CONFIDENTIAL
Examination ISMS Examination Paper for
Information Security Management Systems
Internal Auditor Training Courses
Please write your name and the date in the space below.
ate
THESE SPACES ARE FOR OFFICIAL USE ONLY
Marker orker2__| Pass mark | Maximum
é 10
15 20
7 10
7 0
Total 35 30
Name of Marker
‘This examination is closed book.
‘+ A clean copy of 150 27001 and a bilingual dictionary are the only tems
permitted for reference.
+ Electronic devices, including laptops and mobile phones, are not permitted into
‘the examination room. Exceptions may be granted to students with special
needs.
ISHS Bxranton 13/20 Serr 2013 AE gs eserves by 56S Kr is
MtateInformation for students
‘The examination paper isn four sections. Attempt all sections and all questions.
‘The time allowed fs 80 minutes. There f= no addtional time allowed for reading
the examination paper.
‘0 |riarks af’ avallabies Te pase youlmiust achieve at least'35/miark= (70%)/and
{You must achieve atleast 50% in each of the four sections. The mapimum
‘marks for each question, or part of a question, are shawn in brackets,
‘Your answers must be written on the sheets supplied. Please avoid writing in the
margins) these are for the markers, Write on the reverse side of a page I
ecessaty. Additional loase sheets will nt be accepted
All references to 1SO 27001 refer tothe latest Issue.
Action verb Meaning
describe depict in words
explain sive a clear account of
coutine sive the most important features of (less depth than explain
or describe)
sive provide without explanation (used normally with the
Instruction to give an example (or examples) of .m)
st provide a ist without explanation (bullet points)
‘entity select and name
define provide a generally recognised or accepted definition
state 2 less demanding form of ‘define’ or where there is no
‘enerally recognised definition
586 Darton 1/10 Ssteber 20:3 - Ags sed peta y SS Kony
Sota‘amination MS Eamon Paper for formation Secy Mangement tee
Section one ~ Five questions worth two marks each
41.1 A key requirement of internal audits is that they are objective and impartial.
Describe the difference between objectivity and impartiality in this context,
(marks)
1.2. Explain, in the context of auditing, the difference between being
argumentative and being assertive. (2 marks)
1.3. The level of legal and regulatory compliance is one measure of the
performance of an Information security management system
List two methods an organisation can use to determine its leve of
legal and regulatory compliance. (2 marks)
19 barunton 1/10 Sete 201 ~t atresrved operate by 5 Keys
anaes‘emt Ss xarnaton Pape or formation Sect Uangement ates
1.4 Clause 6.1.3 of 150 27001 requites appropriate information security risk
treatment options to be carried out, Briefly describe two of the four
Principal risk treatment options that may be applied to a risk.
(2 marks)
1.5. Identify two ways in which an auditor can verify that agreed corrective
‘actions have been effectively implemented (2 marks)
{ss exariraton 1/10 Satter 2013 A as resected by 56S Kee Ud
Tact‘ransom Eamon Paper for frmation Scurty Management tens
Section two ~ Four questions worth five marks each
2a
22
IS 27000 defines an ISMS as “part of the overall management system based
‘on 8 business risk approach
2) Explain your understanding of what is meant by "a business risk
approach’ (2 marks)
») Identity six 150 27001 clauses that support such an approzch.
(3 marks)
150 27001 requires top management to provide evidence of its
leadership and commitment to the development and implementation
othe information security management system.
lefly a method you could use to evaluate top management
(2 merks)
155 barns 1/10 Sater 2013 ~ gs reserve operate by SS Kaya Us
Tosa‘saminton xaminaton oper normaton ear Mangement Sats
b) Give three examples of audit evidence you would gather as part
‘of your evaluation of top management commitment. (3 arks)
2.3. Apostive auditor attribute is to be diplomatic.
2) State the meaning of “iplomatic’ and give an example to demonstrate how
(3 marks)
an auditor could be diplomatic.
b) Describe briefly the effect that not being diplomatic could have
(2 marks)
‘on an aut
155 Bxinaton 13/20 Satara 203 seca operates by 56S Kana id
Tote te2a
‘amaton 5 rarination Paper for armton Sect Usngeeat Stee
{At the opening meeting of an external audit, the management representative
Informs you that a recent internal audit has found many nonconformities
relating fo the in house purchasing department.
Corrective action has already been planned. The management representative
therefore suggests that to audit this department again would add no value and
‘asks Ifyou could delete this department from
the audit plan and spend more time in the production area.
Cutline five issues you would include in the response you would give
to this request. (S marks)
159 Samiion 1/10 Sepeber 20: ate reserve pty SS anya
Poms‘amino 5S uamnstion Pape forinartion acy Haagen Start
Section three ~ one question worth ten marks
aa
During a routine surveillance visit, the organisation you are aueiting informs
you that they no longer carry out any design work. This activity is now
Sutsourced to @ subcontractor
Give four examples of aut evidence you would look for to determine the
conformance of the current system with ISO 27001, given the information you
have just received,
AND
For each of your examples, identify the clause(s) of ISO 27001 that relate to
this situation
(2 marks for each example and 0.5 mark for identifying the clause(s) of 150
27001 relevant to each of the four examples = total 10 marks)
1995 barinston 1/10 Setter 201 ~ lt reserved operated by 9 Kaya id
Powteramination SS Examination Pape for formation Sct Uangement Stems
3.2 Section four ~ one question worth ten marks:
Instructions to student:
{Questions in this section ae designed to test your abilty to analyse audit situations,
evaluate autit evidence and apply knowledge ofthe audit criteria correctly.
Three audit situations are deseribed. For each, review the information and evidence in
the scenario and decide if there is sufficient evidence to report the findings 2
onconformity with the auat enteria, ISO 27001 (curent issue).
either
‘+ Where you determine there is sufficient evidence, complete the noxconformity
report template,
Marking scheme for @ nonconformity:
1. For correctly identifying the scenario as a nonconformity (2 marks)
2, Fora clear description of the nanconformity (@ marks)
3. For correctly quoting relevant evidence (3 marks)
4. For correcty ientilying the relevant 1SO 27001 requirement
oo)
‘5. Overall clarity ofthe nonconformiy report or)
Note: ifyou raise a nonconformity report when there is ne nonconformity, 0
(ero) marks will be awarded.
or
+ Ifyou think there isnot yet suffisent evidence to report your findings as &
rnonconformity, complete the audit investigation template, cleary
stating
1, Your reason(s) for thinking there isnot yet sufficient evidence to report
‘yur findings as a noncontormity (@ marks)
2. How you would investigate to determine conformity or nonconformty.
Include audit trails you would follow and specine examples of aud
evidence you would seek and for what purpose. (@ marks)
Note: if you compete the audit investigation template for a situation
where there ls evidence that a nonconformiy exists, a maximum 2f 7
‘marks may be awarded as follows:
‘+ Providing a valid reason why there is insufficient evidence fr 2
ronconfermity (marks)
1+ Providing relevant audit trails as above (5 marks)
1595 baron 1/10 Septeer 203 ~ Al pts reserve peat by 9S Kanal
Toe dele“x1 Audit situation one:
In an area dedicated to disposal of faled and redundant IT equipment you are
examining the disposal record for asset number 1234, a laptop PC. You note that
In the final inspection records the word 'OK’ is written next to the statzment that all
Information has been securely erased from the device.
‘The record shows that this laptop PC has been bought from the company by an
‘employee for their private use. When asked about this, the manager explains that
Usable equipment Is sold internally with proceeds going to a nominated charity.
You ask to see the equipment in use to see if information has been erased as stated
In the record, ‘The manager starts the PC which boots up to show a Microsoft
Windows xP® operating system. Further inspection of File Explorer indicates that
the fe system is apparently empty.
IF you think there is sufficient evidence to report your findings as @ nonaonformiy
‘+ Complete the nonconformity report on the following page
1545 Sxinsin 1/10 Sater 2013 Al fs reserved operate y 55 Kaya is
oc ibatte‘rainson BS ramon Paper for informaton Sct Management Stent
IRCA ISMS AUDIT - NONCONFORMITY REPORT
Deserotion of he nencontemity (Max 3 marks
eovantencence (Hx 3 Marks)
150 270012013 douse oa requirement (Max I Mar
1 Sor eentiying te scenario a6 2 nonconformty 2 Marks are aworseg
oR
‘+ Complete your answer on the following page.
{ss intr 10 Serer 2013 ~ ls rezoned spray CS Kana id
fopttarte‘amination 5 amination Paper for formation Secy Management Stems
‘Audit situation one:
+ Give your reason(s) for thinking there is not yet sufficient evidence to report
Your findings as a nonconformity.
+ Describe how you would investigate further to determine conformity or
oncanformity. Include audit tralls you would follow and specific examples of
‘audit evidence you would seek end for what purpose.
Audit investigation template
earn why ther ot yet sffen even for repotng noncanormy (ax 2 Rar
ce sought ond purpose (Hex? Merk or
1996 Sain 1/10 Septorber 201 ~ A ete reser pata y SS anya
‘oe Bote{amination SS Examination Pape or formation Sect Hangeent stems
‘THIS 15 THE END OF AUDIT SITUATION ONE
155 Bxarinaton 15/20 Serer 2013 Al ats resaved opted by 565 Keno Ud
Reeseamino BS Examination Pape for formation Seca Maragement Stems
198 amin 1/10 Septeber 201A reserves peasy SS arya
oe ot