PECB ISO-IEC-27001-Lead-Implementer Exam With Confidence Using Practice Dumps

The correct answer is Option C, as it best upholds objectivity and impartiality while allowing the internal audit to proceed effectively.

ISO/IEC 27001:2022 Clause 9.2 – Internal audit requires that audits be conducted in a manner that ensures objectivity and impartiality. This requirement is further reinforced by ISO 19011, which states that auditors should not audit their own work and should avoid conflicts of interest.

In this scenario, the auditor:

Held daily operational responsibilities in the IT Department just three months ago.

Is now asked to audit the same department.

Although job descriptions clearly distinguish past and present roles, the risk of perceived or actual bias remains high due to the short time elapsed. A common best practice is a cooling-off period (often around one year), but ISO standards do not mandate a fixed duration.

Option A is incorrect because clear job descriptions alone do not eliminate bias risk.

Option B is too rigid; ISO/IEC 27001 does not mandate a one-year cooling-off period.

By conducting the audit jointly with a colleague from another department, the organization:

Preserves audit independence,

Introduces an objective perspective,

Mitigates conflict-of-interest concerns,

Remains compliant with Clause 9.2 and ISO 19011 guidance

According to the ISO/IEC 27001:2022 Lead Implementer objectives and content, the maturity levels of information security controls are based on the ISO/IEC 15504 standard, which defines five levels of process capability: incomplete, performed, managed, established, and optimized1. Each level has a set of attributes that describe the characteristics of the process at that level. The level of defined corresponds to the attribute of process performance, which means that the process achieves its expected outcomes2. In this case, the control of two-factor authentication has been documented, standardized, and communicated, which implies that it has a clear purpose and expected outcomes. However, the control is not consistently implemented, monitored, or measured, which means that it does not meet the attributes of the higher levels of managed, established, or optimized. Therefore, the control is at the level of defined, which is the second level of maturity.

1: ISO/IEC 27001:2022 Lead Implementer Course Brochure, page 5

2: ISO/IEC 27001:2022 Lead Implementer Course Presentation, slide 25

Annex A control A.8.26 Application security requirements mandates that security requirements must be identified, specified, and approved during the development or acquisition of applications.

“Information security requirements shall be identified, specified and approved when developing or acquiring applications.”

— ISO/IEC 27001:2022, Annex A, Control 8.26 Application security requirementsQuestion No. 22/80

What iS the purpose of ISO,'IEC 27002 clause 8ü8?

TO ensure all security requitements are addressed during application development

To ensure software is written securely to reduce information security vulnerabilities

To ensure secure system design principles are followed