PECB Updated ISO-IEC-27001-Lead-Auditor Exam Questions and Answers by may

The best way to dispose of a hard copy of a customer design document is to shred it using a shredder. This is because shredding ensures that the document is destroyed and cannot be reconstructed or accessed by unauthorized persons. A customer design document may contain sensitive or confidential information that could cause harm or damage to the customer or the organization if disclosed. Therefore, it is important to protect the confidentiality and integrity of the document until it is securely disposed of. Throwing it in any dustbin, giving it to the office boy to reuse it for other purposes, or reusing it for writing are not secure ways of disposing of the document, as they could expose the document to unauthorized access, theft, loss or damage. ISO/IEC 27001:2022 requires the organization to implement procedures for the secure disposal of media containing information (see clause A.8.3.2). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Secure Disposal?

According to ISO 19011:2018, clause 5.3, the person responsible for managing the audit programme should determine the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. The audit resources should be sufficient and appropriate to ensure the quality and effectiveness of the audit programme and the audit results. The audit resources include the following elements12:

Essential resources: These are the resources that are required to conduct the audit programme and the individual audits, such as the audit documents, the audit methods, the audit tools, the audit schedule, the audit budget, etc. The essential resources should be identified and allocated based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee. The essential resources should also be reviewed and updated as necessary to reflect any changes or deviations in the audit programme or the individual audits.

Competent personnel: These are the audit team members who have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results and recommendations. The competent personnel should include the audit team leader, the auditors, and any technical experts or observers who support the audit team. The competent personnel should be selected and appointed based on the audit objectives, scope, and criteria, and the specific competence requirements for the audit programme and the individual audits. The competent personnel should also be independent and impartial, and avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.

The audit team’s approach to assessing risk and opportunity determination as a standalone activity is in line with established auditing norms, making option A the correct answer. ISO/IEC 27001:2022 requires organizations to identify risks and opportunities related to the ISMS and to plan actions to address them. From an audit perspective, ISO 19011 allows auditors to structure audit activities in a way that ensures effective coverage of critical requirements.

Assessing risk and opportunity determination independently does not violate auditing principles, provided it remains connected to the overall management system context. In practice, auditors often examine risk management as a distinct audit trail because it is a foundational element that influences many other ISMS processes, including control selection, operational planning, and continual improvement. Conducting a focused assessment enables auditors to evaluate whether risks are identified systematically, whether opportunities are considered, and whether treatment plans are appropriate and effective.

Option C is incorrect because although risk and opportunity management should be embedded throughout the ISMS, auditing it as a standalone activity does not contradict this principle. It is an audit structuring decision rather than a management system design issue. Option B is incorrect because auditors do not require explicit auditee requests to structure audit activities independently; they are responsible for designing the audit approach.

Therefore, the audit team’s standalone assessment of risk and opportunity determination aligns with recommended auditing practices.