According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing,

maintaining and continually improving an information security management system (ISMS), clause

4.1 requires an organization to determine external and internal issues that are relevant to its purpose

and that affect its ability to achieve the intended outcomes of its ISMS2. External issues are those

that originate from outside the organization, such as legal, regulatory, cultural, social, political,

economic, natural and competitive factors2. Internal issues are those that originate from within the

organization, such as governance, structure, roles and responsibilities, policies, objectives, culture,

capabilities, resources and information systems2. Therefore, based on this definition, four examples

of external issues in the context of a management system to ISO/IEC 27001:2022 are a rise in interest

rates in response to high inflation (which affects the economic environment of the organization), a

reduction in grants as a result of a change in government policy (which affects the political and legal

environment of the organization), higher labour costs as a result of an aging population (which

affects the social and demographic environment of the organization), and inability to source raw

materials due to government sanctions (which affects the trade and supply environment of the

organization)2. The other options are examples of internal issues, as they originate from within the

organization or its activities. For example, poor levels of staff competence as a result of cuts in

training expenditure (which affects the capabilities and resources of the organization), increased

absenteeism as a result of poor management (which affects the culture and performance of the

organization), poor morale as a result of staff holidays being reduced (which affects the motivation

and satisfaction of the organization’s personnel), and a fall in productivity linked to outdated

production equipment (which affects the efficiency and quality of the organization’s

processes)2. Reference: ISO/IEC 27001:2022 - Information technology – Security techniques –

Information security management systems – Requirements

The three options that would not be valid audit trails are:

•

Collect more evidence on how the organisation manages the Point of Contact (PoC) which

monitors vulnerabilities. (Relevant to clause 8.1)

•

Collect more evidence on whether terms and definitions are contained in the information

security policy. (Relevant to control 5.32)

•

Collect more evidence to determine if ISO 27035 (Information security incident

management) is used as internal audit criteria. (Relevant to clause 8.13)

These options are not valid audit trails because they are not directly related to the information

security incident management process, which is the focus of the audit. The audit trails should be

relevant to the objectives, scope, and criteria of the audit, and should provide sufficient and reliable

evidence to support the audit findings and conclusions1.

Option E is not valid because the PoC is not a part of the information security incident management

process, but rather a role that is responsible for reporting and escalating information security

incidents to the appropriate authorities2. The audit trail should focus on how the PoC performs this

function, not how the organisation manages the PoC.

Option G is not valid because the terms and definitions are not a part of the information security

incident management process, but rather a part of the information security policy, which is a high-

level document that defines the organisation’s information security objectives, principles, and

responsibilities3. The audit trail should focus on how the information security policy is

communicated, implemented, and reviewed, not whether it contains terms and definitions.

Option H is not valid because ISO 27035 is not a part of the information security incident

management process, but rather a guidance document that provides best practices for managing

information security incidents4. The audit trail should focus on how the organisation follows the

requirements of ISO/IEC 27001:2022 for information security incident management, not whether it

uses ISO 27035 as an internal audit criteria.

The other options are valid audit trails because they are related to the information security incident

management process, and they can provide useful evidence to evaluate the conformity and

effectiveness of the process. For example:

•

Option A is valid because it relates to control A.5.29, which requires the organisation to

establish procedures to isolate and quarantine areas subject to information security incidents, in

order to prevent further damage and preserve evidence5. The audit trail should collect evidence on

how the organisation implements and tests these procedures, and how they ensure the continuity of

information security during disruption.

•

Option B is valid because it relates to control A.6.8, which requires the organisation to

establish mechanisms for reporting information security events and weaknesses, and to ensure that

they are communicated in a timely manner to the appropriate levels within the organisation6. The

audit trail should collect evidence on how the organisation defines and uses these mechanisms, and

how they monitor and review the reporting process.

•

Option C is valid because it relates to clause 7.2, which requires the organisation to provide

information security awareness, education, and training to all persons under its control, and to

evaluate the effectiveness of these activities7. The audit trail should collect evidence on how the

organisation identifies the information security training needs, how they deliver and record the

training, and how they measure the learning outcomes and feedback.

•

Option D is valid because it relates to control A.5.27, which requires the organisation to learn

from information security incidents and to implement corrective actions to prevent recurrence or

reduce impact8. The audit trail should collect evidence on how the organisation analyses and

documents the root causes and consequences of information security incidents, how they identify

and implement corrective actions, and how they verify the effectiveness of these actions.

•

Option F is valid because it relates to control A.5.30, which requires the organisation to

establish and maintain a business continuity plan to ensure the availability of information and

information processing facilities in the event of a severe information security incident9. The audit

trail should collect evidence on how the organisation develops and updates the business continuity

plan, how they test and review the plan, and how they communicate and train the relevant

personnel on the plan.

Reference: 1: ISO 19011:2018, 6.2; 2: ISO/IEC 27001:2022, A.6.8.1; 3: ISO/IEC 27001:2022, 5.2; 4:

ISO/IEC 27035:2016, Introduction; 5: ISO/IEC 27001:2022, A.5.29; 6: ISO/IEC 27001:2022, A.6.8; 7:

ISO/IEC 27001:2022, 7.2; 8: ISO/IEC 27001:2022, A.5.27; 9: ISO/IEC 27001:2022, A.5.30; : ISO

19011:2018; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27035:2016; : ISO/IEC

27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022

A third-party audit is an independent assessment of an organisation’s management system by an

external auditor, who is not affiliated with the organisation or its customers. The auditor verifies that

the management system meets the requirements of a specific standard, such as ISO 27001, and

evaluates its effectiveness and performance. The auditor also identifies any strengths, weaknesses,

opportunities, or risks of the management system, and provides recommendations for improvement.

The purpose of a third-party audit is to provide an objective and impartial evaluation of the

organisation’s management system, and to inform a certification decision by a certification body. A

certification body is an organisation that grants a certificate of conformity to the organisation, after

reviewing the audit report and evidence, and confirming that the management system meets the

certification criteri

a. A certification decision is the outcome of the certification process, which can be positive (granting,

maintaining, renewing, or expanding the scope of certification) or negative (suspending,

withdrawing, or reducing the scope of certification). Reference:

PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-25

ISO 19011:2018 - Guidelines for auditing management systems

The ISO 27001 audit process | ISMS.online

https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/ISO-IEC-27001-LEAD-AUDITOR/page_91_img_2.jpg

https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/ISO-IEC-27001-LEAD-AUDITOR/page_89_img_2.jpg

According to ISO 27001:2013, clause 5.2, the top management of an organization must establish,

implement and maintain an information security policy that is appropriate to the purpose of the

organization and provides a framework for setting information security objectives. The information

security policy must also include a commitment to comply with the applicable legal, regulatory and

contractual requirements, as well as any other requirements that the organization subscribes to.

Therefore, maintaining regulatory compliance is part of fulfilling the management system policy and

ensuring its effectiveness and suitability. Reference:

ISO/IEC 27001:2013, Information technology — Security techniques — Information security

management systems — Requirements, clause 5.2

PECB Candidate Handbook ISO 27001 Lead Auditor, page 10

ISO 27001 Policy: How to write it according to ISO 27001

"An audit finding is the result of the evaluation of the collected audit evidence against audit criteria."

The words that best complete the sentence to describe an audit finding are evaluation and

evidence. According to ISO 19011:2022, an audit finding is the result of the evaluation of the

collected audit evidence against audit criteria12. The other options are either not related to the

definition of an audit finding or do not fit the sentence grammatically. Reference: 1: ISO 19011:2022,

Guidelines for auditing management systems, Clause 3.11 \n2: PECB Certified ISO/IEC 27001 Lead

Auditor Exam Preparation Guide, Domain 5: Conducting an ISO/IEC 27001 audit

One possible way to complete the sentence is:

“When reviewing the effectiveness of action taken in response to a nonconformity, an auditor seeks

evidence of change that will prevent recurrence of the issue.”

According to ISO/IEC 27001:2022, clause 10.1, the organization shall continually improve the

suitability, adequacy, and effectiveness of the ISMS by evaluating the performance and the

effectiveness of the ISMS, ensuring that the policy and objectives are aligned with the strategic

direction of the organization, and taking actions to achieve the intended outcomes of the ISMS. One

of the ways to achieve continual improvement is to identify and correct nonconformities and take

actions to eliminate their causes and prevent their recurrence. Therefore, when reviewing the

effectiveness of the corrective actions, an auditor should look for evidence that the organization has

analyzed the root cause of the nonconformity, implemented appropriate changes to the ISMS, and

verified that the changes have resulted in the desired improvement and prevented the recurrence of

the issue. Reference: =

ISO/IEC 27001:2022, clause 10.1, Nonconformity and corrective action

ISO/IEC 27001:2022, clause 10.2, Continual improvement

PECB Candidate Handbook ISO 27001 Lead Auditor, page 19, Audit Process

PECB Candidate Handbook ISO 27001 Lead Auditor, page 21, Audit Findings

competence of the audit team and decision made by the certification body

According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and

certification of management systems, an accredited certification means that the certification body

has been evaluated by an accreditation body against recognized standards to demonstrate its

competence, impartiality and performance capability1. Therefore, an accredited certification assures

the competence of the audit team that conducts the audit in accordance with ISO 19011 and ISO/IEC

27001:2022, and the decision made by the certification body that grants or maintains the

certification based on the audit evidence and findings2. Reference: ISO/IEC 17021-1:2015 -

Conformity assessment – Requirements for bodies providing audit and certification of management

systems – Part 1: Requirements, ISO/IEC 27001:2022 Lead Auditor (Information Security

Management Systems) | CQI | IRCA

The possible matches of the characteristics to the descriptions are:

Tenacious: Persistent and focused on objectives

Ethical: Fair, truthful, sincere, honest, discreet

Diplomatic: Tactful in dealing with individuals

Observant: Actively observing surroundings/activities

Perceptive: Aware of and able to understand situations

Open to improvement: Willing to learn from situations

Actively observing surroundings/activities = Observant

Fair, truthful, sincere, honest, discreet = Ethical

Persistent and focused on objectives = Tenacious

Willing to learn from situations = Open to improvement

Tactful in dealing with individuals = Diplomatic

Aware of and able to understand situations = Perceptive

These are the auditor’s characteristics and their descriptions as defined by ISO 19011:2022, Clause

7.2.21. The auditor’s personal behaviour is essential for building trust and confidence with the

auditee and for ensuring the credibility and effectiveness of the audit12. Reference: 1: ISO

19011:2022, Guidelines for auditing management systems, Clause 7.2.2 \n2: PECB Certified ISO/IEC

27001 Lead Auditor Exam Preparation Guide, Domain 3: Fundamental audit concepts and principles

The correct sequence of activities is:

Establish the management system

Plan the audit programme

Conduct internal audits

Hold a Management Review

Engage a Certification Body for stage 1 and stage 2 audits

Complete any corrective actions

Comprehensive but Short Explanation: = According to the PECB Candidate Handbook - ISO/IEC 27001

Lead Auditor, the steps for achieving certification are as follows1:

Establish the management system: This involves defining the scope, objectives, policies, procedures,

and controls of the ISMS, as well as ensuring the availability of resources and top management

commitment.

Plan the audit programme: This involves defining the audit objectives, criteria, scope, frequency,

methods, and responsibilities for conducting internal audits of the ISMS.

Conduct internal audits: This involves verifying the conformity and effectiveness of the ISMS, as well

as identifying any nonconformities or opportunities for improvement.

Hold a Management Review: This involves reviewing the performance and suitability of the ISMS, as

well as deciding on any changes or actions needed to improve it.

Engage a Certification Body for stage 1 and stage 2 audits: This involves selecting a reputable and

accredited certification body to conduct an external audit of the ISMS, consisting of two stages: a

documentation review and an on-site assessment.

Complete any corrective actions: This involves addressing any nonconformities or findings identified

by the certification body, and providing evidence of their implementation and effectiveness.

Reference: = 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, pages 25-26.

Determine source of information

Collect by means of appropriate sampling

Reviewing

Audit evidence

Evaluating against audit criteria

Audit findings

Audit conclusions

The reviewing step involves checking the accuracy, completeness, and relevance of the collected

information. The audit evidence step involves documenting the information in a verifiable and

traceable manner. The evaluating against audit criteria step involves comparing the audit evidence

with the requirements of the ISO 27001 standard and the organization’s own policies and objectives.

The audit findings step involves identifying any nonconformities, weaknesses, or opportunities for

improvement in the ISMS. The audit conclusions step involves summarizing the audit results and

providing recommendations for corrective actions or enhancements.