NO.73 The computer room is protected by a pass reader. Only the System Management department has a pass. What type of security measure is this?
A physical security measure is a measure that protects information and information processing facilities from physical threats and hazards, such as fire, flood, earthquake, theft, vandalism, etc. Physical security measures include locks, alarms, fences, cameras, fire extinguishers, ventilation systems, etc. The computer room is protected by a pass reader that only allows authorized personnel from the System Management department to access it. This is an example of a physical security measure, because it prevents unauthorized physical access to the computer room and its contents. ISO/IEC 27001:2022 requires the organization to implement physical and environmental security controls to prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities (see clause A.11). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology – Security techniques – Information security management systems – Requirements, What is Physical Security?
NO.74 Changes to project-managed applications or databases should undergo the change control process as documented.
Changes to project-managed applications or databases should undergo the change control process as documented, because this is a requirement of ISO/IEC 27001:2022 clause 12.1.2, which states that “the organization shall define and apply a change management process for changes to systems and applications within the scope of the information security management system”. The change management process should ensure that changes are recorded, assessed, authorized, prioritized, planned, tested, implemented, documented and reviewed in a controlled manner. Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course; ISO/IEC 27001:2022 Information technology – Security techniques – Information security management systems – Requirements.
NO.76 You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items, with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses on the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?
B) 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers.
D) 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms.
E) 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks. Storage media controls could include physical locks, encryption, backup, disposal, or destruction.
F) 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets.
I) 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts.
J) 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes. Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse.
Reference:
ISO/IEC 27002:2022 Information technology – Security techniques – Code of practice for information security controls
ISO/IEC 27001:2022 Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC 27003:2022 Information technology – Security techniques – Information security management systems – Guidance
ISO/IEC 27004:2022 Information technology – Security techniques – Information security management systems – Monitoring, measurement, analysis and evaluation
ISO/IEC 27005:2022 Information technology – Security techniques – Information security risk management
ISO/IEC 27006:2022 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27007:2022 Information technology – Security techniques – Guidelines for information security management systems auditing
NO.78 Which of the following factors does NOT contribute to the value of data for an organisation?
The value of data for an organisation depends on various factors, such as the correctness, indispensability, importance, relevance, timeliness, completeness, and uniqueness of data. The content of data, however, does not contribute to its value, as it is merely the representation of data in a specific format or structure. The content of data can change depending on how it is processed, stored, or presented, but the value of data is derived from its meaning and usefulness for the organisation. Therefore, the correct answer is D. Reference: Putting a value on data – PwC UK, page 3; What is Data Value? How to Define the Value of Your Data.
NO.83 All are prohibited in acceptable use of information assets, except:
The only option that is not prohibited in acceptable use of information assets is C: company-wide e-mails with supervisor/TL permission. This option implies that the sender has obtained the necessary authorization from their supervisor or team leader to send an e-mail to all employees in the organization. This could be done for legitimate business purposes, such as announcing important news, events or updates that are relevant to everyone. However, this option should still be used sparingly and responsibly, as it could cause unnecessary disruption or annoyance to the recipients if abused or misused.
The other options are prohibited in acceptable use of information assets, as they could violate the information security policies and procedures of the organization, as well as waste resources and bandwidth. Electronic chain letters (A) are messages that urge recipients to forward them to multiple other people, often with false or misleading claims or promises. They are considered spam and could contain malicious links or attachments that could compromise information security. E-mail copies to non-essential readers (B) are messages that are sent to recipients who do not need to receive them or have no interest in them. They are considered unnecessary and could clutter the inbox and distract the recipients from more important messages. Messages with very large attachments or to a large number of recipients (D) are messages that consume a lot of network resources and could affect the performance or availability of the information systems. They could also exceed the storage capacity or quota limits of the recipients’ mailboxes and cause problems for them. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3).
Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course; ISO/IEC 27001:2022 Information technology – Security techniques – Information security management systems – Requirements; What is Acceptable Use?
NO.84 An employee caught committing the offense of abusing the internet, such as P2P file sharing or video/audio streaming, will not receive a warning for committing such an act but will directly receive an IR.
According to ISO/IEC 27001:2022, clause A.8.1.5, the organization should establish and implement a clear policy on the acceptable use of information assets, including the internet. The policy should define the rules and consequences for violating them, such as disciplinary actions or legal sanctions. The policy should also be communicated to all users and relevant parties. Therefore, if an employee is caught abusing the internet, such as P2P file sharing or video/audio streaming, they will not receive a warning but will directly receive an IR (incident report), which is a formal record of the incident and its impact, as well as the corrective actions taken or planned. Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course Handbook, page 54; [ISO/IEC 27001:2022], clause A.8.1.5.