Selected ISO-IEC-27001-Lead-Implementer ISO 27001 Questions Answers

ISO/IEC 27005:2022 (Clause 8.2.1 – Risk Identification Process) and the ISMS Implementation Toolkit emphasize that risk identification is a cyclical and iterative process:

“Risk identification should evolve with organizational maturity and environmental change, becoming more detailed and effective through each cycle.”

This aligns with Clause 10.1 of ISO/IEC 27001:2022, which requires continual improvement:

“The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.”

Refining detail over time allows organizations to adjust to new threats and better understand their environment, promoting resilience and continual improvement.

According to the ISO/IEC 27001 : 2022 Lead Implementer course, the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected are as follows1:

React to the nonconformity, take action to control and correct it, and deal with its consequences

Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere

Implement any action needed

Review the effectiveness of the corrective action

Make changes to the information security management system (ISMS) if necessary

Therefore, communicating the details of the nonconformity to every employee of the organization and suspending the employee that caused the nonconformity is not part of the steps required by ISO/IEC 27001. This option is not only unnecessary, but also potentially harmful, as it could violate the principles of confidentiality, integrity, and availability of information, as well as the human rights and dignity of the employee involved2. Instead, the organization should follow the established procedures for reporting, recording, and analyzing nonconformities, and ensure that the corrective actions are appropriate, proportional, and fair3.