You are an experienced audit team leader guiding an auditor in training.

PECB ISO-IEC-27001-Lead-Auditor Question Answer

Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the Statement of Applicability (SoA) and mplemented at the site.

Select four controls from the following that would you expect the auditor in training to review.

Confidentiality and nondisclosure agreements

How protection against malware is implemented

Information security awareness, education and training

Remote working arrangements

The conducting of verification checks on personnel

The operation of the site CCTV and door control systems

The organisation's arrangements for information deletion

Explanation:

The PEOPLE controls are related to the human aspects of information security, such as roles and responsibilities, awareness and training, screening and contracts, and remote working. The auditor in training should review the following controls:

Confidentiality and nondisclosure agreements (A): These are contractual obligations that bind the employees and contractors of the organisation to protect the confidentiality of the information they handle, especially the data of external clients. The auditor should check if these agreements are signed, updated, and enforced by the organisation. This control is related to clause A.7.2.1 of ISO/IEC 27001:2022.

Information security awareness, education and training ©: These are activities that aim to enhance the knowledge, skills, and behaviour of the employees and contractors regarding information security. The auditor should check if these activities are planned, implemented, evaluated, and improved by the organisation. This control is related to clause A.7.2.2 of ISO/IEC 27001:2022.

Remote working arrangements (D): These are policies and procedures that govern the information security aspects of working from locations other than the organisation’s premises, such as home or public places. The auditor should check if these arrangements are defined, approved, and monitored by the organisation. This control is related to clause A.6.2.1 of ISO/IEC 27001:2022.

The conducting of verification checks on personnel (E): These are background checks that verify the identity, qualifications, and suitability of the employees and contractors who have access to sensitive information or systems. The auditor should check if these checks are conducted, documented, and reviewed by the organisation. This control is related to clause A.7.1.1 of ISO/IEC 27001:2022.

References:

ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements

PECB Candidate Handbook ISO/IEC 27001 Lead Auditor, 1

ISO 27001:2022 Lead Auditor - IECB, 2

ISO 27001:2022 certified ISMS lead auditor - Jisc, 3

ISO/IEC 27001:2022 Lead Auditor Transition Training Course, 4

ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy, 5

PECB ISO-IEC-27001-Lead-Auditor View All Questions