PECB Exam ISO-IEC-27001-Lead-Auditor Topic 1 Question 39 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam

Question #: 39
Topic #: 1

[All ISO-IEC-27001-Lead-Auditor Questions]

Scenario 2:

Clinic, founded in the 1990s, is a medical device company that specializes in treatments for heart-related conditions and complex surgical interventions. Based in Europe, it serves both patients and healthcare professionals. Clinic collects patient data to tailor treatments, monitor outcomes, and improve device functionality. To enhance data security and build trust, Clinic is implementing an information security management system (ISMS) based on ISO/IEC 27001. This initiative demonstrates Clinic's commitment to securely managing sensitive patient information and proprietary technologies.

Clinic established the scope of its ISMS by solely considering internal issues, interfaces, dependencies between internal and outsourced activities, and the expectations of interested parties. This scope was carefully documented and made accessible. In defining its ISMS, Clinic chose to focus specifically on key processes within critical departments such as Research and Development, Patient Data Management, and Customer Support.

Despite initial challenges, Clinic remained committed to its ISMS implementation, tailoring security controls to its unique needs. The project team excluded certain Annex A controls from ISO/IEC 27001 while incorporating additional sector-specific controls to enhance security. The team evaluated the applicability of these controls against internal and external factors, culminating in the development of a comprehensive Statement of Applicability (SoA) detailing the rationale behind control selection and implementation.

As preparations for certification progressed, Brian, appointed as the team leader, adopted a self-directed risk assessment methodology to identify and evaluate the company's strategic issues and security practices. This proactive approach ensured that Clinic's risk assessment aligned with its objectives and mission.

Based on Scenario 2, the Clinic decided that the ISMS would cover only key processes and departments. Is this acceptable?

AYes, but the decision to exclude other processes and departments must be justified

BYes, organizations may limit the scope of the ISMS, but they cannot request a certification audit if the ISMS scope does not include all processes and departments

CNo, Clinic must include all processes and departments in the scope, regardless of their importance or relevance to the ISMS

Show Suggested Answer

Suggested Answer: A, B, C, F

A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization's management system to achieve its intended results, and therefore requires immediate corrective action.A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system12.

A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements.A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system12.

The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because the top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions.The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee13.

The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit.The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee13.

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information technology --- Security techniques --- Information security management systems --- Requirements

ISO/IEC 17021-1:2022 Conformity assessment --- Requirements for bodies providing audit and certification of management systems --- Part 1: Requirements

by Leontine at Jul 03, 2024, 05:15 PM

Limited Time Offer