PECB Lead Auditor (ISO/IEC 27001) — Question 4

As an auditor, you have noticed that ABC Inc. has established a procedure to manage removable storage media. The procedure is based on the classification scheme adopted by ABC Inc. Thus, if the information stored is classified as "confidential," the procedure applies. On the other hand, information classified as "public" has no confidentiality requirements; thus, only a procedure for ensuring its integrity and availability applies. What type of audit finding is this?

Answer options

Correct answer: A

Explanation

The correct answer is 'Nonconformity' because the procedure does not fully align with the expected standards for handling information based on its classification. The use of different procedures for confidential and public information indicates a deviation from a uniform compliance standard, which is why it is considered a nonconformity. The other options, 'Anomaly' and 'Conformity,' do not accurately capture the nature of the finding as they imply either an unusual occurrence or complete adherence to standards, respectively.