PECB Updated ISO-IEC-27001-Lead-Auditor Exam Questions and Answers by andy

The correct answer is A, because peer review or independent review of audit working documents is an accepted and recommended auditing practice when performed by a qualified and authorized individual. ISO/IEC 17021-1 requires certification bodies to maintain quality assurance mechanisms, including review of audit documentation, to ensure audit consistency, impartiality, and technical validity.

Reviewing working documents before audit conclusions are finalized helps identify gaps, inconsistencies, or errors while corrective action is still possible. This strengthens the reliability of the audit outcome and supports sound certification decisions.

Option B is incorrect because limiting review to after conclusions are finalized reduces the effectiveness of quality control and may require rework. Option C is incorrect because auditors should not review their own work exclusively; independent review is a key safeguard against bias and oversight.

Therefore, a qualified auditor appointed by the certification body reviewing working documents prior to final conclusions is fully aligned with good auditing practice and accreditation requirements.

Comprehensive and Detailed In-Depth Explanation:

Northstorm adopted an international standard for Personally Identifiable Information (PII) controllers and PII processors to ensure its data handling practices were secure and compliant with global regulations. This aligns directly with ISO/IEC 27701, which extends ISO/IEC 27001 and ISO/IEC 27002 to cover Privacy Information Management Systems (PIMS), specifically addressing the protection of PII.

A. ISO/IEC 27701 – Correct Answer. This standard is designed for organizations acting as PII controllers and processors and provides guidelines on privacy management, regulatory compliance, and data protection.

B. ISO/IEC 27009 – Incorrect because this standard provides guidance on sector-specific requirements for ISMS, not privacy or PII protection.

C. ISO/IEC 27003 – Incorrect because it provides general implementation guidance for ISMS, not specific controls for PII processing.

This aligns with ISO/IEC 27001:2022 Annex A Control A.5.34 (Privacy and Protection of PII), which focuses on ensuring compliance with privacy regulations and implementing privacy-enhancing security measures.

According to ISO 27001:2022 clause 4.1, the organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system (ISMS)12

External issues are factors outside the organisation that it cannot control, but can influence or adapt to. They include political, economic, social, technological, legal, and environmental factors that may affect the organisation’s information security objectives, risks, and opportunities12

Internal issues are factors within the organisation that it can control or change. They include the organisation’s structure, culture, values, policies, objectives, strategies, capabilities, resources, processes, activities, relationships, and performance that may affect the organisation’s information security management system12

Therefore, the following issues are considered ‘internal’ in the context of a management system to ISO 27001:2022:

Poor levels of staff competence as a result of cuts in training expenditure: This is an internal issue because it relates to the organisation’s capability, resource, and process of developing and maintaining the competence of its personnel involved in the ISMS. The organisation can control or change its training expenditure and its impact on staff competence12

Poor morale as a result of staff holidays being reduced: This is an internal issue because it relates to the organisation’s culture, value, and relationship with its employees. The organisation can control or change its staff holiday policy and its impact on staff morale12

Increased absenteeism as a result of poor management: This is an internal issue because it relates to the organisation’s performance, structure, and accountability of its management. The organisation can control or change its management practices and its impact on staff absenteeism12

A fall in productivity linked to outdated production equipment: This is an internal issue because it relates to the organisation’s capability, resource, and process of ensuring the availability and suitability of its production equipment. The organisation can control or change its equipment maintenance and upgrade and its impact on productivity12

The following issues are considered ‘external’ in the context of a management system to ISO 27001:2022:

Higher labour costs as a result of an aging population: This is an external issue because it relates to the social and demographic factor that affects the availability and cost of labour in the market. The organisation cannot control or change the aging population, but can influence or adapt to its impact on labour costs12

A rise in interest rates in response to high inflation: This is an external issue because it relates to the economic and monetary factor that affects the cost and availability of capital in the market. The organisation cannot control or change the interest rates or inflation, but can influence or adapt to its impact on capital costs12

A reduction in grants as a result of a change in government policy: This is an external issue because it relates to the political and legal factor that affects the availability and conditions of public funding for the organisation. The organisation cannot control or change the government policy, but can influence or adapt to its impact on grants12

Inability to source raw materials due to government sanctions: This is an external issue because it relates to the political and legal factor that affects the availability and cost of raw materials in the market. The organisation cannot control or change the government sanctions, but can influence or adapt to its impact on raw materials12

From Exact Extract:

Explanation for C (Correct Response):

The audit team leader's primary responsibility is to manage the audit process effectively and efficiently according to the agreed-upon audit plan and schedule. A Stage 2 audit schedule is typically tightly managed to ensure all required elements of the management system are sampled within the allocated time. A 45-minute video presentation is a significant time commitment that would disrupt the planned audit activities. Politely but firmly stating the need to adhere to the schedule is professional and critical for maintaining audit integrity and achieving the audit objectives.