Free GAQM ISO-CLA-22 Exam Questions

Question 1

In establishing an ISMS, which principle most directly addresses the ongoing monitoring and adjustment of security controls based on performance and changing threat landscape?

A : Continual Improvement

B : Risk-Based Thinking

C : Management Responsibility

D : Process Approach

Answer: A

Question 2

Imagine a significant data breach occurs after an ISO 27001 certification audit. The auditor's report stated no major nonconformities regarding access controls. Which action is MOST appropriate for the certified organization immediately?

A : Ignore the breach as the organization is already certified and a subsequent audit will address it.

B : Immediately notify the certification body (CB) of the breach and initiate a thorough investigation to determine if there were any systemic failures not identified during the audit.

C : Issue a press release stating the organization is ISO 27001 certified, therefore, the breach was likely an external attack and not an internal control failure.

D : Wait for the next surveillance audit to inform the CB about the breach and any corrective actions taken.

Answer: B

Question 3

Suppose a company 'SecureTech' holds ISO/IEC 27001 certification. During a surveillance audit, the auditor discovers several minor nonconformities relating to asset management. SecureTech promptly corrects these nonconformities and provides evidence to the auditor. What is the MOST appropriate auditor's response regarding the nonconformities?

A : Recommend immediate suspension of SecureTech's ISO/IEC 27001 certification due to the observed nonconformities.

B : Record the corrections as positive findings and disregard the initial nonconformities entirely.

C : Accept the corrective actions as evidence of commitment to ISMS maintenance and allow the certification to continue without further action.

D : Accept the corrective actions and record the nonconformities as closed, while potentially increasing the scope or frequency of future audits based on the number and nature of the findings.

Answer: D

Question 4

Considering resource allocation, which activity MOST significantly impacts the effectiveness of the audit program when managing multiple ISO/IEC 27001 audits across different departments with varying risk profiles?

A : Providing generic checklists applicable to all departments to ensure consistency.

B : Allocating auditor time and expertise proportionally to the risk profile and complexity of each department's ISMS.

C : Scheduling all departmental audits consecutively to minimize travel expenses for the audit team.

D : Using only internal auditors to reduce external audit costs and maintain confidentiality.

Answer: B

Question 5

Considering resource allocation, which activity MOST significantly impacts the effectiveness of the audit program when managing multiple ISO/IEC 27001 audits across different departments with varying risk profiles?

A : Providing generic checklists applicable to all departments to ensure consistency.

B : Allocating auditor time and expertise proportionally to the risk profile and complexity of each department's ISMS.

C : Scheduling all departmental audits consecutively to minimize travel expenses for the audit team.

D : Using only internal auditors to reduce external audit costs and maintain confidentiality.

Answer: B