PECB Lead Implementer (ISO/IEC 27001) — Question 64

Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a combined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit. The company decided not to conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS. However, the company requested from the certification body that the documentation could not be carried off-site.
However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement. The company asserted that the same audit team leader had issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body.
Based on the scenario above, answer the following question:
Does NetworkFuse fulfill the prerequisites for a certification audit?

Answer options

Correct answer: B

Explanation

The correct answer is B because NetworkFuse ensured that internal audits and management reviews were available, which are crucial for demonstrating compliance with the ISMS and QMS requirements. Option A is incorrect as merely selecting a certification body does not fulfill all prerequisites. Option C is misleading since the ISMS has already been operational for two years, exceeding the one-year requirement.