PECB
LEAD-AUDITOR Question #102: Real Exam Question with Answer & Explanation
Question
You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure (Document reference ID: ISMS_L2_16, version 4). You review the document and notice a statement: "Any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of the phrase "weakness, event, and incident". The IT Security Manager explained that an online "information security handling" training seminar information security risk treatment plan has been established and implemented properly. You decide to interview the IT Security Manager.

You: Can you please explain how the organisation performs its information security risk assessment and treatment process?

IT Security Manager: We follow the information security risk management procedure, which generates a risk treatment plan.

Narrator: You review risk treatment plan No. 123 relating to the planned installation of an electronic (invisible) fence to improve the physical security of the nursing home. You found that the risk treatment plan was approved by the IT Security Manager.

You: Who is responsible for physical security risks?

IT Security Manager: The Facility Manager is responsible for the physical security risk. The IT department helps them to monitor the alarm. The Facility Manager is authorized to approve the budget for risk treatment plan No. 123.

You: What residual information security risks exist after risk treatment plan No. 123 was implemented?

IT Security Manager: There is no information for the acceptance of residual information security risks as far as I know.

You prepare your audit findings.
Select three options for findings that are justified in the scenario.
Options
- A. Nonconformity (NC) - The information for the acceptance of residual information security risks
- B. There is an opportunity for improvement (OI) to conduct security checks on the perimeter fence
- C. There is an opportunity for improvement (OI) once the electronic (invisible) fence is installed.
- D. Nonconformity (NC) - Top management must ensure that the resources needed for the ISMS are
- E. Nonconformity (NC) - The IT Security Manager should be aware of and understand his authority
- F. Nonconformity (NC) - The organization should provide the resources needed for the continual
- G. Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the
- H. It is good practice to adopt state-of-the-art technology as part of the continual improvement