PECB Lead Auditor (ISO/IEC 27001) — Question 27
You are an experienced ISMS audit team leader guiding an auditor in training. You are testing her understanding of follow-up audits by asking her a series of questions to which the answer is either 'true' or 'false'.
Which two of the following questions should the answer be 'true'? (Choose two.)
Answer options
- A. A follow-up audit is required in all instances where nonconformities have been identified
- B. A follow-up audit is required only in instances where a major nonconformity has been identified
- C. A follow-up audit may be carried out where nonconformities are major
- D. The outcome of a follow-up audit could change an original major nonconformity into a minor nonconformity
- E. The outcomes of a follow-up audit should be reported to the audit team leader who carried out the original audit
- F. The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client
Correct answer: C, F
Explanation
The correct answers are C and F. A follow-up audit can indeed be performed when major nonconformities exist, and its outcomes must be reported to the individual managing the audit programme and to the audit client so that they can exercise proper oversight. Options A and B are incorrect because a follow-up audit is not required in all cases where nonconformities are found, nor solely where a major nonconformity has been identified; it can also address other significant issues.