PECB ISO-IEC-27001-Lead-Implementer Dumps

According to ISO/IEC 27001:2022, clause 10.1, corrective actions are actions taken to eliminate the root causes of nonconformities and prevent their recurrence, while preventive actions are actions taken to eliminate the root causes of potential nonconformities and prevent their occurrence. In scenario 9, OpenTech has taken corrective actions to address the nonconformity related to the monitoring procedures, but not preventive actions to avoid similar nonconformities in the future. For example, OpenTech could have taken preventive actions such as conducting regular reviews of the access control policy, providing training and awareness to the staff on the policy, or implementing automated controls to prevent user ID reuse.

References:

• ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, clause 10.1
• PECB, ISO/IEC 27001 Lead Implementer Course, Module 8: Performance evaluation, improvement and certification audit of an ISMS, slide 8.3.1.1

According to ISO/IEC 27001, interested parties are those who can affect, be affected by, or perceive themselves to be affected by the organization’s information security activities, products, or services. Interested parties can be classified into four categories based on their influence and interest in the ISMS:

• Positively influenced interested parties: those who benefit from the ISMS and support its implementation and operation
• Negatively influenced interested parties: those who are adversely affected by the ISMS and oppose its implementation and operation
• High-interest interested parties: those who have a strong interest in the ISMS and its outcomes, regardless of their influence
• Low-interest interested parties: those who have a weak interest in the ISMS and its outcomes, regardless of their influence

In scenario 5, the HR manager of Operaze belongs to the category of negatively influenced interested parties, because he/she perceives that the ISMS will create more paperwork and documentation for the HR Department, and therefore opposes its implementation and operation. The HR manager does not benefit from the ISMS and does not support its objectives and requirements.

References:

• ISO/IEC 27001:2013, clause 4.2: Understanding the needs and expectations of interested parties
• ISO/IEC 27001:2013, Annex A.18.1.4: Assessment of and decision on information security events
• ISO/IEC 27001 Lead Implementer Course, Module 2: Introduction to Information Security Management System (ISMS) concepts as required by ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit

An access control software is a type of preventive control that is designed to limit the access to sensitive files and information based on the user’s identity, role, or authorization level. An access control software helps to protect the confidentiality, integrity, and availability of the information by preventing unauthorized users from viewing, modifying, or deleting it. An access control software also helps to create an audit trail that records who accessed what information and when, which can be useful for accountability and compliance purposes.

The IT Department of a financial institution decided to implement preventive controls to avoid potential security breaches. Therefore, they separated the development, testing, and operating equipment, secured their offices, and used cryptographic keys. However, they are seeking further measures to enhance their security and minimize the risk of security breaches. An access control software would help the IT Department achieve this objective by adding another layer of protection to their sensitive files and information, and ensuring that only authorized personnel can access them.

References:

• ISO/IEC 27001:2022 Lead Implementer Course Guide1
• ISO/IEC 27001:2022 Lead Implementer Info Kit2
• ISO/IEC 27001:2022 Information Security Management Systems - Requirements3
• ISO/IEC 27002:2022 Code of Practice for Information Security Controls4
• What are Information Security Controls? - SecurityScorecard4
• What Are the Types of Information Security Controls? - RiskOptics2
• Integrity is the property of safeguarding the accuracy and completeness of information and processing methods. A breach of integrity occurs when information is modified or destroyed in an unauthorized or unintended manner. In this case, Diana accidently modified the order details of a customer without their permission, which resulted in the customer receiving an incorrect product. This means that the information about the customer’s order was not accurate or complete, and therefore, the integrity principle was breached. Availability and confidentiality are two other information security principles, but they were not violated in this case. Availability is the property of being accessible and usable upon demand by an authorized entity, and confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems.
• References: ISO/IEC 27001:2022 Lead Implementer Course Content, Module 5: Introduction to Information Security Controls based on ISO/IEC 27001:20221; ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, Clause 3.7: Integrity2

According to ISO/IEC 27001:2022, clause 7.5.1, the organization shall ensure that the documented information required by the ISMS and by this document is controlled to ensure that it is available and suitable for use, where and when it is needed, and that it is adequately protected. This includes ensuring that the documented information is reviewed and approved for suitability and adequacy. The information security procedures are part of the documented information that supports the operation of the ISMS processes and the implementation of the information security controls. Therefore, they should be drafted, reviewed, and validated by the information security committee, which is the group of people responsible for overseeing the ISMS and ensuring its alignment with the organization’s objectives and strategy. The information security committee should include representatives from different functions and levels of the organization, as well as external experts if needed. The information security committee should also ensure that the information security procedures are communicated to the relevant employees and other interested parties, and that they are periodically reviewed and updated as necessary.

References:

• ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, clauses 5.3, 7.5.1, and 9.3
• ISO/IEC 27001:2022 Lead Implementer objectives and content, 4 and 5

A demilitarized zone (DMZ) is a network segment that separates the internal network from the external network, such as the Internet. It is used to host public services that need to be accessible from outside the organization, such as web servers, email servers, or DNS servers. A DMZ provides a layer of protection for the internal network by limiting the exposure of the public services and preventing unauthorized access from the external network. A DMZ is an example of a preventive control, which is a type of control that aims to prevent or deter the occurrence of an information security incident. Preventive controls reduce the likelihood of a threat exploiting a vulnerability and causing harm to the organization’s information assets. Other examples of preventive controls are encryption, authentication, firewalls, antivirus software, and security awareness training.

References:

• ISO/IEC 27001 : 2022 Lead Implementer Study Guide, Section 8.2.3.2.1, page 162
• ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 13
• ISO/IEC 27002 : 2022, Section 13.1.3, page 66

 Risk modification is one of the four risk treatment options defined by ISO/IEC 27001, which involves applying controls to reduce the likelihood and/or impact of the risk. By requiring its employees to change their email passwords at least once every 60 days, Company A has implemented a risk modification option to reduce the risk of unauthorized access to its email accounts. Changing passwords frequently can make it harder for attackers to guess or crack the passwords, and can limit the damage if a password is compromised.

The other three risk treatment options are:

• Risk avoidance: This option involves eliminating the risk source or discontinuing the activity that causes the risk. For example, Company A could avoid the risk of email compromise by not using email at all, but this would also mean losing the benefits of email communication.
• Risk retention: This option involves accepting the risk and its consequences, either because the risk is too low to justify any treatment, or because the cost of treatment is too high compared to the potential loss. For example, Company A could retain the risk of email compromise by not implementing any security measures, but this would expose the company to potential breaches and reputational damage.
• Risk transfer: This option involves sharing or transferring the risk to a third party, such as an insurer, a supplier, or a partner. For example, Company A could transfer the risk of emailcompromise by outsourcing its email service to a cloud provider, who would be responsible for the security and availability of the email accounts.

References:

• ISO/IEC 27001:2013, clause 6.1.3: Information security risk treatment
• ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit
• ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide - Advisera1
• Infosec Risk Treatment for ISO 27001 Requirement 8.3 - ISMS.online2
• ISO 27001 Clause 6.1.3 Information security risk treatment3
• ISO 27001 Risk Treatment Plan - Scrut Automation4

An intrusion detection system (IDS) is a device or software application that monitors network activities, looking for malicious behaviors or policy violations, and reports their findings to a management station. An IDS can help an organization to detect intrusions on networks, which are unauthorized attempts to access, manipulate, or harm network resources or data. In the scenario, Beauty should have implemented an IDS to detect intrusions on networks, such as the one that exposed customers’ information due to the out-of-date anti-malware software. An IDS could have alerted the IT team about the suspicious network activity and helped them to respond faster and more effectively. Therefore, the correct answer is C.

References: ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, clause 3.14; ISO/IEC 27039:2015, Information technology — Security techniques — Selection, deployment and operations of intrusion detection and prevention systems (IDPS), clause 4.1.

According to ISO/IEC 27001, an incident management process must include processes for using knowledge gained from information security incidents to reduce the likelihood or impact of future incidents, and to improve the overall level of information security. This means that the organization should conduct a root cause analysis of the incidents, identify the lessons learned, and implement corrective actions to prevent recurrence or mitigate consequences. The organization should also document and communicate the results of the incident management process to relevant stakeholders, and update the risk assessment and treatment plan accordingly. (Must be taken from ISO/IEC 27001 : 2022 Lead Implementer resources)

References: ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, specifically:

• ISO/IEC 27001:2022, clause 10.2 Nonconformity and corrective action
• ISO/IEC 27001:2022, Annex A.16 Information security incident management
• ISO/IEC TS 27022:2021, clause 7.5.3.16 Information security incident management process
• PECB ISO/IEC 27001 Lead Implementer Course, Module 9: Incident Management

Intrinsic vulnerabilities are related to the characteristics of the asset that make it susceptible to threats, regardless of the presence or absence of controls. In scenario 1, the complicated user interface of the web-based medical software is an intrinsic vulnerability, as it is a feature of the software that makes itdifficult to use and increases the likelihood of human errors. The software malfunction and the service interruptions are not intrinsic vulnerabilities, but rather incidents that occurred due to external factors, such as the increased number of users or the software company’s actions.

References: ISO/IEC 27001:2022 Lead Implementer Course Content, Module 6: Risk Assessment and Treatment1; ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, Clause 6.1.2: Information security risk assessment2

According to ISO/IEC 27001:2022, clause 9.3.3, the organization must retain documented information as evidence of the results of management reviews. The results of management reviews must include decisions and actions related to the ISMS policy, objectives, risks, opportunities, resources, and communication. Documenting the results of management reviews is important to ensure the accountability, traceability, and effectiveness of the ISMS. It also helps the organization to monitor and measure the performance and improvement of the ISMS, and to demonstrate compliance with the requirements of ISO/IEC 27001:2022. Therefore, an organization that has an ISMS in place and conducts management reviews at planned intervals, but does not retain documented information on the results, is not in accordance with the requirements of ISO/IEC 27001. (From the PECB ISO/IEC 27001 Lead Implementer Course Manual, page 107)

References:

• PECB ISO/IEC 27001 Lead Implementer Course Manual, page 107
• PECB ISO/IEC 27001 Lead Implementer Info Kit, page 7
• ISO/IEC 27001:2022 (en), Information security, cybersecurity and privacy protection — Information security management systems — Requirements, clause 9.3.3 1

 According to ISO/IEC 27001:2022, information security risk can be accepted as one of the four possible options for risk treatment, along with avoiding, modifying, or sharing the risk12. Risk acceptance means that the organization decides to tolerate the level of risk without taking any further action to reduce it3. Risk acceptance can be done before, during, or after the risk treatment process, depending on the organization’s risk criteria and the residual risk level4.

References: 1: ISO 27001 Risk Assessments | IT Governance UK 2: ISO 27001 Risk Assessment: 7 Step Guide - IT Governance UK Blog 3: ISO 27001 Clause 6.1.2 Information security risk assessment process 4: ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide - Advisera

According to ISO/IEC 27001:2022, a nonconformity report is a document that records the details of any deviation from the audit criteria that is identified during an audit2. The audit criteria are the set of policies, procedures, requirements, or specifications that are used as a reference against which audit evidence is compared3. Therefore, a nonconformity report must include the following aspects:

• The description of the nonconformity, which should clearly state what the deviation is, where it occurred, and when it was detected
• The audit findings, which should provide the objective evidence that supports the identification of the nonconformity
• The audit criteria, which should specify the reference document or standard that the nonconformity deviates from
• The recommendations, which should suggest the possible corrective actions or improvements that can be taken to address the nonconformity

In scenario 8, Tessa’s nonconformity report included the description of the nonconformity, the audit findings, and the recommendations, but it did not specify the audit criteria. Therefore, the report did not include all the necessary aspects and was incomplete.

References:

• 1: ISO/IEC 27001:2022, Clause 9.2.3
• 2: ISO/IEC 27001:2022, Clause 3.23
• 3: ISO/IEC 27001:2022, Clause 3.5
• : ISO/IEC 27001:2022, Annex A.9.2.3

The statement describes the organizational boundaries of the ISMS scope, which define which parts of the organization are included or excluded from the ISMS. The organizational boundaries can be based on criteria such as departments, functions, processes, activities, or locations. In this case, the statement specifies that the ISMS covers all departments within Company XYZ that have access to customers’ data, and excludes the ones that do not. The statement also explains the purpose of the ISMS, which is to ensure the confidentiality, integrity, and availability of customers’ data, and ensure compliance with the applicable regulatory requirements regarding information security.

The statement does not describe the information systems boundary of the ISMS scope, which defines which information systems are included or excluded from the ISMS. The information systems boundary can be based on criteria such as hardware, software, networks, databases, or applications. The statement does not mention any specific information systems that are covered by the ISMS.

The statement also does not describe the physical boundary of the ISMS scope, which defines which physical locations are included or excluded from the ISMS. The physical boundary can be based on criteria such as buildings, rooms, cabinets, or devices. The statement does not mention any specific physical locations that are covered by the ISMS.

References:

• ISO/IEC 27001:2013, clause 4.3: Determining the scope of the information security management system
• ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001
• ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit
• ISO/IEC 27001 scope statement | How to set the scope of your ISMS - Advisera1
• How to Write an ISO 27001 Scope Statement (+3 Examples) - Compleye2
• How To Use an Information Flow Map to Determine Scope of Your ISMS3
• ISMS SCOPE DOCUMENT - Resolver4
• Define the Scope and Objectives - ISMS Info5

Confidentiality of information is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. In other words, confidentiality ensures that only those who are authorized to access the information can do so. In the scenario, the confidentiality of information was compromised when the software company modified some files that contained sensitive information related to HealthGenic’s patients. This modification resulted in the invasion of patients’ privacy, which means that their personal and medical information was exposed to unauthorized parties. Therefore, the correct answer is B.

References: : ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, clause 3.14.

Based on his tasks, Bob is part of the incident response team (IRT) of InfoSec. According to ISO/IEC 27035-2:2023, the IRT is a team of appropriately skilled and trusted members of an organization that responds to and resolves incidents in a coordinated way1. One of the tasks of the IRT is to conduct an evaluation of the nature of an unexpected event, including the details on how the event happened and what or whom it might affect1. This is consistent with Bob’s responsibility of ensuring that a thorough evaluation of the nature of an unexpected event is conducted. Therefore, Bob belongs to the incident response team.

References:

• ISO/IEC 27035-2:2023 (en), Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response1
• Response to Information Security Incidents | ISMS.online2

According to ISO/IEC 27001:2022, a threat is any incident that could negatively affect the confidentiality, integrity or availability of an asset1. In this scenario, the asset is the information related to HealthGenic’s patients, which is stored and processed by the web-based medical software. The software company’s modification of some files that comprised sensitive information related to HealthGenic’s patients is an incident that could negatively affect the confidentiality and integrity of the asset, as it resulted in incomplete and incorrect medical reports and invaded the patients’ privacy. Therefore, this situation represents a threat to HealthGenic.

References:

• ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements
• ISO 27001 Key Terms - PJR

 According to the ISO/IEC 27001:2022 standard, the organization should establish, implement and maintain a process to manage changes that affect the information security management system (ISMS) and to continually improve the suitability, adequacyand effectiveness of the ISMS (section 8.1.3 and 10.2). The standard also states that the organization should update the documented information of the ISMS as necessary to reflect the changes and the results of the improvement process (section 8.1.3.2 and 10.2.2). Therefore, the update of documented information supports the continual improvement of the ISMS by ensuring that the ISMS is aligned with the current and future needs and expectations of the organization and its interested parties.

References:

• ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements1
• ISO/IEC 27001 Lead Implementer Info Kit
• Continual Improvement For ISO 27001 Requirement 10.22

Annex A 7.1 of ISO/IEC 27001 : 2022 is a control that requires an organization to define and implement security perimeters and use them to protect areas that contain information and other associated assets. Information and information security assets can include data, infrastructure, software, hardware, and personnel. The main purpose of this control is to prevent unauthorized physical access, damage, and interference to these assets, which could compromise the confidentiality, integrity, and availability of the information. Physical security perimeters can include fences, walls, gates, locks, alarms, cameras, and other barriers or devices that restrict or monitor access to the facility or area. The organization should also consider the environmental and fire protection of the assets, as well as the disposal of any waste or media that could contain sensitive information.

References:

• ISO/IEC 27001 : 2022 Lead Implementer Study Guide, Section 5.3.1.7, page 101
• ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 17
• ISO/IEC 27002 : 2022, Control 7.1 – Physical Security Perimeters123

According to ISO/IEC 27001:2022, clause 10.1, an action plan for nonconformities and corrective actions should include the following elements1:

• What needs to be done
• Who is responsible for doing it
• When it will be completed
• How the effectiveness of the actions will be evaluated
• How the results of the actions will be documented

In scenario 9, the action plan only describes what needs to be done and who is responsible for doing it, but it does not specify when it will be completed, how the effectiveness of the actions will be evaluated, and how the results of the actions will be documented. Therefore, the action plan is not sufficient to eliminate the detected nonconformities.

References:

1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, clause 10.1, Nonconformity and corrective action.

 According to ISO/IEC 27001:2022, clause 6.2, the organization shall establish information security objectives at relevant functions and levels. The information security objectives shall be consistent with the information security policy and relevant to the information security risks. The organization shall update the information security objectives as changes occur. Therefore, when OpenTech decides to establish a new version of its access control policy, it should update its information security objectives accordingly to reflect the changes and ensure alignment with the policy.

References: ISO/IEC 27001:2022, clause 6.2; PECB ISO/IEC 27001 Lead Implementer Course, Module 10, slide 8.

According to ISO/IEC 27001:2022, the control that enables the organization to manage storage media through their life cycle of use, acquisition, transportation and disposal belongs to the category of physical and environmental security. This category covers the controls that prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. The specific control objective for this control is A.11.2.7 Secure disposal or reuse of equipment1, which states that "equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or reuse."2

References:

• ISO/IEC 27001:2022, Annex A
• ISO/IEC 27002:2022, clause 11.2.7

According to ISO/IEC 27001:2022, information security controls are measures that are implemented to protect the confidentiality, integrity, and availability of information assets1. Controls can be preventive, detective, or corrective, depending on their purpose and nature2. Preventive controls aim to prevent or deter the occurrence of a security incident or reduce its likelihood. Detective controls aim to detect or discover the occurrence of a security incident or its symptoms. Corrective controls aim to correct or restore the normal state of an asset or a process after a security incident or mitigate its impact2.

In this scenario, Socket Inc. implemented several security controls to prevent information security incidents from recurring, such as:

• Segregation of networks: This is a preventive and technical control that involves separating different parts of a network into smaller segments, using devices such as routers, firewalls, or VPNs, to limit the access and communication between them3. This can enhance the security and performance of the network, as well as reduce the administrative efforts and costs3.
• Privileged access rights: This is a preventive and administrative control that involves granting access to information assets or systems only to authorized personnel who have a legitimate need to access them, based on their roles and responsibilities4. This can reduce the risk of unauthorized access, misuse, or modification of information assets or systems4.
• Cryptographic controls: This is a preventive and technical control that involves the use of cryptography, which is the science of protecting information by transforming it into an unreadable format, to protect the confidentiality, integrity, and authenticity of information assets or systems. This can prevent unauthorized access, modification, or disclosure of information assets or systems.
• Information security threat management: This is a preventive and administrative control that involves the identification, analysis, and response to information security threats, which are any incidents that could negatively affect the confidentiality, integrity, or availability of information assets or systems. This can help the organization to anticipate, prevent, or mitigate the impact of information security threats.
• Information security integration into project management: This is a preventive and administrative control that involves the incorporation of information security requirements and controls into the planning, execution, and closure of projects, which are temporary endeavors undertaken to create a unique product, service, or result. This can ensure that information security risks and opportunities are identified and addressed throughout the project life cycle.

However, information backup is not a preventive control, but a corrective control. Information backup is a corrective and technical control that involves the creation and maintenance of copies of information assets or systems, using dedicated software and utilities, to ensure that they can be recovered in case of data loss, corruption, accidental deletion, or cyber incidents. This can help the organization to restore the normal state of information assets or systems after a security incident or mitigate its impact. Therefore,information backup does not prevent information security incidents from recurring, but rather helps the organization to recover from them.

References:

• ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements
• ISO 27001 Key Terms - PJR
• Network Segmentation: What It Is and How It Works | Imperva
• ISO 27001:2022 Annex A 8.2 – Privileged Access Rights - ISMS.online
• [ISO 27001:2022 Annex A 8.3 – Cryptographic Controls - ISMS.online]
• [ISO 27001:2022 Annex A 5.30 – Information Security Threat Management - ISMS.online]
• [ISO 27001:2022 Annex A 5.31 – Information Security Integration into Project Management - ISMS.online]
• [ISO 27001:2022 Annex A 8.13 – Information Backup - ISMS.online]

According to the ISO/IEC 27001 : 2022 standard, information security incident management is the process of ensuring a consistent and effective approach to the managementof information security incidents, events and weaknesses. One of the objectives of this process is to collect and preserve evidence that can be used for disciplinary and legal action, as well as for learning and improvement. Therefore, Anna should be aware of the collection and preservation of records when gathering data for the forensics team. She should follow the information security incident management policy of InfoSec, which specifies the type, format, content and location of the records to be created and maintained. She should also ensure that the records are protected from unauthorized access, modification, deletion or disclosure, and that they are retained for an appropriate period of time.

References:

• ISO/IEC 27001 : 2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, Clause 16.1.7, Collection of evidence
• ISO/IEC 27001 : 2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, Annex A.16.1.7, Collection of evidence
• ISO/IEC 27001 : 2022 Lead Implementer Study Guide, Chapter 9, Information security incident management

According to the ISO/IEC 27001 : 2022 Lead Implementer course, the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected are as follows1:

• React to the nonconformity, take action to control and correct it, and deal with its consequences
• Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
• Implement any action needed
• Review the effectiveness of the corrective action
• Make changes to the information security management system (ISMS) if necessary

Therefore, communicating the details of the nonconformity to every employee of the organization and suspending the employee that caused the nonconformity is not part of the steps required by ISO/IEC 27001. This option is not only unnecessary, but also potentially harmful, as it could violate the principles of confidentiality, integrity, and availability of information, as well as the human rights and dignity of the employee involved2. Instead, the organization should follow the established procedures for reporting, recording, and analyzing nonconformities, and ensure that the corrective actions are appropriate, proportional, and fair3.

References: 1: PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 9 2: PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 10 3: PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 11