Exam ISO-IEC-27001-Lead-Implementer Topic 2 Question 11 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Implementer exam
Question #: 11
Topic #: 2
Scenario 9: SkyFleet specializes in air freight services, providing fast and reliable transportation solutions for businesses that need quick delivery of goods across long distances. Given the confidential nature of the information it handles, SkyFleet is committed to maintaining the highest information security standards. To achieve this, the company has had an information security management system (ISMS) based on ISO/IEC 27001 in operation for a year. To enhance its reputation, SkyFleet is pursuing certification against ISO/IEC 27001.
SkyFleet strongly emphasizes the ongoing maintenance of information security. In pursuit of this goal, it has established a rigorous review process, conducting in-depth assessments of the ISMS strategy every two years to ensure security measures remain robust and up to date. In addition, the company takes a balanced approach to nonconformities. For example, when employees fail to follow proper data encryption protocols for internal communications, SkyFleet assesses the nature and scale of this nonconformity. If this deviation is deemed minor and limited in scope, the company does not prioritize immediate resolution. However, a significant action plan was developed to address a major nonconformity involving the revamp of the company's entire data management system to ensure the protection of client data. SkyFleet entrusted the approval of this action plan to the employees directly responsible for implementing the changes. This streamlined approach ensures that those closest to the issues actively engage in the resolution process. SkyFleet's blend of innovation, dedication to information security, and adaptability has built its reputation as a key player in the IT and communications services sector.
Despite initially not being recommended for certification due to missed deadlines for submitting required action plans, SkyFleet undertook corrective measures to address these deficiencies in preparation for the next certification process. These measures involved analyzing the root causes of the delay, developing a corrective action plan, reassessing ISMS implementation to ensure compliance with ISO/IEC 27001 requirements, intensifying internal audit activities, and engaging with a certification body for a follow-up audit.
Based on Scenario 9, SkyFleet did not take any measures in certain situations in which employees did not behave as expected by its procedures and policies. Is this acceptable?

Suggested Answer: C

According to ISO/IEC 27001:2022, organizations must address nonconformities, regardless of their scale or scope, to ensure the effectiveness of the ISMS. Clause 10.1 ("Nonconformity and corrective action") states:
"When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) make changes to the information security management system, if necessary."
- ISO/IEC 27001:2022, Clause 10.1
The standard does not provide exceptions for minor or limited-scope nonconformities. All nonconformities must be addressed to prevent recurrence and to maintain and improve the ISMS. Failure to do so would be a direct violation of the ISO/IEC 27001:2022 requirements and could lead to a loss of certification or an increased risk to the organization.
References:
ISO/IEC 27001:2022, Clause 10.1 ("Nonconformity and corrective action")
ISO/IEC 27001:2022 Implementation Guide, Section 10 (Continual improvement and corrective action)
Summary:
Regardless of the scale or the number of employees involved, SkyFleet must take corrective action when procedures and policies are not followed. The correct answer is:
C). No, they should have taken action to control and correct it

by Malcolm at Mar 12, 2026, 01:43 AM
