ISO/-EC -27001- Lead Auditor Final
Exam with All Correct Answers.
1. What does the ISO/IEC 27001 standard provide?
A. Requirements for organizations certifying an information security management system
B. Requirements for an information security management system
C. Guidance for auditing an information security management system - Answer B.
Requirements for an information security management system
1. Organizations can obtain certification against the ISO/IEC 27002 standard if they implement
all of its information security controls. - Answer A. False
1. The implementation of ISO/IEC 27001 is a legal requirement in most countries. - Answer
A. False
1. What is the aim of laws with regard to intellectual property rights?
A. Protecting certain intangible assets
B. Ensuring that certain assets are regularly reviewed
C. Providing asset management reports for legal purposes - Answer A. Protecting certain
intangible assets
1. Which of the following is one of the objectives of the privacy protection policy?
A. To increase awareness regarding the legal requirements for protecting personal information
B. To increase awareness regarding cybercrimes that target an organization's computer network
C. To increase awareness regarding the validity of digital signatures in electronic documents -
Answer A. To increase awareness regarding the legal requirements for protecting personal
information
1. When does the surveillance audit take place?
A. After conducting stage 2 audit
B. After conducting the audit follow-up
C. After obtaining certification - Answer C. After obtaining certification
1. ISO performs accreditation and certification activities.
A. True
B. False - Answer False
,1. Which of the statements holds true?
A. Certification bodies are accredited by accreditation bodies
B. Certification bodies are certified by accreditation bodies
C. Certification bodies are hired by accreditation bodies - Answer A. Certification bodies are
accredited by accreditation bodies
1. A third party that performs the assessment of conformity of management systems is:
A. An international standard
B. An accreditation body
C. A certification body - Answer C. A certification body
1. Your Market is a market research company which helps its customers determine which
products and services are on demand. The company is currently evaluating the effectiveness of
its information security controls through an ISMS audit. What is Your Market in this case?
A. An accreditation body
B. A certification body
C. An auditee - Answer C. An auditee
1. According to ISO 9000, what is an asset?
A. Item or entity that has potential or actual value to an organization
B. Meaningful data for an organization
C. Document which states requirements for an organization - Answer A. Item or entity that
has potential or actual value to an organization
1. What is the difference between specifications and records?
A. Specifications are documents that state requirements, whereas records are documents that
state achieved results
B. Specifications refer to information and the medium on which it is contained, whereas records
are documents that state requirements
C. Specifications and records are both forms of documents, so they can be used interchangeably
- Answer A. Specifications are documents that state requirements, whereas records are
documents that state achieved results
1. A former employee of Company A has gained unauthorized access to the company's sensitive
information. What does this present?
A. A threat that has the potential to harm the assets of the organization, such as information or
systems
, B. A vulnerability in the monitoring system of the organization that does not have corresponding
threats
C. A security control incorrectly implemented by the organization that is not vulnerable -
Answer A. A threat that has the potential to harm the assets of the organization, such as
information or systems
1. With which of the following principles does an organization comply if it ensures that only
authorized users have access to their sensitive data?
A. Confidentiality
B. Integrity
C. Availability - Answer A. Confidentiality
1. What does the integrity principle entail?
A. That information is available to authorized individuals
B. That information is accurate and safe from unauthorized access
C. That information is accessible when needed - Answer B. That information is accurate and
safe from unauthorized access
1. Which of the options below represents an example of a vulnerability?
A. Unencrypted data
B. Unauthorized access by persons who have left the organization
C. Data input error by personnel - Answer A. Unencrypted data
1. What can have an impact on the availability of information?
A. Incorrect results
B. Deliberate change of information
C. Performance degradation - Answer C. Performance degradation
1. An organization has clearly defined the security procedures and uses an access control
software to avoid unauthorized access of the personnel to its confidential data. What is the
function of these security controls?
A. To prevent the occurrence of incidents
B. To correct errors arising from a problem
C. To report the occurrence of a malicious act - Answer A. To prevent the occurrence of
incidents
1. To which classification of security controls does the implementation of patches after the
identification of system vulnerabilities belong?
Exam with All Correct Answers.
1. What does the ISO/IEC 27001 standard provide?
A. Requirements for organizations certifying an information security management system
B. Requirements for an information security management system
C. Guidance for auditing an information security management system - Answer B.
Requirements for an information security management system
1. Organizations can obtain certification against the ISO/IEC 27002 standard if they implement
all of its information security controls. - Answer A. False
1. The implementation of ISO/IEC 27001 is a legal requirement in most countries. - Answer
A. False
1. What is the aim of laws with regard to intellectual property rights?
A. Protecting certain intangible assets
B. Ensuring that certain assets are regularly reviewed
C. Providing asset management reports for legal purposes - Answer A. Protecting certain
intangible assets
1. Which of the following is one of the objectives of the privacy protection policy?
A. To increase awareness regarding the legal requirements for protecting personal information
B. To increase awareness regarding cybercrimes that target an organization's computer network
C. To increase awareness regarding the validity of digital signatures in electronic documents -
Answer A. To increase awareness regarding the legal requirements for protecting personal
information
1. When does the surveillance audit take place?
A. After conducting stage 2 audit
B. After conducting the audit follow-up
C. After obtaining certification - Answer C. After obtaining certification
1. ISO performs accreditation and certification activities.
A. True
B. False - Answer False
,1. Which of the statements holds true?
A. Certification bodies are accredited by accreditation bodies
B. Certification bodies are certified by accreditation bodies
C. Certification bodies are hired by accreditation bodies - Answer A. Certification bodies are
accredited by accreditation bodies
1. A third party that performs the assessment of conformity of management systems is:
A. An international standard
B. An accreditation body
C. A certification body - Answer C. A certification body
1. Your Market is a market research company which helps its customers determine which
products and services are on demand. The company is currently evaluating the effectiveness of
its information security controls through an ISMS audit. What is Your Market in this case?
A. An accreditation body
B. A certification body
C. An auditee - Answer C. An auditee
1. According to ISO 9000, what is an asset?
A. Item or entity that has potential or actual value to an organization
B. Meaningful data for an organization
C. Document which states requirements for an organization - Answer A. Item or entity that
has potential or actual value to an organization
1. What is the difference between specifications and records?
A. Specifications are documents that state requirements, whereas records are documents that
state achieved results
B. Specifications refer to information and the medium on which it is contained, whereas records
are documents that state requirements
C. Specifications and records are both forms of documents, so they can be used interchangeably
- Answer A. Specifications are documents that state requirements, whereas records are
documents that state achieved results
1. A former employee of Company A has gained unauthorized access to the company's sensitive
information. What does this present?
A. A threat that has the potential to harm the assets of the organization, such as information or
systems
, B. A vulnerability in the monitoring system of the organization that does not have corresponding
threats
C. A security control incorrectly implemented by the organization that is not vulnerable -
Answer A. A threat that has the potential to harm the assets of the organization, such as
information or systems
1. With which of the following principles does an organization comply if it ensures that only
authorized users have access to their sensitive data?
A. Confidentiality
B. Integrity
C. Availability - Answer A. Confidentiality
1. What does the integrity principle entail?
A. That information is available to authorized individuals
B. That information is accurate and safe from unauthorized access
C. That information is accessible when needed - Answer B. That information is accurate and
safe from unauthorized access
1. Which of the options below represents an example of a vulnerability?
A. Unencrypted data
B. Unauthorized access by persons who have left the organization
C. Data input error by personnel - Answer A. Unencrypted data
1. What can have an impact on the availability of information?
A. Incorrect results
B. Deliberate change of information
C. Performance degradation - Answer C. Performance degradation
1. An organization has clearly defined the security procedures and uses an access control
software to avoid unauthorized access of the personnel to its confidential data. What is the
function of these security controls?
A. To prevent the occurrence of incidents
B. To correct errors arising from a problem
C. To report the occurrence of a malicious act - Answer A. To prevent the occurrence of
incidents
1. To which classification of security controls does the implementation of patches after the
identification of system vulnerabilities belong?
