Free PECB ISO-IEC-27001-Lead-Auditor Exam Questions

Try our Free Demo Practice Tests for Comprehensive ISO-IEC-27001-Lead-Auditor Exam Preparation

  • PECB ISO-IEC-27001-Lead-Auditor Exam Questions
  • Provided By: PECB
  • Exam: PECB Certified ISO/IEC 27001 Lead Auditor
  • Certification: ISO 27001
  • Total Questions: 353
  • Updated On: Sep 26, 2024
  • Question 1
    • You are an experienced ISMS audit team leader who is currently conducting a third party initial certification audit of a new client, using ISO/IEC 27001:2022 as your criteria.

      It is the afternoon of the second day of a 2-day audit, and you are just about to start writing your audit report. So far no nonconformities have been identified and you and your team have been impressed with both the site and the organisation's ISMS.

      At this point, a member of your team approaches you and tells you that she has been unable to complete her assessment of leadership and commitment as she has spent too long reviewing the planning of changes.

      Which one of the following actions will you take in response to this information?

      Answer: C
  • Question 2
    • Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but has recently expanded to other locations, including Europe and Africa.

      Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.

      Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment, they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audit reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.

      Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.

      During this stage, the auditors found out that there was no documentation related to the information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. The stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.

      The stage 2 audit was conducted three weeks after the stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees' access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during the stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities. The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such a procedure.

      During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.

      During the stage 1 audit, the audit team found out that Sinvestment did not have records on information security training and awareness. What should Sinvestment do in this case? Refer to scenario 6.

      Answer: A
  • Question 3
    • Why do we need to test a disaster recovery plan regularly, and keep it up to date? 

      Answer: A
  • Question 4
    • Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.

      The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNet's operations and its compliance with a widely recognized and accepted standard.

      But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audit ensured independence, objectivity, and that the auditors had an advisory role in the continual improvement of the ISMS.

      Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.

      Therefore, UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.

      The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.

      One year after the initial certification audit, the certification body conducted another audit of UpNet's ISMS. This audit aimed to determine UpNet's ISMS fulfillment of the specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, UpNet's certification was suspended.

      Based on the scenario above, answer the following question:

      What type of audit is illustrated in the last paragraph of scenario 9?

      Answer: A
  • Question 5
    • During a follow-up audit, you notice that a nonconformity identified for completion before the follow-up audit is still outstanding.

      Which four of the following actions should you take?

      Answer: A,C,E,G

© Copyrights Dumpscity 2024. All Rights Reserved