BlackFriday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

PECB Exam ISO-IEC-27001-Lead-Auditor Topic 7 Question 42 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 42
Topic #: 7
[All ISO-IEC-27001-Lead-Auditor Questions]

You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.

You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.

You go to reception and ask to see the door access record for the client's suite. This indicates only one card was swiped. You ask the receptionist and they reply, "yes it's a common problem. We ask everyone to swipe their cards but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in" but we know who they are from the reception sign-in.

Based on the scenario above which one of the following actions would you now take?

Show Suggested Answer Hide Answer
Suggested Answer: G

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.7.2 requires an organization to implement appropriate physical entry controls to prevent unauthorized access to secure areas1.The organization should define and document the criteria for granting and revoking access rights to secure areas, and should monitor and record the use of such access rights1. Therefore, when auditing the organization's application of control A.7.2, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Based on the scenario above, the auditor should raise a nonconformity against control A.7.2, as the secure area is not adequately protected from unauthorized access. The auditor should provide the following evidence and justification for the nonconformity:

Evidence: The auditor observed two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorized electrical repairs. The auditor checked the door access record for the client's suite and found that only one card was swiped. The auditor asked the receptionist and was told that it was a common problem that contractors tend to swipe one card and tailgate their way in, but they were known from the reception sign-in.

Justification: This evidence indicates that the organization has not implemented appropriate physical entry controls to prevent unauthorized access to secure areas, as required by control A.7.2. The organization has not defined and documented the criteria for granting and revoking access rights to secure areas, as there is no verification or authorization process for providing swipe cards and combination numbers to external contractors. The organization has not monitored and recorded the use of access rights to secure areas, as there is no mechanism to ensure that each individual swipes their card and enters their combination number before entering a secure area. The organization has relied on the reception sign-in as a means of identification, which is not sufficient or reliable for ensuring information security.

The other options are not valid actions for auditing control A.7.2, as they are not related to the control or its requirements, or they are not appropriate or effective for addressing the nonconformity. For example:

Take no action: This option is not valid because it implies that the auditor ignores or accepts the nonconformity, which is contrary to the audit principles and objectives of ISO 19011:20182, which provides guidelines for auditing management systems.

Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier: This option is not valid because it does not address the root cause of the nonconformity, which is related to physical entry controls, not supplier relationships.Control A.5.20 requires an organization to agree on information security requirements with suppliers that may access, process, store, communicate or provide IT infrastructure components for its information assets1. While this control may be relevant for ensuring information security in supplier relationships, it does not address the issue of unauthorized access to secure areas by external contractors.

Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined: This option is not valid because it does not address the root cause of the nonconformity, which is related to physical entry controls, not working in secure areas.Control A.7.6 requires an organization to define and apply security measures for working in secure areas1. While this control may be relevant for ensuring information security when working in secure areas, it does not address the issue of unauthorized access to secure areas by external contractors.

Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV: This option is not valid because it does not address or resolve the nonconformity, but rather attempts to find alternative or compensating controls that may mitigate its impact or likelihood. While additional arrangements such as CCTV may be useful for verifying individual access to secure areas, they do not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities: This option is not valid because it does not address or resolve the nonconformity, but rather suggests a possible improvement action that may prevent or reduce its recurrence or severity. While accompanying contractors at all times when accessing secure facilities may be a good practice for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Raise an opportunity for improvement to have a large sign in reception reminding everyone requiring access must use their swipe card at all times: This option is not valid because it does not address or resolve the nonconformity, but rather suggests a possible improvement action that may increase awareness or compliance with the existing controls. While having a large sign in reception reminding everyone requiring access must use their swipe card at all times may be a helpful reminder for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.

Tell the organisation they must write to their contractors, reminding them of the need to use access cards appropriately: This option is not valid because it does not address or resolve the nonconformity, but rather instructs the organization to take a corrective action that may not be effective or sufficient for ensuring information security. While writing to contractors, reminding them of the need to use access cards appropriately may be a communication measure for ensuring information security, it does not replace or substitute the requirement for appropriate physical entry controls as specified by control A.7.2.


Contribute your Thoughts:

Daisy
2 months ago
That could be a good idea too, to ensure better security measures
upvoted 0 times
...
Delsie
2 months ago
But what about raising an opportunity for improvement to have contractors accompanied at all times?
upvoted 0 times
...
Sherman
2 months ago
I agree with Daisy, information security requirements should be agreed upon with the supplier
upvoted 0 times
...
Daisy
2 months ago
I think we should raise a nonconformity against control A.5.20
upvoted 0 times
...
Laura
2 months ago
Hmm, option H seems like a good option. A friendly reminder never hurts, right? Although, maybe we should include a few emojis to really drive the point home.
upvoted 0 times
...
Val
2 months ago
Ooh, this one's a tough nut to crack. I reckon option B is the way to go - gotta make sure those supplier relationships are watertight, you know?
upvoted 0 times
Nydia
2 months ago
Yeah, raising a nonconformity against control A.5.20 would definitely help in ensuring that information security requirements are agreed upon with the supplier.
upvoted 0 times
...
Tabetha
2 months ago
Good point. We could consider raising both a nonconformity against control A.5.20 and also an opportunity for improvement regarding verifying individual access.
upvoted 0 times
...
Rory
2 months ago
I agree, option B seems like the best course of action to address the information security issue with the supplier.
upvoted 0 times
...
Tegan
2 months ago
But what about option D? Maybe we should also check if there are additional measures in place to verify individual access to secure areas.
upvoted 0 times
...
Chau
2 months ago
I agree, option B seems like the best course of action to address the issue with information security in supplier relationships.
upvoted 0 times
...
...
Albert
2 months ago
That's a good point, Catarina. It could help prevent unauthorized access in the future.
upvoted 0 times
...
Robt
3 months ago
You know, this reminds me of that time I tried to sneak into the office after hours. Didn't end well. Anyway, I think option D is the best approach.
upvoted 0 times
Moon
1 months ago
Definitely, ensuring proper verification of access is crucial for security.
upvoted 0 times
...
Rosita
1 months ago
It's important to have effective arrangements in place for secure areas.
upvoted 0 times
...
Mitsue
2 months ago
Yeah, having CCTV to verify individual access sounds like a practical solution.
upvoted 0 times
...
Maurine
2 months ago
I agree, option D seems like a good way to address the issue.
upvoted 0 times
...
...
Catarina
3 months ago
But shouldn't we also consider raising an opportunity for improvement to have contractors accompanied at all times?
upvoted 0 times
...
Lynelle
3 months ago
Haha, good one! Those contractors are really taking the 'tailgating' thing too literally. Option G is definitely the way to go here.
upvoted 0 times
...
Frank
3 months ago
I agree with Albert. Information security requirements should be agreed upon with the supplier.
upvoted 0 times
...
Joni
3 months ago
Ah, I see the issue here. We need to make sure those contractors are following the rules, so I'd say option E is the way to go.
upvoted 0 times
Nickole
2 months ago
That's a good point. It's important to ensure compliance with access rules.
upvoted 0 times
...
Dorethea
2 months ago
Yes, contractors should be accompanied at all times in secure areas.
upvoted 0 times
...
...
Kati
3 months ago
Wow, this is a tricky one. I think I'd go with option C - that's the most direct way to address the security breaches we observed.
upvoted 0 times
Shelba
2 months ago
Definitely, it's important to address any lapses in security measures.
upvoted 0 times
...
Theola
3 months ago
We should make sure security measures for working in secure areas are clearly defined.
upvoted 0 times
...
Candra
3 months ago
Agreed, that seems like the best course of action to address the security issue.
upvoted 0 times
...
Micah
3 months ago
Let's raise a nonconformity against control A.7.6 for working in secure areas.
upvoted 0 times
...
...
Albert
3 months ago
I think we should raise a nonconformity against control A.5.20.
upvoted 0 times
...

Save Cancel