ISO 27001 Lead Auditor exam - Doubts regarding a question
1 - There was a question during the exam which went something like: Should a risk owner be assigned to each critical risk?
I responded Yes, but I started wondering whether the question should be understood just in the context of critical risks or in a wider context, meaning: does the question really ask about critical risks, or should the response perhaps be No, because the standard requires owners to be assigned to all types of risks found?
The question is to be considered in a wider context than you initially thought, because the standard (clause 6.1.2 c) requires that all identified risks have an assigned owner, not only the critical ones.
Please note that each identified risk needs to have a designated owner, even if at the moment of the assessment it is not critical. This is because changes in the organizational context may change the risk value, either increasing or decreasing it, and if only the risks identified as critical at the moment of the assessment have a designated owner, other risks may increase and the organization won't be aware of it.
For further information, see:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
2 - The second one is regarding the "justification" for adding a particular control to the SoA. I do not entirely understand how to read "justification" in this question.
Could you please explain it to me?
For the SoA, "justification" is the reason for which a control is deemed applicable. The whole concept of ISO 27001 is that you only need to apply a control if you have a reason (i.e., a justification) for it. This ensures that you do not expend unnecessary resources and that all your requirements are properly covered.
For example, if you implement a cryptographic technology and you do not have a relevant risk to justify the implementation of control A.10.1.1 (Policy on the use of cryptographic controls), then you are expending resources unnecessarily (from an ISO 27001 point of view).
On the other hand, if you do not have relevant risks to justify the implementation of control A.10.1.1, but you have a contractual clause with a client stipulating the use of cryptography, then you need to include a reference to this contractual clause to justify the use of the control.
Thank you for that.
Nonetheless...
With regard to the question about owners to be assigned to each critical risk...
Considering the fact that the question was structured as "Should each critical risk have an owner assigned?" and not as "Should ONLY critical risks have a risk owner assigned?", if my response YES was marked as incorrect, I would like to appeal my exam results.
In both attempts at the IS part of the exam I was missing only 6% to pass, which is basically one question, probably. And I had this question both times.
Could you please check and let me know if this can somehow be proceeded with?
I will be grateful.
Sep 06, 2021