Study Document 10

Quick revision flashcards.

Compact ISO 27001 Lead Auditor revision prompts for clauses, risk, Statement of Applicability, audit terms, audit sequence, Annex A, and NCR rules.

How to use

Revise in short rounds, then test with scenarios.

Read the prompt, answer from memory, then check the answer. The goal is not only recall, but fast recognition of which clause, audit concept, or NCR rule applies in a scenario.

4-10: Mandatory ISO 27001 management system clauses for conformity.
SoA: Control inclusion, exclusion justification, and implementation status.
NCR: Requirement, evidence, problem, and location.

Clause flashcards

Know the intent of Clause 4 to Clause 10.

Clause questions often test whether the learner can connect a business situation to the correct ISO 27001 management system requirement.

Question

Which clauses are mandatory for ISO 27001 conformity?

Clauses 4 to 10. They cannot be excluded when an organization claims conformity to ISO/IEC 27001.

Question

Can Annex A controls be excluded?

Yes, but only with valid justification in the Statement of Applicability where the controls are not necessary.

Clause 4

What is Clause 4 about?

Context, interested parties, ISMS scope, and the processes needed for the ISMS.

Clause 5

What is Clause 5 about?

Leadership, policy, organizational roles, responsibilities, authorities, and top management commitment.

Clause 6

What is Clause 6 about?

Actions to address risks and opportunities, information security risk assessment, risk treatment, objectives, and planning of changes.

Clause 7

What is Clause 7 about?

Resources, competence, awareness, communication, and documented information.

Clause 8

What is Clause 8 about?

Operational planning and control, risk assessment operation, risk treatment operation, and outsourced process control.

Clause 9

What is Clause 9 about?

Monitoring, measurement, analysis, evaluation, internal audit, and management review.

Clause 10

What is Clause 10 about?

Continual improvement, nonconformity, corrective action, and improvement of the ISMS.

Exam clue

Which clause applies to missing evidence of management review?

Clause 9.3, because management review is part of performance evaluation.

Risk flashcards

Risk language appears in almost every exam domain.

Use these prompts to separate risk assessment, risk treatment, residual risk, risk acceptance, and Statement of Applicability evidence.

Risk

What is risk?

The effect of uncertainty on objectives.

Risk assessment

What are the main parts of risk assessment?

Risk identification, risk analysis, and risk evaluation.

Risk treatment

What is risk treatment?

The process to modify risk, often through controls, transfer, avoidance, retention, or other treatment options.

Residual risk

What is residual risk?

Risk remaining after treatment.

Acceptance

Who accepts residual risk?

The risk owner or another authorized role defined by the organization.

SoA

What must the Statement of Applicability include?

Necessary controls, inclusion justification, implementation status, and exclusion justification.

Audit flashcards

Separate audit criteria, evidence, findings, and conclusions.

This is a common exam trap. The criteria are the requirement; the evidence is what was found; the finding is the result of evaluating the evidence against the criteria.

Criteria

What is audit criteria?

The requirement or reference used to judge conformity.

Evidence

What is audit evidence?

Verifiable information relevant to audit criteria.

Finding

What is an audit finding?

The result of evaluating audit evidence against audit criteria.

Audit type

What is a first-party audit?

An internal audit conducted by or for the organization.

Audit type

What is a second-party audit?

A customer or interested party audit of a supplier or external provider.

Audit type

What is a third-party audit?

An independent certification, accreditation, or external assurance audit.

NCR flashcards

Good findings are objective and complete.

These prompts help with nonconformity writing, corrective action questions, and closing meeting scenarios.

NCR

What is nonconformity?

Non-fulfilment of a requirement.

Correction

What is correction?

Action to eliminate the detected nonconformity.

Corrective action

What is corrective action?

Action to eliminate the cause of a nonconformity and prevent recurrence.

NCR formula

What must an NCR contain?

Requirement, objective evidence, clear problem statement, and location or process.

Professional wording

Should an NCR blame individuals?

No. It should describe an objective process failure using evidence and criteria.

Closure

When should a finding be closed?

When correction, root cause, corrective action, implementation evidence, and effectiveness review are adequate.

Memory formulas

Use short formulas for sequence questions.

These are quick recall anchors. In the exam, apply them to the scenario and do not force them where the context is different.

Risk assessment

Identify - Analyse - Evaluate.

Risk treatment

Select option - Determine controls - Compare Annex A - Create SoA - Plan treatment - Accept residual risk.

Audit evidence flow

Source - Sampling - Evidence - Criteria comparison - Finding - Conclusion.

Audit lifecycle

Plan - Conduct - Report - Follow up.

NCR formula

Requirement - Evidence - Problem - Location.

Exam answer filter

Requirement? Evidence? Scope? Auditor role? Professional behaviour?

Use note

This is a KISCyber learner guide.

This page is an original training summary using user-provided ISO 27001 Lead Auditor study materials as references. Always use the authorised standard, official course material, and current exam provider guidance when preparing for certification.