PECB Lead Auditor (ISO/IEC 27001) — Question 14

You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.
The Service Manager says that the complaints were investigated as an information security incident which found that they were justified. Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.
You write a nonconformity "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents' and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members."
Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity. (Choose three.)

Answer options

• A. ABC asks an ISMS consultant to test the ABC Healthcare mobile app for protection against cyber-crime.
• B. ABC cancels the service agreement with WeCare.
• C. ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA).
• D. ABC discontinues the use of the ABC Healthcare mobile app.
• E. ABC introduces background checks on information security performance for all suppliers.
• F. ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.
• G. ABC takes legal action against WeCare for breach of contract.
• H. ABC trains all stiff on the importance of maintaining information security protocols.

Correct answer: B, E, F

Explanation

The correct actions B, E, and F directly address the nonconformity by ensuring that the supplier relationship is terminated, background checks are established to prevent future issues, and compliance is regularly monitored. Options A, C, D, G, and H do not directly resolve the immediate concern of the nonconformity or focus on necessary corrective actions related to the misuse of personal data.