New Year Sale ! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

PECB Exam ISO-IEC-27001-Lead-Auditor Topic 6 Question 32 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 32
Topic #: 6
[All ISO-IEC-27001-Lead-Auditor Questions]

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card was swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

Show Suggested Answer Hide Answer
Suggested Answer: G

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.7.2 requires an organization to implement appropriate physical entry controls to prevent unauthorized access to secure areas1.The organization should define and document the criteria for granting and revoking access rights to secure areas, and should monitor and record the use of such access rights1. Therefore, when auditing the organization's application of control A.7.2, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Based on the scenario above, the auditor should raise a nonconformity against control A.7.2, as the secure area is not adequately protected from unauthorized access. The auditor should provide the following evidence and justification for the nonconformity:

Evidence: The auditor observed two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorized electrical repairs. The auditor checked the door access record for the client's suite and found that only one card was swiped. The auditor asked the receptionist and was told that it was a common problem that contractors tend to swipe one card and tailgate their way in, but they were known from the reception sign-in.

Justification: This evidence indicates that the organization has not implemented appropriate physical entry controls to prevent unauthorized access to secure areas, as required by control A.7.2. The organization has not defined and documented the criteria for granting and revoking access rights to secure areas, as there is no verification or authorization process for providing swipe cards and combination numbers to external contractors. The organization has not monitored and recorded the use of access rights to secure areas, as there is no mechanism to ensure that each individual swipes their card and enters their combination number before entering a secure area. The organization has relied on the reception sign-in as a means of identification, which is not sufficient or reliable for ensuring information security.

The other options are not valid actions for auditing control A.7.2, as they are not related to the control or its requirements, or they are not appropriate or effective for addressing the nonconformity. For example:

Take no action: This option is not valid because it implies that the auditor ignores or accepts the nonconformity, which is contrary to the audit principles and objectives of ISO 19011:20182, which provides guidelines for auditing management systems.

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier: This option is not valid because it does not address the root cause of the nonconformity, which is related to physical entry controls, not supplier relationships.Control A.5.20 requires an organization to agree on information security requirements with suppliers that may access, process, store, communicate or provide IT infrastructure components for its information assets1. While this control may be relevant for ensuring information security in supplier relationships, it does not address the issue of unauthorized access to secure areas by external contractors.

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined: This option is not valid because it does not address the root cause of the nonconformity, which is related to physical entry controls, not working in secure areas.Control A.7.6 requires an organization to define and apply security measures for working in secure areas1. While this control may be relevant for ensuring information security when working in secure areas, it does not address the issue of unauthorized access to secure areas by external contractors.

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV: This option is not valid because it does not address or resolve the nonconformity, but rather attempts to find alternative or compensating controls that may mitigate its impact or likelihood. While additional arrangements such as CCTV may be useful for verifying individual access to secure areas, they do not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities: This option is not valid because it does not address or resolve the nonconformity, but rather suggests a possible improvement action that may prevent or reduce its recurrence or severity. While accompanying contractors at all times when accessing secure facilities may be a good practice for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times: This option is not valid because it does not address or resolve the nonconformity, but rather suggests a possible improvement action that may increase awareness or compliance with the existing controls. While having a large sign in reception reminding everyone requiring access must use their swipe card at all times may be a helpful reminder for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Tell the organisation they must write to their contractors, reminding them of the need to use access cards appropriately: This option is not valid because it does not address or resolve the nonconformity, but rather instructs the organization to take a corrective action that may not be effective or sufficient for ensuring information security. While writing to contractors, reminding them of the need to use access cards appropriately may be a communication measure for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.


Contribute your Thoughts:

Michal
5 months ago
I agree. It's important to have effective arrangements to verify individual access to secure areas.
upvoted 0 times
...
Chery
7 months ago
That's a valid point. Maybe we should consider that as well.
upvoted 0 times
...
Michal
7 months ago
But shouldn't we also consider raising an opportunity for improvement to have contractors accompanied at all times in secure facilities?
upvoted 0 times
...
Rasheeda
7 months ago
That sounds like a good idea. It's important to address information security in supplier relationships.
upvoted 0 times
...
Chery
7 months ago
I think we should raise a nonconformity against control A.5.20 for not agreeing on information security requirements with the supplier.
upvoted 0 times
Irma
7 months ago
I think raising an opportunity for improvement on accompanying contractors is also important.
upvoted 0 times
...
Carolann
7 months ago
We should also consider if there are effective arrangements to verify individual access.
upvoted 0 times
...
Sanda
7 months ago
I agree, we need to ensure information security requirements are in place.
upvoted 0 times
...
...
Lajuana
8 months ago
Haha, I love the idea of having a giant sign in reception reminding everyone to use their swipe cards. That's a great opportunity for improvement, but I'm not sure it's the best course of action here.
upvoted 0 times
...
Gregoria
8 months ago
I think option B might be the way to go. The organization hasn't agreed on security requirements with the supplier, so that seems like a clear nonconformity. But I'm also interested in what the others think.
upvoted 0 times
...
Kimbery
8 months ago
I don't know, guys. Option A seems tempting, but I'm pretty sure that's not the right answer. These contractors are clearly not following the security protocols, and we can't just ignore that.
upvoted 0 times
...
Iraida
8 months ago
Hmm, I'm leaning towards option D. It seems like we need to determine if there are any other effective arrangements in place, like CCTV, to verify individual access. That could help us understand the full extent of the issue.
upvoted 0 times
...
Shalon
8 months ago
I think the key here is that the organization is already aware of the problem, but doesn't seem to be doing enough to address it. Raising a nonconformity might be the right step, but I'm not sure which one would be the most appropriate.
upvoted 0 times
...
Arlen
8 months ago
Wow, this is a tricky one. I'm not sure what the best course of action is here. It seems like the contractors are not following the security protocols, but the organization is aware of the issue. I'm curious to hear what the others think.
upvoted 0 times
...

Save Cancel