PECB Lead Implementer (ISO/IEC 27001) — Question 81

Scenario 22: OpenTech, with its headquarters in San Francisco, specializes in information and communication technology (ICT) solutions. Its clientele primarily includes data communication enterprises and network operators. The company’s core objective is to enable its clients a smooth transition into multi-service providers, aligning their operations with the complex demands of the digital landscape.

Recently, Tim, the internal auditor of OpenTech, conducted an internal audit which uncovered nonconformities related to their monitoring procedures and system vulnerabilities. In response to the identified nonconformities, OpenTech decided to employ a comprehensive problem-solving approach to solve these issues systematically. The method encompasses a team-oriented approach, aiming to identify, correct, and eliminate the root causes of issues. This approach involves several steps. First, establish a group of experts with deep knowledge of processes and controls. Next, break down the nonconformity into measurable components and implement interim containment measures. Then, identify potential root causes and select and verify permanent corrective actions. Finally, put those actions into practice, validate them, take steps to prevent recurrence, and recognize and acknowledge the team’s efforts.

Following the analysis of the root cause of the nonconformities, OpenTech’s ISMS project manager, Julia, developed a list of potential actions to address the identified nonconformities. Julia carefully evaluated the list to ensure that each action would effectively eliminate the root cause of the respective nonconformity. While assessing potential corrective action for addressing a nonconformity, Julia identified the issue as significant and assessed a high likelihood of its reoccurrence. Consequently, she chose to implement temporary corrective actions. Afterward, Julia combined all the nonconformities into a single action plan and sought approval from the top management. The submitted action plan was written as follows:

A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department.

However, Julia’s submitted action plan was not approved by top management. The reason cited was that a general action plan meant to address all nonconformities was deemed unacceptable. Consequently, Julia revised the action plan and submitted separate ones for approval. Unfortunately, Julia did not adhere to the organization’s specified deadline for submission, resulting in a delay in the corrective action process, and notably, the revised action plans lacked a defined schedule for execution.

Did Julia’s approach to submitting action plans for addressing nonconformities align with best practices? Refer to scenario 22.

Answer options

• A. Yes, as action plan submission can be flexible
• B. No, as action plans are typically expected to meet specified deadlines
• C. Yes, Julia revised the action plan to ensure alignment with best practices

Correct answer: B

Explanation

The correct answer is B because adhering to specified deadlines for action plan submissions is a standard best practice in project management. Julia's failure to meet the deadline and lack of a defined execution schedule for the revised action plans indicate a deviation from these best practices, making options A and C incorrect.