ISO-IEC-27001-LEAD-AUDITOR Question #136: Real Exam Question with Answer & Explanation

You are conducting an ISMS audit. The next step in your audit plan is to verify that the organisation's information security risk treatment plan has been established and implemented properly. You decide to interview the IT security manager. You: Can you please explain how the organisation performs its information security risk assessment and treatment process? IT Security Manager: We follow the information security risk management procedure which generates a risk treatment plan. Narrator: You review risk treatment plan No. 123 relating to the planned installation of an electronic (invisible) fence to improve the physical security of the nursing home. You found the risk treatment plan was approved by IT Security Manager. You: Who is responsible for physical security risks? IT Security Manager: The Facility Manager is responsible for the physical security risk. The IT department helps them to monitor the alarm. The Facility Manager is authorized to approve the budget for risk treatment plan No. 123. You: What residual information security risks exist after risk treatment plan No. 123 was implemented? IT Security Manager: There is no information for the acceptance of residual information security risks as far as I know. You prepare your audit findings. Select three options for findings that are justified in the scenario.