Exam ISO-IEC-27001-Lead-Auditor Topic 3 Question 344 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 344
Topic #: 3

You are an experienced ISMS auditor, currently providing support to an ISMS auditor in training who is carrying out her first initial certification audit.
She asks you what she should be verifying when auditing an organisation's Information Security objectives.
You ask her what she has included in her audit checklist and she provides the following replies.
Which three of these responses would cause you concern in relation to conformity with ISO/IEC 27001:2022?

A. I am going to make sure that Information Security objectives are reviewed at all management reviews B. I am going to check how each Information Security objective has been communicated to those who need to be aware of it C. I am going to check that a completion date has been set for each objective D. I am going to check that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them E. I am going to check that the Information Security objectives are distributed to all staff so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved F. I am going to check that the necessary budget, manpower and materials to achieve each objective has been determined G. I am going to check that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this H. I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed

Suggested Answer: A,E,H Vote an answer

The requirements for Information Security objectives are found in ISO/IEC 27001:2022, clause 6.2:
* Top management shall ensure that information security objectives are established.
* Objectives must:
* Be consistent with the information security policy.
* Be measurable (if practicable).
* Take into account applicable information security requirements, and results from risk assessments and risk treatment.
* Be communicated.
* Be monitored.
* Be updated as appropriate.
* When planning how to achieve objectives, organisations must determine:
* What will be done.
* What resources will be required.
* Who will be responsible.
* When it will be completed.
* How the results will be evaluated.
Analysis of each option:
* A. Reviewed at all management reviews # Concern.ISO 27001 clause 9.3 (Management review) requires that the status of objectives is reviewed, but not at all management reviews - only at scheduled ones. Mandating every review is incorrect.
* B. Communication # Correct.Clause 6.2 requires objectives to be communicated. This is valid.
* C. Completion date # Correct.Clause 6.2 requires organisations to determine when it will be completed.
Valid.
* D. Measurable # Correct.Clause 6.2 explicitly says objectives must be measurable (if practicable).
Valid.
* E. Distributed to all staff # Concern.Clause 6.2 requires objectives to be communicated to those who need to be aware, not all staff. This is overreach and not aligned with the standard.
* F. Budget/resources # Correct.Clause 6.2 requires determining what resources will be required. Valid.
* G. Process to revisit # Correct.Clause 6.2 requires objectives to be updated as appropriate. Valid.
* H. Top management determine annually # Concern.Clause 6.2 requires top management to ensure objectives are established, but there is no requirement for an annual cycle. This could cause mis-audit findings.
* ISO/IEC 27001:2022, Clause 6.2 (Information security objectives and planning to achieve them)

by Colby at Jun 28, 2026, 02:19 AM

Limited Time Offer

15%

Off

Get Premium ISO-IEC-27001-Lead-Auditor Questions as Interactive Self Test Engine or PDF

Comments

Here are all the actual test exam dumps for IT exams. Most people prepare for the actual exams with our test dumps to pass their exams. So it's critical to choose and actual test pdf to succeed.

RECENT DISCUSSIONS

Useful Links

Contact Us

Our Working Time: ( GMT 0:00-15:00 )
From Monday to Saturday

Support: Contact now

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Disclaimer:
Actual4test doesn't offer Real SANS and GIAC Exam Questions.
Oracle and Java are registered trademarks of Oracle and/or its affiliates
Actual4test material do not contain actual actual Oracle Exam Questions or material.
Actual4test doesn't offer Real Microsoft Exam Questions.
Microsoft®, Azure®, Windows®, Windows Vista®, and the Windows logo are registered trademarks of Microsoft Corporation
Actual4test Materials do not contain actual questions and answers from Cisco's Certification Exams. The brand Cisco is a registered trademark of CISCO, Inc
CFA Institute does not endorse, promote or warrant the accuracy or quality of these questions. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.
Actual4test does not offer exam dumps or questions from actual exams. We offer learning material and practice tests created by subject matter experts to assist and help learners prepare for those exams. All certification brands used on the website are owned by the respective brand owners. Actual4test does not own or claim any ownership on any of the brands.