According to ISO/IEC 27001, Clause 5.1 (Leadership and Commitment), which of the following is NOT a responsibility of top management?
ISO/IEC 27001 Clause 5.1 (Leadership and Commitment) defines top management's role in ensuring the effectiveness of the Information Security Management System (ISMS). It requires top management to:
Ensure the availability of resources for the ISMS (Correct Responsibility).
Promote continual improvement of the ISMS (Correct Responsibility).
Direct and support employees to contribute to ISMS effectiveness (Correct Responsibility).
B. Conducting regular internal audits -- Incorrect Responsibility:
Internal audits are not a direct responsibility of top management. Instead, Clause 9.2 (Internal Audit) requires audits to be conducted independently of management.
Top management is responsible for ensuring audits are conducted but does not need to conduct them personally.
Thus, top management is responsible for oversight and support but not for conducting internal audits themselves.
Relevant Standard Reference:
ISO/IEC 27001:2022 Clause 5.1 (Leadership and Commitment)
ISO/IEC 27001:2022 Clause 9.2 (Internal Audit)