Scenario 3: Rebuildy is a construction company located in Bangkok.. Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.

The ISMS implementation outcomes are presented below

•Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.

•Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.

•All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.

•The information security policy is part of a security manual drafted based on best security practices Therefore, it is not a stand-alone document.

•Information security roles and responsibilities have been clearly stated in every employees job description

•Management reviews of the ISMS are conducted at planned intervals.

Rebuildy applied for certification after two midterm management reviews and one annual internal audit Before the certification audit one of Rebuildy’s former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.

At the beginning of the audit, the audit team interviewed the company’s top management They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy’s conformity to several clauses of ISO/IEC 27001

The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:

•An instance of improper user access control settings was detected within the company's financial reporting system.

•A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.

After receiving these documents from the audit team, the team leader met Rebuildy’s top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.

Based on the scenario above, answer the following question:

Question:

Based on Scenario 3, the audit team used information obtained from interviews with top management to determine Rebuildy’s conformity to several ISO/IEC 27001 clauses. Is this acceptable?