PECB ISO-IEC-27001-Lead-Auditor Exam With Confidence Using Practice Dumps

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.5.29 requires an organization to establish and maintain a business continuity management process to ensure the continued availability of information and information systems at the required level following disruptive incidents1. The organization should identify and prioritize critical information assets and processes, assess the risks and impacts of disruptive incidents, develop and implement business continuity plans (BCPs), test and review the BCPs, and ensure that relevant parties are aware of their roles and responsibilities1. Therefore, when verifying the information security of the business continuity management process, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Three options that will be in the audit trail for verifying control A.5.29 are:

Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to protect the confidentiality, integrity and availability of information and information systems when staff work from home using mobile devices, such as laptops, tablets or smartphones. This is related to control A.6.7, which requires an organization to establish a policy and procedures for teleworking and use of mobile devices1.

Collect more evidence on how and when the Business Continuity Plan has been tested (Relevant to control A.5.29): This option is relevant because it can provide evidence of how the organization has tested and reviewed the BCPs to ensure their effectiveness and suitability for different scenarios, such as a pandemic. This is related to control A.5.29, which requires an organization to test and review the BCPs at planned intervals or when significant changes occur1.

Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to prevent or reduce the risk of infection or transmission of diseases among staff or residents, such as requiring regular staff self-testing and using a health status app. This is related to control A.7.2, which requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect1.

The other options are not relevant to verifying control A.5.29, as they are not related to the control or its requirements. For example:

Collect more evidence by interviewing more staff about their feeling about working from home (Relevant to clause 4.2): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 4.2, which requires an organization to understand the needs and expectations of interested parties, but not specifically to control A.5.29.

Collect more evidence on what resources the organisation provides to support the staff working from home (Relevant to clause 7.1): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 7.1, which requires an organization to determine and provide the resources needed for its ISMS, but not specifically to control A.5.29.

Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home (Relevant to clause 6): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 6, which requires an organization to plan actions to address risks and opportunities for its ISMS, but not specifically to control A.5.29.

From Exact Extract:

1. ISO/IEC 27001:2022 – Obligation to implement security controls

ISO/IEC 27001:2022 requires organizations to implement information security controls to address identified risks, particularly where personally identifiable information (PII) is processed.

Under Clause 6.1.3 – Information security risk treatment, the standard requires that an organization:

“Determine all controls that are necessary to implement the information security risk treatment option(s) chosen.”

In this scenario, the chatbot introduced new and unmitigated risks, including:

Incorrect handling of user input

Potential unauthorized disclosure of information (sending random files)

Processing of PII without sufficient safeguards

Therefore, implementing additional security controls is mandatory, not optional.

2. ISO/IEC 27002:2022 – Privacy and monitoring controls

The controls implemented by Fintive directly align with Annex A of ISO/IEC 27002:2022, including:

A.5.34 – Privacy and protection of PIIRequires organizations to protect personal data in line with legal, regulatory, and contractual requirements.

A.8.15 – LoggingRequires audit logs to be enabled to record events for investigation.

A.8.16 – Monitoring activitiesRequires monitoring systems to detect anomalous behavior.

A.5.18 – Access rightsRequires periodic access reviews to prevent unauthorized access.

These controls are explicitly designed to detect errors, misuse, unauthorized access, and suspicious behavior — exactly the risks described in the scenario.

3. Why the other options are incorrect

Option A – IncorrectISO/IEC 27001 does not permit organizations to avoid implementing controls simply because they may affect operations. Operational impact is considered during risk assessment, but security and privacy obligations take precedence, especially for PII.

Option B – IncorrectISO/IEC 27001 does not limit the number of controls. Controls must be appropriate to the risk, not minimized for efficiency. A reduction in efficiency does not justify non-compliance or privacy violations.

4. Auditor conclusion

Implementing security controls to protect information privacy is:

Required by ISO/IEC 27001:2022

Consistent with ISO/IEC 27002:2022 Annex A controls

Appropriate given the identified risks

A correct application of risk treatment and continual improvement

The certification body had a valid reason to accept CyberShielding Systems Inc.’s objection, making option A the correct answer. ISO/IEC 17021-1 requires certification bodies to ensure that audit teams are competent and acceptable to the auditee, particularly where access to sensitive information, systems, or facilities is involved. Security clearance requirements set by the auditee are a legitimate consideration, especially for organizations operating in highly sensitive information security environments.

In this scenario, CyberShielding Systems Inc. operates in the cybersecurity sector and handles sensitive internal and customer information. Auditors without the necessary security clearance may be unable to access required information or systems, which would compromise the effectiveness and completeness of the audit. Accepting such an objection supports both audit quality and information protection.

Option B is incorrect because objections are not limited to cases of prior unprofessional conduct. Option C is incorrect because conflicts of interest are not the only valid grounds for objection. ISO/IEC 17021-1 allows auditees to object to auditors for justified reasons, including competence, impartiality, confidentiality, or access limitations.

Therefore, replacing the auditor due to insufficient security clearance was appropriate and consistent with certification body requirements and good auditing practice.