Assess CertsIQ's updated ISO-IEC-27001-Lead-Auditor exam questions for free online practice for your PECB Certified ISO/IEC 27001 Lead Auditor test. Our ISO/IEC 27001 Lead Auditor dumps questions will enhance your chances of passing the ISO 27001 certification exam with higher marks.
Which two of the following phrases are 'objectives' in relation to a first-party audit?
What is the worst possible action that an employee may receive for sharing his or her password or access with others?
Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires its clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.
Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.
Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteria. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.
During the audit, among others, the following situations were observed:
1. The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.
2. There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed of any possible change that might occur.
3. There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.
Based on this scenario, answer the following question:
Regarding the third situation observed, auditors themselves tested the configuration of firewalls implemented in SendPay's network. How do you describe this situation? Refer to scenario 4.
Which one option best describes the purpose of retaining documented information related to the Information Security Management System (ISMS) of an organisation?
Stages of Information
© Copyrights CertsIQ 2026. All Rights Reserved