
Exam Format: Multiple Choice Questions (60 points)

Score: ____

Attention of the candidates:

This test, which is expected to measure the competences of the Auditor in accordance with the ISO
27001 and ISO 19011 standards, is licensed by Staregister International Inc. and accredited by
IAS (International Accreditation Service) with certificate number PCB-101.

This examination paper is a single section consisting of 60 multiple choice questions. Some
questions are deliberately prepared with the reverse meaning. Please read the questions carefully
and make sure that you understand what is expected. The duration of the exam is 40 (forty)
minutes. No more time will be given to answer any question.

Each question is worth 1 point. The maximum score of the exam is 60; the passing score of
the exam is 42.

Please tick the answer on the paper that is given to you.

"ISO 27001" and "standard" words will always mean ISO 27001:2013.

You may use only the ISO 27001:2013 standard. No other notes are allowed during the test.

You may start the exam now.

We wish you success.

EXAM DATE:
PAGE 2/15
1. What is the first action that an organization should take for a risk identified from risk
assessment?
a. Transferring the risk to other parties e.g. insurers
b. Applying appropriate controls to reduce the risk
c. Examining the organization's criteria for risk acceptance
d. Developing appropriate security awareness, education and training activities

2. Which of the following could NOT be a part of a Risk Treatment Plan?

a. Vulnerabilities that can be exploited by threats so as to cause harm to assets or to
the organization
b. A relation between risks and the selected risk treatment option
c. A relation between risks and the selected control objectives and controls
d. Actions related to risks

3. An organization has established a reporting procedure for employees, contractors and
third parties in order to make them aware of the procedure for information security events and
the point of contact. Which of the following, if included in the procedure, should be
avoided?

a. Information security event reporting form
b. How to carry out their own action before reporting to the point of contact
c. Suitable feedback processes for informing those reporting information security
events
d. Reference to an established formal disciplinary process

4. In an Information Security Management System, why is the classification of information
important?

a. To indicate the needs, priorities and expected degree of protection
b. To perform the risk assessments
c. To define terms in third party agreements
d. To define the physical security perimeter

5. Which of the following is NOT good implementation guidance for cabling security?

a. Routes through public areas should be avoided
b. Power cables should be together with communication cables for easier inspection
c. Use of electromagnetic shielding to protect the cables
d. Clearly identifiable cable and equipment markings should be used

6. In order to ensure the security of electronic commerce services, which of the following
controls should be avoided?

a. Duplication of transaction information
b. Authorization process associated with who may set prices, issue or sign key
trading documents
c. Usage of digital signatures
d. Usage of cryptographic controls in compliance with legal requirements

7. Users should be required to follow good security practices in password use. Which of
the following is NOT a good security practice?

a. Changing passwords at regular intervals
b. Changing passwords based on the number of accesses
c. Keeping a record of passwords
d. Not using the same password for business and non-business purposes

8. A business continuity strategy should be developed to determine the overall approach
to business continuity. Which is the key factor that determines this strategy?

a. The estimated magnitude of risks
b. The determined significance of the risks
c. Results from risk assessment
d. Top management

9. Which of the following considerations regarding Intellectual Property Rights may not
be correct?

a. The organization acquiring software only from known and reputable sources in
order to ensure that copyright is not violated
b. The organization should check that it is not duplicating, converting to another format or
extracting from commercial recordings other than as permitted by copyright law
c. The Intellectual Property Rights of software developed by an organization
belong to the organization
d. The organization should check compliance with the terms and conditions for
software and information obtained from public networks

10. An organization that implements an Information Security Management System has to
achieve and maintain appropriate protection of organizational assets. Who is responsible
for the maintenance of controls that have been applied to a specific asset?

a. Chief Information Security Manager
b. Owner of the asset
c. User of the asset
d. Employee to whom the owner has delegated the implementation of the specific control

11. Operation of information security measurement involves activities that are essential for
ensuring that the developed measurement results provide accurate information with
regard to the effectiveness of an implemented Information Security Measurement
Programme.

a. Integration of measurement procedures into the overall operation of the ISMS
b. Collecting and storing data
c. Analyzing data
d. Verification of data

12. Which is the key factor for an organization in order to detect unauthorized information
processing activities through monitoring?

a. Systems should be monitored and information security events should be
recorded
b. An organization should comply with all relevant legal requirements, applicable to
its monitoring and logging activities
c. System monitoring should be used to check the effectiveness of controls
adopted
d. Operator logs and fault logging should be used to ensure that information
system problems are identified

13. Risk assessment should be performed periodically to address changes in the security
requirements and in the risk situation. In these cases it is important that the results are:

a. Comparable and reproducible
b. Qualitative
c. Quantitative
d. In accordance with statutory and regulatory requirements

14. The criteria for accepting risks and the acceptable levels of risk are:

a. An outcome of the risk assessment methodology
b. A decision of management commitment
c. Part of the Statement of Applicability
d. Part of the Quality Manual

15. In order to achieve the control objective “To manage information security within the
organization”, which of the following controls may NOT be necessary?

a. Information security activities should be coordinated by representatives from
different parts of the organization with relevant roles and job functions
b. All identified security requirements should be addressed before giving customers
access to the organization's information or assets
c. Appropriate contacts with special interest groups or other specialist security
forums and professional associations should be maintained
d. A management authorization process for new information processing facilities
should be defined and implemented

16. Which of the following guidelines should be avoided in order for operational data to be
protected when used for testing purposes?

a. The access control procedures, which apply to operational application systems,
should also apply to test application systems
b. There should be separate authorization each time operational information is
copied to a test application system
c. Operational information should be erased from a test application system
immediately after an audit trail of logs
d. The copying and use of operational information should be logged to provide an
audit trail

17. Which of the following change management implementation guidance could
introduce more vulnerabilities when changes to operational systems are made?

a. Communication of change details to all relevant persons
b. Fallback procedures from unsuccessful changes and unforeseen events
c. Updating systems with the latest versions of operating system or application
d. Planning and testing of changes

18. Security features, service levels and management requirements of all network services
should be identified and included in any network services agreement, whether these
services are provided in-house or outsourced. Which of the following security features
should be applied in order for the above control to be achieved?

a. Technology should be applied for security of network services, such as
authentication, encryption and network connection controls
b. Technical parameters required for secured connection with the network services
in accordance with the security and network connection rules
c. Procedures for the network service usage to restrict access to network services
or applications, where necessary
d. All of the above

19. Multi-user systems that require protection against unauthorized access should have the
allocation of privileges controlled through a formal authorization process. Which of the
following steps of privilege management is based on a wrong assumption?

a. Privileges should be allocated to users on a need-to-use basis and on an event-
by-event basis in line with the access control policy
b. Privileges should be assigned to a different user ID from those used for normal
business use
c. The development and use of system routines should be avoided as they need to
grant privileges to more users
d. None of the above

20. Which of the following security objectives can be achieved by using cryptographic
controls?

a. Availability, confidentiality, integrity
b. Availability, integrity, authenticity
c. Availability, integrity, authenticity
d. Confidentiality, integrity, authenticity, non-repudiation

21. In corrective and preventive actions, the organization shall:

a. Apply lessons learnt from the security experience of the organization itself
b. Apply lessons learnt from the security experience of other organizations
c. Communicate the actions to all interested parties with a level of detail appropriate
to the circumstances
d. All of the above

22. In the “Plan – Do – Check – Act” model, the risk re-assessment is part of the:

a. Plan Phase
b. DO Phase
c. Check Phase
d. Act Phase

23. Who should participate in the information security assessment?

a. Only line managers (e.g. organizational unit heads)
b. Only process owners (i.e. representing important organization areas)
c. Only individuals who possess a strong knowledge of the current environment,
conditions and what is relevant in terms of information security
d. All of the above

24. The audit report is issued:

a. During the opening meeting
b. Within the agreed time period
c. During the on-site audit process
d. When the audit client asks for a copy

25. Which of the following is not a responsibility of the guides?

a. Establishing contacts and timing for interviews
b. Witnessing the audits on behalf of the auditee
c. Arranging visits to specific parts of the organization
d. Leading the auditor’s questions to the interviewed person

26. “Set of policies, procedures or requirements” is the definition for:

a. Audit conclusions
b. Audit criteria
c. Audit findings
d. Management System

27. “Description of the activities and arrangements of an audit” is the definition for:

a. Audit findings
b. Audit timetable
c. Audit programme
d. Audit scope

28. “The extent and boundaries of an audit” is the definition for:

a. Audit plan
b. Audit programme
c. Audit scope
d. Audit criteria

29. Which of the following principles does not relate to auditors?

a. Fair Presentation
b. Away from bias
c. Ethical Conduct
d. Leadership

30. An auditor can be evaluated:

a. When he first shows interest in becoming an auditor
b. When he is to be selected as a member of an audit team
c. Continually, to prove that he is competent
d. All of the above

31. The audit is considered completed when:

a. All activities described in the audit plan have been carried out and the approved
audit report has been distributed
b. The audit team has announced the audit findings to the auditee
c. The audited organization sends the closures to the auditor
d. All questions of the audit checklist have been answered

32. An auditor should be:

a. Theatrical
b. Versatile
c. Abrasive
d. Indecisive

33. You are the lead auditor and you are conducting a surveillance audit on behalf of a
certification company. During the on-site audit, two people from the audited
organization argue about one of your findings. How should you react?

a. Ignore them and continue the audit
b. Say that you have to move on
c. Inform them about the finding and the requirement, and kindly inform them that you
have an audit plan to follow
d. Stop the audit and try to solve the problem

34. In deciding the size and composition of the audit team, consideration should not be
given to the following:

a. Audit objectives, scope and criteria
b. Whether the audit is a combined or joint audit
c. The age of the auditors
d. The language of the audit

35. The audit evidence is based:

a. On a sampling method
b. On 100% of the available information
c. Only on information given by interviews
d. Only on the documents presented by top management

36. The auditee has the right:

a. To end the audit
b. Not to pay the certification body if any nonconformities have been documented
c. To dispute an audit finding
d. To ask for an auditor who is a friend

37. Records related to audit personnel do not cover subjects such as:

a. Auditor competence
b. Audit team selection
c. Maintenance of competence
d. Audit reports filled in by auditors

38. The implementation of the audit programme should be monitored:

a. At planned intervals
b. Every year
c. Every three (3) years
d. When the lead auditor decides

39. Which is the minimum number of auditors an audit team can have?

a. Two
b. One
c. The required number according to the audit programme
d. Three

40. How many lead auditors can an audit team have for a single audit (one management
system audited)?

a. One
b. Two
c. None
d. Four

41. If not fully covered by the auditors in the audit team, the necessary knowledge and
skills can be satisfied by:

a. Including appropriate technical experts
b. Buying scientific books
c. Reducing the extent of the audit programme
d. Reducing the audit scope

42. When conducting document review and the documentation is found to be inadequate:

a. The lead auditor should inform the audit client, the auditee and those assigned
responsibility for managing the audit programme
b. The lead auditor should make all the necessary additions and inform the auditee
c. The lead auditor must inform the organization’s consultant in order to make the
necessary additions
d. The lead auditor should stop the audit without further delay

43. Put the listed activities of the audit process in the right time order:

a. Opening meeting, process of auditing, audit team meeting, closing meeting
b. Opening meeting, closing meeting, process of auditing, audit team meeting
c. Opening meeting, audit team meeting, process of auditing, closing meeting
d. Opening meeting, process of auditing, closing meeting, audit team meeting

44. Opening (entry) meetings are used to introduce, outline the audit scope and explain
the process.

a. True
b. False

45. Opening meetings are used primarily to summarize findings and present non-
conformities.

a. True
b. False

46. Two or more auditing organizations may cooperate, as part of their audit programmes,
to conduct a joint audit.

a. True
b. False

47. Where a combined audit is to be conducted, it is important that the audit team leader
ensures that the audit objectives, scope and criteria are appropriate to the nature of
the combined audit.

a. True
b. False

48. Auditors are independent of the activity being audited and are free from bias and
conflict of interest, except from the case where there is no time to find someone else.

a. True
b. False

49. The audit team leader can assign to an audit team member the responsibility to raise,
categorize and document nonconformities.

a. True
b. False

50. The audit team leader, in consultation with the audit team, should assign to each team
member responsibility for auditing specific processes, functions, sites, areas or
activities.

a. True
b. False

51. Audit findings can indicate nonconformity with audit objectives.

a. True
b. False

52. The ISO 19011 standard covers all auditors for management system standards.

a. True
b. False

53. Audit evidence should be qualitative or quantitative.

a. True
b. False

54. According to ISO/IEC 27001 requirements, is an Information Security Measurement
Programme needed?

a. True
b. False

55. When an organization develops and maintains continuity plans to maintain or restore
operations and to ensure availability of information at the required level and in the
required time scales following interruption or failure of critical business processes,
acceptable loss of information and services could NOT be taken into consideration.

a. True
b. False

56. An organization can claim conformity to ISO/IEC 27001 by justified exclusion of
controls that do not affect the security requirements determined by risk assessment only.

a. True
b. False

57. In the case of “services” provided to customers, an Information Security Management
System cannot be applied.

a. True
b. False

58. In order to define the detailed scope and boundaries for the Information Security
Management System (ISMS), the following are necessary:

a) Define the organizational scope and boundaries
b) Define Information Communication Technology (ICT) scope and boundaries
c) Define physical scope and boundaries

a. True
b. False

59. Organizations implementing an Information Security Management System (ISMS) should
have procedures in place that specify when and by whom authorities should be
contacted and how identified information security incidents should be reported in a
timely manner if it is suspected that the law may have been broken. Business continuity
and contingency processes may support maintaining such contacts.

a. True
b. False

60. Groups of information services, users and information systems should be segregated on
networks. Virtual private networks (VPN) are NOT appropriate for segregation in
networks.

a. True
b. False

END OF THE EXAM.
