PECB


ISO-IEC-27001-LEAD-AUDITOR Question #107: Real Exam Question with Answer & Explanation

The correct answer is A. Confidentiality and nondisclosure agreements; C. Information security awareness, education and training; D. Remote working arrangements; E. The conducting of verification checks on personnel.

Question

You are an experienced audit team leader guiding an auditor in training. Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the Statement of Applicability (SoA) and implemented at the site. Select four controls from the following that you would expect the auditor in training to review.

Options

  • A. Confidentiality and nondisclosure agreements
  • B. How protection against malware is implemented
  • C. Information security awareness, education and training
  • D. Remote working arrangements
  • E. The conducting of verification checks on personnel
  • F. The operation of the site CCTV and door control systems
  • G. The organisation's arrangements for information deletion
  • H. The organisation's business continuity arrangements

Explanation

The PEOPLE controls are related to the human aspects of information security, such as roles and responsibilities, awareness and training, screening and contracts, and remote working. The auditor in training should review the following controls:

  • Confidentiality and nondisclosure agreements (A): These are contractual obligations that bind the employees and contractors of the organisation to protect the confidentiality of the information they handle, especially the data of external clients. The auditor should check if these agreements are signed, updated, and enforced by the organisation. This control is related to clause A.7.2.1 of ISO/IEC 27001:2022.
  • Information security awareness, education and training (C): These are activities that aim to enhance the knowledge, skills, and behaviour of the employees and contractors regarding information security. The auditor should check if these activities are planned, implemented, evaluated, and improved by the organisation. This control is related to clause A.7.2.2 of ISO/IEC.
  • Remote working arrangements (D): These are policies and procedures that govern the information security aspects of working from locations other than the organisation's premises, such as home or public places. The auditor should check if these arrangements are defined, approved, and monitored by the organisation. This control is related to clause A.6.2.1 of ISO/IEC.
  • The conducting of verification checks on personnel (E): These are background checks that verify the identity, qualifications, and suitability of the employees and contractors who have access to sensitive information or systems. The auditor should check if these checks are conducted, documented, and reviewed by the organisation. This control is related to clause A.7.1.1 of ISO/IEC 27001:2022.
