Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

ISO 27001 Lead Auditor exam - Doubts regarding a question

  Quote
Guest
Guest user Created:   Sep 06, 2021 Last commented:   Sep 06, 2021

ISO 27001 Lead Auditor exam - Doubts regarding a question

I took a part in ISO27k Lead Auditor workshop in August 2021.
I also approached the exam. Unfortunately, I was not able to pass IS part, as 6 % were missing to achieve 70% for this area.
I have a doubt regarding two questions, asked during one or both approaches to the exam in IS area.
As we do not receive a report which questions were responded correctly and which not, I am not able to verify it by myself.

1 - There was a question during the exam, which was like: Should risk owner be assigned to each critical risk?

I responded Yes, but I was started wondering if the question should be understood just in the context of critical risk or in a wider context, meaning does the question ask really about critical risk in it or maybe the response should be No, because standard requires owners to be assigned to all type of risks found?

2 - Second one is regarding "justification" of adding particular control to SoA. I do not entirely understood how to read "justification" in this question?

Could you please explain it to me?

I will be grateful.

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Sep 06, 2021

1 - There was a question during the exam, which was like: Should risk owner be assigned to each critical risk?

I responded Yes, but I was started wondering if the question should be understood just in the context of critical risk or in a wider context, meaning does the question ask really about critical risk in it or maybe the response should be No, because standard requires owners to be assigned to all type of risks found?

The question is to be considered in a wider context than you initially thought because the standard (clause 6.1.2 c) required that all identified risks must have an assigned owner, not only the critical ones.

Please note that each identified risk needs to be a designated owner, even if at the moment of the assessment it is not critical. This is so because changes in the organizational context may change the risk value, either to increase or decrease it, and if only risks identified as critical at the moment of the assessment have a designated owner, other risks may increase, and the organization won’t be aware of it.

For further information, see:

2 - Second one is regarding "justification" of adding particular control to SoA. I do not entirely understood how to read "justification" in this question?

Could you please explain it to me?

For SoA, “justification” is the reason for which a control is deemed applicable. The whole concept of ISO 27001 is that you only need to apply a control if you have a reason (i.e., a justification) for that. This ensures that you do not expend unnecessary resources and that all your requirements are properly covered.

For example, if you implement a cryptographic technology and you do not have a relevant risk to justify the implementation of control A.10.1.1 (Policy on the use of cryptographic controls), then you are expending resources unnecessarily (in an ISO 27001 point of view).

On the other hand, if you do not have relevant risks to justify the implementation of control A.10.1.1, but you have a contractual clause with a client stipulating the use of cryptography, then you need to include reference to this contractual clause to justify the use of the control.

Quote
0 0
Guest
Guest user Sep 06, 2021

Thank you for that.

Nonetheless...

With regard to the question about owners to be assigned to each critical risk... 
Considering the fact that the question was structured in a way "Does each critical risk should have the owner assigned?" and not in a way : Does ONLY critical risk should have risk owner assigned?", if my response YES was marked as incorrect, I would like to  appeal to my exam results.

In both approaches to IS part of the exam I was missing only 6% to pass, which is basically 1 question probably.  And I had this question both times in it.

Could you please check and let me know if this can be somehow proceeded?

I will be grateful.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 06, 2021

Sep 06, 2021

Suggested Topics

Guest user Created:   Sep 23, 2021 ISO 27001 & 22301
Replies: 1
0 0

ISO 27001 implementation

Guest user Created:   Sep 21, 2021 ISO 27001 & 22301
Replies: 1
0 0

Conformio questions