시험덤프
매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
  / ISO-IEC-27001 Lead Implementer 덤프  / ISO-IEC-27001 Lead Implementer 문제 연습

PECB ISO-IEC-27001 Lead Implementer 시험

PECB Certified ISO/IEC 27001 Lead Implementer exam 온라인 연습

최종 업데이트 시간: 2025년05월04일

당신은 온라인 연습 문제를 통해 PECB ISO-IEC-27001 Lead Implementer 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.

시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 ISO-IEC-27001 Lead Implementer 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 50개의 시험 문제와 답을 포함하십시오.

 / 7

Question No : 1


Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS. However, the company requested from the
certification body that the documentation could not be carried off-site
However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body
Based on scenario 10. NetworkFuse did not conduct a self-evaluation of the ISMS before the audit. Is this compliant to ISO/IEC 27001?

정답:
Explanation:
According to the ISO/IEC 27001:2022 standard, the organization is responsible for establishing, implementing, maintaining and continually improving the information security management system (ISMS) in accordance with the requirements of the standard (section 4.1). The standard does not explicitly require the organization to conduct a self-evaluation of the ISMS before the certification audit, which is an external audit performed by an independent certification body to verify the conformity of the ISMS with the standard and to grant the certification (section 9.3.2). However, the standard does require the organization to conduct internal audits (section 9.2) and management reviews (section 9.3) of the ISMS at planned intervals to ensure its effectiveness, suitability and adequacy, and to identify opportunities for improvement and corrective actions. Therefore, conducting a self-evaluation of the ISMS before the certification audit is a good practice to follow, as it can help the organization to prepare for the audit, to identify any gaps or nonconformities, and to demonstrate its commitment and readiness for the certification.
Reference: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection ― Information security management systems ― Requirements1
ISO/IEC 27001 Lead Implementer Info Kit
SELF EVALUATION CHECKLIST ISO/IEC 27001:20222

Question No : 2


Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS. However, the company requested from the certification body that the documentation could not be carried off-site
However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body The certification body rejected NetworkFuse's request to change the audit team leader. Is this acceptable? Refer to scenario 10.

정답:
Explanation:
According to the ISO/IEC 27001: 2022 Lead Implementer course, the certification body is responsible for selecting and appointing the audit team members, taking into account the competence, impartiality, and objectivity of the auditors1. The auditee can request the replacement of an audit team member only if there is a valid reason to doubt their competence or impartiality, such as a personal or professional conflict of interest, a lack of relevant experience or qualifications, or a previous involvement in the auditee’s activities2. However, NetworkFuse did not give a valid reason to support their claims, as the fact that the audit team leader issued a recommendation for certification to their main competitor does not imply a conflict of interest or a bias. Therefore, the certification body rejected NetworkFuse’s request to change the audit team leader, which is acceptable.
Reference: 1: PECB, ISO/IEC 27001 Lead Implementer Course, Module 11: Certification Audit of the ISMS, slide 13 2: PECB, ISO/IEC 27001 Lead Implementer Course, Module 11: Certification Audit of the ISMS, slide 14

Question No : 3


Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS. However, the company requested from the certification body that the documentation could not be carried off-site
However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body According to scenario 10, NetworkFuse requested from the certification body to review all the documentation only on-site. Is this acceptable?

정답:
Explanation:
According to the ISO/IEC 27001:2022 standard, the certification body is responsible for planning and conducting the audit, including the review of the documented information. The certification body may decide to review the documentation on-site or off-site, depending on the audit objectives, scope, criteria, and risks. The auditee may not impose any restrictions on the access to the documentation, unless there are valid reasons for confidentiality or security. However, such restrictions should be agreed upon before the audit and should not compromise the effectiveness and impartiality of the audit.
Reference: ISO/IEC 27001:2022, clause 9.2.2
ISO/IEC 27006:2021, clause 7.1.4

Question No : 4


Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS. However, the company requested from the certification body that the documentation could not be carried off-site
However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body NetworkFuse should_________________to ensure that employees are prepared for the audit. Refer to scenario 10.

정답:
Explanation:
One of the ways to prepare employees for an ISO/IEC 27001 audit is to conduct practice interviews with them. This can help them to familiarize themselves with the audit process, the types of questions they might be asked, and the evidence they need to provide to demonstrate compliance with the standard. Practice interviews can also help employees to identify any gaps or weaknesses in their knowledge or performance, and to address them before the actual audit. Practice interviews can be conducted by internal auditors, managers, or consultants, and should cover the relevant scope, objectives, and criteria of the audit. (From the PECB ISO/IEC 27001 Lead Implementer Course Manual, page 113)
Reference: PECB ISO/IEC 27001 Lead Implementer Course Manual, page 113 PECB ISO/IEC 27001 Lead Implementer Info Kit, page 10
5 Step Plan: How to Prepare for an ISO 27001 Certification Audit

Question No : 5


Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS. However, the company requested from the certification body that the documentation could not be carried off-site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body
Based on the scenario above, answer the following question:
Does NetworkFuse fulfill the prerequisites for a certification audit?

정답:
Explanation:
According to ISO/IEC 27006:2015, the prerequisites for a certification audit are:
The ISMS must be operational for a period of time that is sufficient to demonstrate its effectiveness and performance.
The organization must have conducted at least one internal audit and one management review of the ISMS prior to the certification audit.
The organization must provide the certification body with access to all the relevant documented information, records, personnel, and facilities related to the ISMS.
In the scenario, NetworkFuse has fulfilled these prerequisites, as it has had an operational ISMS for approximately two years, and it has performed internal audits and management reviews. Therefore, the correct answer is B.
Reference: ISO/IEC 27006:2015, clauses 9.1.1, 9.1.2, and 9.2.1.

Question No : 6


What supports the continual improvement of an ISMS?

정답:
Explanation:
According to the ISO/IEC 27001:2022 standard, the organization should establish, implement and maintain a process to manage changes that affect the information security management system (ISMS) and to continually improve the suitability, adequacy and effectiveness of the ISMS (section 8.1.3 and 10.2). The standard also states that the organization should update the documented information of the ISMS as necessary to reflect the changes and the results of the improvement process (section 8.1.3.2 and 10.2.2). Therefore, the update of documented information supports the continual improvement of the ISMS by ensuring that the ISMS is aligned with the current and future needs and expectations of the organization and its interested parties.
Reference: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection ― Information security management systems ― Requirements1
ISO/IEC 27001 Lead Implementer Info Kit
Continual Improvement For ISO 27001 Requirement 10.22

Question No : 7


Which of the following is NOT part of the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected?

정답:
Explanation:
According to the ISO/IEC 27001: 2022 Lead Implementer course, the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected are as follows1:
React to the nonconformity, take action to control and correct it, and deal with its consequences Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
Implement any action needed
Review the effectiveness of the corrective action
Make changes to the information security management system (ISMS) if necessary
Therefore, communicating the details of the nonconformity to every employee of the organization and suspending the employee that caused the nonconformity is not part of the steps required by ISO/IEC 27001. This option is not only unnecessary, but also potentially harmful, as it could violate the principles of confidentiality, integrity, and availability of information, as well as the human rights and dignity of the employee involved2. Instead, the organization should follow the established procedures for reporting, recording, and analyzing nonconformities, and ensure that the corrective actions are appropriate, proportional, and fair3.
Reference: 1: PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 9 2: PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 10 3: PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 11

Question No : 8


Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan
The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department
The approved action plan was implemented and all actions described in the plan were documented.
Based on scenario 9. did the ISMS project manager complete the corrective action process appropriately?

정답:
Explanation:
According to ISO/IEC 27001:2022, the corrective action process consists of the following steps12: Reacting to the nonconformity and, as applicable, taking action to control and correct it and deal with the consequences
Evaluating the need for action to eliminate the root cause(s) of the nonconformity, in order that it
does not recur or occur elsewhere
Implementing the action needed
Reviewing the effectiveness of the corrective action taken
Making changes to the information security management system, if necessary
In scenario 9, the ISMS project manager did not complete the last step of reviewing the effectiveness of the corrective action taken. This step is important to verify that the corrective action has achieved the intended results and that no adverse effects have been introduced. The review can be done by using various methods, such as audits, tests, inspections, or performance indicators3. Therefore, the ISMS project manager did not complete the corrective action process appropriately.
Reference: 1: ISO/IEC 27001:2022, clause 10.2 2: Procedure for Corrective Action [ISO 27001 templates] 3: ISO
27001 Clause 10.2 Nonconformity and corrective action

Question No : 9


Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan
The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department
The approved action plan was implemented and all actions described in the plan were documented.
Based on scenario 9. is the action plan for the identified nonconformities sufficient to eliminate the detected nonconformities?

정답:
Explanation:
According to ISO/IEC 27001:2022, clause 10.1, an action plan for nonconformities and corrective
actions should include the following elements1:
What needs to be done
Who is responsible for doing it
When it will be completed
How the effectiveness of the actions will be evaluated
How the results of the actions will be documented
In scenario 9, the action plan only describes what needs to be done and who is responsible for doing it, but it does not specify when it will be completed, how the effectiveness of the actions will be evaluated, and how the results of the actions will be documented. Therefore, the action plan is not sufficient to eliminate the detected nonconformities.
Reference: 1: ISO/IEC 27001:2022, Information technology ― Security techniques ― Information security management systems ― Requirements, clause 10.1, Nonconformity and corrective action.

Question No : 10


Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department
The approved action plan was implemented and all actions described in the plan were documented.
Based on scenario 9, OpenTech has taken all the actions needed, except____________.

정답:
Explanation:
According to ISO/IEC 27001:2022, clause 10.1, corrective actions are actions taken to eliminate the root causes of nonconformities and prevent their recurrence, while preventive actions are actions taken to eliminate the root causes of potential nonconformities and prevent their occurrence. In scenario 9, OpenTech has taken corrective actions to address the nonconformity related to the monitoring procedures, but not preventive actions to avoid similar nonconformities in the future. For example, OpenTech could have taken preventive actions such as conducting regular reviews of the access control policy, providing training and awareness to the staff on the policy, or implementing automated controls to prevent user ID reuse.
Reference: ISO/IEC 27001:2022, Information technology ― Security techniques ― Information security management systems ― Requirements, clause 10.1
PECB, ISO/IEC 27001 Lead Implementer Course, Module 8: Performance evaluation, improvement and certification audit of an ISMS, slide 8.3.1.1

Question No : 11


Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan.
The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department
The approved action plan was implemented and all actions described in the plan were documented.
Based on this scenario, answer the following question:
OpenTech has decided to establish a new version of its access control policy.
What should the company do when such changes occur?

정답:
Explanation:
According to ISO/IEC 27001:2022, clause 6.2, the organization shall establish information security objectives at relevant functions and levels. The information security objectives shall be consistent with the information security policy and relevant to the information security risks. The organization shall update the information security objectives as changes occur. Therefore, when OpenTech decides to establish a new version of its access control policy, it should update its information security objectives accordingly to reflect the changes and ensure alignment with the policy.
Reference: ISO/IEC 27001:2022, clause 6.2; PECB ISO/IEC 27001 Lead Implementer Course, Module 10, slide 8.

Question No : 12


Which of the situations below can negatively affect the internal audit process?

정답:
Explanation:
According to the ISO/IEC 27001: 2022 Lead Implementer course, one of the factors that can negatively affect the internal audit process is the lack of cooperation from the auditees, which can manifest as restricting the internal auditor’s access to offices and documentation1. This can hinder the auditor’s ability to collect sufficient and appropriate audit evidence, verify the conformity of the information security management system (ISMS) with the audit criteria, and identify any nonconformities or opportunities for improvement2. Therefore, the auditees should be informed of the audit objectives, scope, criteria, and schedule in advance, and should provide the auditor with all the necessary information and resources to conduct the audit effectively3.
Reference: 1: PECB, ISO/IEC 27001 Lead Implementer Course, Module 9: Internal Audit, slide 22 2:
PECB, ISO/IEC 27001 Lead Implementer Course, Module 9: Internal Audit, slide 23 3: PECB, ISO/IEC
27001 Lead Implementer Course, Module 9: Internal Audit, slide 24

Question No : 13


Del&Co has decided to improve their staff-related controls to prevent incidents.
Which of the following is NOT a preventive control related to the Del&Co's staff?

정답:
Explanation:
According to ISO/IEC 27001:2022, Annex A.7, the objective of human resource security is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered, and to reduce the risk of human error, theft, fraud, or misuse of facilities.
The standard specifies eight controls in this domain, which are:
A .7.1 Prior to employment: This control covers the screening, terms and conditions, and roles and responsibilities of employees and contractors before they are hired.
A .7.2 During employment: This control covers the awareness, education, and training, disciplinary process, and management responsibilities of employees and contractors during their employment. A .7.3 Termination and change of employment: This control covers the return of assets, removal of access rights, and exit interviews of employees and contractors when they leave or change their roles.
The other controls in Annex A are related to other aspects of information security, such as organizational, physical, and technological controls. For example:
A .9.2 User access management: This control covers the authentication and authorization of users to access information systems and services, based on their roles and responsibilities.
A .11.1 Secure areas: This control covers the control of physical access to the equipment and information assets, such as locks, alarms, guards, etc.
A .13.2 Information transfer: This control covers the protection of information during its transfer, such as encryption, digital signatures, secure protocols, etc.
Therefore, video cameras are not a preventive control related to the staff, but rather a physical control related to the equipment and assets. Video cameras can be used to monitor and record the activities of the staff, but they cannot prevent them from causing incidents. They can only help to detect and investigate incidents after they occur.
Reference: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection ― Information security management systems ― Requirements, Annex A; PECB ISO/IEC 27001 Lead Implementer Course, Module 8: Implementation of Information Security Controls.

Question No : 14


An organization that has an ISMS in place conducts management reviews at planned intervals, but does not retain documented information on the results.
Is this in accordance with the requirements of ISO/IEC 27001?

정답:
Explanation:
According to ISO/IEC 27001:2022, clause 9.3.3, the organization must retain documented information as evidence of the results of management reviews. The results of management reviews must include decisions and actions related to the ISMS policy, objectives, risks, opportunities, resources, and communication. Documenting the results of management reviews is important to ensure the accountability, traceability, and effectiveness of the ISMS. It also helps the organization to monitor and measure the performance and improvement of the ISMS, and to demonstrate compliance with the requirements of ISO/IEC 27001:2022. Therefore, an organization that has an ISMS in place and conducts management reviews at planned intervals, but does not retain documented information on the results, is not in accordance with the requirements of ISO/IEC 27001. (From the PECB ISO/IEC
27001 Lead Implementer Course Manual, page 107)
Reference: PECB ISO/IEC 27001 Lead Implementer Course Manual, page 107 PECB ISO/IEC 27001 Lead Implementer Info Kit, page 7
ISO/IEC 27001:2022 (en), Information security, cybersecurity and privacy protection ― Information security management systems ― Requirements, clause 9.3.3 1

Question No : 15


A small organization that is implementing an ISMS based on ISO/lEC 27001 has decided to outsource the internal audit function to a third party. Is this acceptable?

정답:
Explanation:
According to the ISO/IEC 27001:2022 standard, an internal audit is an audit conducted by the organization itself to evaluate the conformity and effectiveness of its information security management system (ISMS). The standard requires that the internal audit should be performed by auditors who are objective and impartial, meaning that they should not have any personal or professional interest or bias that could influence their judgment or compromise their integrity. The standard also allows the organization to outsource the internal audit function to a third party, as long as the criteria of objectivity and impartiality are met.
Outsourcing the internal audit function to a third party can be a better option for small organizations that may not have enough resources, skills, or experience to perform an internal audit by themselves.
By hiring an external auditor, the organization can benefit from the following advantages:
The external auditor can provide a fresh and independent perspective on the organization’s ISMS, identifying strengths, weaknesses, opportunities, and threats that may not be apparent to the internal staff.
The external auditor can bring in specialized knowledge, expertise, and best practices from other organizations and industries, helping the organization to improve its ISMS and achieve its objectives. The external auditor can reduce the risk of conflict of interest, bias, or influence that may arise when the internal staff audit their own work or the work of their colleagues.
The external auditor can save the organization time and money by conducting the internal audit more efficiently and effectively, avoiding duplication of work or unnecessary delays.
Therefore, outsourcing the internal audit function to a third party is acceptable and often preferable for small organizations that are implementing an ISMS based on ISO/IEC 27001.
Reference: ISO/IEC 27001:2022, Information technology ― Security techniques ― Information security management systems ― Requirements, Clause 9.2, Internal audit
ISO/IEC 27007:2023, Information technology ― Security techniques ― Guidelines for information security management systems auditing
PECB, ISO/IEC 27001 Lead Implementer Course, Module 12, Internal audit A Complete Guide to an ISO 27001 Internal Audit - Sprinto

 / 7
PECB