Exam Format: Multiple Choice Questions (60 points)
This test, which is intended to measure the competence of the auditor in accordance with the ISO 27001 and ISO 19011 standards, is licensed by Staregister International Inc. and accredited by IAS (International Accreditation Service) under certificate number PCB-101.
This examination paper consists of a single section of 60 multiple-choice questions. Some questions are deliberately phrased in the negative. Read each question carefully and make sure that you understand what is being asked. The duration of the exam is 40 (forty) minutes; no extra time will be given to answer any question.
Each question is worth 1 point. The maximum score for the exam is 60; the pass mark is 42.
Throughout this paper, "ISO 27001" and "the standard" always mean ISO 27001:2013.
Only the ISO 27001:2013 standard may be used during the test; no other notes are allowed.
EXAM DATE:
PAGE 2/15
1. What is the first action that an organization should take for a risk identified from risk
assessment?
a. Transferring the risk to other parties e.g. insurers
b. Applying appropriate controls to reduce the risk
c. Examining the organization's criteria for risk acceptance
d. Developing appropriate security awareness, education and training activities
5. Which of the following is NOT good implementation guidance for cabling security?
6. In order to ensure the security of electronic commerce services, which of the following
controls should be avoided?
7. Users should be required to follow good security practices in password use. Which of
the following is NOT a good security practice?
9. Which of the following considerations relating to intellectual property rights may NOT be
correct?
a. The organization acquires software only from known and reputable sources, in
order to ensure that copyright is not violated
b. The organization should check that commercial recordings are not duplicated,
converted to another format or extracted from, other than as permitted by copyright law
c. The intellectual property rights of software developed by an organization
belong to the organization
d. The organization should check compliance with the terms and conditions for
software and information obtained from public networks
11. The operation of information security measurement involves activities that are essential for
ensuring that the measurement results produced provide accurate information with
regard to the effectiveness of an implemented information security measurement
programme.
12. Which is the key factor for an organization in order to detect unauthorized information
processing activities through monitoring?
a. Systems should be monitored and information security events should be
recorded
b. An organization should comply with all relevant legal requirements, applicable to
its monitoring and logging activities
c. System monitoring should be used to check the effectiveness of controls
adopted
d. Operator logs and fault logging should be used to ensure that information
system problems are identified
14. The criteria for accepting risks and the acceptable levels of risk are:
a. An outcome of risk assessment methodology
b. A decision of management commitment
c. Part of statement of applicability
d. Part of Quality Manual
15. In order to achieve the control objective "To manage information security within the
organization", which of the following controls may NOT be necessary?
a. Information security activities should be coordinated by representatives from
different parts of the organization with relevant roles and job functions
b. All identified security requirements should be addressed before giving customers
access to the organization's information or assets
c. Appropriate contacts with special interest groups or other specialist security
forums and professional associations should be maintained
d. A management authorization process for new information processing facilities
should be defined and implemented
16. Which of the following guidelines should be avoided if operational data is to be
protected when used for testing purposes?
18. Security features, service levels and management requirements of all network services
should be identified and included in any network services agreement, whether these
services are provided in-house or outsourced. Which of the following security features
should be applied in order for the above control to be achieved?
19. Multi-user systems that require protection against unauthorized access should have the
allocation of privileges controlled through a formal authorization process. Which of the
following steps of privilege management is based on a wrong assumption?
a. Privileges should be allocated to users on a need-to-use basis and on an
event-by-event basis, in line with the access control policy
b. Privileges should be assigned to a different user ID from those used for normal
business use
c. The development and use of system routines should be avoided as they need to
grant privileges to more users
d. None of the above
a. Apply lessons learnt from the security experience of the organization itself
b. Apply lessons learnt from the security experience of other organizations
c. Communicate the actions to all interested parties with a level of detail appropriate
to the circumstances
d. All of the above
22. In the "Plan – Do – Check – Act" model, the risk re-assessment is part of the:
a. Plan Phase
b. Do Phase
c. Check Phase
d. Act Phase
23.Which should participate in the information security assessment?
a. Audit findings
b. Audit timetable
c. Audit programme
d. Audit scope
a. Audit plan
b. Audit programme
c. Audit scope
d. Audit criteria
a. Fair Presentation
b. Away from bias
c. Ethical Conduct
d. Leadership
a. All activities described in the audit plan have been carried out and the approved
audit report has been distributed
b. The audit team has announced the audit findings to the auditee
c. The audited organization sends the closures to the auditor
d. All question of the audit checklist have been answered
a. Theatrical
b. Versatile
c. Abrasive
d. Indecisive
33. You are the lead auditor and you are conducting a surveillance audit on behalf of a
certification company. During the on-site audit, two people from the audited
organization argue about one of your findings. How should you react?
34. In deciding the size and composition of the audit team, consideration should NOT be
given to the following:
a. Sampling method
b. On the 100% of the available information
c. Only on information given by interviews
d. Only on the documents presented by the top management
37. Records related to audit personnel do not cover subjects such as:
a. Auditor competence
b. Audit team selection
c. Maintenance of competence
d. Audit reports filled in by auditors
39. Which is the minimum number of auditors an audit team can have?
a. Two
b. One
c. The number required by the audit programme
d. Three
40. How many lead auditors can an audit team have for a single audit (one management
system audited)?
a. One
b. Two
c. None
d. Four
41. If not fully covered by the auditors in the audit team, the necessary knowledge and
skills can be satisfied as follows:
a. the lead auditor should inform the audit client, the auditee and those assigned
responsibility for managing the audit programme
b. the lead auditor should make all the necessary additions and inform the auditee
c. the lead auditor must inform the organization's consultant in order to make the
necessary additions
d. the lead auditor should stop the audit without further delay
43. Put the listed activities of the audit process in the right time order
a. Opening meeting, process of auditing, audit team meeting, closing meeting
b. Opening meeting, closing meeting, process of auditing, audit team meeting
c. Opening meeting, audit team meeting, process of auditing, closing meeting
d. Opening meeting, process of auditing, closing meeting, audit team meeting
44. Opening (entry) meetings are used to introduce, outline the audit scope and explain
the process.
a. True
b. False
45. Opening meetings are used primarily to summarize findings and present non-
conformities.
a. True
b. False
46. Two or more auditing organizations may cooperate, as part of their audit programmes,
to conduct a joint audit.
a. True
b. False
47. Where a combined audit is to be conducted, it is important that the audit team leader
ensures that the audit objectives, scope and criteria are appropriate to the nature of
the combined audit.
a. True
b. False
48. Auditors are independent of the activity being audited and are free from bias and
conflict of interest, except from the case where there is no time to find someone else.
a. True
b. False
49. The audit team leader can assign to an audit team member, the responsibility to raise,
categorize and document nonconformities.
a. True
b. False
50. The audit team leader, in consultation with the audit team, should assign to each team
member responsibility for auditing specific processes, functions, sites, areas or
activities.
a. True
b. False
51. Audit findings can indicate nonconformity with audit objectives.
a. True
b. False
52. The ISO 19011 standard covers all auditors for management system standards.
a. True
b. False
a. True
b. False
a. True
b. False
56. An organization can claim conformity to ISO/IEC 27001 with justified exclusion of
controls only where the excluded controls do not affect the security requirements determined by the risk assessment.
a. True
b. False
58. In order to define the detailed scope and boundaries of the Information Security
Management System (ISMS), the following are necessary:
a) Define the organizational scope and boundaries
b) Define the information and communication technology (ICT) scope and boundaries
c) Define the physical scope and boundaries
a. True
b. False
a. True
b. False
a. True
b. False