
www.pecb.com

EXERCISES
Correction Key

CERTIFIED ISO/IEC 27001 LEAD AUDITOR TRAINING COURSE
Certified ISO/IEC 27001 Lead Auditor | PECB Group Inc., ©2024

Exercise 1: Reasons to implement an ISMS based on ISO/IEC 27001


List and explain three significant advantages that organizations would gain by
implementing an information security management system based on ISO/IEC 27001.
In addition, explain how the organizations can measure these advantages by means
of metrics.

Possible answer:

Advantage 1: Improvement of information security posture by implementing
internationally recognized information security controls and better managing
information security threats.
How can organizations measure this advantage?
By putting in place indicators to measure the number of information security
incidents, the number of hours during which the information network is unavailable,
the monthly costs of incidents, etc.

Advantage 2: Achievement of good governance


How can organizations measure this advantage?
By putting in place indicators to measure the awareness of their personnel regarding
information security.

Advantage 3: Increase of competitive advantage


How can organizations measure this advantage?
By evaluating brand awareness, measuring the percentage of growth in sales,
determining the degree to which customers’ needs and expectations were met, etc.


Exercise 2: Ethics
How should the auditor handle the following situations? Prepare to discuss your
answers in class.

1. The auditee asks the auditor to depersonalize the audit notes so they can use
the notes to create a case study. This case study will be used for internal
purposes only.

Possible answer: The auditor should reject this request because, firstly, their notes
are not the property of the auditee and, secondly, depersonalizing notes takes time
(the auditor is not paid to do that), and the process could be perceived as a potential
conflict of interest.

2. During the audit, an auditor discovers evidence of bribery involving senior
management. The bribery scheme involves payments made to secure favorable
contracts and manipulate business competition.

Possible answer: The auditor should document the evidence of bribery, providing
comprehensive details on the involved parties, transaction amounts, and the
resultant impact on financial statements. The auditor should promptly recognize the
discovered bribery as a notifiable illegal act and evaluate its standing within the
framework of applicable laws and regulations. Simultaneously, the auditor should
arrange a meeting with senior management to communicate the findings, affording
them an opportunity to respond and provide insights into the organization's stance on
the matter.

3. A former employee of the auditee contacts the auditor to inform them that the
auditee has several security problems that it is trying to conceal before the audit.
This person proposes to send documented evidence to prove their claims.

Possible answer: The conduct of an audit must not be based on hearsay. The
person in this situation might have personal issues with their former employer and,
therefore, does not represent a reliable source of information. In addition, the
documents in their possession are, undoubtedly, held in violation of their old
employment contract. In that case, the auditor should politely refuse such help. The
auditor can inform the person that it is possible to file and send a formal complaint to
the certification body. This way, the auditor will demonstrate professional skepticism
during the audit.

4. The auditor detected a nonconformity during the audit of a small organization.
The auditor believes that this nonconformity has occurred because the employee
responsible was recently hired and is not experienced enough to carry out the task.
In addition, the auditor suspects that, if the nonconformity is reported, the senior
executive of the organization, a quick-tempered man, will get furious with the
employee and fire them.

Possible answer: Whatever the consequences of the declared nonconformity, the
auditor must reveal it in an impartial manner. Otherwise, by issuing a false report, the
auditor would contradict their ethical principles.


Exercise 3: Drafting an audit test plan


Prepare an audit test plan by selecting at least three appropriate audit procedures to
validate if an organization adequately protects logs that record activities or faults
(Control Annex A 8.15 of ISO/IEC 27001).

Mark “N/A” for the procedures that do not apply.

Possible answer:

AUDIT TEST PLAN

Audit criteria: ISO/IEC 27001, Annex A 8.15 Logging. Logs that record activities,
exceptions, faults and other relevant events shall be produced, stored, protected
and analyzed.

Audit procedures, by technique:

Observation:
• Observe the controls implemented to ensure the protection against unauthorized
changes to log information and operational problems with the logging facility

Documented information review:
• Review the topic-specific policy on logging

Interview:
• Interview the person(s) to validate the logging policy objectives
• Interview the network administrator to validate the operation of the controls in
place to protect the logged information against unauthorized access

Technical verification:
• Observe the logging equipment configurations to verify their compliance with the
organization’s internal policies and procedures

Analysis:
• Select a sample of logged information and conduct an analysis of it
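Added example (not part of the PECB correction key or the case study): one concrete form of the "protection against unauthorized changes to log information" that the observation and technical-verification procedures above look for is a tamper-evident log. The script below writes hash-chained JSON records and re-verifies the chain, reporting the first record after which an edit or a deletion broke it. The event lines, file names and the chaining scheme are constructed assumptions for the example, not anything taken from BankPulse Solutions.

```python
"""Tamper-evident log: each record stores the previous record's hash and a
SHA-256 over (previous hash + canonical event). Editing, removing or
re-ordering any record breaks the chain from that point on."""
import hashlib
import json
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # stands in for the hash "before" the first record


def _digest(prev_hash: str, event: dict) -> str:
    """Hash of one record: previous hash concatenated with the event serialised
    canonically (sorted keys, no whitespace) so re-serialisation is stable."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_record(path: Path, event: dict) -> str:
    """Append one event as a JSON line linked to the current chain head;
    returns the new head hash."""
    prev = GENESIS
    if path.exists():
        lines = path.read_text().splitlines()
        if lines:
            prev = json.loads(lines[-1])["hash"]
    entry = {"prev": prev, "event": event, "hash": _digest(prev, event)}
    with path.open("a") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry["hash"]


def verify_chain(path: Path) -> tuple[bool, int]:
    """Re-walk the file. Returns (True, -1) if every link and hash checks out,
    otherwise (False, index) for the first record that does not."""
    prev = GENESIS
    for index, line in enumerate(path.read_text().splitlines()):
        entry = json.loads(line)
        expected = _digest(prev, entry.get("event", {}))
        if entry.get("prev") != prev or entry.get("hash") != expected:
            return False, index
        prev = entry["hash"]
    return True, -1


def run_demo() -> dict:
    """Write three constructed events, then simulate two unauthorized changes
    (an edited record and a deleted record) and return the verifier's verdicts."""
    events = [  # constructed sample events, not real log data
        {"ts": "2023-03-22T09:00:00Z", "user": "alice", "action": "login", "result": "ok"},
        {"ts": "2023-03-22T09:05:12Z", "user": "mallory", "action": "login", "result": "fail"},
        {"ts": "2023-03-22T09:05:40Z", "user": "mallory", "action": "login", "result": "ok"},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "auth.log"
        for event in events:
            append_record(log, event)
        lines = log.read_text().splitlines()

        # Unauthorized edit: rewrite the failed attempt as a success.
        tampered = json.loads(lines[1])
        tampered["event"]["result"] = "ok"
        edited = Path(tmp) / "edited.log"
        edited.write_text(
            "\n".join([lines[0], json.dumps(tampered, sort_keys=True), lines[2]]) + "\n"
        )

        # Unauthorized deletion: drop the failed attempt entirely.
        deleted = Path(tmp) / "deleted.log"
        deleted.write_text("\n".join([lines[0], lines[2]]) + "\n")

        return {
            "intact": verify_chain(log),
            "edited": verify_chain(edited),
            "deleted": verify_chain(deleted),
        }


if __name__ == "__main__":
    print(run_demo())
```

The chain only makes tampering detectable, not impossible: whoever can rewrite the file can also recompute every hash after the edit, so in practice the head hash is periodically copied somewhere the log writer cannot change (a separate system or a signed record), and the auditor's technical verification would compare the stored head against a fresh `verify_chain` run.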


Exercise 4: Nonconformity reports


Upon reading the case study, XIII Certification audit, complete the nonconformity
reports for the findings observed by the audit team.

In case of nonconformities, the report should include the following:


• The audit criteria
• A description of the nonconformity
• The type of nonconformity (minor or major)

You can use the “comments” section to justify your decision.

Findings:
1. The log-on procedure of the centralized platform provides detailed error
messages, indicating which part of the login data (username or password) is
incorrect, aiding potential unauthorized users in refining their intrusion strategies.
2. The company fails to keep records or monitor who enters and exits secure
areas, making it impossible to track unauthorized access or investigate security
incidents. BankPulse Solutions’ management is aware of the situation, and the
security manager has identified this issue as being a risk to be monitored and
included in the risk analysis report. BankPulse Solutions has no other
documentation of this situation.
3. BankPulse Solutions has two distinct processes for incident management, one
for the head office and one for the back office. In addition, the incident records
are kept in two separate information systems that do not communicate with each
other. In an interview with the person responsible for technical support, it was
stated that, within five years, the company will replace the two systems with an
integrated system for managing information security events.


NONCONFORMITY REPORT #1
Client: BankPulse Solutions
Site: Head office
Process: Secure authentication
Clause/control number: Annex A 8.5
Audit criteria: Secure authentication technologies and procedures shall be
implemented based on information access restrictions and the topic-specific policy
on access control.

Description of the observed nonconformity: The system's log-on procedure
provides detailed error messages, explicitly indicating whether the username or
password is incorrect. This transparency aids potential unauthorized users in
refining their intrusion strategies, posing a significant security risk.

Auditor: Chloe Roy
Date: March 22, 2023
Acknowledgement by auditee representative:
The type of nonconformity: Minor

Comments:
The situation is categorized as a minor nonconformity because the provision of
explicit error messages during the log-on process significantly aids potential
unauthorized users in refining their intrusion strategies, which could lead to
compromised system security.
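Added example, not from the PECB material or the BankPulse case study: the log-on behaviour this report describes, beside a corrected version that returns one generic message for every failed attempt, plus the simple check an auditor could run against a test account to tell the two apart. The user store, password hashing scheme, messages and account names are constructed for the example.

```python
"""Verbose versus generic log-on failure messages, with an audit check."""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the iteration count is a constructed value for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash). Hypothetical data.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}
# Dummy credential used when the username is unknown, so the hash is still
# computed and the two failure paths take about the same time.
_DUMMY = (b"\x00" * 16, b"\x00" * 32)


def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """The observed (nonconforming) behaviour: the message reveals which part
    of the credentials was wrong, so a valid username can be confirmed
    without knowing its password."""
    if username not in USERS:
        return False, "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Incorrect password"
    return True, "Login successful"


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Corrected behaviour: the same message for an unknown user and for a
    wrong password; the detail belongs in the server-side log, not the reply."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    if username not in USERS or not match:
        return False, "Invalid username or password"
    return True, "Login successful"


def leaks_username_validity(login) -> bool:
    """Audit check: does a wrong password for a real account produce a
    different message than any password for a non-existent account?
    True means the system exhibits the finding in this report."""
    _, msg_real = login("alice", "not the password")
    _, msg_fake = login("no-such-user-" + os.urandom(4).hex(), "not the password")
    return msg_real != msg_fake


if __name__ == "__main__":
    print("verbose log-on leaks username validity:", leaks_username_validity(login_verbose))
    print("generic log-on leaks username validity:", leaks_username_validity(login_generic))
```

The check compares only the message text; a thorough verification would also compare response timing and HTTP status codes, which is why `login_generic` hashes a dummy credential for unknown users instead of returning early.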


NONCONFORMITY REPORT #2
Client: BankPulse Solutions
Site: Head office
Process: Physical entry
Clause/control number: Annex A 7.2
Audit criteria: Secure areas should be protected by appropriate entry controls
and access points.

Description of the observed nonconformity: The company does not have any
records or documentation for monitoring the access of individuals to secure areas.

Auditor: Chloe Roy
Date: March 22, 2023
Acknowledgement by auditee representative:
The type of nonconformity: Major

Comments:
This is considered to be a major nonconformity because the company should allow
only authorized access to its server room. In addition, it should be able to provide
evidence of how it ensures such authorized access.

Comments on situation 3:
According to the given information, there is no nonconformity. BankPulse Solutions
can have different procedures to manage the incidents. The planned system
integration in the future complies with control 5.24, aiming to establish an effective
incident management system, enabling the definition, establishment, and
communication of information security incident management protocols across the
organization, thereby enhancing efficiency and consistency.


Homework 1: Identification of threats, vulnerabilities, and impacts


Based on the case study, list the threats and vulnerabilities associated with the
following scenarios and indicate the potential impacts. Then, determine if the impacts
would affect the confidentiality, integrity, or availability of the organization’s data.
1. Ian Kovalev and Katie Harper were hired by BankPulse Solutions’ competitor,
EverNet.
2. The software delivered to BankPulse Solutions’ clients in Brazil had some
serious flaws and made clients vulnerable to external attacks.
3. Julia Robinson, the website designer, was ill for one month.
4. Customer information (names, addresses, and credit card numbers) is kept in a
database that does not have a proper encryption or access control in place.

Complete the matrix below and prepare to discuss your answers.

Possible answer:


Scenario 1: Ian Kovalev and Katie Harper were hired by BankPulse Solutions’
competitor, EverNet.
Vulnerabilities:
• Lack of controls regarding the termination of employment
• Ian Kovalev, the former accounting VP, has knowledge of sensitive data (payroll,
financial results, etc.) and Katie Harper, the former marketing assistant, has
knowledge of BankPulse Solutions’ sales strategies and marketing campaigns.
Threats:
• Revealing confidential data to the competitor
C/I/A affected: C
Potential consequences:
• Loss of customers to a competitor
• Financial losses

Scenario 2: The software delivered to BankPulse Solutions’ clients in Brazil had
some serious flaws and made clients vulnerable to external attacks.
Vulnerabilities:
• Insufficient software testing
• Widely distributed software
• Lack of data encryption
• Lack of documentation
• Lack of backup copies
Threats:
• Abuse of rights
• Corruption of data
• Error in use
• Tampering with software
C/I/A affected: C, I, A
Potential consequences:
• Invasion of privacy of clients
• Confidential information leakage
• Disruption of services

Scenario 3: Julia Robinson, the website designer, was ill for one month.
Vulnerabilities:
• No segregation of duties
• Only one person available for this function
• Failure to produce management reports
Threats:
• Lack of available personnel
• Abuse of rights
• Unauthorized use of equipment
C/I/A affected: C, I, A
Potential consequences:
• Unavailable website: loss in revenues
• Inability to fulfill contractual obligations
• Disruption of operations

Scenario 4: Customer information (names, addresses, and credit card numbers) is
kept in a database that does not have a proper encryption or access control in
place.
Vulnerabilities:
• Lack of data encryption
• Single point of failure
• No backup procedures in place
Threats:
• Database injection attacks
• Corruption of data
C/I/A affected: C, I, A
Potential consequences:
• Service interruption
• Confidential information leakage
• Deliberate changes
• Loss of data
• Information theft
• Corrupted database


Homework 2: Selection of controls


For each threat identified in exercise 1, select the appropriate controls (by providing
the correct clause or annex number) which allow BankPulse Solutions to modify,
share, or avoid the risk.

Complete the matrix below and prepare to discuss your answers.

Possible answer:


Scenario 1: Ian Kovalev and Katie Harper were hired by BankPulse Solutions’
competitor, EverNet.
Vulnerabilities:
• Lack of controls regarding the termination of employment
• Ian Kovalev, the former accounting VP, has knowledge of sensitive data (payroll,
financial results, etc.) and Katie Harper, the former marketing assistant, has
knowledge of BankPulse Solutions’ sales strategies and marketing campaigns.
Threats:
• Revealing confidential data to the competitor
C/I/A affected: C
Potential consequences:
• Loss of customers to a competitor
• Financial losses
Controls: Annex A 6.2, Annex A 6.5, Annex A 6.6

Scenario 2: The software delivered to BankPulse Solutions’ clients in Brazil had
some serious flaws and made clients vulnerable to external attacks.
Vulnerabilities:
• Insufficient software testing
• Widely distributed software
• Lack of data encryption
• Lack of documentation
• Lack of backup copies
Threats:
• Abuse of rights
• Corruption of data
• Error in use
• Tampering with software
C/I/A affected: C, I, A
Potential consequences:
• Invasion of privacy of clients
• Confidential information leakage
• Disruption of services
Controls: Annex A 5.8, Annex A 8.4, Annex A 8.18, Annex A 8.29

Scenario 3: Julia Robinson, the website designer, was ill for one month.
Vulnerabilities:
• No segregation of duties
• Only one person available for this function
• Failure to produce management reports
Threats:
• Lack of available personnel
• Abuse of rights
• Unauthorized use of equipment
C/I/A affected: C, I, A
Potential consequences:
• Unavailable website: loss in revenues
• Inability to fulfill contractual obligations
• Disruption of operations
Controls: Annex A 5.3, Annex A 5.37, Annex A 8.2, Annex A 8.15

Scenario 4: Customer information (names, addresses, and credit card numbers) is
kept in a database that does not have a proper encryption or access control in
place.
Vulnerabilities:
• Lack of data encryption
• Single point of failure
• No backup procedures in place
Threats:
• Database injection attacks
• Corruption of data
C/I/A affected: C, I, A
Potential consequences:
• Service interruption
• Confidential information leakage
• Deliberate changes
• Loss of data
• Information theft
• Corrupted database
Controls: Annex A 5.15, Annex A 8.13, Annex A 8.24


Homework 3: Audit evidence


List at least two actions that the auditor should take to verify conformity to the
following controls of Annex A of ISO/IEC 27001.

Possible answer:
1. Annex A 5.1 Policies for information security
• Review of documented information security policy to validate its
development and content
• Interview with the person(s) in charge of information security to validate the
approval of the policy and its communication to the auditee’s employees and
relevant external parties
• Verification of the policy distribution media (website, hard copy version,
email, etc.)

2. Annex A 5.18 Access rights


• Review of documented procedures for the removal of access rights
• Interview with the person in charge of information security or the human
resources manager to validate if the process of removing access rights is
carried out as per the procedures in place
• Analysis of a sample of employees that are no longer part of the organization
to verify if their access rights have been removed
• Observation of access rights in the systems directories (e.g., Microsoft Active
Directory, Novell Access Manager, Apple Open Directory)

3. Annex A 8.7 Protection against malware


• Review of documented measures against malware
• Interview with a technician to validate the management process of the
measures against malware (monitoring, updates, reports, etc.)
• Verification of the configurations of the anti-malware software
• Analysis of a sample of workstations to check if there is software to protect
the system against malware and if the software is up to date

4. Annex A 8.13 Information backup


• Review of documentation of the policy on backup information
• Interview with the person(s) responsible for the backup procedures


Homework 4: Evidence in an audit


List at least two types of evidence that would be sufficient to verify the organization’s
conformity to the following clauses of ISO/IEC 27001. Additionally, indicate the type
of evidence.

Possible answer:
1. Clause 6.1.3 Information security risk treatment
• Review of the risk treatment plan (documentary evidence)
• Interview with the person(s) in charge of information security (verbal
evidence)
• Verification of a sample of action plans specified in the risk treatment plan
(analytical evidence)

2. Annex A 8.4 Access to source code


• Review of the policy on access control to program source code
(documentary evidence)
• Interview with a member of the Software Development Department (verbal
evidence)
• Analysis of access logs to program source code to detect exceptions
(analytical evidence)

3. Annex A 7.10 Storage media


• Review of the topic-specific policy on the management of removable storage
media (documentary evidence)
• Interview with the person(s) responsible for backups (verbal evidence)

4. Annex A 8.26 Application security requirements


• Interview with the person(s) responsible for developing security requirements
to determine if information security specialists were involved in the process
(verbal evidence)
• Review of the application security requirements (documentary evidence)

5. Annex A 8.32 Change management


• Interview with a member of the top management to determine if there are
procedures in place for carrying out changes (verbal evidence)
• Review of the change control policy and procedures (documentary evidence)
• Verification of a sample of changes that have already been made (analytical
evidence)


Homework 5: Documented information review


Review some of BankPulse Solutions’ documented information related to the ISMS
and determine if they meet the minimum requirements of ISO/IEC 27001. In addition,
list the necessary controls that BankPulse Solutions should implement.

Possible answer:
1. The information security policy
The organization’s policy does not comply with two requirements of the standard:
it does not contain a statement that the organization takes into account the
requirements linked to the activity and the legal or regulatory requirements
(Annex A 5.31), and it does not include a commitment to continual improvement
(Clause 5.2d).

2. The definition of the ISMS scope and objectives


The document fulfills the minimum requirements to ensure conformity with
ISO/IEC 27001. Concerning the absence of a signature in the document, the
auditor should ask to see the original signed document during the on-site audit.

3. The Statement of Applicability (excerpt)


There are several important points missing, such as the lack of justifications for
the selection of particular measures. The auditor will not be able to validate if the
justifications are logical and appropriate.

4. The roles and responsibilities matrix


Some persons seem to have duties and responsibilities that could be
noncompliant with task segregation best practices. The auditor should request
more information during the on-site audit to validate this point.

5. The incident management process related to the ISMS (with the incident
declaration form)
The incident management process and the form are compliant, even though the
process involves a lot of steps. However, there is a lack of consistency between
documents (the forms do not seem to support the process). This may lead the
auditor to believe that they were written by more than one person who
apparently did not communicate with each other at all, or they did so
ineffectively.


Homework 6: Reviewing an audit plan


By referring to the case study, analyze the audit plan below and point out the
mistakes of this plan.

AUDIT INFORMATION
Organization: BankPulse Solutions
Address: Montreal, Canada
Client ID: 202204_BS27001
Number of employees within the scope: 20
Auditee representative: Alan Brown
Standard(s) audited: ISO/IEC 27001:2022
Audit team leader: Chloe Roy
Other audit team member(s): N/A
Audit type: Stage 2 audit
Date(s) of audit: March 6 to March 22, 2023
Audit duration: Four days
Language: English
Audit scope: The scope of the ISMS established by BankPulse Solutions includes
all data processing facilities of the organization’s headquarters in Montreal.

Audit preparation

a. Audit objectives
The objectives of this audit are to:
• Confirm that the ISMS complies with the audit criteria
• Confirm that the ISMS meets applicable statutory, regulatory, and
contractual requirements
• Confirm the effectiveness of the ISMS in meeting its specified objectives
• Identify the information security areas that need potential improvement

b. Audit criteria
The audit criteria are all normative clauses of the ISO/IEC 27001 standard:
• Clause 4: Context of the organization
• Clause 5: Leadership
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance evaluation
• Clause 10: Improvement
• Annex A: Excerpt containing applicable controls related to the scope


AUDIT PLAN
Date: March 6, 2023
Auditor: Chloe Roy (all steps)
Key contact: Alan Brown (all steps)

8:30 – 8:40: Meet and greet
8:40 – 9:00: Conduct the opening meeting
9:00 – 10:00: Verify conformity to clause 4 Context of the organization to
evaluate if:
  • The internal and external issues have been identified, including those
  related to climate change
  • The ISMS addresses the needs and expectations of interested parties
  • The relevant requirements of interested parties have been determined,
  including legal, regulatory, and contractual requirements and those related to
  climate change
  • The scope has been determined in accordance with standard requirements
10:00 – 11:00:
  • Verify conformity to clause 5 Leadership by interviewing the top management
  to evaluate their commitment to the ISMS
  • Review:
    - Information security policy
    - Roles and responsibilities (through assessing the organizational structure
    and conducting interviews with a group of employees to assess their
    awareness and understanding of their roles and responsibilities)
11:00 – 12:00:
  • Verify conformity to clause 6 Planning by reviewing the following:
    - Planning of actions to address risks and opportunities
    - Information security objectives
    - Planning of changes
12:00 – 13:00: Lunch break
13:00 – 14:00:
  • Verify conformity to clause 7 Support through:
    - Reviewing communication plans
    - Reviewing employee training records and interviewing a number of
    employees
    - Reviewing the procedure for creating, updating, and controlling
    documented information
14:00 – 15:00:
  • Verify conformity to clause 8 Operation by reviewing:
    - Documented information regarding the planning, implementation, and
    control of ISMS processes
    - Previous information security risk assessment reports
    - Information security risk treatment plan
15:15 – 15:30: Short break
15:30 – 16:00:
  • Verify conformity to clause 9 Performance evaluation by reviewing:
    - Internal audit program and documented evidence of its implementation
    - Management review process
    - Documented information on the monitoring and measurement results
16:00 – 17:00:
  • Review notes taken during the day and the audit findings, meet with the
  audit team, and then with the auditee

AUDIT PLAN
Date: March 7, 2023
Auditor: Chloe Roy (all steps)
Key contact: Alan Brown (all steps)

8:30 – 10:00:
  • Verify conformity to clause 10 Improvement by reviewing:
    - Nonconformities and corrective actions taken or planned
    - Other evidence of continual improvement
10:00 – 10:45: Verify conformity to Annex A 5 controls:
  • 5.1 Policies for information security
  • 5.2 Information security roles and responsibilities
  • 5.3 Segregation of duties
  • 5.4 Management responsibilities
  • 5.5 Contact with authorities
  • 5.6 Contact with special interest groups
  • 5.8 Information security in project management
10:45 – 11:00: Short break
11:00 – 12:00: Verify conformity to Annex A 6 controls:
  • 6.1 Screening
  • 6.2 Terms and conditions of employment
  • 6.3 Information security awareness, education and training
  • 6.4 Disciplinary process
  • 6.5 Responsibilities after termination or change of employment
12:00 – 13:00: Lunch break
13:00 – 13:30: Verify conformity to Annex A 7 controls:
  • 7.1 Physical security perimeters
  • 7.2 Physical entry
13:30 – 14:00: Physical facilities tour
14:00 – 15:00: Verify conformity to Annex A 8 controls:
  • 8.1 User end point devices
  • 8.2 Privileged access rights
  • 8.3 Information access restrictions
15:00 – 16:00: Lunch break
16:00 – 17:00: Review notes taken during the day and the audit findings, meet
with the audit team, and then with the auditee

AUDIT PLAN
Date: March 20, 2023
Auditor: Chloe Roy (all steps)
Key contact: Alan Brown (all steps)

8:30 – 9:30: Verify conformity to Annex A 5 controls:
  • 5.9 Inventory of information and other associated assets
  • 5.10 Acceptable use of information and other associated assets
  • 5.11 Return of assets
9:30 – 9:45: Short break
9:45 – 11:00: Verify conformity to Annex A 5 controls:
  • 5.12 Classification of information
  • 5.13 Labelling of information
  • 5.14 Information transfer
  • 5.15 Access control
  • 5.16 Identity management
  • 5.17 Authentication information
  • 5.18 Access rights
11:00 – 12:00: Verify conformity to Annex A 5 controls:
  • 5.19 Information security in supplier relationships
  • 5.20 Addressing information security within supplier agreements
  • 5.21 Managing information security in the ICT supply chain
  • 5.22 Monitoring, review and change management of supplier services
  • 5.23 Information security for use of cloud services
12:00 – 13:00: Lunch break
13:00 – 14:00: Verify conformity to Annex A 5 controls:
  • 5.24 Information security incident management planning and preparation
  • 5.25 Assessment and decision on information security events
  • 5.26 Response to information security incidents
  • 5.27 Learning from information security incidents
14:00 – 14:30: Break
14:30 – 15:00: Verify conformity to Annex A 6 controls:
  • 6.6 Confidentiality or non-disclosure agreements
  • 6.8 Information security event reporting
15:00 – 15:15: Short break
15:15 – 16:30: Verify conformity to Annex A 7 controls:
  • 7.5 Protecting against physical and environmental threats
  • 7.6 Working in secure areas
  • 7.7 Clear desk and clear screen
  • 7.8 Equipment siting and protection
  • 7.9 Security of assets off-premises
16:30 – 17:00: Review notes taken during the day and the audit findings, meet
with the audit team, and then with the auditee

AUDIT PLAN
Date: March 21, 2023
Auditor: Chloe Roy (all steps)
Key contact: Alan Brown (all steps)

8:30 – 9:30:
  • Interview a representative sample of employees engaged in key processes
  related to the ISMS; spend approximately 10 minutes per person
  • The interview should focus on:
    - Their ISMS roles and responsibilities
    - Processes for identifying the opportunities for improvement
    - Management and protection of passwords
    - Reporting of security incidents and events
9:30 – 10:30: Verify conformity to Annex A 7 controls:
  • 7.10 Storage media
  • 7.11 Supporting utilities
  • 7.12 Cabling security
  • 7.13 Equipment maintenance
  • 7.14 Secure disposal or re-use of equipment
10:30 – 12:00: Verify conformity to Annex A 8 controls:
  • 8.8 Management of technical vulnerabilities
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.13 Information backup
12:00 – 13:00: Lunch break
13:00 – 14:00: Verify conformity to Annex A 8 controls:
  • 8.14 Redundancy of information processing facilities
  • 8.15 Logging
  • 8.16 Monitoring activities
  • 8.17 Clock synchronization
  • 8.18 Use of privileged utility programs
14:00 – 14:30: Have the closing meeting
14:30 – 15:30: Verify conformity to Annex A 8 controls:
  • 8.19 Installation of software on operational systems
  • 8.20 Networks security
  • 8.21 Security of network services
15:30 – 15:45: Short break
15:45 – 17:00: Review the compiled documented information for the audit

Possible answer:
Based on the audit plan, the auditor reviewed solely the Annex A controls identified
as applicable in the Statement of Applicability, but neglected to assess the
justifications for deeming other controls as not applicable. It is crucial in an audit to
not only evaluate the implementation and effectiveness of the selected controls but
also to understand and verify the rationale behind the exclusion of certain controls.

The auditor applied the same level of effort and techniques uniformly across all
clauses, instead of emphasizing a risk-based approach where auditors prioritize
high-risk areas. This could overlook or undermine the importance of varying risk
levels across different audit areas, potentially leading to inefficiencies and reduced
effectiveness in the audit process.

The closing meeting on the fourth day is scheduled before reviewing the controls
8.19, 8.20, and 8.21 of Annex A. The closing meeting should be conducted at the
end of the audit. Thus, this point needs to be rescheduled as well.


Homework 7: Opening meeting


Using the information from the provided case study about BankPulse Solutions,
create an agenda and outline for the opening meeting of the certification audit.
Ensure that your agenda addresses the unique aspects and challenges related to
BankPulse Solutions’ operations and compliance.

Possible answer:
The top management of BankPulse Solutions should be briefed by the audit team
leader on how the audit activities will be undertaken. Additionally, there are other
aspects that the opening meeting agenda should include, such as:
• Introduction of the audit team members
• Confirmation of the audit plan, objectives, scope, and criteria
• Confirmation of the audit plan and logistics
• Introduction of the audit methods
• Determination of the communication channels between the audit team and the
auditee during the audit
• Information on the availability of resources
• Information on audit findings and the closing meeting

Homework 8: Interview with the chief information security officer

You will interview Alan Brown, the chief information security officer of BankPulse
Solutions, who is also responsible for the implementation of the ISMS. Make sure to
ask questions that help you determine whether the company has implemented the
following controls of ISO/IEC 27001:
• Annex A 8.4 Access to source code
• Annex A 8.20 Networks security
• Annex A 8.26 Application security requirements

Possible answer:
1. How does BankPulse Solutions manage access to source code, development
tools, and software libraries?
2. Regarding access permissions, how does the company differentiate read access
and write access to source code based on personnel roles?
3. Specifically, how are authorization procedures managed when updating source
code and associated items, in line with the change control procedures?
4. How are networks and network devices secured, managed, and controlled to
protect information in systems and applications?
5. How does BankPulse Solutions establish controls to safeguard the confidentiality
and integrity of data passing over public networks, third-party networks, or
wireless networks?
6. How has BankPulse Solutions determined the application security requirements?
7. What are the information security requirements that the company has identified,
specified, and approved for developing and acquiring applications?
8. Could you discuss the measures in place to ensure the protection of data while in
transit, at rest, or during testing phases of the applications?

Homework 9: Audit sampling process

Assess whether BankPulse Solutions complies with control A 6.1 Screening of
Annex A in ISO/IEC 27001. Given that the company has around 170 employees, you
need to employ a sampling process as an audit procedure.

Define the target population, the sample, and the sample size. In addition, choose
the sampling method and justify your decision. Briefly explain how you would
conduct the sampling process.

Possible answer:
The sampling population of this audit will be all BankPulse Solutions employees who
were subject to background verification checks conducted by the company. The
auditor decides to use the systematic selection method of sampling, because it is
statistically reliable and easy to execute. Moreover, this selection is based on a fixed
interval.

The following steps describe the sampling process:

• Target population: All employees of BankPulse Solutions (170 employees)
• Sampling population: Current BankPulse Solutions employees for whom the
company has conducted background verification checks prior to employment
• Sampling method: Systematic selection
• Sample size: 17 employees
• Sampling process: Starting the selection randomly with the 7th employee, the
auditor selects every 10th employee thereafter (170/17 = 10).
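The systematic selection described above, carried through as an added worked example that is not part of the PECB answer key: a constructed population of 170 employee records, a fixed interval of 170/17 = 10, and a start of 7, so that the 7th, 17th, ..., 167th records are drawn and each sampled HR file is checked for evidence of a pre-employment background verification. The employee ids, the `screening_evidence` flag and the two records (42 and 97) that lack evidence are invented for the illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class EmployeeRecord:
    """One HR file: the employee id and whether the file holds evidence of a
    pre-employment background verification check (constructed data)."""
    employee_id: int
    screening_evidence: bool


def build_population(size: int = 170) -> list[EmployeeRecord]:
    """Constructed population (not real data): every record has screening
    evidence except employees 42 and 97."""
    missing_evidence = {42, 97}
    return [EmployeeRecord(i, i not in missing_evidence) for i in range(1, size + 1)]


def systematic_sample(population, sample_size, start=None, rng=None):
    """Systematic selection: fixed interval k = N // n, a random start in 1..k,
    then every k-th record. `start` is 1-based; when omitted it is drawn at
    random so the auditee cannot predict which files will be inspected."""
    n = len(population)
    if not 0 < sample_size <= n:
        raise ValueError("sample size must be between 1 and the population size")
    interval = n // sample_size            # 170 // 17 = 10
    if start is None:
        start = (rng or random).randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError(f"start must be between 1 and {interval}")
    # Slicing keeps the sample at exactly sample_size when N is not a multiple of n.
    return [population[i] for i in range(start - 1, n, interval)][:sample_size]


def audit_screening(sample):
    """Ids of sampled employees whose file lacks screening evidence; each one is
    a candidate finding against Annex A 6.1 that the auditor then verifies
    with HR before recording it."""
    return [r.employee_id for r in sample if not r.screening_evidence]


if __name__ == "__main__":
    population = build_population()
    sample = systematic_sample(population, 17, start=7)
    print("sampled ids:", [r.employee_id for r in sample])
    print("files without screening evidence:", audit_screening(sample))
```

With a start of 7 the sample contains employee 97 but not employee 42, so only one of the two missing files becomes a finding. This is the inherent limitation of sampling: a clean sample does not prove that every file is in order, and the random start is what keeps the selection unpredictable and statistically defensible.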

Homework 10: Closing meeting

Outline the key points you would cover in the closing meeting with BankPulse
Solutions’ top management subsequent to the audit process. This should include an
overview of the topics for discussion.

Possible answer:
• Confirmation of questionnaire completion: Verify with the management team
whether all planned questions pertinent to the audit have been addressed. This
is essential to ensure that all areas of concern have been thoroughly explored
and discussed.
• Summary of findings: Present a concise overview of the main conclusions
derived from the audit process. This will involve summarizing the key findings
and insights gathered. I will request confirmation from the management to
validate the accuracy and alignment of the conclusions.
• Arrangements for follow-up information: Discuss and agree on the procedure for
obtaining any additional information required, such as documents or further data.
Clear steps and timelines will be established to ensure the smooth acquisition of
necessary information.
• Opportunity for questions and comments: Invite the top management to ask any
questions or provide comments regarding the audit process, its outcomes, or any
related concerns. This open discussion will allow for clarification and further
insights from their perspective.
• Acknowledgment and gratitude: Express my sincere appreciation for the top
management's participation, cooperation, and valuable input throughout the audit
process. Their time and collaboration have been fundamental in achieving a
comprehensive assessment.

Homework 11: Evaluation of corrective actions

After receiving the action plans submitted by the auditee, you, as the auditor,
should evaluate whether they are appropriate and address the root causes of the
nonconformities.

1. In the IT department, the same individual who has the authority to approve
system changes also has unrestricted access to implement those changes. This
lack of segregation of duties could lead to unauthorized or erroneous
modifications to critical systems.

Root cause: The absence of a clear division of responsibilities and authorizations
within the IT department increases the risk of errors, fraud, or unauthorized system
changes.

Corrective action: Implement a segregation of duties policy within the IT
department, establishing separate roles for change approval and implementation.
Specifically, designate one individual or team to authorize system changes and a
separate team or individual to implement those changes. Access controls and
permissions should be adjusted accordingly to enforce these divisions of
responsibility (time frame: within 30 days).

Possible answer: While disciplinary actions might create awareness, the primary
issue is the absence of a structural control to prevent unauthorized or accidental
modifications in critical systems. By implementing a clear segregation of duties
policy, the company addresses the root cause, reducing the risk of errors or
intentional malfeasance within the IT systems.
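One way to turn the corrective action for nonconformity 1 into a structural control that an auditor can test, as an added example that is not part of the answer key: a check run over change records that flags any change approved by an account without the approval role, implemented by an account without the implementer role, or approved and implemented by the same account, together with a check that the two role groups do not overlap. The role assignments, account names and change ids are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    """One entry from a change log (constructed for the example)."""
    change_id: str
    approved_by: str
    implemented_by: str


# Role assignments as found during the audit (constructed): the IT manager both
# approves and implements changes, which is the nonconformity.
ROLES_BEFORE = {
    "change_approver": {"cab.lead", "it.manager"},
    "change_implementer": {"it.manager", "sysadmin.1", "sysadmin.2"},
}

# Role assignments after the corrective action (constructed): approval and
# implementation are held by disjoint groups.
ROLES_AFTER = {
    "change_approver": {"cab.lead", "it.manager"},
    "change_implementer": {"sysadmin.1", "sysadmin.2"},
}


def role_overlap(roles):
    """Accounts holding both roles. A non-empty result means the role design
    itself violates segregation of duties, regardless of individual changes."""
    return roles["change_approver"] & roles["change_implementer"]


def check_change(change, roles):
    """Findings for one change record; an empty list means conformant."""
    findings = []
    if change.approved_by not in roles["change_approver"]:
        findings.append(f"{change.change_id}: {change.approved_by} has no approval role")
    if change.implemented_by not in roles["change_implementer"]:
        findings.append(f"{change.change_id}: {change.implemented_by} has no implementer role")
    if change.approved_by == change.implemented_by:
        findings.append(f"{change.change_id}: approved and implemented by the same account")
    return findings


def audit_changes(changes, roles):
    """Run the check over a whole change log and collect every finding."""
    return [finding for change in changes for finding in check_change(change, roles)]


# Constructed change log used for the demonstration.
CHANGE_LOG = [
    ChangeRecord("CHG-1001", "cab.lead", "sysadmin.1"),      # conformant
    ChangeRecord("CHG-1002", "it.manager", "it.manager"),    # one person did both
    ChangeRecord("CHG-1003", "sysadmin.2", "sysadmin.2"),    # approver lacks the role, and did both
]


if __name__ == "__main__":
    print("role overlap before:", role_overlap(ROLES_BEFORE))
    print("role overlap after:", role_overlap(ROLES_AFTER))
    for finding in audit_changes(CHANGE_LOG, ROLES_AFTER):
        print(finding)
```

The same-account test is the one that catches the case in the nonconformity even under the old role design, while the role-membership tests only become meaningful once the roles have been separated; an auditor following up on the action plan would sample change records from after the 30-day deadline and expect the overlap set to be empty and the same-account findings to stop appearing.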

2. A technician responsible for managing the company's outdated hard drives,
stored at the secondary site, did not properly dispose of them. Rather than deleting
the data and destroying the disks as required, the person simply discarded them.
However, the procedure did not specifically cover the disposal of stored data in
devices or in other storage media when no longer needed, only its deletion.

Root cause: Absence of clear and comprehensive procedures regarding the
disposal of stored data in devices that are no longer needed.

Corrective action: Revise the procedure to encompass a comprehensive disposal
method for information that is no longer needed, covering not just information
systems but also all devices and other storage media (time frame: within three
months). Conduct training sessions to educate all relevant personnel on the revised
policies and procedures (time frame: within three months).

Possible answer: I agree with the proposed corrective action since it addresses the
root cause of the nonconformity.

3. The HR Department did not consistently verify applicants’ CVs and business
references due to a lack of awareness of the procedure.

Root cause: Inadequate and inconsistent training and communication within the HR
Department.

Corrective action: Inform (time frame: immediately) the HR team about the critical
importance and scope of the background verification checks procedure for all
potential candidates prior to employment, emphasizing its legal, regulatory, and
ethical significance in accordance with company policies; train them (time frame:
within three months); and require that each member of the team follows the
procedure strictly.

Possible answer: I agree with the proposed corrective action. Attending training
sessions and being constantly informed regarding the procedure helps in increasing
employees’ awareness.

4. An employee accessed an information processing facility which they were not
authorized to access. That facility contains sensitive information that belongs
to the organization.

Root cause: The employee, knowing the internal regulations of the organization,
has violated the rules.

Corrective action: Fire the employee based on internal rules and policies (time
frame: immediately).

Possible answer: To be effective, the corrective action must be implemented in
compliance with the organization’s regulations, and an analysis of the incident
should be performed to determine the root causes. Appropriate controls are in place
(informed employees, visible signs, and access control). Thus, it is the organization’s
duty to apply appropriate disciplinary measures to this person, based on the internal
policies.

5. The organization does not have a formal process to categorize incidents.

Root cause: The current process for categorizing the latest information security
events as information security incidents is ineffective.

Corrective action: Establish a formal process outlining how incidents should be
identified, assessed, and categorized (time frame: within 12 months), buy a software
solution that supports incident categorization to streamline the process and maintain
a centralized database of incidents (time frame: within 24 months), and conduct
training sessions or workshops for relevant personnel to ensure they understand the
new incident categorization process (time frame: within 12 months).

Possible answer: I agree with the proposed corrective action, except that the
completion deadline is too extended. The auditor should ask the organization to
provide additional justifications regarding such extended deadlines.