Free GAQM ISO-CLA-22 Exam Questions

Question 1

Imagine a significant data breach occurs after an ISO 27001 certification audit. The auditor's report stated no major nonconformities regarding access controls. Which action is MOST appropriate for the certified organization immediately?

A : Ignore the breach as the organization is already certified and a subsequent audit will address it.

B : Immediately notify the certification body (CB) of the breach and initiate a thorough investigation to determine if there were any systemic failures not identified during the audit.

C : Issue a press release stating the organization is ISO 27001 certified, therefore, the breach was likely an external attack and not an internal control failure.

D : Wait for the next surveillance audit to inform the CB about the breach and any corrective actions taken.

Answer: B

Question 2

Following audit confirmation, what principle is MOST directly threatened when the auditee's department head, who is also a personal friend of the Lead Auditor, is responsible for providing all documentation and coordinating all interviews for that department's processes?

A : Fair Presentation

B : Due Professional Care

C : Integrity

D : Independence

Answer: D

Question 3

Envision your organization plans to implement an ISMS. You are assigned the role of an internal auditor prior to the external certification audit. Which of the following actions is MOST aligned with the 'due professional care' principle during your internal audit?

A : Accepting the initial scope definition without question to avoid disrupting the implementation process.

B : Providing constructive feedback on identified nonconformities, even if it means potentially delaying the certification timeline.

C : Focusing solely on easily verifiable controls to ensure a high rate of compliance and a positive audit result.

D : Relying heavily on the expertise of the ISMS implementation team to streamline the audit process and minimize disruption.

Answer: B

Question 4

Assuming multiple minor nonconformities are identified during Stage 2 audit of an organization seeking ISO/IEC 27001 certification, and management demonstrates a credible plan for corrective action, what's the auditor's MOST appropriate next step?

A : Immediately recommend certification withdrawal due to the presence of nonconformities.

B : Issue a conditional recommendation for certification, contingent upon successful implementation of the corrective action plan within a defined timeframe.

C : Delay the certification recommendation until a follow-up audit confirms complete closure of all minor nonconformities.

D : Recommend full certification, as minor nonconformities do not inherently preclude certification if a corrective action plan is in place.

Answer: B

Question 5

Imagine a significant data breach occurs after an ISO 27001 certification audit. The auditor's report stated no major nonconformities regarding access controls. Which action is MOST appropriate for the certified organization immediately?

A : Ignore the breach as the organization is already certified and a subsequent audit will address it.

B : Immediately notify the certification body (CB) of the breach and initiate a thorough investigation to determine if there were any systemic failures not identified during the audit.

C : Issue a press release stating the organization is ISO 27001 certified, therefore, the breach was likely an external attack and not an internal control failure.

D : Wait for the next surveillance audit to inform the CB about the breach and any corrective actions taken.

Answer: B