nerdexam
PECB

ISO-IEC-27001-LEAD-AUDITOR · Question #304

ISO-IEC-27001-LEAD-AUDITOR Question #304: Real Exam Question with Answer & Explanation

The correct answer is C. No, information security objectives must be established, taking into account risk assessment. ISO/IEC 27001 Clause 6.2 (Information Security Objectives and Planning to Achieve Them) requires information security objectives to be based on risk assessment results. Thus, Clinic did not follow the correct sequence in establishing security objectives before conducting a risk a

Question

Scenario 2: Clinic, founded in the 1990s, is a medical device company that specializes in treatments for heart- related conditions and complex surgical interventions. Based in Europe, it serves both patients and healthcare professionals. Clinic collects patient data to tailor treatments, monitor outcomes, and improve device functionality. To enhance data security and build trust, Clinic is implementing an information security management system (ISMS) based on ISO/IEC 27001. This initiative demonstrates Clinic's commitment to securely managing sensitive patient information and proprietary technologies. Clinic established the scope of its ISMS by solely considering internal issues, interfaces, dependencies between internal and outsourced activities, and the expectations of interested parties. This scope was carefully documented and made accessible. In defining its ISMS, Clinic chose to focus specifically on key processes within critical departments such as Research and Development, Patient Data Management, and Customer Support. Despite initial challenges, Clinic remained committed to its ISMS implementation, tailoring security controls to its unique needs. The project team excluded certain Annex A controls from ISO/IEC 27001 while incorporating additional sector-specific controls to enhance security. The team evaluated the applicability of these controls against internal and external factors, culminating in the development of a comprehensive Statement of Applicability (SoA) detailing the rationale behind control selection and implementation. As preparations for certification progressed, Brian, appointed as the team leader, adopted a self- directed risk assessment methodology to identify and evaluate the company's strategic issues and security practices. This proactive approach ensured that Clinic's risk assessment aligned with its objectives and mission. Based on Scenario 2, Clinic initially defined its information security objectives and then conducted a risk assessment. Is this acceptable?

Options

  • AYes, because objectives can be adjusted later to fit the risk assessment results
  • BNo, because the risk assessment should be conducted only once objectives are fully
  • CNo, information security objectives must be established, taking into account risk assessment

Explanation

ISO/IEC 27001 Clause 6.2 (Information Security Objectives and Planning to Achieve Them) requires information security objectives to be based on risk assessment results. Thus, Clinic did not follow the correct sequence in establishing security objectives before conducting a risk assessment.

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full ISO-IEC-27001-LEAD-AUDITOR Practice