PECB Lead Auditor (ISO/IEC 27001) — Question 1

Scenario: Clinic, founded in the 1990s, is a medical device company that specializes in treatments for heart-related conditions and complex surgical interventions. Based in Europe, it serves both patients and healthcare professionals. Clinic collects patient data to tailor treatments, monitor outcomes, and improve device functionality. To enhance data security and build trust, Clinic is implementing an information security management system (ISMS) based on ISO/IEC 27001. This initiative demonstrates Clinic's commitment to securely managing sensitive patient information and its proprietary technologies.
Clinic established the scope of its ISMS by solely considering internal issues, interfaces and dependencies between activities conducted internally and those outsourced to other organizations, and the expectations of interested parties. This scope was carefully documented and made accessible. In defining its ISMS, Clinic chose to focus specifically on key processes within critical departments such as Research and Development, Patient Data Management, and Customer Support.
Despite initial challenges. Clinic remained committed to its ISMS implementation, tailoring security controls to its unique needs. The project team excluded certain Annex A controls from ISO/IEC 27001, incorporating additional sector-specific controls to enhance security. The project team meticulously evaluated the applicability of these controls against internal and external factors, culminating in developing a comprehensive Statement of Applicability (SoA) detailing the rationale behind control selection and implementation.
As preparations for certification progressed, Brian, appointed as the team leader for the project team, adopted a self-directed risk assessment methodology to identify and evaluate the company, strategic issues, and security practices. This proactive approach ensured that Clinic's risk assessment aligned with its objectives and missions.
Based on the scenario above, answer the following question:
Does the Clinic's SoA document meet the ISO/IEC 27001 requirements for the SoA?

Answer options

• A. Yes, because it comprises an exhaustive list of controls considered applicable from Annex A of ISO/IEC 27001 and the other sources
• B. No, because security controls selected from sources other than Annex A of ISO/IEC 27001 are included
• C. No. because it does not contain the justification for the exclusion of controls from Annex A of ISO/IEC 27001

Correct answer: C

Explanation

The correct answer is C, as the SoA must include justifications for any controls excluded from Annex A. While the inclusion of external controls (as mentioned in B) may not be an issue, the lack of justification for exclusions is a critical requirement that is not addressed. Answer A is incorrect because it implies all necessary controls were included without noting the justification requirement.