27001 Lead Auditor Scenario Based Questions

Instructions

Each of the following audit scenarios may include sufficient evidence of nonconformity with the requirements of ISO 27001. In the space provided, write the number and the sub-clause reference of ISO 27001 that most directly relates to the nature of the nonconformity. If more than one clause is directly relevant, note them all and circle the best one.

If insufficient evidence of nonconformity is shown, state what you would look for before reaching a conclusion on the NC ranking (major or minor).

SAMPLE ANSWER FOR GUIDANCE: Where more than one clause is directly relevant, noting them all and circling the best one is optional; in the majority of cases a single clause is identified. In place of the organization name, you may write ABC Pty Ltd. The category of nonconformity is decided on judgement: if the nonconformity could result in a complete breakdown of the management system, classify it as a Major Nonconformity.

Scenario 1
The auditee is unable to provide an ISMS Scope document identifying internal and external issues considered, requirements from interested parties for specific information security needs, or internal and external dependencies between activities performed within or outside the organization impacting internal processes.
This is a case where a nonconformity is to be raised, because a requirement of the standard is not complied with. In this scenario, Section A is filled in as below: first the nonconformity statement, then the standard requirement, and then the objective evidence that was sighted. All three subsections are mandatory whenever a nonconformity is raised.
Section A
Organization Name:
Non-Conformity no.:
Process Under Review:
ISO 27001 Clause no.:
Category of Non-Conformity: Major/Minor
Nonconformity statement: The ISMS scope document was not available during the audit.
Standard Requirement: When determining this scope, the organization shall consider: a) the external and internal issues referred to in 4.1; b) the requirements referred to in 4.2; and c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. The scope shall be available as documented information. (Taken directly from the standard.)
Objective Evidence: No ISMS scope document identifying the internal and external issues considered, the requirements from interested parties for specific information security needs, or the internal and external dependencies between activities performed within or outside the organization impacting internal processes could be produced during the audit.

Section B
Further investigation:
Scenario 7
According to interviews with purchasing staff, purchasing employees use their private home PCs to email customers when confirming orders and customer requirements outside business hours and on weekends. The "Management System Manual" (MA-QA-01) only permits company or customer data to be processed on configured systems.
This is a scenario where there is insufficient evidence for raising a nonconformity, so further investigation is required. In this scenario, Section B is filled in with bullet points listing the questions to be asked during further investigation, as below.
Section A
Organization Name:
Non-Conformity no.:
Process Under Review:
ISO 27001 Clause no.:
Category of Non-Conformity: Major/Minor
Nonconformity statement:
Standard Requirement:
Objective Evidence:
Section B
Further investigation:
- Does the organization's policy provide for configuration of home PCs?
- What is the organization's policy for teleworking?
- What is the organization's mobile device policy?
- How is remote access provided when working from home?
ISO 27001 LA Scenario based questions
Scenario

The auditee is unable to provide an ISMS Scope document identifying internal and external issues considered, requirements from interested parties for specific information security needs, or internal and external dependencies between activities performed within or outside the organization impacting internal processes.

Section A

Category of Non-Conformity

Section B


Scenario

A review of the ISMS policy shows no specific reference to management’s commitment to the importance of an effective information security management system being necessary to the success of the organization. Neither can the auditor find any evidence of management oversight review and analysis of ISMS performance results.

Section A

Category of Non-Conformity

Section B


Scenario

The Information Security risk assessment document does not define risk acceptance criteria to be employed when deciding to assume risks.

Section A

Category of Non-Conformity

Section B


Scenario

The organization has excluded the ISO 27001 Annex A control "Third Party Service Delivery Management" without obtaining management authorization for the exclusion. The exclusion has not been justified in the ISMS documentation.

Section A

Category of Non-Conformity

Section B


Scenario

The Statement of Applicability (SP-EX-01) referenced from the Management System Manual (MA-QA-01) does not include justification of exclusion.

Section A

Category of Non-Conformity

Section B


Scenario

Review of ISMS documentation materials did not produce evidence of ISMS awareness materials or activities. Interviews with the CSO confirmed that no formal training was provided to staff, but all were required to read and understand the IS Security policies.

Section A

Category of Non-Conformity

Section B


Scenario

According to interviews with purchasing staff, purchasing employees use their private home PCs to email customers when confirming orders and customer requirements outside business hours and on weekends. The "Management System Manual" (MA-QA-01) only permits company or customer data to be processed on configured systems.

Section A

Category of Non-Conformity

Section B


The auditor can find no apparent evidence of management approval of the Information Security Policy & Objectives statement in the Management System Manual (MA-QA-01).

Section A

Category of Non-Conformity

Section B


The "Controlling Documents" procedure (PR-QA-01) does not address the need to classify and protect company and customer documents and records. There is no reference to the levels of confidentiality for the various document types or to how the different classification levels are to be handled.

Section A

Category of Non-Conformity

Section B


While storage devices are backed up on a regular basis, there was no evidence that the backup copies are tested for integrity and readability as required by the "Business Continuity & Data Recovery" Procedure (PR-IS-02).

Section A

Category of Non-Conformity

Section B


A review of information systems change management practices lacked documented evidence of risk identification for unplanned changes. Interviews with staff indicated risks were discussed but risk treatment decisions were not recorded.

Section A

Category of Non-Conformity

Section B


Interviews with the internal audit team revealed that previous ISMS audit records are deleted after 1 year due to increased storage costs.

Section A

Category of Non-Conformity

Section B


An internal ISMS audit from 11 months earlier identified a nonconformity described in a CAR. There is no evidence of any corrective action, which was due 7 months ago.

Section A

Category of Non-Conformity

Section B


ISMS issues are identified and reported monthly to top management. There is no evidence of ISMS analysis of issues over time or issue trend reporting.

Section A

Category of Non-Conformity

Section B


Computer operators are in the habit of keeping the computer room rear entrance door propped open to the receiving bays and the public areas while they take breaks.

Section A

Category of Non-Conformity

Section B


When asked about any exclusion from the standard controls in Annex A of ISO 27001, the InfoSec Manager said that the organization felt no need for "Supplier service delivery management" because all of their services are handled internally by employees. When asked to show where this exclusion had been justified, the InfoSec Manager said, "Well, it seemed logical to us, so we didn't document the exclusion, if that's what you mean."

Section A

Category of Non-Conformity

Section B


The auditor noticed that the CEO approval section of the published Information Security Policy & Objectives statement in the Management System Manual had not been filled in and asked the CEO why he had not approved it. He replied that he was waiting for the InfoSec Manager to define the Risk Treatment Controls in the Statement of Applicability and that he would not sign off until the manual was complete. He said, "I can't imagine why it is taking him so long to get that done, the rest of the manual looks good to me!"

Section A

Category of Non-Conformity

Section B


The auditor noticed that the Information Security Risk Treatment Controls section of the Statement of Applicability table (SP-EX-01) was incomplete, and when asked about it the InfoSec Manager replied, "I am waiting on the CEO to assign priority so I can get a resource to help me get this done. I wish he would hurry up and get back to me so that I can get this risk treatment controls guidance implemented."

Section A

Category of Non-Conformity

Section B


The auditor was alerted to the fact that an Internal Audit from 11 months earlier had initiated a Corrective Action Request (CAR-Form) which is now overdue by 7 months. When the process owner, the InfoSec Manager, was asked to explain what the CAR-Form was all about and why there was a delay in addressing it, the InfoSec Manager replied, "This is the same issue we talked about before, where I am waiting for the CEO to get me some resources to complete the Risk Treatment Controls guidance. Are you going to raise a second non-conformance for the same problem?" The auditor calmly explained that there are times when different system issues need to be highlighted even though they may revolve around the same incident. The auditor explained that this particular issue is about the corrective action system not being effective, not the failure to complete the documentation.

Section A

Category of Non-Conformity

Section B


The auditor asked if the system produces security incident logs with details of attempted and successful security breaches. The InfoSec Manager proudly produced a pile of printed sheets from the corner of his office. The auditor asked about the procedure for reviewing the logs to determine the effectiveness of the security system, and the InfoSec Manager replied, "Our Security Incident Handling Procedure (PR-IS-01) has a few paragraphs about that."

Section A

Category of Non-Conformity

Section B


The auditor asked the CEO if he ever handled highly confidential and sensitive information for his customers. The CEO replied that this was often the case, especially when receiving orders and requirements from customers. When the auditor asked what different information classification labels were used, the CEO was silent for a moment and then replied, "We try to treat everything as 'top secret'." The auditor later confirmed that the procedure "Controlling Documents" (PR-QA-01) did not address the subject of information classification, including the "top secret" classification mentioned by the CEO.

Section A

Category of Non-Conformity

Section B


The IT Manager showed the auditor the regular schedule for storage device back-up and the run log that indicated successful completion of each scheduled back-up job. The auditor asked to see the results of tests confirming that the backup copies would be readable should a data recovery event be required. The IT Manager said, "I know we are supposed to do that, and we do explain how to do that in our Business Continuity & Data Recovery procedure, but we cannot agree on a time to run the tests that suits everyone involved, so we didn't get around to conducting any tests."

Section A

Category of Non-Conformity

Section B


The auditor asked the Purchasing Manager about the workload in his department and whether there were plans to hire any additional staff. The auditor had intended to ask about hiring procedures. However, the Purchasing Manager launched into an animated discussion about how much work he had, and how tough economic times had caused a ban on hiring new employees. He said he often had to work late at night and on weekends from his private home PC to email customers about their requirements. The Purchasing Manager suggested, "If the CEO would approve a laptop for me, then that would solve a lot of problems. Do you think you could ask him about that?"

Section A

Category of Non-Conformity

Section B


During the interview with the QA Manager, the auditor noted that most internal audit corrective actions were closed within a few days of the Corrective Action Request (CAR) being initiated. When queried about these dates, the QA Manager promptly replied, "Oh yes, we like to get those CARs done and off our list as soon as possible. We push for an update to the problem procedure and then close it out straight away. Our CEO doesn't like to see a long list of CARs in our monthly report to management!"

Section A

Category of Non-Conformity

Section B


After entering the computer room through the locked door from the administration offices, the auditor noticed that there was a rear door that led directly out to the factory near the receiving bays and the open yard beyond. On closer inspection the auditor found that the door was held slightly open by a small block of wood. When the auditor pointed this out to the Computer Room Supervisor, the auditor was told, "It saves us having to go out through the main office when we have free time to get some fresh air in the yard."

Section A

Category of Non-Conformity

Section B


During the audit, the IT Manager pointed out several new items of computer hardware in the office that had been purchased in the past year - 2 HP laptops and 1 HP printer. The auditor noted that there were no asset tags evident on the new equipment and asked how the items could be traced back to the asset register if there was a need to look up details about the equipment. The IT Manager said he was sure that their details and location had been added to the asset register as per the TR Purchasing Procedure (PR-PU-001) and that someone must have simply forgotten to attach the asset tags. He said he did not have access to the asset register and could not confirm if the entries had been made.

Section A

Category of Non-Conformity

Section B


The auditor asked the IT Manager if there had been any recent improvements to information security. The auditor was shown an announcement that had been sent to all employees who use PCs for company business. It explained the need to install data encryption software on those PCs, how to obtain the company-provided data encryption software, and a deadline for completing the installation five months ago. When asked how successful the roll-out had been and whether everyone had completed the task on time, the IT Manager responded, "Well, we had no complaints, but then again I didn't have a formal plan to follow up with everyone. Maybe the InfoSec Manager carried out the follow-up activity? He is good like that!"

Section A

Category of Non-Conformity

Section B


An interview with a recently hired Security Guard showed that he had requested and been given access to the appropriate computer systems as required for his job function. When the auditor pointed out that records of these sorts of changes to system access need to be retained as evidence of conformity to the ISMS, the Security Guard said he filled out the form and submitted it to the InfoSec Manager and did not see the need to keep his own copy of the form. He was not sure what happened to the original form after he sent it off.

Section A

Category of Non-Conformity

Section B


The auditor found that the organization had an adequate training plan for the roles defined in the ISMS. On reviewing the ISMS-related training records for recent hires with the Training Coordinator, the auditor noted that there were no training records for the InfoSec Manager hired just two months ago, but apart from that the organization had not hired new employees for more than 10 months due to a market downturn.

Section A

Category of Non-Conformity

Section B


The CEO confirmed that he had conducted a management review session of the business processes three months ago and that a number of issues had been raised, including hiring an InfoSec Manager to oversee information security. When the auditor asked to see the documented results of the management review, the CEO said, "Coming out of the meeting we all knew what had to be done and we just ran with it. It was very exciting! I think we have most of the tasks completed or at least started. I didn't keep a list of tasks, but maybe one of the others did? Our new InfoSec Manager is very diligent in these matters. I am learning a lot from watching him."

Section A

Category of Non-Conformity

Section B


When the auditor asked the CEO which items were used as input to the Management Review session held 3 months earlier, the CEO replied, "I know we reviewed the results of internal audits and the status of corrective actions. I hate to see those not completed... and there may be more, but I can't recall exactly. My word, we had some lively discussions! Maybe one of my other managers kept our meeting agenda?"

Section A

Category of Non-Conformity

Section B


On inquiring about the results of the last internal ISMS audit, the InfoSec Manager handed the auditor an internal audit report for an audit prepared only one week before the external ISMS audit visit was due. The auditor asked if this was part of a planned ISMS audit schedule or if the audit was conducted as a last-minute arrangement because the external ISMS audit was due the following week. The InfoSec Manager said that he was sure there was an internal ISMS audit schedule somewhere, but that he had only just found out that he was responsible for these ISMS matters and did not know where to look.

Section A

Category of Non-Conformity

Section B


As the InfoSec Manager explained the security incident and nonconformity handling process, the auditor noted that the documented process had a focus on fixing the immediate incident. When the auditor pointed out that ISO 27001 requires determining the cause of nonconformities, the InfoSec Manager agreed that they typically did do this even though the documented process doesn’t have a big emphasis on identifying causes.

Section A

Category of Non-Conformity

Section B


The Network Diagram viewed by the auditor showed separation of Operational Application systems from the Development & Test Application systems. However, the diagram did not show a similar separate test environment for the Enterprise Application system. When queried on this fact, the InfoSec Manager said, "That must be a mistake in the diagram. I am sure our IT Manager can confirm that we do use separate environments for all of our operational and test applications, including the Enterprise application."

Section A

Category of Non-Conformity

Section B


A few staff members have recently started working as information security officers in an organization. Since they have only been doing IT-related work for the last few months, they have not yet been informed of the ISMS policy.

Section A

Category of Non-Conformity

Section B


In ABC organization, malware was found on endpoint devices in the network, and an audit of the network was conducted. The first device in the network to be affected by the malware was found, but it was not clear how that device had become infected, and the staff concerned at ABC could not determine the root cause of the malware issue.

Section A

Category of Non-Conformity

Section B


A data leak occurred during a university's final examinations. An information security management audit was conducted, and it was found that professors and lecturers usually took their laptops containing the examination data off-site without prior authorization.

Section A

Category of Non-Conformity

Section B


Print Co., Ltd. is a printing company, and many of its employees use computers frequently. For information security, the company has defined two kinds of computer user: normal users and privileged users. Different passwords are used according to the type of user, but the passwords are printed on labels pasted on the sides of the computers so that employees can check them easily. The passwords are never changed, in order to avoid confusion.

Section A

Category of Non-Conformity

Section B


Kakkonn Co., Ltd, founded in 1900, is a huge pharmaceutical company. Since it has a lot of divisions, it has been decided to hold a meeting in each division every morning. In the morning meeting, the representative of the division advocates the information security policy and communicates it to the staff of the division. The information security policy has not been documented, but every employee is familiar with it because of the morning meeting.

Section A

Category of Non-Conformity

Section B


Web & Surf Co., Ltd. is a website development company, and it has restricted the use of USB flash drives as one way of protecting the computers used in the company from threats such as computer viruses. Management has decided not to establish or keep records of USB flash drive use, in order to show trust in employees.

Section A

Category of Non-Conformity

Section B


TSafety Transport Co., Ltd. is a transportation company. It has established a documented ISMS and conducts review and improvement periodically. However, the ISMS has not been approved by management, because of a company policy that emphasizes the importance of decisions made in the field.

Section A

Category of Non-Conformity

Section B


Right Security Co., Ltd. is a security company. The company has recently established and implemented an ISMS, and management has decided not to document specific procedures for corrective and preventive actions, because all information assets and threats were identified when establishing the ISMS.

Section A

Category of Non-Conformity

Section B


Young Sports Co., Ltd. runs sports clubs, and it has established and implemented an ISMS covering the information security of members' personal information. During the periodic review of the ISMS, an internal auditor found a nonconformity to the requirements concerning the use of cabinets that contain the personal information of club members. The auditor immediately changed the keys and locks of the cabinet to meet the requirements as a corrective action.

Section A

Category of Non-Conformity

Section B


Safety Drive Co., Ltd. is a substitute driving company. The company has determined specific actions and documented the procedures to eliminate the causes of potential nonconformities with the ISMS requirements in order to prevent their occurrence. The priority of the preventive actions is determined based on the experience of the person in charge of the ISMS.

Section A

Category of Non-Conformity

Section B


Aurora Rosa provides a real estate guarantor service. During the review, the internal auditor found the same nonconformity as one that had been found 5 years ago. The auditor tried to check the record of that nonconformity but could not, because the company discards the records of corrective actions every three years.

Section A

Category of Non-Conformity

Section B