I took part in an ISO27k Lead Auditor workshop in August 2021.
I also attempted the exam. Unfortunately, I was not able to pass the IS part, as I was 6% short of the 70% required for this area.
I have a doubt regarding two questions asked during one or both attempts at the exam in the IS area.
As we do not receive a report on which questions were answered correctly and which were not, I am not able to verify it myself.
1 - There was a question during the exam which was something like: Should a risk owner be assigned to each critical risk?
I responded Yes, but I started wondering whether the question should be understood just in the context of critical risks or in a wider context, meaning: does the question really ask about critical risks, or should the response maybe be No, because the standard requires owners to be assigned to all types of risks found?
2 - The second one is regarding the "justification" for adding a particular control to the SoA. I do not entirely understand how to read "justification" in this question.
Could you please explain it to me?
I will be grateful.