
PECB ISO-IEC-27001-Lead-Auditor Exam - Topic 1 Question 39 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 39
Topic #: 1

Scenario 2:

Clinic, founded in the 1990s, is a medical device company that specializes in treatments for heart-related conditions and complex surgical interventions. Based in Europe, it serves both patients and healthcare professionals. Clinic collects patient data to tailor treatments, monitor outcomes, and improve device functionality. To enhance data security and build trust, Clinic is implementing an information security management system (ISMS) based on ISO/IEC 27001. This initiative demonstrates Clinic's commitment to securely managing sensitive patient information and proprietary technologies.

Clinic established the scope of its ISMS by solely considering internal issues, interfaces, dependencies between internal and outsourced activities, and the expectations of interested parties. This scope was carefully documented and made accessible. In defining its ISMS, Clinic chose to focus specifically on key processes within critical departments such as Research and Development, Patient Data Management, and Customer Support.

Despite initial challenges, Clinic remained committed to its ISMS implementation, tailoring security controls to its unique needs. The project team excluded certain Annex A controls from ISO/IEC 27001 while incorporating additional sector-specific controls to enhance security. The team evaluated the applicability of these controls against internal and external factors, culminating in the development of a comprehensive Statement of Applicability (SoA) detailing the rationale behind control selection and implementation.

As preparations for certification progressed, Brian, appointed as the team leader, adopted a self-directed risk assessment methodology to identify and evaluate the company's strategic issues and security practices. This proactive approach ensured that Clinic's risk assessment aligned with its objectives and mission.

Based on Scenario 2, the Clinic decided that the ISMS would cover only key processes and departments. Is this acceptable?

Suggested Answer: A, B, C, F

A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization's management system to achieve its intended results, and therefore requires immediate corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system [1][2].

A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system [1][2].

The outcomes of a follow-up audit should be reported to top management and to the audit team leader who carried out the audit in which the nonconformities were initially identified. This is true because top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee [1][3].

The outcomes of a follow-up audit should be reported to the individual managing the audit programme and to the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee [1][3].


[1] ISO 19011:2018 Guidelines for auditing management systems

[2] ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection --- Information security management systems --- Requirements

[3] ISO/IEC 17021-1:2015 Conformity assessment --- Requirements for bodies providing audit and certification of management systems --- Part 1: Requirements

Brett
3 months ago
I think they might be setting themselves up for issues later on.
upvoted 0 times
...
Adelina
3 months ago
As long as they justify the exclusions, it should be fine.
upvoted 0 times
...
Alverta
3 months ago
Surprised they can limit the scope like that!
upvoted 0 times
...
Kiera
4 months ago
I disagree, all processes should be included for a complete ISMS.
upvoted 0 times
...
Yasuko
4 months ago
Sounds reasonable to focus on key areas first!
upvoted 0 times
...
Ammie
4 months ago
I’m leaning towards option A because it makes sense to justify exclusions, but I wonder if that would affect their certification chances.
upvoted 0 times
...
Jovita
4 months ago
I feel like the ISO/IEC 27001 guidelines emphasize the importance of including all relevant processes, but I can't recall the exact wording.
upvoted 0 times
...
Aliza
4 months ago
I think I came across a similar question where the scope was debated. It seems like they need to justify any exclusions to maintain compliance.
upvoted 0 times
...
Geoffrey
5 months ago
I remember studying that organizations can limit the scope of their ISMS, but I’m not sure if they can exclude entire departments.
upvoted 0 times
...
Charlesetta
5 months ago
I'm a bit confused on this one. The scenario says Clinic focused on key processes and departments, but the question is asking if that's acceptable. I'm not entirely sure - the standard seems to allow scope limitation, but there may be some specific requirements around that. I'll need to review the details carefully to make sure I understand the right approach.
upvoted 0 times
...
Daniel
5 months ago
Okay, so the key here is that Clinic can limit the scope, but they need to make sure they document and justify that decision. I think that's the way to go - focus on the critical areas, but be prepared to explain why other processes and departments were excluded. That seems like a reasonable approach.
upvoted 0 times
...
Karrie
5 months ago
I think this is a tricky one. The scenario indicates that Clinic focused on key processes and departments, which seems reasonable, but I'm not sure if that's fully acceptable under the standard. I'll need to carefully review the requirements around scope and justification.
upvoted 0 times
...
Ma
5 months ago
Hmm, this is a tough call. On one hand, the standard does allow organizations to limit the scope of the ISMS, but on the other hand, it sounds like Clinic may need to justify that decision. I'll need to think through the pros and cons and make sure I understand the nuances here.
upvoted 0 times
...
Whitley
5 months ago
I feel pretty confident about this one. Based on my understanding of how Backup Exec DLM works, the correct answer is C - when the "Allow Backup Exec to delete all expired backup sets" option is enabled. That's the key condition that triggers the deletion of all expired backup sets.
upvoted 0 times
...
Stephaine
10 months ago
Clinic's strategy sounds like a smart compromise. They're focusing on the critical areas first, which is a wise move. As long as they can back it up, I think they're on the right track.
upvoted 0 times
Shalon
9 months ago
B) It's a strategic approach that allows Clinic to allocate resources efficiently and address the most crucial aspects of data security
upvoted 0 times
...
Clorinda
9 months ago
A) Absolutely, focusing on critical areas first can help Clinic establish a strong foundation for information security management
upvoted 0 times
...
Ozell
10 months ago
B) I agree, it's important for Clinic to prioritize key processes and departments to ensure effective implementation of the ISMS
upvoted 0 times
...
Dona
10 months ago
A) Yes, but the decision to exclude other processes and departments must be justified
upvoted 0 times
...
...
Ollie
10 months ago
I bet the certification auditor is going to have a field day with Clinic's 'selective' approach. Maybe they should've gone with the 'kitchen sink' method instead.
upvoted 0 times
...
Rosenda
10 months ago
Clinic should just include everything to be on the safe side. Who knows what could come back to haunt them later? Better to be overly cautious than to have gaps in the ISMS.
upvoted 0 times
Paulina
10 months ago
Clinic should consider all aspects to ensure comprehensive security measures.
upvoted 0 times
...
Jerry
10 months ago
A) Yes, but the decision to exclude other processes and departments must be justified
upvoted 0 times
...
...
Audry
11 months ago
I agree, Clinic's decision is reasonable. Trying to cover everything would be impractical and could slow down the implementation. As long as they document the rationale, this approach is valid.
upvoted 0 times
...
Remedios
11 months ago
Limiting the scope to key processes and departments makes sense. As long as Clinic can justify the exclusion of other areas, this approach should be acceptable.
upvoted 0 times
Cyndy
9 months ago
B) By focusing on key areas, Clinic can ensure that its resources are effectively allocated to protect sensitive information and technologies
upvoted 0 times
...
Pamella
10 months ago
A) Exactly, it's important for Clinic to have a clear rationale for why certain areas are included or excluded in the ISMS scope
upvoted 0 times
...
Sol
10 months ago
B) I agree, focusing on key processes and departments can help Clinic prioritize its security efforts
upvoted 0 times
...
Shay
10 months ago
A) Yes, but the decision to exclude other processes and departments must be justified
upvoted 0 times
...
...
Rachael
11 months ago
But shouldn't Clinic include all processes and departments in the scope to ensure comprehensive security measures?
upvoted 0 times
...
Chandra
11 months ago
I agree with you, Maurine. It's important for Clinic to prioritize areas that are critical to their operations.
upvoted 0 times
...
Maurine
11 months ago
I think Clinic made the right decision to focus on key processes and departments for their ISMS.
upvoted 0 times
...
