According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the auditee should take the following actions in response to a nonconformity against clause 6.1.3.e of ISO/IEC 27001:20221:

Implement the appropriate risk treatment for each of the applicable controls, as this is the main requirement of clause 6.1.3.e and the objective of the risk treatment process2.

Revise the relevant content in the Statement of Applicability to justify their exclusion, as this is the expected output of the risk treatment process and the evidence of the risk-based decisions3.

Revisit the risk assessment process relating to the three controls, as this is the input for the risk treatment process and the source of identifying the risks and the controls4.

The other options are not correct because:

Allocating responsibility for producing evidence to prove to auditors that the controls are implemented is not a valid action, as the audit team already found that there was no evidence of the implementation of the three controls.

Compiling plans for the periodic assessment of the risks associated with the controls is not a valid action, as this is part of the risk monitoring and review process, not the risk treatment process5.

Incorporating written procedures for the controls into the organisation’s Security Manual is not a valid action, as this is part of the documentation and operation of the ISMS, not the risk treatment process.

Removing the three controls from the Statement of Applicability is not a valid action, as this is not a sufficient justification for their exclusion and does not reflect the risk treatment process.

Undertaking a survey of customers to find out if the controls are needed by them is not a valid action, as this is not a relevant criterion for the risk assessment and treatment process, which should be based on the organisation’s own context and objectives.

 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 36, section 4.5.22: ISO/IEC 27001:2022, clause 6.1.3.e3: ISO/IEC 27001:2022, clause 6.1.3.f4: ISO/IEC 27001:2022, clause 6.1.25: ISO/IEC 27001:2022, clause 6.2. : ISO/IEC 27001:2022, clause 7.5 and 8. : ISO/IEC 27001:2022, clause 6.1.3.d. : ISO/IEC 27001:2022, clause 4.1 and 4.2.