PECB Updated ISO-IEC-27001-Lead-Implementer Exam Questions and Answers by isobelle

According to ISO/IEC 27001:2022 Clause 6.1.3 (a), an organization must determine appropriate risk treatment options. ISO 27005:2022 (Clause 8.2.2) defines risk retention as:

“The decision to accept the risk without taking any action to reduce it, often because the cost of mitigation is greater than the benefit.”

The company assessed the likelihood and impact of the risk and decided not to mitigate, which qualifies as risk retention (also known as risk acceptance in ISO 27001 Clause 6.1.3(f)).

The primary requirement for the documented information of an ISMS (Information Security Management System) is that it must be appropriately controlled, maintained, and made available as necessary to support the operation and effectiveness of the ISMS.

Relevant Extract:

ISO/IEC 27001:2022, Clause 7.5 (Documented information) states:

"The organization’s information security management system shall include documented information required by this document and determined by the organization as being necessary for the effectiveness of the ISMS. Documented information required by the information security management system and by this document shall be controlled to ensure it is available and suitable for use, where and when it is needed."

ISO/IEC 27001:2022, Clause 7.5.3 (Control of documented information) specifically requires:

"Documented information required by the information security management system and by this document shall be controlled to ensure:

— it is available and suitable for use, where and when it is needed;

— it is adequately protected (e.g., from loss of confidentiality, improper use, or loss of integrity)."

There is no requirement for ISMS documentation to exist only in digital format (A), to be public (C), or to be arbitrarily flexible to any change trigger (B). Control and availability as needed are the requirements.

The correct answer is Option C, as it best upholds objectivity and impartiality while allowing the internal audit to proceed effectively.

ISO/IEC 27001:2022 Clause 9.2 – Internal audit requires that audits be conducted in a manner that ensures objectivity and impartiality. This requirement is further reinforced by ISO 19011, which states that auditors should not audit their own work and should avoid conflicts of interest.

In this scenario, the auditor:

Held daily operational responsibilities in the IT Department just three months ago.

Is now asked to audit the same department.

Although job descriptions clearly distinguish past and present roles, the risk of perceived or actual bias remains high due to the short time elapsed. A common best practice is a cooling-off period (often around one year), but ISO standards do not mandate a fixed duration.

Option A is incorrect because clear job descriptions alone do not eliminate bias risk.

Option B is too rigid; ISO/IEC 27001 does not mandate a one-year cooling-off period.

By conducting the audit jointly with a colleague from another department, the organization:

Preserves audit independence,

Introduces an objective perspective,

Mitigates conflict-of-interest concerns,

Remains compliant with Clause 9.2 and ISO 19011 guidance

The correct and verified answer is Option A – IMS2, which is the methodology specifically designed to support the implementation of ISO/IEC management system standards, including ISO/IEC 27001.

IMS2 (Integrated Management System methodology) is structured to align directly with Annex SL, the harmonized high-level structure used by ISO/IEC 27001:2022. It emphasizes:

Understanding organizational context

Planning based on risks and objectives

Resource and competence management

Phased implementation

Documented information and traceability

Continual improvement

Scenario 3 clearly reflects these elements: Infralink conducted planning, cost–benefit analysis, phased implementation, documentation with traceability, and alignment with business objectives—all hallmarks of the IMS2 methodology.

The other options are not appropriate:

PMBOK is a generic project management framework and does not specifically address ISMS or ISO Annex SL requirements.

ISO 10006 provides guidance on quality management in projects, not ISMS implementation.

ISO/IEC 27001:2022 requires a systematic, standards-aligned methodology for implementation, which IMS2 is designed to provide.