Exam ISO-IEC-27001-Lead-Implementer Topic 4 Question 71 Discussion
Actual exam question for PECB's ISO-IEC-27001-Lead-Implementer exam
Question #: 71
Topic #: 4
Scenario 10: CircuitLinking is a company specializing in water purification solutions, designing and manufacturing efficient filtration and treatment systems for both residential and commercial applications.
Over the past two years, the company has actively implemented an integrated management system (IMS) that aligns with both ISO/IEC 27001 for information security and ISO 9001 for quality management. Recently, the company has taken a significant step forward by applying for a combined audit, aiming to achieve certification against both ISO/IEC 27001 and ISO 9001.
In preparation for the certification audit, CircuitLinking ensured a clear understanding of ISO/IEC 27001 within the company and identified key subject-matter experts to assist the auditors. It also allocated sufficient resources and performed a self-assessment to verify that processes were clearly defined, roles and responsibilities were segregated, and documented information was maintained. To avoid delays, the company gathered all necessary documentation in advance to provide evidence that procedures were in place and effective.
Following the successful completion of the Stage 1 audit, which focused on verifying the design of the management system, the Stage 2 audit was conducted to examine the implementation and effectiveness of the information security and quality management systems.
One of the auditors, Megan, was a previous employee of the company. To uphold the integrity of the certification process, the company notified the certification body about the potential conflict of interest and requested an auditor change. Subsequently, the certification body selected a replacement, ensuring impartiality. Additionally, the company requested a background check of the audit team members; however, the certification body denied this request. The necessary adjustments to the audit plan were made, and transparent communication with stakeholders was maintained.
The audit process continued seamlessly under the new auditor's guidance. Upon audit completion, the certification body evaluated the results and conclusions of the audit and CircuitLinking's public information and awarded CircuitLinking the combined certification.
A recertification audit for CircuitLinking was conducted to verify that the company's management system continued to meet the required standards and remained effective within the defined scope of certification.
CircuitLinking had implemented significant changes to its management system, including a major overhaul of its information security processes, the adoption of new technology platforms, and adjustments to comply with recent changes in industry legislation. Due to these substantial updates, the recertification audit required a Stage 1 assessment to evaluate the impact of these changes.
According to Scenario 10, the certification body evaluated the results and conclusions of the audit and CircuitLinking's public information when making the certification decision. Is this acceptable?
Suggested Answer: C
ISO/IEC 17021-1:2015 (which sets out the requirements for bodies providing audit and certification of management systems, referenced in ISO/IEC 27001 certification practices) clearly states that the certification body must consider all relevant information when making a certification decision. This includes audit findings and other information, such as public information that may affect the decision, as long as it is relevant and objective.
Relevant Extract:
ISO/IEC 17021-1:2015, Clause 9.5.1 states:
"The certification body shall make decisions regarding granting, maintaining, renewing, extending, reducing, suspending or withdrawing certification based on an evaluation of audit findings and conclusions and any other relevant information (e.g., public information, complaints, etc.)."
ISO/IEC 27001:2022 Implementation Guidance supports this:
"Certification bodies may use other relevant information, such as publicly available data, to ensure the integrity and accuracy of the certification process."
The certification decision should not be based solely on audit findings (B is incorrect) nor exclusively on auditor opinion (A is incorrect), but must include any relevant information; this may include public records, regulatory notices, and complaints that can impact certification status.
References:
ISO/IEC 17021-1:2015, Clause 9.5.1
ISO/IEC 27001:2022 Implementation Guidance, Certification Decisions
Summary:
It is not only acceptable but required by ISO/IEC 17021-1 for the certification body to use any relevant information (including public information) to ensure a fair and thorough certification decision.
C). Yes, the certification body must make the certification decision based on other relevant information, such as public information
by Timothy at May 24, 2026, 01:11 PM