PECB Lead Implementer (ISO/IEC 27001) — Question 71

Scenario 23: NetworkFuse is a leading company that deals with the design, production, and distribution of network hardware products. Over the past two years, NetworkFuse has maintained an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001. These systems are designed to ensure the company’s commitment to both information security and the highest quality standards.

To further demonstrate its dedication to best practices and industry standards, NetworkFuse recently scheduled a combined certification audit. This audit seeks to validate NetworkFuse’s compliance with both ISO/IEC 27001 and ISO 9001, demonstrating the company’s strong commitment to maintaining high standards in information security management and quality management. The process began with carefully selecting a certification body. Then, NetworkFuse took steps to prepare its employees for the audit, which was crucial in ensuring a smooth and successful audit process. Additionally, NetworkFuse appointed individuals to manage the ISMS and the QMS.

NetworkFuse decided to not conduct a self-evaluation before the audit, a step often taken by organizations to proactively identify potential areas of improvement. The company’s top management believed such an evaluation was unnecessary, confident in their existing systems and practices. This decision reflected their trust in the robustness of their ISMS and QMS. As part of the preparations, NetworkFuse took careful measures to ensure that all necessary documented information, including internal audit reports, management reviews, technological infrastructure, and the overall functioning of the ISMS and QMS, was readily available for the audit. This information would be vital in demonstrating their compliance with the ISO standards.

During the audit, NetworkFuse requested from the certification body to not carry documentation off-site. This request stemmed from their commitment to safeguarding sensitive and proprietary information, and reflecting their desire for maximum security and control during the audit process. Despite meticulous preparations, the actual audit did not proceed as ‘scheduled. NetworkFuse raised concerns about the assigned audit team leader and requested a replacement. The company asserted that the same audit team leader had previously issued a recommendation for certification to one of NetworkFuse’s main competitors. This potential conflict of interest raised concerns among the company’s top management. However, the certification body rejected NetworkFuse’s request for a replacement, and the audit process was canceled.

According to scenario 23, NetworkFuse requested from the certification body to not carry documentation off-site. Is this acceptable?

Answer options

• A. Yes, the auditee may request that the review of the documentation takes place on-site
• B. Yes, only if a confidentiality agreement is formerly signed by the audit team
• C. No, the certification body decides whether the documentation review takes place on-site or off-site

Correct answer: A

Explanation

The correct answer is A because an auditee has the right to request that the documentation review occurs on-site to maintain control over sensitive information. Option B is incorrect since a confidentiality agreement does not necessarily grant the auditee the right to dictate the location of the review. Option C is also incorrect because while the certification body has procedures, an auditee's request for on-site review is valid and can be honored.