PECB ISO-IEC-27001-Lead-Implementer Exam With Confidence Using Practice Dumps

The correct answer is Option C, as it best upholds objectivity and impartiality while allowing the internal audit to proceed effectively.

ISO/IEC 27001:2022 Clause 9.2 – Internal audit requires that audits be conducted in a manner that ensures objectivity and impartiality. This requirement is further reinforced by ISO 19011, which states that auditors should not audit their own work and should avoid conflicts of interest.

In this scenario, the auditor:

Held daily operational responsibilities in the IT Department just three months ago.

Is now asked to audit the same department.

Although job descriptions clearly distinguish past and present roles, the risk of perceived or actual bias remains high due to the short time elapsed. A common best practice is a cooling-off period (often around one year), but ISO standards do not mandate a fixed duration.

Option A is incorrect because clear job descriptions alone do not eliminate bias risk.

Option B is too rigid; ISO/IEC 27001 does not mandate a one-year cooling-off period.

By conducting the audit jointly with a colleague from another department, the organization:

Preserves audit independence,

Introduces an objective perspective,

Mitigates conflict-of-interest concerns,

Remains compliant with Clause 9.2 and ISO 19011 guidance

Annex A 7.1 of ISO/IEC 27001 : 2022 is a control that requires an organization to define and implement security perimeters and use them to protect areas that contain information and other associated assets. Information and information security assets can include data, infrastructure, software, hardware, and personnel. The main purpose of this control is to prevent unauthorized physical access, damage, and interference to these assets, which could compromise the confidentiality, integrity, and availability of the information. Physical security perimeters can include fences, walls, gates, locks, alarms, cameras, and other barriers or devices that restrict or monitor access to the facility or area. The organization should also consider the environmental and fire protection of the assets, as well as the disposal of any waste or media that could contain sensitive information.

ISO/IEC 27001 : 2022 Lead Implementer Study Guide, Section 5.3.1.7, page 101

ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 17

ISO/IEC 27002 : 2022, Control 7.1 – Physical Security Perimeters123

Incident response team service categories typically include reactive, proactive, and security quality management services. Proactive services are designed to support organizational functions such as training, awareness, readiness, and auditing, with the aim of preventing incidents before they occur.

These services include:

Security awareness and training

Simulations and exercises

Readiness assessments

Advisory support to audits

This aligns with ISO/IEC 27001:2022’s preventive intent, particularly:

Clause 7.2 – Competence

Clause 7.3 – Awareness

Annex A A.5.35 – Independent review of information security

Reactive services (Option B) focus on incident handling after an event, while security quality management services (Option C) focus on metrics and maturity oversight.