Exam Lead Auditor topic 1 question 17 discussion

Actual exam question from PECB's Lead Auditor
Question #: 17
Topic #: 1
Scenario: Clinic, founded in the 1990s, is a medical device company that specializes in treatments for heart-related conditions and complex surgical interventions. Based in Europe, it serves both patients and healthcare professionals. Clinic collects patient data to tailor treatments, monitor outcomes, and improve device functionality. To enhance data security and build trust, Clinic is implementing an information security management system (ISMS) based on ISO/IEC 27001. This initiative demonstrates Clinic's commitment to securely managing sensitive patient information and its proprietary technologies.
Clinic established the scope of its ISMS by solely considering internal issues, interfaces and dependencies between activities conducted internally and those outsourced to other organizations, and the expectations of interested parties. This scope was carefully documented and made accessible. In defining its ISMS, Clinic chose to focus specifically on key processes within critical departments such as Research and Development, Patient Data Management, and Customer Support.
Despite initial challenges, Clinic remained committed to its ISMS implementation, tailoring security controls to its unique needs. The project team excluded certain Annex A controls from ISO/IEC 27001 and incorporated additional sector-specific controls to enhance security. The project team meticulously evaluated the applicability of these controls against internal and external factors, culminating in the development of a comprehensive Statement of Applicability (SoA) detailing the rationale behind control selection and implementation.
As preparations for certification progressed, Brian, appointed as the team leader for the project team, adopted a self-directed risk assessment methodology to identify and evaluate the company's strategic issues and security practices. This proactive approach ensured that Clinic's risk assessment aligned with its objectives and mission.
Based on the scenario, Clinic decided that the ISMS would cover only key processes and departments. Is this acceptable?

  • A. Yes, but the decision to exclude other processes and departments must be justified
  • B. Yes, organizations may limit the scope of the ISMS, but they cannot request a certification audit if the ISMS scope does not include all processes and departments
  • C. No, Clinic must include all processes and departments in the scope, regardless of their importance or relevance to the ISMS
Suggested Answer: A

Comments

7fdefbf
2 weeks, 2 days ago
Selected Answer: A
Yes, the scope of an ISMS (Information Security Management System) should be justified, as this is a key requirement for standards like ISO 27001 and is crucial for an effective and auditable security program. Justification ensures the ISMS is relevant, aligned with business needs, and that any exclusions are intentional and well-reasoned, which is vital during audits and for managing risks.
upvoted 1 time
Community vote distribution
A (35%)
C (25%)
B (20%)
Other