PECB LEAD-IMPLEMENTER Exam Questions & Answers

Correct Answer: B

Explanation: According to ISO/IEC 27001:2022, clause 10.1, an action plan for nonconformities and corrective actions should include the following elements1: What needs to be done Who is responsible for doing it When it will be completed How the effectiveness of the actions will be evaluated How the results of the actions will be documented In scenario 9, the action plan only describes what needs to be done and who is responsible for doing it, but it does not specify when it will be completed, how the effectiveness of the actions will be evaluated, and how the results of the actions will be documented. Therefore, the action plan is not sufficient to eliminate the detected nonconformities. References:

1: ISO/IEC 27001:2022, Information technology -- Security techniques -- Information security management systems -- Requirements, clause 10.1, Nonconformity and corrective action.

Correct Answer: B

Explanation: The statement describes the organizational boundaries of the ISMS scope, which define which parts of the organization are included or excluded from the ISMS. The organizational boundaries can be based on criteria such as departments, functions, processes, activities, or locations. In this case, the statement specifies that the ISMS covers all departments within Company XYZ that have access to customers' data, and excludes the ones that do not. The statement also explains the purpose of the ISMS, which is to ensure the confidentiality, integrity, and availability of customers' data, and ensure compliance with the applicable regulatory requirements regarding information security. The statement does not describe the information systems boundary of the ISMS scope, which defines which information systems are included or excluded from the ISMS. The information systems boundary can be based on criteria such as hardware, software, networks, databases, or applications. The statement does not mention any specific information systems that are covered by the ISMS. The statement also does not describe the physical boundary of the ISMS scope, which defines which physical locations are included or excluded from the ISMS. The physical boundary can be based on criteria such as buildings, rooms, cabinets, or devices. The statement does not mention any specific physical locations that are covered by the ISMS. References: ISO/IEC 27001:2013, clause 4.3: Determining the scope of the information security management system ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit ISO/IEC 27001 scope statement | How to set the scope of your ISMS - Advisera1 How to Write an ISO 27001 Scope Statement (+3 Examples) - Compleye2 How To Use an Information Flow Map to Determine Scope of Your ISMS3 ISMS SCOPE DOCUMENT - Resolver4 Define the Scope and Objectives - ISMS Info5

Correct Answer: C

Explanation: According to ISO/IEC 27001:2022, clause 9.1, the organization shall determine:

what needs to be monitored and measured, including information security processes and controls, as well as information security performance and the effectiveness of the ISMS;

the methods for monitoring, measurement, analysis and evaluation, to ensure valid and reliable results;

when the monitoring and measurement shall be performed; who shall monitor and measure;

who shall analyze and evaluate the monitoring and measurement results; and how the results shall be communicated and used for decision making and improvement.

The organization shall retain documented information as evidence of the monitoring and measurement results.

The standard does not prescribe a specific frequency or method for monitoring and measurement, but it requires the organization to have a defined and documented process that is appropriate to its context, objectives, risks, and

opportunities. The organization should also ensure that the monitoring and measurement results are analyzed and evaluated to determine the performance and effectiveness of the ISMS, and to identify any nonconformities, gaps, or

improvement opportunities. In the scenario, SunDee did not comply with these requirements, as it did not have a monitoring and measurement process in place, and did not monitor or measure the performance and effectiveness of its ISMS

regularly. It also did not use valid and reliable methods, or communicate and use the results for improvement. Therefore, SunDee's negligence of ISMS performance evaluation was a major nonconformity, as Tessa correctly identified.

References: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements, clause 9.1; PECB ISO/IEC 27001 Lead Implementer Course, Module 9: Monitoring,

Measurement, Analysis and Evaluation.