Exam ISO-IEC-27001-Lead-Auditor Topic 5 Question 106 Discussion
Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 106
Topic #: 5
Question
The top management of a company has designated specific personnel within the company to be responsible for reporting on the performance of the ISMS. These individuals are tasked with gathering relevant ISMS data, preparing reports, and ensuring that necessary information reaches the top management.
Does this approach align with ISO/IEC 27001 requirements?
Suggested Answer: A
This approach aligns with ISO/IEC 27001:2022 because the standard explicitly allows top management to assign responsibilities and authorities for the effective operation of the ISMS, including reporting on its performance. Clause 5.3 of ISO/IEC 27001 requires top management to ensure that roles, responsibilities, and authorities related to information security are assigned and communicated within the organization.
While top management remains ultimately accountable for the ISMS, the standard does not require them to personally gather data, prepare reports, or perform operational monitoring activities. In practice, these tasks are often delegated to ISMS managers, security teams, or other designated personnel who are better positioned to collect and analyze performance data. What matters is that the information reaches top management in a timely and accurate manner so they can fulfill their governance responsibilities.
Option B is incorrect because it misunderstands accountability versus responsibility. Top management is accountable for ISMS performance, but they are not required to perform all related tasks themselves. Option C is incorrect because ISO/IEC 27001 does not mandate that a Chief Information Security Officer must be the reporting authority. The organization is free to define roles based on its structure, size, and context.
Therefore, assigning specific personnel to report on ISMS performance is fully consistent with ISO/IEC 27001 requirements.
by Valentine at Jun 21, 2026, 01:47 PM