
Exam ISO-IEC-27001-Lead-Auditor Topic 5 Question 274 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 274
Topic #: 5
Scenario 8
Trustingo has been providing banking and financial services in Estonia since 2010. The company has a network of 30 branches with over 100 ATMs nationwide. To meet strict data security and privacy regulations, Trustingo implemented an information security management system (ISMS) based on ISO/IEC 27001, ensuring better security, improved risk management, and compliance with legal requirements.
Nine months after the successful implementation of the ISMS, Trustingo decided to pursue certification for their ISMS based on ISO/IEC 27001 by an independent certification body. The certification audit included Trustingo's systems, processes, and technologies.
The audit team conducted the Stage 1 and Stage 2 audits jointly, and several nonconformities were detected.
The first nonconformity was related to Trustingo's labeling of information. The company had an information classification scheme but no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently.
The nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the classification scheme, confidential information may be stored on removable media, whereas sensitive information is strictly prohibited.
The audit team drafted the nonconformity report and discussed conclusions with Trustingo's representatives.
Trustingo accepted the audit team leader's proposed solution and addressed the nonconformities by drafting an information labeling procedure and updating the removable media procedure.
Two weeks after audit completion, Trustingo submitted a general corrective action plan. Although it addressed the nonconformities, it lacked detailed action steps and system-specific impacts. As a result, Trustingo received an unfavorable certification recommendation.
Question
Which action in Scenario 8 is unacceptable in an external audit?

Suggested Answer: A

The unacceptable action in Scenario 8 is the audit team leader proposing a solution for resolving the nonconformities, making option A the correct answer. In external certification audits, auditors must remain impartial and independent. ISO/IEC 17021-1 strictly prohibits auditors from providing consultancy, advice, or specific solutions on how an organization should correct nonconformities.
Auditors are permitted to identify nonconformities, explain why they exist, and clarify the requirements of the standard. However, suggesting or proposing corrective solutions crosses the boundary into consultancy, which compromises auditor impartiality and could invalidate the certification process. In this scenario, Trustingo "accepted the audit team leader's proposed solution," which clearly indicates inappropriate auditor involvement.
Option B is not correct because conducting Stage 1 and Stage 2 audits jointly can be acceptable in certain cases, such as small organizations or mature ISMS implementations, provided the certification body justifies the approach and requirements are met. Option C is also not the best answer because the classification of the nonconformity (minor or major) is an auditor judgment issue, not inherently unacceptable.
Therefore, the critical violation of external audit rules is the auditor proposing corrective solutions, making option A correct.

by Sandy at May 25, 2026, 08:07 AM
