
Scenario 2:

Clinic is a medical device company founded in the 1960s. It offers a wide range of
medical devices that help the treatment of heart-related diseases and are used in
crucial and difficult surgical interventions. With an established international
reputation, the company is always in high demand throughout Europe.

Clinic initially focused its efforts on providing accurate medical devices for specific
heart-related diseases. Over time, its expertise grew and new opportunities arose.
Today, Clinic is a pioneer in manufacturing top-quality medical devices. Their client
list includes some of the largest health care providers in Europe. Some of Clinic's
main characteristics are their comprehensive understanding of and approach to
information security regulations, laws, and best practices, their ability to meet their
clients' security needs, and the protection of their proprietary information.

The company wanted to implement an information security management system
(ISMS) and become certified against ISO/IEC 27001. The decision was
communicated to all employees. An external consultant was hired to help with the
implementation process and held a training session with the implementation project
team before the implementation began. The security awareness and
communication culture within the company made the process much easier.

The first step of the implementation process was to identify Clinic's existing security
controls and conduct a risk assessment. The risk assessment process was
conducted only at the beginning of the ISMS implementation and its results provided
the basis for establishing appropriate policies and selecting additional security
controls to reduce the assessed risks to an acceptable level. Communication during
the process was excellent and the risk assessment results were communicated
directly to the top management, which made them feel like they did not need to
document the results. The results were not documented.

The implementation process was harder than expected, so the company decided to
ignore some security controls of Annex A of ISO/IEC 27001 that were considered
unnecessary and expensive. On the other hand, they added a number of controls
from a reliable source that was not part of the standard. According to their research,
the controls helped companies in their sector to enhance the security of specific
information assets.

The implementation project team evaluated the applicability of the security controls
against the external and internal factors related to the ISMS. Then, they drafted the
Statement of Applicability (SoA), which comprised an exhaustive list of the controls
that they considered applicable from Annex A of ISO/IEC 27001 and the other
sources. An overview of the implementation steps and the justification for their
implementation was provided for controls with the status "Implemented".
Based on the scenario above, answer the following questions:

1. Does the SoA document comply with the standard requirements?
A. Yes, because it comprises an exhaustive list of controls
considered applicable from Annex A of ISO/IEC 27001 and the
other sources
B. No, because security controls selected from sources other than Annex A of
ISO/IEC 27001 are included
C. No, because it does not contain the justification for the exclusion of controls
from Annex A of ISO/IEC 27001

2. Clinic, as presented in scenario 2, decided to exclude some security controls
from Annex A of ISO/IEC 27001. Is this acceptable?
A. Yes, only the security controls deemed applicable to Clinic's context should
be implemented
B. Yes, only if Clinic has implemented the majority of security controls from
Annex A of ISO/IEC 27001
C. No, Clinic should implement all the security controls from Annex A of ISO/IEC
27001 in order to comply with standard requirements

3. Based on scenario 2, Clinic performed the risk assessment only at the beginning
of the ISMS implementation. Is this acceptable?
A. Yes, risk assessment is not part of auditing activities, hence this does not
represent an audit finding
B. Yes, Clinic decides when risk assessment should be performed
C. No, Clinic should perform risk assessment at planned intervals, as per
ISO/IEC 27001's requirements

4. Which of the options provided below shows that Clinic is not complying with
ISO/IEC 27001's requirements regarding the risk assessment process?
Refer to scenario 2.
A. Clinic identified, analyzed, and evaluated the information security risks at
the beginning of the ISMS implementation
B. Clinic identified the existing controls prior to conducting the risk assessment
process
C. Clinic did not document the risk assessment results

5. Clinic selected the security controls that could help them reduce risks to an
acceptable level. What does it indicate? Refer to scenario 2.
A. Clinic decided to treat risks by selecting the appropriate security controls
B. Clinic decided to modify risks by sharing them with external parties
C. Clinic decided to avoid the identified risks based on an acceptance level

Stand-alone questions:

6. Which of the following is an example of risk modification?
A. An organization implements content filtering solutions to mitigate
ransomware attacks
B. An organization uses unlicensed software, as it cannot afford the software
license costs
C. All potential employees of an organization undergo a screening process
before being considered for hiring

7. What should be monitored and reviewed continually in an ISMS?
A. The effectiveness of security controls
B. The root causes of nonconformities
C. The functions of security controls

8. A marketing agency is defining its risk assessment approach. After identifying
the risk assessment methodology, what else should be identified?
A. The acceptable levels of risk
B. The risk treatment options
C. The existing controls

Scenario 3:

Rebuildy is a construction company headquartered in California with locations in
many other areas within the US. They specialize in designing, building, and
maintaining residential buildings.

Rebuildy's main market is in the US, but they aim to slowly expand globally. To do so,
they had to first achieve international recognition. A way of doing so was to
implement an information security management system (ISMS) based on ISO/IEC
27001. This included a comprehensive understanding of information security risks, a
defined continual improvement approach, and robust business solutions.

The ISMS implementation outcomes are presented below:

• Information security is achieved by applying a set of security controls and
establishing policies, processes, and procedures.
• Security controls are implemented based on risk assessment and aim
to eliminate or reduce risks to an acceptable level.
• All processes ensure the continual improvement of the ISMS based on the
plan-do-check-act (PDCA) model.
• The information security policy is part of a security manual drafted based on best
security practices. Therefore, there is no stand-alone document for the policy.
• Information security roles and responsibilities have been clearly stated in
every employee's job description.
• Management reviews of the ISMS are conducted at planned intervals.

Rebuildy applied for certification after two midterm management reviews and one
annual internal audit.

Before the audit, a former employee of Rebuildy approached one of the audit team
members to tell them that Rebuildy has several security problems that they are trying
to conceal. The former employee presented documented evidence to the audit
team member, who decided to accept it.

The documented evidence obtained from the former employee was attached to the
audit report, along with the nonconformities report. Among others, the following
nonconformities were detected:
• An illegally downloaded movie file was found on one of the employees' desktops.
• A stand-alone information security policy has not been established. Instead, the
company uses a security manual drafted based on best security practices.

After receiving these documents from the audit team, the audit team leader decided
to conduct a meeting with Rebuildy's top management to present the audit
findings. However, at the last minute, Rebuildy offered the audit team a higher
payment than the one offered by the certification body, and the audit team
changed their decision and decided to give a recommendation for certification.

Based on the scenario above, answer the following questions:

9. The audit team member decided to take into consideration the
information given by the former employee. Is this acceptable?
A. Yes, the audit team leader should take into consideration all available
sources of information
B. Yes, since the former employee supports the given information
with documented evidence
C. No, the audit findings should be factual statements based on only
objective evidence collected during the audit

10. The audit team did not report the absence of a written information
security policy. What are the consequences of this action for the audit?
Refer to scenario 3.
A. There are no impacts because the audit was conducted in accordance
with current professional practices
B. The audit findings should not be questioned because the auditor can
decide which audit findings should be reported
C. The audit findings should be challenged and a new audit should be
assigned because the auditor chose to ignore a major nonconformity

11. Based on scenario 3, what is the first step that the auditor should take
when detecting an illegally downloaded file on one of the employees'
computers?
A. Issue a major nonconformity immediately and report it to
the top management
B. Report the finding to Rebuildy's top management and together
evaluate whether the observed situation is a nonconformity
C. Withdraw from the audit since this situation is an illegal act

12. The audit team obtained to determine if Rebuildy
has established an information security policy:
A. Documentary evidence
B. Verbal evidence
C. Technical evidence

13. Based on the last paragraph of scenario 3, what has the audit team violated?
A. The independence principle
B. The security of information collected during the audit
C. The evidence-based approach