PECB Certified ISO/IEC 27001 2022 Lead Auditor exam ISO-IEC-27001-Lead-Auditor Question # 84 Topic 9 Discussion

ISO-IEC-27001-Lead-Auditor Exam Topic 9 Question 84 Discussion:

Question #: 84

Topic #: 9

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in
the auditee's data centre with another member of your audit team.
You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric
combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and
combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.
You go to reception and ask to see the door access record for the client's suite. This indicates only one card was
swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their
cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.
Based on the scenario above which one of the following actions would you now take?

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV

Raise a nonconformity against control A.7.1 'security perimiters' as a secure area is not adequately protected

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities

Get Premium ISO-IEC-27001-Lead-Auditor Questions

Explanation

The best action to take in this scenario is to determine whether any additional effective arrangements are in place to verify individual access to secure areas, such as CCTV. This action is consistent with the audit principle of evidence-based approach, which requires the auditor to obtain sufficient and appropriate audit evidence to support the audit findings and conclusions1. By verifying the existence and effectiveness of other security controls, the auditor can assess the extent and impact of the nonconformity observed, and determine the appropriate audit finding and recommendation.

The other options are not the best actions to take in this scenario, because they are either premature or inappropriate. For example:

•Option A is inappropriate, because it is not the auditor’s role to suggest specific solutions or improvements to the auditee, but rather to report the audit findings and recommendations based on the audit criteria and objectives2. A large sign in reception may not be an effective or feasible solution to address the issue of tailgating, and it may not reflect the root cause of the problem.

•Option C is premature, because it assumes that the control A.7.1 ‘security perimeters’ is not adequately implemented, without verifying the existence and effectiveness of other security controls that may compensate for the observed nonconformity. The auditor should not jump to conclusions based on a single observation, but rather gather sufficient and appropriate audit evidence to support the audit finding3.

•Option D is premature, because it assumes that the control A.7.6 ‘working in secure areas’ is not adequately implemented, without verifying the existence and effectiveness of other security controls that may compensate for the observed nonconformity. The auditor should not jump to conclusions based on a single observation, but rather gather sufficient and appropriate audit evidence to support the audit finding3.

•Option E is inappropriate, because it is not related to the observed nonconformity, which is about the access control to secure areas, not the information security requirements agreed upon with the supplier. The auditor should not raise a nonconformity based on irrelevant or incorrect audit criteria4.

•Option F is inappropriate, because it is not the auditor’s role to suggest specific solutions or improvements to the auditee, but rather to report the audit findings and recommendations based on the audit criteria and objectives2. Requiring contractors to be accompanied at all times when accessing secure facilities may not be an effective or feasible solution to address the issue of tailgating, and it may not reflect the root cause of the problem.

[References: 1: ISO 19011:2018, 5.2; 2: ISO 19011:2018, 6.6; 3: ISO 19011:2018, 6.2; 4: ISO 19011:2018, 6.3; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018, , , , ]

Actual exam question for PECB ISO-IEC-27001-Lead-Auditor exam by Rune8653 at Jan 29, 2026, 3:05:20 AM

Contribute your Thoughts:

Chosen Answer: A B C D E F
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Month End Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam ISO-IEC-27001-Lead-Auditor Question # 84 Topic 9 Discussion

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam ISO-IEC-27001-Lead-Auditor Question # 84 Topic 9 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Month End Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam ISO-IEC-27001-Lead-Auditor Question # 84 Topic 9 Discussion

PECB Certified ISO/IEC 27001 2022 Lead Auditor exam ISO-IEC-27001-Lead-Auditor Question # 84 Topic 9 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval