Exam ISO-IEC-27001-Lead-Auditor Topic 6 Question 297 Discussion
Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 297
Topic #: 6
Question #: 297
Topic #: 6
Scenario 5
Scenario 5
CyberShielding Systems Inc. provides security services spanning the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. CyberShielding Systems Inc. has helped various companies secure their networks for two decades through advanced products and services. Having achieved a reputation in the information and network security sector, CyberShielding Systems Inc. decided to implement a security information management system (ISMS) based on ISO/IEC 27001 and obtain a certification to better secure its internal and customer assets and gain a competitive advantage.
The certification body initiated the process by selecting the audit team for CyberShielding Systems Inc.'s ISO
/IEC 27001 certification. They provided the company with the name and background information of each audit member. However, upon review, CyberShielding Systems Inc. discovered that one of the auditors did not hold the security clearance required by them. Consequently, the company objected to the appointment of this auditor. Upon review, the certification body replaced the auditor in response to CyberShielding Systems Inc.'s objection.
As part of the audit process, CyberShielding Systems Inc.'s approach to risk and opportunity determination was assessed as a standalone activity. This involved examining the organization's methods for identifying and managing risks and opportunities. The audit team's core objectives encompassed providing assurance on the effectiveness of CyberShielding Systems Inc.'s risk and opportunity identification mechanisms and reviewing the organization's strategies for addressing these determined risks and opportunities. During this, the audit team also identified a risk due to a lack of oversight in the firewall configuration review process, where changes were implemented without proper approval, potentially exposing the company to vulnerabilities. This finding highlighted the need for stronger internal controls to prevent such issues.
The audit team accessed process descriptions and organizational charts to understand the main business processes and controls. They performed a limited analysis of the IT risks and controls because their access to the IT infrastructure and applications was limited by third-party service provider restrictions. However, the audit team stated that the risk of a significant defect occurring in CyberShielding's ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by questioning CyberShielding representatives on IT responsibilities, control effectiveness, and anti-malware measures. CyberShielding's representatives provided sufficient and appropriate evidence to address all these questions.
Despite the agreement signed before the audit, which outlined the audit scope, criteria, and objectives, the audit was primarily focused on assessing conformity with established criteria and ensuring compliance with statutory and regulatory requirements.
Question
Based on Scenario 5, is the approach used by the audit team to assess the conformity of the ISMS to the standard requirements in line with audit recommended practices?
Scenario 5
CyberShielding Systems Inc. provides security services spanning the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. CyberShielding Systems Inc. has helped various companies secure their networks for two decades through advanced products and services. Having achieved a reputation in the information and network security sector, CyberShielding Systems Inc. decided to implement a security information management system (ISMS) based on ISO/IEC 27001 and obtain a certification to better secure its internal and customer assets and gain a competitive advantage.
The certification body initiated the process by selecting the audit team for CyberShielding Systems Inc.'s ISO
/IEC 27001 certification. They provided the company with the name and background information of each audit member. However, upon review, CyberShielding Systems Inc. discovered that one of the auditors did not hold the security clearance required by them. Consequently, the company objected to the appointment of this auditor. Upon review, the certification body replaced the auditor in response to CyberShielding Systems Inc.'s objection.
As part of the audit process, CyberShielding Systems Inc.'s approach to risk and opportunity determination was assessed as a standalone activity. This involved examining the organization's methods for identifying and managing risks and opportunities. The audit team's core objectives encompassed providing assurance on the effectiveness of CyberShielding Systems Inc.'s risk and opportunity identification mechanisms and reviewing the organization's strategies for addressing these determined risks and opportunities. During this, the audit team also identified a risk due to a lack of oversight in the firewall configuration review process, where changes were implemented without proper approval, potentially exposing the company to vulnerabilities. This finding highlighted the need for stronger internal controls to prevent such issues.
The audit team accessed process descriptions and organizational charts to understand the main business processes and controls. They performed a limited analysis of the IT risks and controls because their access to the IT infrastructure and applications was limited by third-party service provider restrictions. However, the audit team stated that the risk of a significant defect occurring in CyberShielding's ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by questioning CyberShielding representatives on IT responsibilities, control effectiveness, and anti-malware measures. CyberShielding's representatives provided sufficient and appropriate evidence to address all these questions.
Despite the agreement signed before the audit, which outlined the audit scope, criteria, and objectives, the audit was primarily focused on assessing conformity with established criteria and ensuring compliance with statutory and regulatory requirements.
Question
Based on Scenario 5, is the approach used by the audit team to assess the conformity of the ISMS to the standard requirements in line with audit recommended practices?
Suggested Answer: A Vote an answer
The audit team's approach is in line with recommended auditing practices, making option A the correct answer. ISO management system audits, including ISO/IEC 27001 audits, are designed to provide reasonable assurance, not absolute assurance, that the management system conforms to the standard requirements. This principle is explicitly supported by ISO 19011 and ISO/IEC 17021-1.
In the scenario, the audit team assessed conformity by reviewing key processes, questioning responsible personnel, examining representative evidence, and evaluating control effectiveness. Although access to IT systems was limited, the auditors compensated by gathering sufficient and appropriate evidence through alternative means. This approach reflects the reality of auditing complex environments, particularly those involving third-party service providers.
Option B is incorrect because ISO standards do not require auditors to assess every process in full detail.
Audits are sample-based by design. Expecting a complete, exhaustive assessment of each process would be impractical and inconsistent with audit principles. Option C is incorrect because assessing the ISMS as a whole is not merely an efficiency-driven decision; it is an accepted and intentional audit approach aimed at evaluating system-level effectiveness.
Therefore, obtaining reasonable assurance through a structured, evidence-based approach confirms that the audit team acted in accordance with recommended audit practices.
In the scenario, the audit team assessed conformity by reviewing key processes, questioning responsible personnel, examining representative evidence, and evaluating control effectiveness. Although access to IT systems was limited, the auditors compensated by gathering sufficient and appropriate evidence through alternative means. This approach reflects the reality of auditing complex environments, particularly those involving third-party service providers.
Option B is incorrect because ISO standards do not require auditors to assess every process in full detail.
Audits are sample-based by design. Expecting a complete, exhaustive assessment of each process would be impractical and inconsistent with audit principles. Option C is incorrect because assessing the ISMS as a whole is not merely an efficiency-driven decision; it is an accepted and intentional audit approach aimed at evaluating system-level effectiveness.
Therefore, obtaining reasonable assurance through a structured, evidence-based approach confirms that the audit team acted in accordance with recommended audit practices.
by Marina at Apr 08, 2026, 04:16 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).