PECB Updated ISO-IEC-27001-Lead-Implementer Exam Questions and Answers by cohen

ISO/IEC 27001:2022 Annex A organizes controls into organizational (administrative), physical, people, and technological categories. Analyzing BotanéBloom ' s three controls: (1) WAF deployment = Technical control (a technological security measure), (2) weekly management reviews = Administrative control (organizational governance process), (3) revised job descriptions = Administrative/People control (defining roles and responsibilities). None of the implemented controls constitute Legal controls — which would involve contractual agreements, regulatory compliance measures, or legally binding security obligations such as NDAs, data processing agreements, or supplier security clauses. Legal controls are used to govern security obligations through formal agreements. Since no legal instruments were referenced in BotanéBloom ' s control implementation, Legal controls were not implemented per this scenario.

================

 According to the ISO/IEC 27001:2022 standard, an internal audit is an audit conducted by the organization itself to evaluate the conformity and effectiveness of its information security management system (ISMS). The standard requires that the internal audit should be performed by auditors who are objective and impartial, meaning that they should not have any personal or professional interest or bias that could influence their judgment or compromise their integrity. The standard also allows the organization to outsource the internal audit function to a third party, as long as the criteria of objectivity and impartiality are met.

Outsourcing the internal audit function to a third party can be a better option for small organizations that may not have enough resources, skills, or experience to perform an internal audit by themselves. By hiring an external auditor, the organization can benefit from the following advantages:

The external auditor can provide a fresh and independent perspective on the organization’s ISMS, identifying strengths, weaknesses, opportunities, and threats that may not be apparent to the internal staff.

The external auditor can bring in specialized knowledge, expertise, and best practices from other organizations and industries, helping the organization to improve its ISMS and achieve its objectives.

The external auditor can reduce the risk of conflict of interest, bias, or influence that may arise when the internal staff audit their own work or the work of their colleagues.

The external auditor can save the organization time and money by conducting the internal audit more efficiently and effectively, avoiding duplication of work or unnecessary delays.

Therefore, outsourcing the internal audit function to a third party is acceptable and often preferable for small organizations that are implementing an ISMS based on ISO/IEC 27001.

ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 9.2, Internal audit

ISO/IEC 27007:2023, Information technology — Security techniques — Guidelines for information security management systems auditing

PECB, ISO/IEC 27001 Lead Implementer Course, Module 12, Internal audit

A Complete Guide to an ISO 27001 Internal Audit - Sprinto

The statement describes the organizational boundaries of the ISMS scope, which define which parts of the organization are included or excluded from the ISMS. The organizational boundaries can be based on criteria such as departments, functions, processes, activities, or locations. In this case, the statement specifies that the ISMS covers all departments within Company XYZ that have access to customers’ data, and excludes the ones that do not. The statement also explains the purpose of the ISMS, which is to ensure the confidentiality, integrity, and availability of customers’ data, and ensure compliance with the applicable regulatory requirements regarding information security.

The statement does not describe the information systems boundary of the ISMS scope, which defines which information systems are included or excluded from the ISMS. The information systems boundary can be based on criteria such as hardware, software, networks, databases, or applications. The statement does not mention any specific information systems that are covered by the ISMS.

The statement also does not describe the physical boundary of the ISMS scope, which defines which physical locations are included or excluded from the ISMS. The physical boundary can be based on criteria such as buildings, rooms, cabinets, or devices. The statement does not mention any specific physical locations that are covered by the ISMS.

ISO/IEC 27001:2013, clause 4.3: Determining the scope of the information security management system

ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001

ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001

ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001

ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001

ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit

ISO/IEC 27001 scope statement | How to set the scope of your ISMS - Advisera1

How to Write an ISO 27001 Scope Statement (+3 Examples) - Compleye2

How To Use an Information Flow Map to Determine Scope of Your ISMS3

ISMS SCOPE DOCUMENT - Resolver4

Define the Scope and Objectives - ISMS Info5

In Scenario 9, once NeuroTrustMed confirmed that the onboarding inconsistencies were caused by a misconfigured HR-to-IT workflow step, the organization documented the issue in the ISMS log. This action corresponds to the identification and documentation of the nonconformity, which is an early and mandatory step in the collective (corrective) action process.

ISO/IEC 27001:2022 Clause 10.2 – Nonconformity and corrective action requires organizations to:

“react to the nonconformity, and as applicable, take action to control and correct it,”

and

“retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken.”

The scenario explicitly mentions that the documentation included:

Description of the issue

Impacted systems

Affected users

A brief risk assessment

This clearly demonstrates formal identification and recording, not evaluation of solution options or follow-up verification.

Option B (Evaluation of options) would involve comparing alternative corrective actions, which is not described here.

Option C (Follow-up and review of corrective actions) occurs later, after implementation, which is also not the focus of this step.