
PECB Exam ISO-IEC-27001-Lead-Auditor Topic 2 Question 35 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 35
Topic #: 2

You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).

You: Are items checked before being dispatched?

SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.

You: What action is taken when items are returned?

SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.

You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?

Suggested Answer: B, D, E, F, I, J

B) 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers.

D) 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms.

E) 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks. Storage media controls could include physical locks, encryption, backup, disposal, or destruction.

F) 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets.

I) 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts.

J) 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes. Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse.


ISO/IEC 27002:2022 Information technology --- Security techniques --- Code of practice for information security controls

ISO/IEC 27001:2022 Information technology --- Security techniques --- Information security management systems --- Requirements

ISO/IEC 27003:2022 Information technology --- Security techniques --- Information security management systems --- Guidance

ISO/IEC 27004:2022 Information technology --- Security techniques --- Information security management systems --- Monitoring measurement analysis and evaluation

ISO/IEC 27005:2022 Information technology --- Security techniques --- Information security risk management

ISO/IEC 27006:2022 Information technology --- Security techniques --- Requirements for bodies providing audit and certification of information security management systems

ISO/IEC 27007:2022 Information technology --- Security techniques --- Guidelines for information security management systems auditing
