PECB Updated ISO-IEC-27001-Lead-Implementer Exam Questions and Answers by cruz

According to the ISO/IEC 27001:2022 Lead Implementer objectives and content, the maturity levels of information security controls are based on the ISO/IEC 15504 standard, which defines five levels of process capability: incomplete, performed, managed, established, and optimized1. Each level has a set of attributes that describe the characteristics of the process at that level. The level of defined corresponds to the attribute of process performance, which means that the process achieves its expected outcomes2. In this case, the control of two-factor authentication has been documented, standardized, and communicated, which implies that it has a clear purpose and expected outcomes. However, the control is not consistently implemented, monitored, or measured, which means that it does not meet the attributes of the higher levels of managed, established, or optimized. Therefore, the control is at the level of defined, which is the second level of maturity.

1: ISO/IEC 27001:2022 Lead Implementer Course Brochure, page 5

2: ISO/IEC 27001:2022 Lead Implementer Course Presentation, slide 25

Annex A Control A.6.1 of ISO/IEC 27001:2022 (and ISO/IEC 27002:2022 Clause 6.1) covers Screening:

“Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.”

If collective agreements (e.g., labor union agreements) or local labor laws prohibit such checks, this is a valid justification for exclusion in the Statement of Applicability (SoA), per ISO/IEC 27001:2022 Clause 6.1.3 (d), which allows exclusions when properly justified.

 According to ISO/IEC 27001:2013, clause 9.3, the top management of an organization must review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review must consider the status of actions from previous management reviews, changes in external and internal issues, the performance and effectiveness of the ISMS, feedback from interested parties, results of risk assessment and treatment, and opportunities for continual improvement. The management review must also result in decisions and actions related to the ISMS policy and objectives, resources, risks and opportunities, and improvement. The management review is a critical process that demonstrates the commitment and involvement of the top management in the ISMS and its alignment with the strategic direction of the organization. The management review also provides input for the internal audit and the certification audit.

SunDee has neglected to conduct management reviews regularly, which means that it has not fulfilled the requirement of clause 9.3. This is a major nonconformity that could jeopardize the renewal of the ISMS certificate. The certification body will verify whether SunDee has conducted management reviews and whether they have been effective and documented. If SunDee cannot provide evidence of management reviews, it will have to take corrective actions and undergo a follow-up audit before the certificate can be renewed. Alternatively, the certification body may decide to suspend or withdraw the certificate if SunDee fails to address the nonconformity within a specified time frame.

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, clause 9.3

PECB, ISO/IEC 27001 Lead Implementer Course, Module 9: Performance evaluation, measurement, and monitoring of an ISMS based on ISO/IEC 27001

PECB, ISO/IEC 27001 Lead Implementer Exam Preparation Guide, Section 9: Performance evaluation, measurement, and monitoring of an ISMS based on ISO/IEC 27001