You are conducting an ISMS audit.

PECB ISO-IEC-27001-Lead-Auditor Question Answer

You are conducting an ISMS audit. The next step in your audit plan is to verify that the organisation's

information security risk treatment plan has been established and implemented properly. You decide to

interview the IT security manager.

You: Can you please explain how the organisation performs its information security risk assessment and

treatment process?

IT Security Manager: We follow the information security risk management procedure which generates a

risk treatment plan.

Narrator: You review risk treatment plan No. 123 relating to the planned installation of an electronic

(invisible) fence to improve the physical security of the nursing home. You found the risk treatment plan was

approved by IT Security Manager.

You: Who is responsible for physical security risks?

IT Security Manager: The Facility Manager is responsible for the physical security risk. The IT department helps them to monitor the alarm. The Facility Manager is authorized to approve the budget for risk treatment plan No. 123.

You: What residual information security risks exist after risk treatment plan No. 123 was implemented?

IT Security Manager: There is no information for the acceptance of residual information security risks as far as I know.

You prepare your audit findings. Select three options for findings that are justified in the scenario.

Nonconformity (NC) - The information for the acceptance of residual information security risks should be updated after the risk treatment is implemented. Clause 6.1.3.f

There is an opportunity for improvement (OI) to conduct security checks on the perimetre fence

There is an opportunity for improvement (OI) once the Electronic (invisible) fence is installed. Residents' physical security is improved

Nonconformity (NC) - Top management must ensure that the resources needed for the ISMS are available. Clause 5.1.c

Nonconformity (NC) - The IT security manager should be aware of and understand his authority and area of responsibility. Clause 7.3

Nonconformity (NC) - The organization should provide the resources needed for the continual improvement of the ISMS. Clause 7.1

Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the Facility Manager in this case. Clause 6.1.3.f

Explanation:

The three options for findings that are justified in the scenario are:

•Nonconformity (NC) - The information for the acceptance of residual information security risks should be updated after the risk treatment is implemented. Clause 6.1.3.f

•Nonconformity (NC) - The IT security manager should be aware of and understand his authority and area of responsibility. Clause 7.3

•Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the Facility Manager in this case. Clause 6.1.3.f

According to ISO/IEC 27001:2022, clause 6.1.3.f, the organisation must retain documented information that includes the information for the acceptance of residual information security risks, and the approval of the risk treatment plan by the risk owner1. Therefore, option A and G are justified as nonconformities, because the organisation failed to update the information for the acceptance of residual risks, and the risk treatment plan was approved by the IT security manager, who is not the risk owner.

According to ISO/IEC 27001:2022, clause 7.3, the organisation must ensure that the persons assigned to perform the roles and responsibilities for the ISMS are competent, and are aware of the consequences of not conforming to the ISMS requirements2. Therefore, option E is justified as a nonconformity, because the IT security manager, who is responsible for the information security risk management process, was not aware of his authority and area of responsibility.

The other options are not justified as findings, because they are either irrelevant or incorrect. For example:

•Option B is irrelevant, because it is not related to the information security risk treatment plan No. 123, which is the focus of the audit.

•Option C is incorrect, because it is not an opportunity for improvement, but rather a benefit of the risk treatment plan No. 123, which is already implemented.

•Option D is incorrect, because it is not a nonconformity, but rather a requirement for the organisation to provide the resources needed for the ISMS, which is not the same as the resources needed for the risk treatment plan No. 123.

•Option F is incorrect, because it is not a nonconformity, but rather a requirement for the organisation to provide the resources needed for the continual improvement of the ISMS, which is not the same as the resources needed for the risk treatment plan No. 123.

•Option H is irrelevant, because it is not a finding, but rather a good practice, which is not the objective of the audit.

References: 1: ISO/IEC 27001:2022, 6.1.3.f; 2: ISO/IEC 27001:2022, 7.3; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022

PECB ISO-IEC-27001-Lead-Auditor View All Questions