PECB Lead Implementer (ISO/IEC 27001) — Question 35
Based on scenario 5, after migrating to the cloud, Operaze’s IT team changed the ISMS scope and implemented all the required modifications. Is this acceptable?
Answer options
- A. Yes, because the ISMS scope should be changed when there are changes to the external environment
- B. No, because the company has already defined the ISMS scope
- C. No, because any change in ISMS scope should be accepted by the management
Correct answer: C
Explanation
The correct answer is C because any adjustments to the ISMS scope require management's consent to ensure alignment with organizational objectives and risk management strategies. Option A is incorrect as changes in the external environment alone do not justify modifications without management approval. Option B is also incorrect since the ISMS scope can be updated, but it must go through the appropriate channels.