PECB Lead Auditor (ISO/IEC 27001) — Question 25
The data center at which you work is currently seeking ISO/IEC 27001:2022 certification. In preparation for your initial certification visit, several internal audits have been carried out by a colleague working at another data center within your Group. They secured their own ISO/IEC 27001:2022 certificate earlier in the year.
You have just qualified as an Internal ISMS auditor and your manager has asked you to review the audit process and audit findings as a final check before the external Certification Body arrives.
Which four of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements? (Choose four.)
Answer options
- A. Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date.
- B. Audit reports are not held in hardcopy (i.e. on paper). They are only stored as *.PDF documents on the organization's intranet.
- C. The audit process states the results of audits will be made available to 'relevant' managers, not top management.
- D. The audit programme does not reference audit methods or audit responsibilities.
- E. The audit programme does not take into account the relative importance of information security processes.
- F. The audit programme does not take into account the results of previous audits.
- G. The audit programme has not been signed as 'approved' by Top Management.
- H. The audit programme shows management reviews taking place at irregular intervals during the year.
Correct answer: A, D, E, F
Explanation
Option A is a concern because without defined audit criteria there is nothing against which to assess conformity and effectiveness. Option D raises issues because an audit programme that does not specify audit methods or responsibilities can lead to inconsistent auditing practices. Option E is critical because ignoring the relative importance of information security processes could undermine the overall security posture. Lastly, option F is problematic because the results of previous audits provide valuable insights that should inform current audit planning and improvements.