
ISO-IEC-27001-LEAD-AUDITOR Question #120: Real Exam Question with Answer & Explanation

The correct answers are B, E and F.

Question

You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members. The Service Manager says that the complaints were investigated as an information security incident, which found that they were justified. Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure. You write a nonconformity: "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members." Select three options from the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity.

Options

  • A. ABC asks an ISMS consultant to test the ABC Healthcare mobile app for protection against
  • B. This option is a possible correction and corrective action that ABC could take to address the
  • C. ABC confirms that information security control A.5.34 is contained in the Statement of
  • D. ABC discontinues the use of the ABC Healthcare mobile app.
  • E. This option is a possible corrective action that ABC could take to address the nonconformity.
  • F. This option is a possible corrective action that ABC could take to address the nonconformity.
  • G. ABC takes legal action against WeCare for breach of contract.
  • H. ABC trains all staff on the importance of maintaining information security protocols.

Explanation

The three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity are the following. A correction is the action taken to eliminate a detected nonconformity, while a corrective action is the action taken to eliminate the cause of a nonconformity and to prevent its recurrence.

By cancelling the service agreement with WeCare, ABC could stop the unauthorized use of residents' personal data and protect their privacy and rights. This could also prevent further complaints and legal issues from the residents and their family members. However, this option may also have some drawbacks, such as the loss of a service provider, the need to find an alternative solution, and the potential impact on the residents' well-being.

By introducing background checks on information security performance for all suppliers, ABC could ensure that it selects and works with reliable and trustworthy partners who respect the confidentiality, integrity, and availability of the information they handle. This could also help ABC to comply with information security control A.15.1.1 (Information security policy for supplier relationships; this is the ISO/IEC 27001:2013 numbering, corresponding to A.5.19 in the 2022 edition), which requires the organisation to agree and document information security requirements for mitigating the risks associated with supplier access to the organisation's

By periodically monitoring compliance with all applicable legislation and contractual requirements involving third parties, ABC could verify that the suppliers are fulfilling their obligations and responsibilities regarding information security. This could also help ABC to comply with information security control A.18.1.1 (Identification of applicable legislation and contractual requirements; ISO/IEC 27001:2013 numbering, corresponding to A.5.31 in the 2022 edition), which requires the organisation to identify, document, and keep up to date the relevant legislative, regulatory, contractual, and other requirements to which the organisation is
