PECB LEAD-AUDITOR Question #107: Real Exam Question with Answer & Explanation
Question
You are the audit team leader conducting a third-party audit of an online insurance organisation. During Stage 1, you found that the organisation took a very cautious risk approach and included all the information security controls in ISO/IEC 27001:2022 Appendix A in their Statement of Applicability. During the Stage 2 audit, your audit team found that there was no evidence of the implementation of the three controls (5.3 Segregation of duties, 6.1 Screening, 7.12 Cabling security) shown in the extract from the Statement of Applicability. No risk treatment plan was found. Select three options for the actions you would expect the auditee to take in response to a nonconformity against clause 6.1.3.e of ISO/IEC 27001:2022.
Exhibit
Options
- A. Allocate responsibility for producing evidence to prove to auditors that the controls are
- B. Compile plans for the periodic assessment of the risks associated with the controls.
- C. Implement the appropriate risk treatment for each of the applicable controls.
- D. Incorporate written procedures for the controls into the organisation's Security Manual.
- E. Remove the three controls from the Statement of Applicability.
- F. Revise the relevant content in the Statement of Applicability to justify their exclusion.
- G. Revisit the risk assessment process relating to the three controls.
- H. Undertake a survey of customers to find out if the controls are needed by them.