Free Preparation Discussions
MENU
PECB ISO-IEC-27001-Lead-Auditor Exam - Topic 3 Question 64 Discussion
Topic #: 3
Scenario 9: Techmanic is a Belgian company founded in 1995 and currently operating in Brussels. It provides IT consultancy, software design, and hardware/software services, including deployment and maintenance. The company serves sectors like public services, finance, telecom, energy, healthcare, and education. As a customer-centered company, it prioritizes strong client relationships and leading security practices.
Techmanic has been ISO/IEC 27001 certified for a year and regards this certification with pride. During the certification audit, the auditor found some inconsistencies in its ISMS implementation. Since the observed situations did not affect the capability of its ISMS to achieve the intended results, Techmanic was certified after auditors followed up on the root cause analysis and corrective actions remotely During that year, the company added hosting to its list of services and requested to expand its certification scope to include that area The auditor in charge approved the request and notified Techmanic that the extension audit would be conducted during the surveillance audit
Techmanic underwent a surveillance audit to verify its iSMS's continued effectiveness and compliance with ISO/IEC 27001. The surveillance audit aimed to ensure that Techmanic's security practices, including the recent addition of hosting services, aligned seamlessly with the rigorous requirements of the certification
The auditor strategically utilized the findings from previous surveillance audit reports in the recertification activity with the purpose of replacing the need for additional recertification audits, specifically in the IT consultancy sector. Recognizing the value of continual improvement and learning from past assessments. Techmanic implemented a practice of reviewing previous surveillance audit reports. This proactive approach not only facilitated identifying and resolving potential nonconformities but also aimed to streamline the recertification process in the IT consultancy sector.
During the surveillance audit, several nonconformities were found. The ISMS continued to fulfill the ISO/IEC 27001*s requirements, but Techmanic failed to resolve the nonconformities related to the hosting services, as reported by its internal auditor. In addition, the internal audit report had several inconsistencies, which questioned the independence of the internal auditor during the audit of hosting services. Based on this, the extension certification was not granted. As a result. Techmanic requested a transfer to another certification body. In the meantime, the company released a statement to its clients stating that the ISO/IEC 27001 certification covers the IT services, as well as the hosting services.
Based on the scenario above, answer the following question:
Is the internal auditor responsible for following up on action plans resulting from external audits?
Comprehensive and Detailed In-Depth
A . Correct Answer:
Internal auditors focus on internal audit nonconformities, while external auditors oversee external audit follow-ups.
B . Incorrect:
Minor nonconformities do not change the role of internal auditors.
C . Incorrect:
Internal auditors do not follow up on external audit findings---this is the certification body's responsibility.
Relevant Standard Reference:
ISO/IEC 27001:2022 Clause 9.2.2 (Internal Audit Responsibilities)
Markus
15 days agoRoxane
20 days agoVannessa
25 days agoTammara
1 month agoLajuana
1 month agoRebecka
1 month agoApolonia
2 months agoDiego
2 months agoPortia
2 months agoLacey
2 months agoIzetta
2 months agoBuddy
2 months agoLynelle
3 months agoElli
3 months agoMarge
4 months agoHeike
4 months agoHester
4 months agoFlorinda
4 months agoRoslyn
4 months ago