
PECB ISO-IEC-27001-Lead-Implementer Exam - Topic 5 Question 68 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Implementer exam
Question #: 68
Topic #: 5

Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers. During an internal audit, its internal auditor, Tim, identified nonconformities related to the monitoring procedures. He identified and evaluated several system vulnerabilities.

Tim found out that user IDs for systems and services that process sensitive information had been reused and that the access control policy had not been followed. After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan. The action plan, approved by top management, was written as follows:

A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department.

The approved action plan was implemented and all actions described in the plan were documented.

Based on scenario 9, did the ISMS project manager complete the corrective action process appropriately?

Suggested Answer: C

According to ISO/IEC 27001:2022, the corrective action process consists of the following steps [1][2]:

Reacting to the nonconformity and, as applicable, taking action to control and correct it and deal with the consequences

Evaluating the need for action to eliminate the root cause(s) of the nonconformity, in order that it does not recur or occur elsewhere

Implementing the action needed

Reviewing the effectiveness of the corrective action taken

Making changes to the information security management system, if necessary

In scenario 9, the ISMS project manager did not complete the last step of reviewing the effectiveness of the corrective action taken. This step is important to verify that the corrective action has achieved the intended results and that no adverse effects have been introduced. The review can be done using various methods, such as audits, tests, inspections, or performance indicators [3]. Therefore, the ISMS project manager did not complete the corrective action process appropriately.

[1] ISO/IEC 27001:2022, clause 10.2
[2] Procedure for Corrective Action [ISO 27001 templates]
[3] ISO 27001 Clause 10.2 Nonconformity and corrective action


Comments:
Cassi
17 days ago
I feel like just having a new access control policy isn't enough. The root cause needs to be tackled more directly, right?
upvoted 0 times
Jules
22 days ago
I remember a practice question that emphasized the importance of reviewing the implementation of corrective actions. That might be a missing step here.
upvoted 0 times
Joye
27 days ago
I think the ISMS project manager did a good job identifying the nonconformity and creating an action plan, but I'm not sure if they fully addressed the root cause.
upvoted 0 times
