CONFIDENTIAL Examination ISMS Examination Paper for Information Security Management Systems Internal Auditor Training Courses Please write your name and the date in the space below. ate THESE SPACES ARE FOR OFFICIAL USE ONLY Marker orker2__| Pass mark | Maximum é 10 15 20 7 10 7 0 Total 35 30 Name of Marker ‘This examination is closed book. ‘+ A clean copy of 150 27001 and a bilingual dictionary are the only tems permitted for reference. + Electronic devices, including laptops and mobile phones, are not permitted into ‘the examination room. Exceptions may be granted to students with special needs. ISHS Bxranton 13/20 Serr 2013 AE gs eserves by 56S Kr is MtateInformation for students ‘The examination paper isn four sections. Attempt all sections and all questions. ‘The time allowed fs 80 minutes. There f= no addtional time allowed for reading the examination paper. ‘0 |riarks af’ avallabies Te pase youlmiust achieve at least'35/miark= (70%)/and {You must achieve atleast 50% in each of the four sections. The mapimum ‘marks for each question, or part of a question, are shawn in brackets, ‘Your answers must be written on the sheets supplied. Please avoid writing in the margins) these are for the markers, Write on the reverse side of a page I ecessaty. Additional loase sheets will nt be accepted All references to 1SO 27001 refer tothe latest Issue. Action verb Meaning describe depict in words explain sive a clear account of coutine sive the most important features of (less depth than explain or describe) sive provide without explanation (used normally with the Instruction to give an example (or examples) of .m) st provide a ist without explanation (bullet points) ‘entity select and name define provide a generally recognised or accepted definition state 2 less demanding form of ‘define’ or where there is no ‘enerally recognised definition 586 Darton 1/10 Ssteber 20:3 - Ags sed peta y SS Kony Sota‘amination MS Eamon Paper for formation Secy Mangement tee Section one ~ Five questions worth two marks each 41.1 A key requirement of internal audits is that they are objective and impartial. Describe the difference between objectivity and impartiality in this context, (marks) 1.2. Explain, in the context of auditing, the difference between being argumentative and being assertive. (2 marks) 1.3. The level of legal and regulatory compliance is one measure of the performance of an Information security management system List two methods an organisation can use to determine its leve of legal and regulatory compliance. (2 marks) 19 barunton 1/10 Sete 201 ~t atresrved operate by 5 Keys anaes‘emt Ss xarnaton Pape or formation Sect Uangement ates 1.4 Clause 6.1.3 of 150 27001 requites appropriate information security risk treatment options to be carried out, Briefly describe two of the four Principal risk treatment options that may be applied to a risk. (2 marks) 1.5. Identify two ways in which an auditor can verify that agreed corrective ‘actions have been effectively implemented (2 marks) {ss exariraton 1/10 Satter 2013 A as resected by 56S Kee Ud Tact‘ransom Eamon Paper for frmation Scurty Management tens Section two ~ Four questions worth five marks each 2a 22 IS 27000 defines an ISMS as “part of the overall management system based ‘on 8 business risk approach 2) Explain your understanding of what is meant by "a business risk approach’ (2 marks) ») Identity six 150 27001 clauses that support such an approzch. (3 marks) 150 27001 requires top management to provide evidence of its leadership and commitment to the development and implementation othe information security management system. lefly a method you could use to evaluate top management (2 merks) 155 barns 1/10 Sater 2013 ~ gs reserve operate by SS Kaya Us Tosa‘saminton xaminaton oper normaton ear Mangement Sats b) Give three examples of audit evidence you would gather as part ‘of your evaluation of top management commitment. (3 arks) 2.3. Apostive auditor attribute is to be diplomatic. 2) State the meaning of “iplomatic’ and give an example to demonstrate how (3 marks) an auditor could be diplomatic. b) Describe briefly the effect that not being diplomatic could have (2 marks) ‘on an aut 155 Bxinaton 13/20 Satara 203 seca operates by 56S Kana id Tote te2a ‘amaton 5 rarination Paper for armton Sect Usngeeat Stee {At the opening meeting of an external audit, the management representative Informs you that a recent internal audit has found many nonconformities relating fo the in house purchasing department. Corrective action has already been planned. The management representative therefore suggests that to audit this department again would add no value and ‘asks Ifyou could delete this department from the audit plan and spend more time in the production area. Cutline five issues you would include in the response you would give to this request. (S marks) 159 Samiion 1/10 Sepeber 20: ate reserve pty SS anya Poms‘amino 5S uamnstion Pape forinartion acy Haagen Start Section three ~ one question worth ten marks aa During a routine surveillance visit, the organisation you are aueiting informs you that they no longer carry out any design work. This activity is now Sutsourced to @ subcontractor Give four examples of aut evidence you would look for to determine the conformance of the current system with ISO 27001, given the information you have just received, AND For each of your examples, identify the clause(s) of ISO 27001 that relate to this situation (2 marks for each example and 0.5 mark for identifying the clause(s) of 150 27001 relevant to each of the four examples = total 10 marks) 1995 barinston 1/10 Setter 201 ~ lt reserved operated by 9 Kaya id Powteramination SS Examination Pape for formation Sct Uangement Stems 3.2 Section four ~ one question worth ten marks: Instructions to student: {Questions in this section ae designed to test your abilty to analyse audit situations, evaluate autit evidence and apply knowledge ofthe audit criteria correctly. Three audit situations are deseribed. For each, review the information and evidence in the scenario and decide if there is sufficient evidence to report the findings 2 onconformity with the auat enteria, ISO 27001 (curent issue). either ‘+ Where you determine there is sufficient evidence, complete the noxconformity report template, Marking scheme for @ nonconformity: 1. For correctly identifying the scenario as a nonconformity (2 marks) 2, Fora clear description of the nanconformity (@ marks) 3. For correctly quoting relevant evidence (3 marks) 4. For correcty ientilying the relevant 1SO 27001 requirement oo) ‘5. Overall clarity ofthe nonconformiy report or) Note: ifyou raise a nonconformity report when there is ne nonconformity, 0 (ero) marks will be awarded. or + Ifyou think there isnot yet suffisent evidence to report your findings as & rnonconformity, complete the audit investigation template, cleary stating 1, Your reason(s) for thinking there isnot yet sufficient evidence to report ‘yur findings as a noncontormity (@ marks) 2. How you would investigate to determine conformity or nonconformty. Include audit trails you would follow and specine examples of aud evidence you would seek and for what purpose. (@ marks) Note: if you compete the audit investigation template for a situation where there ls evidence that a nonconformiy exists, a maximum 2f 7 ‘marks may be awarded as follows: ‘+ Providing a valid reason why there is insufficient evidence fr 2 ronconfermity (marks) 1+ Providing relevant audit trails as above (5 marks) 1595 baron 1/10 Septeer 203 ~ Al pts reserve peat by 9S Kanal Toe dele“x1 Audit situation one: In an area dedicated to disposal of faled and redundant IT equipment you are examining the disposal record for asset number 1234, a laptop PC. You note that In the final inspection records the word 'OK’ is written next to the statzment that all Information has been securely erased from the device. ‘The record shows that this laptop PC has been bought from the company by an ‘employee for their private use. When asked about this, the manager explains that Usable equipment Is sold internally with proceeds going to a nominated charity. You ask to see the equipment in use to see if information has been erased as stated In the record, ‘The manager starts the PC which boots up to show a Microsoft Windows xP® operating system. Further inspection of File Explorer indicates that the fe system is apparently empty. IF you think there is sufficient evidence to report your findings as @ nonaonformiy ‘+ Complete the nonconformity report on the following page 1545 Sxinsin 1/10 Sater 2013 Al fs reserved operate y 55 Kaya is oc ibatte‘rainson BS ramon Paper for informaton Sct Management Stent IRCA ISMS AUDIT - NONCONFORMITY REPORT Deserotion of he nencontemity (Max 3 marks eovantencence (Hx 3 Marks) 150 270012013 douse oa requirement (Max I Mar 1 Sor eentiying te scenario a6 2 nonconformty 2 Marks are aworseg oR ‘+ Complete your answer on the following page. {ss intr 10 Serer 2013 ~ ls rezoned spray CS Kana id fopttarte‘amination 5 amination Paper for formation Secy Management Stems ‘Audit situation one: + Give your reason(s) for thinking there is not yet sufficient evidence to report Your findings as a nonconformity. + Describe how you would investigate further to determine conformity or oncanformity. Include audit tralls you would follow and specific examples of ‘audit evidence you would seek end for what purpose. Audit investigation template earn why ther ot yet sffen even for repotng noncanormy (ax 2 Rar ce sought ond purpose (Hex? Merk or 1996 Sain 1/10 Septorber 201 ~ A ete reser pata y SS anya ‘oe Bote{amination SS Examination Pape or formation Sect Hangeent stems ‘THIS 15 THE END OF AUDIT SITUATION ONE 155 Bxarinaton 15/20 Serer 2013 Al ats resaved opted by 565 Keno Ud Reeseamino BS Examination Pape for formation Seca Maragement Stems 198 amin 1/10 Septeber 201A reserves peasy SS arya oe ot