PECB Updated ISO-IEC-42001-Lead-Auditor Exam Questions and Answers by jasmin

Question:

Which of the following does NOT constitute an appropriate technology requirement for virtual audits between the auditee and audit team?

Did ImoAI take the correct initial step after the major nonconformity was detected?

Scenario 9: ImoAl, headquartered in California. USA, provides Al solutions for various industries such as finance, healthcare, retail, and manufacturing. Its clients

include major financial institutions seeking Al powered fraud detection systems, healthcare providers leveraging Al for diagnostics and patient care, retailers

optimizing supply chain management with Al forecasting, and manufacturers enhancing production efficiency through Al-driven automation.

ImoAl has recently undergone a certification audit to ensure that its artificial intelligence management system AIMS is in compliance with ISO/IEC 42001. During the

audit, a major nonconformity related to data security protocols was identified, requiring urgent resolution. ImoAl swiftly initiated corrective actions to address the

major nonconformity. The audit follow-up, in agreement with the auditee, was scheduled six weeks after the initial audit. As part of exploring alternatives to audit

follow-up, the audit team leader chose to verify the effectiveness of the actions taken by the auditee by scheduling a specific visit to ImoAI's premises.

The follow-up audit involved a thorough evaluation of the effectiveness of these actions. The audit team leader thoroughly examined the corrections, corrective actions,

and root cause analysis conducted by ImoAl to assess whether they adequately addressed the nonconformity identified during the initial audit.

In conjunction with the external audit follow-up, ImoAl engaged its internal auditing team to oversee the progress of corrective actions. The AIMS manager of ImoAl

updated Ms. Rebecca Hayes, the internal auditor, on the status of corrections and corrective actions prompted by the nonconformity identified during the external

audit. Subsequently, Ms. Hayes thoroughly reviewed these measures, analyzing the corrections, root causes, and effectiveness of the implemented actions.

Upon satisfactory validation of the action plans, ImoAl was recommended for certification.

Scenario 9 (continued):

Scenario 9: Securisai, located in Tallinn. Estonia, specializes in the development of automated cybersecurity solutions that utilize AI systems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. In doing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently and ethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certification audit to demonstrate compliance with ISO/IEC 42001.

The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, and procedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation

of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation, ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.

After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during the certification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a

key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk

management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.

Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.

Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despite being initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partner with a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.

To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation for submission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence to ISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current valid certification registration.

A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The

purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team

concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.

Question:

In the context of Roger’s action plan at Securisai, was the plan he developed a general plan or a detailed plan?

Scenario 1 (continued):

To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.

Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.

After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.

Question:

Prior to the certification audit, the institution conducted an internal audit and management review. Is this acceptable?