
PECB Exam ISO-IEC-27001-Lead-Auditor Topic 4 Question 27 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 27
Topic #: 4
[All ISO-IEC-27001-Lead-Auditor Questions]

You are performing an ISMS initial certification audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to conduct the closing meeting. During the final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and 1 opportunity for improvement as below:

Select one option of the recommendation to the audit programme manager you are going to advise to the auditee at the closing meeting.

Suggested Answer: D

According to ISO/IEC 17021-1:2015, which specifies the requirements for bodies providing audit and certification of management systems, clause 9.4.9 requires the certification body to make a certification decision based on the information obtained during the audit and any other relevant information. The certification body should also consider the effectiveness of the corrective actions taken by the auditee to address any nonconformities identified during the audit. Therefore, when making a recommendation to the audit programme manager, an ISMS auditor should consider the nature and severity of the nonconformities and the proposed corrective actions.

Based on the scenario above, the auditor should recommend certification after their approval of the proposed corrective action plan and recommend that the findings can be closed out at a surveillance audit in 1 year. The auditor should provide the following justification for their recommendation:

Justification: This recommendation is appropriate because it reflects the fact that the auditee has only two minor nonconformities and one opportunity for improvement, which do not indicate a significant or systemic failure of their ISMS. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022, or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but which does not affect its overall effectiveness or conformity. An opportunity for improvement is defined as a suggestion for improvement beyond what is required by ISO/IEC 27001:2022. Therefore, these findings do not prevent or preclude certification, as long as they are addressed by appropriate corrective actions within a reasonable time frame. The auditor should approve the proposed corrective action plan before recommending certification, to ensure that it is realistic, achievable, and effective. The auditor should also recommend that the findings can be closed out at a surveillance audit in 1 year, to verify that the corrective actions have been implemented and are working as intended.

The other options are not valid recommendations for the audit programme manager, as they are either too lenient or too strict for the given scenario. For example:

Recommend certification immediately: This option is not valid because it implies that the auditor ignores or accepts the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:2018, which provides guidelines for auditing management systems. It also contradicts the requirement of ISO/IEC 17021-1:2015, which requires the certification body to consider the effectiveness of the corrective actions taken by the auditee before making a certification decision.

Recommend that a full scope re-audit is required within 6 months: This option is not valid because it implies that the auditor overreacts to or exaggerates the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:2018. It also contradicts the requirement of ISO/IEC 17021-1:2015, which requires the certification body to determine whether a re-audit is necessary based on the nature and extent of nonconformities and other relevant factors. A full scope re-audit is usually reserved for major nonconformities or multiple minor nonconformities that indicate a serious or widespread failure of an ISMS.

Recommend that an unannounced audit is carried out at a future date: This option is not valid because it implies that the auditor distrusts or doubts the auditee's commitment or capability to implement corrective actions, which is contrary to the audit principles and objectives of ISO 19011:2018. It also contradicts the requirement of ISO/IEC 17021-1:2015, which requires the certification body to conduct unannounced audits only under certain conditions, such as when there are indications of serious problems with an ISMS or when required by sector-specific schemes.

Recommend that a partial audit is required within 3 months: This option is not valid because it implies that the auditor imposes or prescribes a specific time frame or scope for verifying corrective actions, which is contrary to the audit principles and objectives of ISO 19011:2018. It also contradicts the requirement of ISO/IEC 17021-1:2015, which requires the certification body to determine whether a partial audit is necessary based on the nature and extent of nonconformities and other relevant factors. A partial audit may be appropriate for minor nonconformities, but the time frame and scope should be agreed upon with the auditee and based on the proposed corrective action plan.


Contribute your Thoughts:

Lemuel
5 days ago
Totally agree with D! A surveillance audit makes sense.
upvoted 0 times
Darnell
10 days ago
I think D is the best option. They need time to fix things.
upvoted 0 times
Mila
15 days ago
I think option A might be too hasty given the minor nonconformities. We should probably ensure corrective actions are in place first, like in option D.
upvoted 0 times
Tommy
21 days ago
I feel like recommending an unannounced audit could be a good way to ensure compliance, but I’m not sure if that’s the best first step here.
upvoted 0 times
Idella
26 days ago
I'm a bit unsure about the timelines. Wasn't there a practice question that suggested a full re-audit for more serious issues? Maybe option B is more appropriate?
upvoted 0 times
Bea
1 month ago
I remember we discussed the importance of addressing nonconformities before recommending certification. I think option D makes the most sense.
upvoted 0 times
Penney
1 month ago
Based on the information provided, I think option D is the way to go. Recommending certification after approving the corrective action plan seems like the most reasonable approach given the relatively minor issues identified. As long as the organization addresses those items, there's no need for a full re-audit or unannounced visit.
upvoted 0 times
Mozelle
1 month ago
Hmm, this is a tricky one. I'm not sure if I should recommend a full re-audit or just a partial audit. The minor nonconformities could be easily fixed, but I want to make sure the organization is fully compliant before certifying them. I'll need to weigh the pros and cons of each option.
upvoted 0 times
Brittani
1 month ago
This seems like a straightforward audit scenario, so I'm feeling pretty confident about this one. I'd probably recommend option D - certifying after approving the corrective action plan. The minor nonconformities don't seem too serious, and the opportunity for improvement can likely be addressed in the short term.
upvoted 0 times
Jerrod
1 month ago
I'm a bit unsure about this one. The question is asking for a recommendation to the audit programme manager, but the options seem to cover a range of different actions. I'll need to carefully review the details of each option to determine the best recommendation.
upvoted 0 times
Elvera
1 month ago
I'm pretty confident that the answer is B. The syntax of "(ex1, Ex2):" is the correct way to handle multiple exceptions in a single except block in Python. The other options don't seem to match the expected syntax.
upvoted 0 times
Viva
1 month ago
I think the attribute we're looking for is related to the timeout settings, but I'm not entirely sure if it's session timeout or idle timeout.
upvoted 0 times
Lorrie
1 month ago
This is a pretty standard question. I'm confident I can answer this correctly based on my understanding of video conferencing technology. I'll just double-check my knowledge to make sure I don't miss anything.
upvoted 0 times
Felix
1 month ago
Hmm, this seems like a tricky one. I'll need to think carefully about the relationship between consequences and safety aspects.
upvoted 0 times
Johnna
1 month ago
Hmm, this is a tricky one. I'm not entirely sure about the differences between the options. I'll have to think this through carefully and try to eliminate the less likely answers.
upvoted 0 times