Scenario 9: SkyFleet specializes in air freight services, providing fast and reliable transportation solutions for...

PECB ISO-IEC-27001-Lead-Implementer Question Answer

Scenario 9: SkyFleet specializes in air freight services, providing fast and reliable transportation solutions for businesses that need quick delivery of goods across long distances. Given the confidential nature of the information it handles, SkyFleet is committed to maintaining the highest information security standards. To achieve this, the company has had an information security management system (ISMS) based on ISO/IEC 27001 in operation for a year. To enhance its reputation, SkyFleet is pursuing certification against ISO/IEC 27001.

SkyFleet strongly emphasizes the ongoing maintenance of information security. In pursuit of this goal, it has established a rigorous review process, conducting in-depth assessments of the ISMS strategy every two years to ensure security measures remain robust and up to date. In addition, the company takes a balanced approach to nonconformities. For example, when employees fail to follow proper data encryption protocols for internal communications, SkyFleet assesses the nature and scale of this nonconformity. If this deviation is deemed minor and limited in scope, the company does not prioritize immediate resolution. However, a significant action plan was developed to address a major nonconformity involving the revamp of the company's entire data management system to ensure the protection of client data. SkyFleet entrusted the approval of this action plan to the employees directly responsible for implementing the changes. This streamlined approach ensures that those closest to the issues actively engage in the resolution process. SkyFleet's blend of innovation, dedication to information security, and adaptability has built its reputation as a key player in the IT and communications services sector.

Despite initially not being recommended for certification due to missed deadlines for submitting required action plans, SkyFleet undertook corrective measures to address these deficiencies in preparation for the next certification process. These measures involved analyzing the root causes of the delay, developing a corrective action plan, reassessing ISMS implementation to ensure compliance with ISO/IEC 27001 requirements, intensifying internal audit activities, and engaging with a certification body for a follow-up audit.

According to scenario 9, has SkyFleet accurately outlined the responsible party for approving its action plan for the revamp of the company's entire data management system?

Yes, the employees directly involved in implementing the actions should approve the action plans

No, the responsibility for approving action plans lies on top management

No, an independent third party should be responsible for approving action plans

Yes, any employee can approve as long as they are part of the team

Explanation:

According to ISO/IEC 27001:2022, the responsibility for ensuring that corrective actions (including major action plans for system-wide changes) are appropriate and adequately resourced rests with top management. While input from those directly implementing the changes is essential, the standard places ultimate accountability for the ISMS, including the approval of major action plans, on top management.

Relevant Extracts:

“Top management shall demonstrate leadership and commitment with respect to the information security management system by... ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization... ensuring the integration of the information security management system requirements into the organization’s processes; ensuring that the resources needed... are available.”

— ISO/IEC 27001:2022, Clause 5.1 (Leadership and commitment)

“Top management shall assign the responsibility and authority for... ensuring that the information security management system conforms to the requirements of this International Standard; reporting on the performance of the information security management system to top management.”

— ISO/IEC 27001:2022, Clause 5.3 (Organizational roles, responsibilities and authorities)

Approval of significant action plans (such as a full revamp of the data management system) is a management responsibility, as it can impact resourcing, strategy, and risk management at the organizational level. Input from those implementing the actions is vital for effectiveness, but the formal approval must come from top management or a designated authority within management.

[References:, , ISO/IEC 27001:2022, Clause 5.1 and 5.3 (Leadership, Roles, and Responsibilities), , ISO/IEC 27001:2022 Implementation Guidance, Section 10 (Corrective Action and Improvement), , Summary:, While operational staff and those implementing the plan should be closely involved in its creation and execution, top management must approve major corrective action plans. Therefore, the correct answer is:, , B. No, the responsibility for approving action plans lies on top management, ]

PECB ISO-IEC-27001-Lead-Implementer View All Questions

PECB ISO-IEC-27001-Lead-Implementer Summary

Vendor: PECB
Product: ISO-IEC-27001-Lead-Implementer
Update on: Jul 30, 2025
Questions: 293

Price: $52.5 ~~$149.99~~

Buy Now ISO-IEC-27001-Lead-Implementer PDF + Testing Engine Pack

Which of the following represents an example of The Open Security Architecture (TOGAF) framework?

What is the first phase in the information security policy development life cycle?

Weekend Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmasmnth

Scenario 9: SkyFleet specializes in air freight services, providing fast and reliable transportation solutions for...

The Answer Is:

Explanation:

PECB ISO-IEC-27001-Lead-Implementer Summary

Payments We Accept

Contact Us