Scenario: Rebuildy is a construction company located in Bangkok, Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.

The ISMS implementation outcomes are presented below:
- Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.
- Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.
- All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.
- The information security policy is part of a security manual drafted based on best security practices. Therefore, it is not a stand-alone document.
- Information security roles and responsibilities have been clearly stated in every employee's job description.
- Management reviews of the ISMS are conducted at planned intervals.

Rebuildy applied for certification after two midterm management reviews and one annual internal audit. Before the certification audit, one of Rebuildy's former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member. Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor decided to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.

At the beginning of the audit, the audit team interviewed the company's top management. They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy's conformity to several clauses of ISO/IEC 27001.

The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:
- An instance of improper user access control settings was detected within the company's financial reporting system.
- A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.

After receiving these documents from the audit team, the team leader met Rebuildy's top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.

Based on the last paragraph of the scenario, what did the audit team leader commit?
Scenario: Branding is a marketing company that works with some of the most famous companies in the US. To reduce internal costs, Branding has outsourced the software development and IT helpdesk operations to Techvology for over two years. Techvology, equipped with the necessary expertise, manages Branding's software, network, and hardware needs. Branding has implemented an information security management system (ISMS) and is certified against ISO/IEC 27001, demonstrating its commitment to maintaining high standards of information security. It actively conducts audits on Techvology to ensure that the security of its outsourced operations complies with ISO/IEC 27001 certification requirements.

During the last audit, Branding's audit team defined the processes to be audited and the audit schedule. They adopted an evidence-based approach, particularly in light of two information security incidents reported by Techvology in the past year. The focus was on evaluating how these incidents were addressed and ensuring compliance with the terms of the outsourcing agreement.

The audit began with a comprehensive review of Techvology's methods for monitoring the quality of outsourced operations, assessing whether the services provided met Branding's expectations and agreed-upon standards. The auditors also verified whether Techvology complied with the contractual requirements established between the two entities. This involved thoroughly examining the terms and conditions in the outsourcing agreement to guarantee that all aspects, including information security measures, are being adhered to.

Furthermore, the audit included a critical evaluation of the governance processes Techvology uses to manage its outsourced operations and other organizations. This step is crucial for Branding to verify that proper controls and oversight mechanisms are in place to mitigate potential risks associated with the outsourcing arrangement.

The auditors conducted interviews with various levels of Techvology's personnel and analyzed the incident resolution records. In addition, Techvology provided the records that served as evidence that they conducted awareness sessions for the staff regarding incident management. Based on the information gathered, they predicted that both information security incidents were caused by incompetent personnel. Therefore, the auditors requested to see the personnel files of the employees involved in the incidents to review evidence of their competence, such as relevant experience, certificates, and records of attended trainings.

Branding's auditors performed a critical evaluation of the validity of the evidence obtained and remained alert for evidence that could contradict or question the reliability of the documented information received. During the audit at Techvology, the auditors upheld this approach by critically assessing the incident resolution records and conducting thorough interviews with employees at different levels and functions. They did not merely take the word of Techvology's representatives for facts; instead, they sought concrete evidence to support the representatives' claims about the incident management processes.

According to ISO/IEC 27001 requirements, is Branding required to control the services offered by Techvology continually? Refer to the scenario.
As an auditor, you have noticed that ABC Inc. has established a procedure to manage the removable storage media. The procedure is based on the classification scheme adopted by ABC Inc. Thus, if the information stored is classified as "confidential," the procedure applies. On the other hand, information classified as "public" does not have confidentiality requirements; thus, only a procedure for ensuring its integrity and availability applies. What type of audit finding is this?
Which one of the following options best describes the main purpose of a Stage 2 third-party audit?
Select two options that describe an advantage of using a checklist. (Choose two.)
You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.

The Service Manager says that the complaints were investigated as an information security incident, which found that they were justified. Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.

You write a nonconformity: "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members."

Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity. (Choose three.)