
Exam Lead Auditor topic 1 question 110 discussion

Actual exam question from PECB's Lead Auditor
Question #: 110
Topic #: 1

You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. The next step in your audit plan is to verify the information security of ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned that the organization outsourced the mobile app development to a professional software development organization that is CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified.
The IT Manager presents the software security management procedure and summarises the process as follows:
The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available:
  • Access control;
  • Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key length: 256 bits;
  • Personal data pseudonymization; and
  • Vulnerability checked and no security backdoor.
You sample the latest Mobile App Test report - Reference ID: 0098, details as follows:

You would like to investigate other areas further to collect more audit evidence. Select three options that will not be in your audit trail. (Choose three.)

  • A. Collect more evidence by downloading and testing the mobile app on your phone. (Relevant to control A.8.1)
  • B. Collect more evidence to determine the number of users of ABC's healthcare mobile app. (Relevant to clause 4.2)
  • C. Collect more evidence on how much residents' family members pay to install ABC's healthcare mobile app. (Relevant to clause 4.2)
  • D. Collect more evidence on how the developer trains its product support personnel. (Relevant to clause 7.2)
  • E. Collect more evidence on how the organization manages information security in the selection of an external service provider. (Relevant to control A.5.19)
  • F. Collect more evidence on how the organization performs testing of personal data handling. (Relevant to control A.5.34)
  • G. Collect more evidence on the organization's business continuity policy. (Relevant to control A.5.30)
  • H. Collect more evidence to verify the developer's CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certification. (Relevant to control A.5.21)
Suggested Answer: ACG

Comments

ROCTW
3 weeks, 5 days ago
Selected Answer: ABC
A. (Relevant to control A.8.1) Invalid. This is inappropriate auditor behavior. As a certification auditor, you should not perform direct technical testing (like penetration testing or vulnerability assessment) on personal devices or outside the auditee's controlled environment. It violates audit independence and security best practices.
B. (Relevant to clause 4.2) Invalid. Clause 4.2 (Understanding interested parties' needs and expectations) focuses on information security requirements. The "number of users" is a business metric, not a direct information security need or expectation, and does not explain or impact the core issue of failed encryption/pseudonymization.
C. (Relevant to clause 4.2) Invalid. The cost of the app is a financial/commercial detail, completely irrelevant to the ISMS, its security controls, or the information security needs/expectations outlined in Clause 4.2.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other