Summer Special Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 8w52ceb345

Scenario 2:Clinic, founded in the 1990s, is a medical device company that specializes in treatments...

PECB ISO-IEC-27001-Lead-Auditor Full Course Access
PECB ISO-IEC-27001-Lead-Auditor View All Questions

Scenario 2:

Clinic, founded in the 1990s, is a medical device company that specializes in treatments for heart-related conditions and complex surgical interventions. Based in Europe, it serves both patients and healthcare professionals. Clinic collects patient data to tailor treatments, monitor outcomes, and improve device functionality. To enhance data security and build trust, Clinic is implementing an information security management system (ISMS) based on ISO/IEC 27001. This initiative demonstrates Clinic's commitment to securely managing sensitive patient information and proprietary technologies.

Clinic established the scope of its ISMS by solely considering internal issues, interfaces, dependencies between internal and outsourced activities, and the expectations of interested parties. This scope was carefully documented and made accessible. In defining its ISMS, Clinic chose to focus specifically on key processes within critical departments such as Research and Development, Patient Data Management, and Customer Support.

Despite initial challenges, Clinic remained committed to its ISMS implementation, tailoring security controls to its unique needs. The project team excluded certain Annex A controls from ISO/IEC 27001 while incorporating additional sector-specific controls to enhance security. The team evaluated the applicability of these controls against internal and external factors, culminating in the development of a comprehensive Statement of Applicability (SoA) detailing the rationale behind control selection and implementation.

As preparations for certification progressed, Brian, appointed as the team leader, adopted a self-directed risk assessment methodology to identify and evaluate the company’s strategic issues and security practices. This proactive approach ensured that Clinic’s risk assessment aligned with its objectives and mission.

Question:

Based on Scenario 2, Clinic initially defined its information security objectives and then conducted a risk assessment. Is this acceptable?

A.

Yes, because objectives can be adjusted later to fit the risk assessment results

B.

No, because the risk assessment should be conducted only once objectives are fully implemented

C.

No, information security objectives must be established, taking into account risk assessment results, as per ISO/IEC 27001 requirements

ISO-IEC-27001-Lead-Auditor PDF/Engine
  • Printable Format
  • Value of Money
  • 100% Pass Assurance
  • Verified Answers
  • Researched by Industry Experts
  • Based on Real Exams Scenarios
  • 100% Real Questions
buy now ISO-IEC-27001-Lead-Auditor pdf
Get 60% Discount on All Products, Use Coupon: "8w52ceb345"
Next
The data center at which you work is currently seeking ISO/IEC27001:2022 certification.
You are an experienced ISMS audit team leader providing instruction to a class of auditors...
Previous