PECB Lead Implementer (ISO/IEC 27001) — Question 101
Based on scenario 18, the top management decided to accept the risk related to a nonconformity to control 5.17 Authentication information. Is this acceptable?
Answer options
- A. Acceptable, the company analyzed the implementation costs and accepted the risk
- B. Acceptable, as the company properly informed the internal audit that they decided to accept the risk
- C. Unacceptable, the company should have provided justification for accepting the risks and documented it
Correct answer: C
Explanation
The correct answer is C because a decision to accept a risk must be justified and documented so that it remains accountable and transparent. Neither cost analysis (option A) nor informing the internal audit function (option B) replaces that justification and documentation, which is what the risk-acceptance decision requires.