

B/C here. Both are nonconformities per ISO 27001: Service Manager overstepped approval (B) and change wasn't properly reviewed or tested (C). If you see it differently let me know.

Owen S. Jan 13, 2026 2:46 am

Not E or D, it should be B and C here. B because the Service Manager approved something outside his authority and C since the update wasn’t properly tested or reviewed. I think a lot of folks trip up picking F, but that’s more improvement than NC.

Ishaan E. Jan 26, 2026 8:05 pm

B C

DirectTester9205 Jan 27, 2026 6:32 pm

Its B and C for me. Approving the test results wasn’t in line with the org’s software security management procedure, so B fits (clause 8.1). Also, releasing a new app version without proper change control or documented testing points to C-failure to control planned/unintended changes. D feels like a distractor, doesn’t map to the bigger NC here. I think this is pretty clear but if someone sees F as valid, let me know.

Be respectful. No spam.

Correct Answer:

Explanation

According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally

provided processes, products or services that are relevant to the information security management

system are controlled. This includes developing and entering into licensing agreements that cover

code ownership and intellectual property rights, and implementing appropriate contractual

requirements related to secure design and coding in accordance with Annex A 8.25 and 8.2912

In this case, the organisation and the developer have performed security tests that failed, which

indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT

Manager explains that the encryption and pseudonymization functions failed because they slowed

down the system and service performance, and that an extra 150% of resources are needed to cover

this. However, this does not justify the acceptance of the test results by the Service Manager, who is

not authorised to approve the test according to the software security management procedure. The

Service Manager should have consulted with the IT Manager, who is the owner of the process, and

followed the procedure for handling nonconformities and corrective actions. The Service Manager’s

decision to continue the service based on access control alone exposes the organisation to the risk of

compromising the confidentiality, integrity, and availability of personal data processed by the mobile

app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.

According to ISO 27001:2022 Clause 8.1, the organisation shall plan, implement and control the

processes needed to meet information security requirements, and to implement the actions

determined in Clause 6.1. The organisation shall also control planned changes and review the

consequences of unintended changes, taking action to mitigate any adverse effects, as necessary12

In this case, the organisation has not controlled the planned change of the mobile app from version

1.0 to version 1.01, which was a minor update provided by the outsourced developer in response to

frequent ransomware attacks. The IT Manager explains that the developer performed an emergency

release of the updated software, and gave a verbal guarantee that there will be no impact on any

security functions. However, this is not sufficient to ensure that the change is properly assessed,

tested, documented, and approved before deployment. The IT Manager should have followed the

change management process and procedure, and verified that the updated software meets the

security requirements and does not introduce any new vulnerabilities or risks. The IT Manager’s

reliance on his 20 years of information security experience and the developer’s verbal guarantee is

not a valid basis for skipping the re-testing of the software. Therefore, there is a nonconformity (NC)

with clause 8.1.

Reference:

1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and

IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Q: 7

Which of the following is not a type of Information Security attack?

Options

Discussion

Sanjay U. Jan 24, 2026 9:50 pm

Not seeing how B fits as an info security attack. B

MayaY Jan 29, 2026 1:58 pm

Its D. Had something like this in a mock and picked Privacy Incidents since I thought technical and legal could be exploited, but not sure if that was right looking back.

Morgan P. Jan 27, 2026 2:56 am

Yeah, it's B here. Vehicular incidents just aren't classified as info security attacks.

SteadyCandidate2765 Jan 18, 2026 4:21 am

D , privacy incidents seem more like a consequence than an actual attack type. Saw similar phrasing in practice questions. Not 100 percent certain though, anyone else get tripped up by this distinction?

Sara Jan 14, 2026 11:44 pm

D or B, but leaning D since privacy incidents often feel like outcomes not attack types. Just my read, not 100 percent.

Grace R. Jan 25, 2026 12:30 am

I get why most are saying B, but I think D makes more sense here. Privacy incidents feel more like a result of an attack than an attack type itself, at least in ISO 27001 context. A and C both refer to specific vectors or vulnerabilities that could be exploited intentionally. Not totally sure though, open to other views.

Jamie P. Jan 20, 2026 10:16 am

Nah, I don’t think it’s A. B is the odd one out since vehicular incidents are more about physical accidents than info sec attacks. A, C, and D can all relate to information security breaches. Anyone disagree?

Avery Jan 27, 2026 4:03 am

Option B Not super confident but pretty sure vehicular incidents aren't considered security attacks like the others.

Be respectful. No spam.

Q: 8

You are an ISMS auditor conducting a third-party surveillance audit of a telecom's provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming. You ask the Chief Tester why and she says, 'It's a result of the recent ISMS upgrade'. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients' configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made'. Based solely on the information above, which clause of ISO to raise a nonconformity against' Select one.

Options

Correct Answer:

Explanation

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing,

maintaining and continually improving an information security management system (ISMS), clause

8.1 requires an organization to plan, implement and control its processes needed to meet ISMS

requirements2. This includes determining what needs to be done, how it will be done, who will do it,

when it will be done, what resources are required, how performance will be evaluated, etc2.

Therefore, if an ISMS auditor conducting a third-party surveillance audit of a telecom’s provider

notes that there has been a significant increase in the number of switches failing their initial

configuration test and being returned for reprogramming due to a recent ISMS upgrade that reduced

access to work instructions, this indicates a nonconformity against clause 8.1 of ISO/IEC

27001:2022. The organization has failed to plan and control its operational processes effectively to

ensure information security and quality2. The other options are not correct clauses to raise a

nonconformity against based solely on this information. For example, clause 7.5 deals with

documented information required by ISMS or determined by an organization as necessary for its

effectiveness2, but it does not specify how many copies or formats of work instructions should be

available; clause 10.2 deals with nonconformity and corrective action as a response to an identified

problem or incident2, but it does not address how to prevent or avoid such problems or incidents in

operational processes; clause 7.3 deals with awareness of ISMS policy, objectives, roles and

responsibilities among persons doing work under an organization’s control2, but it does not relate to

how work instructions are accessed or followed; clause 7.2 deals with competence of persons doing

work under an organization’s control that affects its ISMS performance2, but it does not imply that

lack of competence is caused by insufficient work instructions; clause 7.4 deals with communication

about ISMS among internal and external interested parties2, but it does not cover how operational

information is communicated within an organization. Reference: ISO/IEC 27001:2022 - Information

technology – Security techniques – Information security management systems – Requirements

Q: 9

Which two of the following are examples of audit methods that 'do' involve human interaction?

Options

Q: 10

What is the difference between a restricted and confidential document?

Options

Discussion

Casey L. Jan 28, 2026 8:36 pm

Makes sense to pick B here. Restricted is usually for specific named individuals, while confidential lets a defined group access it. Seen similar classification in my audits, but let me know if anyone has seen it swapped.

Ben X. Jan 26, 2026 3:57 pm

Looks like B is correct, since 'restricted' is for named individuals and 'confidential' covers an authorized group. That's what ISO/IEC 27001 usually means by those classifications. I think that's the best fit unless the context defines them differently.

SeasonedCandidate7068 Jan 27, 2026 12:59 pm

Jack S. Jan 30, 2026 5:53 am

Its A, had something like this in a mock.

Layla Jan 27, 2026 2:24 am

Guessing B. Seen similar on practice sets. A is tricky but actually flips the terms, ISO/IEC 27001 treats 'restricted' as for named individuals and 'confidential' for an authorized group. If anyone's company policy uses them differently, let me know, but pretty sure this matches exam intent.

Jamie Jan 18, 2026 10:52 am

B tbh. matches ISO/IEC 27001 wording better. A looks like a classic distractor mixing up access levels.

Aisha R. Jan 16, 2026 1:31 am

Yeah I think B fits best for ISO/IEC 27001, restricted is for named individuals and confidential is group access.

Ishaan A. Jan 31, 2026 1:44 pm

Pretty sure it's B. Restricted goes to specifically named people, confidential is more for a group with need-to-know. That's what ISO/IEC 27001 stresses about access levels. Open to hearing if anyone's org does this another way though.

FriendlyArchitect6242 Jan 30, 2026 2:24 am

C vs B? I think it's B because restricted access is meant for very specific users (named individuals), whereas confidential is for authorized groups. ISO/IEC 27001 audits I've done also split it this way, but curious if anyone's org does it differently.

Emma A. Jan 17, 2026 7:09 am

Option A

Be respectful. No spam.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE