PECB Lead Implementer (ISO/IEC 27001) — Question 85

Scenario 22: OpenTech, with its headquarters in San Francisco, specializes in information and communication technology (ICT) solutions. Its clientele primarily includes data communication enterprises and network operators. The company’s core objective is to enable its clients a smooth transition into multi-service providers, aligning their operations with the complex demands of the digital landscape.

Recently, Tim, the internal auditor of OpenTech, conducted an internal audit which uncovered nonconformities related to their monitoring procedures and system vulnerabilities. In response to the identified nonconformities, OpenTech decided to employ a comprehensive problem-solving approach to solve these issues systematically. The method encompasses a team-oriented approach, aiming to identify, correct, and eliminate the root causes of issues. This approach involves several steps. First, establish a group of experts with deep knowledge of processes and controls. Next, break down the nonconformity into measurable components and implement interim containment measures. Then, identify potential root causes and select and verify permanent corrective actions. Finally, put those actions into practice, validate them, take steps to prevent recurrence, and recognize and acknowledge the team’s efforts.

Following the analysis of the root cause of the nonconformities, OpenTech’s ISMS project manager, Julia, developed a list of potential actions to address the identified nonconformities. Julia carefully evaluated the list to ensure that each action would effectively eliminate the root cause of the respective nonconformity. While assessing potential corrective action for addressing a nonconformity, Julia identified the issue as significant and assessed a high likelihood of its reoccurrence. Consequently, she chose to implement temporary corrective actions. Afterward, Julia combined all the nonconformities into a single action plan and sought approval from the top management. The submitted action plan was written as follows:

A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department.

However, Julia’s submitted action plan was not approved by top management. The reason cited was that a general action plan meant to address all nonconformities was deemed unacceptable. Consequently, Julia revised the action plan and submitted separate ones for approval. Unfortunately, Julia did not adhere to the organization’s specified deadline for submission, resulting in a delay in the corrective action process, and notably, the revised action plans lacked a defined schedule for execution.

Did OpenTech have a plan in place to implement permanent corrective action to address the identified nonconformities? Refer to scenario 22.

Answer options

• A. Yes, OpenTech had a comprehensive plan in place to implement permanent corrective actions
• B. No, OpenTech did not have a clear plan to implement a permanent corrective action
• C. No, OpenTech decided not to pursue this course of action

Correct answer: B

Explanation

The correct answer is B because, although Julia identified nonconformities and proposed action plans, her plans were not approved by top management, and she failed to meet the submission deadline, indicating a lack of a clear and effective strategy for permanent corrective actions. Options A and C are incorrect as there was no comprehensive plan in place, and OpenTech did attempt a course of action, but it was not executed properly.