PECB ISO-27001-LA Online Practice Questions and Exam Preparation

PECB ISO-27001-LA Online Questions & Answers

• Question 111:

  An auditor of organisation A performs an audit of supplier B. Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?

  A. Shares the findings with other relevant managers in A
  B. Shares the findings with B's Information Security Manager
  C. Shares the findings with A's supplier evaluation team
  D. Shares the findings with B's other customers
  E. Shares the findings with B's certification body
  F. Shares the findings with other relevant managers in B
  A. Shares the findings with other relevant managers in A
  D. Shares the findings with B's other customers

  ---

  According to the PECB Candidate Handbook1, one of the principles of auditing is confidentiality, which means that auditors should respect the confidentiality of information obtained during the audit and not disclose it to unauthorized parties. The handbook also states that auditors should only report audit results to those who have a legitimate need to know, such as the client, the auditee, and the certification body. Therefore, sharing the findings with other relevant managers in A or B's other customers would be a breach of confidentiality, as they are not directly involved in the audit process or the information security management system of B. Sharing the findings with B's Information Security Manager or other relevant managers in B would be appropriate, as they are part of the auditee organization and responsible for the implementation and improvement of the ISMS. Sharing the findings with A's supplier evaluation team or B's certification body would also be acceptable, as they have a legitimate need to know the audit results for the purpose of supplier selection or certification, respectively.

  References: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 7-8.

• Question 112:

  You are an experienced ISMS audit team leader guiding an auditor in training. You decide to test her knowledge of follow-up audits by asking her a series of questions. Here are your questions and her answers. Which four of your questions has she answered correctly?

  A. Q: Should a follow-up audit seek to identify new nonconformities? A:YES
  B. Q: Should follow-up audits seek to ensure nonconformities have been effectively addressed? A:YES
  C. Q: Should follow-up audits consider agreed opportunities for improvement as well as corrective action? A:No
  D. Q: Is the purpose of a follow-up audit to verify the completion of corrections, corrective actions, and opportunities for improvement? A:YES
  E. Q: Are follow-up audits required for all audits? A:No
  F. Q: Should the outcome from a follow-up audit be reported to the audit team leader who carried out the audit at which the NCs were originally identified? A:YES
  G. Q: Should the outcome from a follow-up audit be reported to the audit client? A:No
  H. Q: Could an outcome from a follow-up audit be another follow-up audit if required? A:YES
  B. Q: Should follow-up audits seek to ensure nonconformities have been effectively addressed? A:YES
  D. Q: Is the purpose of a follow-up audit to verify the completion of corrections, corrective actions, and opportunities for improvement? A:YES
  E. Q: Are follow-up audits required for all audits? A:No
  H. Q: Could an outcome from a follow-up audit be another follow-up audit if required? A:YES

  ---

  Based on the understanding of follow-up audits, especially in the context of Information Security Management Systems (ISMS) and the guidelines provided by ISO 19011:2018, here are the four questions from your list that the auditor in training has answered correctly:

  B. Q: Should follow-up audits seek to ensure nonconformities have been effectively addressed? A: YES This is correct. The primary purpose of follow-up audits is to verify that nonconformities identified in previous audits have been effectively addressed and the corrective actions taken are suitable and effective. D. Q: Is the purpose of a follow-up audit to verify the completion of corrections, corrective actions, and opportunities for improvement? A: YES Yes, the follow-up audit aims to verify the completion and effectiveness of corrections and corrective actions. It may also consider the implementation of opportunities for improvement identified during the initial audit. E. Q: Are follow-up audits required for all audits? A: NO This is correct. Follow-up audits are not automatically required for all audits. They are typically conducted when nonconformities or other significant issues were identified in an earlier audit and there's a need to verify the implementation and effectiveness of the corrective actions. H. Q: Could an outcome from a follow-up audit be another follow-up audit if required? A: YES Yes, this is a possible outcome. If the follow-up audit finds that the corrective actions have not been fully effective, or if new issues are identified, it may be necessary to conduct another follow-up audit.

  The other responses provided by the auditor in training require some clarification or correction. For instance, while a follow-up audit primarily focuses on previously identified nonconformities and corrective actions, it can still identify new nonconformities if observed (A). Opportunities for improvement are generally considered in the scope of regular audits more so than in follow-up audits, which are more narrowly focused on corrective actions (C). Also, the outcomes of follow- up audits should typically be reported to both the audit team leader and the audit client (F and G), ensuring transparency and accountability.

  The four questions that the auditor in training has answered correctly are B, D, E, and H. These questions and answers are consistent with the definition and purpose of a follow-up audit as specified in ISO 19011:2018, Clause 6.712. A follow- up audit is conducted to verify the completion and effectiveness of corrective actions taken as a result of a previous audit (B, D). Follow-up audits are not mandatory for all audits, but they may be required by the audit program, the audit client, or other interested parties (E). The outcome of a follow-up audit may be another follow-up audit if the corrective actions are not satisfactory or not completed within the agreed time frame (H). The other questions and answers are either incorrect or irrelevant. A follow-up audit should not seek to identify new nonconformities, as this is not its objective (A). Follow-up audits should consider agreed opportunities for improvement as well as corrective actions, as they are both outputs of a previous audit ? The outcome of a follow-up audit should be reported to the audit client, as well as to other relevant parties, such as the audit team leader who carried out the previous audit (F, G).

  References: 1: ISO 19011:2018, Guidelines for auditing management systems, Clause 6.7 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 6: Closing an ISO/IEC 27001 audit

• Question 113:

  Scenario:

  Techmanic is a Belgian company founded in 1995 and currently operating in Brussels. It provides IT consultancy, software design, and hardware/software services, including deployment and maintenance. The company serves sectors like public services, finance, telecom, energy, healthcare, and education. As a customer-centered company, it prioritizes strong client relationships and leading security practices.

  Techmanic has been ISO/IEC 27001 certified for a year and regards this certification with pride. During the certification audit, the auditor found some inconsistencies in its ISMS implementation. Since the observed situations did not affect the capability of its ISMS to achieve the intended results, Techmanic was certified after auditors followed up on the root cause analysis and corrective actions remotely During that year, the company added hosting to its list of services and requested to expand its certification

  scope to include that area The auditor in charge approved the request and notified Techmanic that the extension audit would be conducted during the surveillance audit

  Techmanic underwent a surveillance audit to verify its iSMS's continued effectiveness and compliance with ISO/IEC 27001. The surveillance audit aimed to ensure that Techmanic's security practices, including the recent addition of hosting services, aligned seamlessly with the rigorous requirements of the certification

  The auditor strategically utilized the findings from previous surveillance audit reports in the recertification activity with the purpose of replacing the need for additional recertification audits, specifically in the IT consultancy sector. Recognizing the value of continual improvement and learning from past assessments. Techmanic implemented a practice of reviewing previous surveillance audit reports. This proactive approach not only facilitated identifying and resolving potential nonconformities but also aimed to

  streamline the recertification process in the IT consultancy sector.

  During the surveillance audit, several nonconformities were found. The ISMS continued to fulfill the ISO/IEC 27001*s requirements, but Techmanic failed to resolve the nonconformities related to the hosting services, as reported by its internal auditor. In addition, the internal audit report had several inconsistencies, which questioned the independence of the internal auditor during the audit of hosting services. Based on this, the extension certification was not granted. As a result. Techmanic requested a

  transfer to another certification body. In the meantime, the company released a statement to its clients stating that the ISO/IEC 27001 certification covers the IT services, as well as the hosting services.

  Based on the scenario above, answer the following question:

  Question:

  According to Scenario, the auditor decided to conduct the extension audit during the surveillance audit .

  How do you define this situation?

  A. Acceptable, as extension audits are conducted during the surveillance audit
  B. Unacceptable, as the auditor cannot approve the extension audit
  C. Unacceptable, as extension audits are only conducted after the second year of the initial certification audit
  A. Acceptable, as extension audits are conducted during the surveillance audit

  ---

  A.

  Correct Answer:

  ISO/IEC 17021-1 allows extension audits to be conducted alongside surveillance audits.

  This reduces redundancy and cost while maintaining compliance .

  B. Incorrect:

  Certification bodies have the authority to approve extension audits.

  C. Incorrect:

  Extensions are not restricted to the second year--they can occur at any time during the certification cycle .

  Relevant Standard Reference:

  ISO/IEC 17021-1:2015 Clause 9.6.5 (Extension Audits During Surveillance)

• Question 114:

  The following are the guidelines to protect your password, except:

  A. Don't use the same password for various company system security access
  B. Do not share passwords with anyone
  C. For easy recall, use the same password for company and personal accounts
  D. Change a temporary password on first log-on
  B. Do not share passwords with anyone
  C. For easy recall, use the same password for company and personal accounts

  ---

  The following are guidelines to protect your password, except for easy recall use the same password for company and personal accounts; do not share passwords with anyone. Using the same password for company and personal accounts is not a guideline to protect your password, as it increases the risk of compromising your password if one of your accounts is hacked or breached. You should use different and unique passwords for each account, and change them regularly. Sharing passwords with anyone is not a guideline to protect your password, as it reduces the security and accountability of your password. You should keep your password confidential and never disclose it to anyone, even if they claim to be authorized or trustworthy. Don't use the same password for various company system security access is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if one of the systems is compromised or breached. You should use different and complex passwords for each system, and follow the password policies and standards of the organization. Change a temporary password on first log-on is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if the temporary password is intercepted or leaked. You should change the temporary password to a personal and secure password as soon as possible, and avoid using default or predictable passwords.

  References: CQI and IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 43. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 15.

• Question 115:

  Scenario:

  Rebuildy is a construction company located in Bangkok.. Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.

  The ISMS implementation outcomes are presented below

  -

  Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.

  -

  Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.

  -

  All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.

  -

  The information security policy is part of a security manual drafted based on best security practices Therefore, it is not a stand-alone document.

  -

  Information security roles and responsibilities have been clearly stated in every employees job description

  -

  Management reviews of the ISMS are conducted at planned intervals.

  Rebuildy applied for certification after two midterm management reviews and one annual internal audit Before the certification audit one of Rebuildy's former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this

  evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.

  At the beginning of the audit, the audit team interviewed the company's top management They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy's conformity to several clauses of ISO/IEC 27001

  The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:

  -

  An instance of improper user access control settings was detected within the company's financial reporting system.

  -

  A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.

  After receiving these documents from the audit team, the team leader met Rebuildy's top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate

  with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.

  Based on the scenario above, answer the following question:

  Question:

  Based on the last paragraph of Scenario, what did the audit team leader commit?

  A. Ordinary negligence
  B. Gross negligence
  C. Fraud
  C. Fraud

  ---

  C. Fraud (Correct Answer):

  The audit team leader knowingly falsified the audit report to downplay nonconformities.

  Fraud involves intentional deception or misrepresentation of information, making this a fraudulent act.

  A. Ordinary negligence (Incorrect):

  Ordinary negligence is a failure to exercise reasonable care , but this case involved intentional misconduct .

  B. Gross negligence (Incorrect):

  Gross negligence is extreme carelessness but does not involve deliberate misrepresentation .

  Relevant Standard Reference:

  ISO 19011:2018 Clause 4 (Principles of Auditing: Integrity and Objectivity)

• Question 116:

  During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made. Select two options for how the auditor should respond.

  A. Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures
  B. Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned
  C. Suggest that the MSR cancels the audit contract and reapplies for the new situation
  D. Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit
  E. Advise the MSR that, within the existing scope, the new work area can be included without any problem
  F. Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area
  A. Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures
  D. Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit

  ---

  The correct options for how the auditor should respond are: Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit

  These options are consistent with the ISO/IEC 27006:2015 standard, which states that any changes to the scope of certification should be notified by the client to the certification body, and that the certification body should evaluate and decide on these changes in accordance with its procedures1. The auditor should also verify that the ISMS is implemented and maintained at all sites included in the scope of certification.

  The other options are not appropriate for how the auditor should respond, because: Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned: This option is too rigid and does not allow for any flexibility or adaptation to the client's situation. The auditor should be open to consider any changes to the scope of certification that may have occurred since the initial application, as long as they are properly notified and evaluated by the certification body. Suggest that the MSR cancels the audit contract and reapplies for the new situation: This option is too drastic and unnecessary, as it would cause delays and costs for both the client and the certification body. The auditor should not suggest that the client cancels the audit contract, but rather that they follow the established procedures for requesting and approving an extension of the scope of certification. Advise the MSR that, within the existing scope, the new work area can be included without any problem: This option is too lenient and does not ensure that the new work area meets the requirements of ISO/IEC 27001 and the ISMS. The auditor should not assume that the new work area can be included within the existing scope without any problem, but rather that they need to verify that the ISMS is implemented and maintained at the new site, and that any changes to the scope of certification are approved by the certification body. Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area: This option is too presumptuous and does not respect the authority of the certification body. The auditor should not confirm that they will revise the audit scope to include the new work area, but rather that they will advise the certification body of the client's request for an extension of the scope of certification, and wait for their decision.

• Question 117:

  Which two of the following options do not participate in a first-party audit?

  A. A certification body auditor
  B. An audit team from an accreditation body
  C. An auditor certified by CQI and IRCA
  D. An auditor from a consultancy organisation
  E. An auditor trained in the CQI and IRCA scheme
  F. An auditor trained in the organization
  A. A certification body auditor
  B. An audit team from an accreditation body

  ---

  A first-party audit is an internal audit in which the organization's own staff or contractors check the conformity and effectiveness of the ISMS. A certification body auditor and an audit team from an accreditation body are external auditors who conduct audits for the purpose of certification or accreditation. They do not participate in a first-party audit, but rather in a third-party audit.

  References: First and Second Party Audits - operational services, The ISO 27001 Audit Process | Blog | OneTrust, The ISO 27001 Audit Process | A Beginner's Guide - IAS USA

• Question 118:

  Which four of the following statements about audit reports are true?

  A. Audit reports should be produced by the audit team leader with input from the audit team
  B. Audit reports should include or refer to the audit plan
  C. Audit reports should be sent to the organisation's top management first because their contents could be embarrassing
  D. Audit reports should be assumed suitable for general circulation unless they are specifically marked confidential
  E. Audit reports should only evidence nonconformity
  F. Audit reports should be produced within an agreed timescale
  G. Audit reports that are no longer required can be destroyed as part of the organisation's general waste
  H. Audit reports should always be reviewed by the client, dated, and signed as 'accepted'
  A. Audit reports should be produced by the audit team leader with input from the audit team
  B. Audit reports should include or refer to the audit plan
  F. Audit reports should be produced within an agreed timescale
  H. Audit reports should always be reviewed by the client, dated, and signed as 'accepted'

  ---

  According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the audit reports should be produced by the audit team leader with input from the audit team, as they are responsible for collecting and analysing the audit evidence1. The audit reports should also include or refer to the audit plan, as it provides the basis for the audit objectives, scope, criteria, and methodology. Furthermore, the audit reports should be produced within an agreed timescale, as it is part of the audit programme

  management and ensures timely communication of the audit results3. Additionally, the audit reports should always be reviewed by the client, dated, and signed as `accepted', as it confirms the audit completion and the formal agreement on the audit findings and conclusions.

  The other statements are false because:

  Audit reports should not be sent to the organisation's top management first because their contents could be embarrassing, as this would compromise the audit impartiality and confidentiality5. Audit reports should be distributed according to the audit programme procedures and the audit plan. Audit reports should not be assumed suitable for general circulation unless they are specifically marked confidential, as this would violate the audit confidentiality and the protection of personal information. Audit reports

  should be treated as confidential documents and only shared with the authorised parties. Audit reports should not only evidence nonconformity, as this would limit the audit scope and value. Audit reports should also evidence conformity, improvement opportunities, good practices, and audit observations. Audit reports that are no longer required should not be destroyed as part of the organisation's general waste, as this would pose a risk to the audit confidentiality and the information security. Audit reports

  should be retained, disposed, or destroyed according to the audit programme procedures and the applicable legal requirements.

  References:

  1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 32, section 4.4.3

  2: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.4

  3: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 31, section 4.4.1

  4: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 34, section 4.4.5

  5: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 24, section 4.3.1. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.4. :

  PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 24, section 4.3.1. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.4. : PECB Candidate Handbook for ISO /IEC 27001 Lead Auditor, page 32, section 4.4.3. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.4. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 24, section 4.3.1. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 34,

  section 4.4.5.

• Question 119:

  You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. You find all nursing home residents wear an electronic wristband for monitoring their location, heartbeat, and blood pressure always. You learned that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.

  To verify the scope of ISMS, you interview the management system representative (MSR) who explains that the ISMS scope covers an outsourced data center.

  Select three options for the audit evidence you need to find to verify the scope of the ISMS.

  A. The auditee has identified the resident's needs and expectations on the facility and environmental safety
  B. The auditee has ISO 9001 certification
  C. The auditee has identified the governmental authorities' needs and expectations on healthcare services and patient data handling
  D. The auditee has identified the resident's needs and expectations on how they should protect the resident's personal data
  E. The auditee has identified the resident's needs and expectations on the comfort facility, medical professional's competence, and clean environment
  F. The auditee has identified the resident's needs and expectations on healthcare medical treatment services
  G. The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located
  H. The auditee is considering the purchase of a healthcare monitoring app from an external software company
  C. The auditee has identified the governmental authorities' needs and expectations on healthcare services and patient data handling
  D. The auditee has identified the resident's needs and expectations on how they should protect the resident's personal data
  G. The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located

  ---

  According to ISO 27001:2022 clause 4.3, the organisation shall determine the scope of the information security management system (ISMS) by considering the internal and external issues, the requirements of interested parties, and the interfaces and dependencies with other organisations In this case, the ISMS scope covers an outsourced data center that hosts the artificial intelligence (AI) cloud server for healthcare monitoring and analysis of the residents' data. Therefore, the audit evidence you need to find to verify the scope of the ISMS should include: The auditee has identified the governmental authorities' needs and expectations on healthcare services and patient data handling. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to comply with the relevant laws and regulations regarding the quality, safety, and privacy of healthcare services and patient data The auditee has identified the resident's needs and expectations on how they should protect the resident' s personal data. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to ensure the confidentiality, integrity, and availability of the resident's personal data that is collected, processed, and stored by the electronic wristband and the AI cloud server The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located. This is an interface and dependency with another organisation that affects the ISMS scope, as the auditee has to control the externally provided processes, products, and services that are relevant to the ISMS, and to implement appropriate contractual requirements related to information security The following options are not relevant or sufficient for verifying the scope of the ISMS: The auditee has identified the resident's needs and expectations on the facility and environmental safety. This is an external issue and an interested party requirement, but it does not affect the ISMS scope, as it is not related to information security The auditee has ISO 9001 certification. This is an indication of the auditee's quality management system, but it does not verify the scope of the ISMS, as it is not related to information security The auditee has identified the resident's needs and expectations on the comfort facility, medical professional's competence, and clean environment. These are external issues and interested party requirements, but they do not affect the ISMS scope, as they are not related to information security The auditee has identified the resident's needs and expectations on healthcare medical treatment services. These are external issues and interested party requirements, but they do not verify the scope of the ISMS, as they are not specific to information security The auditee is considering the purchase of a healthcare monitoring app from an external software company. This is a potential change that may affect the ISMS scope in the future, but it does not verify the current scope of the ISMS, as it is not yet implemented or controlled

  References:

  1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1

  2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

• Question 120:

  Scenario: MetroUni operates a university network. The ISMS procedure states: "Privileged access requests must be approved by the asset owner and logged." During the audit, you sample 12 privileged access requests and find 4 were approved by IT operations without asset owner approval, although logs exist. How should this audit finding be classified?

  A. Opportunity for improvement, because approvals exist and logs exist
  B. Nonconformity, because the organization did not follow its own documented procedure
  C. Observation, because only 4 of 12 requests were affected
  D. Acceptable, because IT operations can substitute for the asset owner
  B. Nonconformity, because the organization did not follow its own documented procedure

  ---

  B is correct. Failure to follow established documented procedures indicates nonconformity with operational control (clause 8.1) and control of documented information implementation expectations. The organization set a requirement (asset owner approval) but did not consistently meet it.

  A is incorrect because this is more than a suggestion; it is a failure to fulfil an internal requirement.

  C is incorrect because sampling indicates a systemic issue; the proportion strengthens the case for nonconformity rather than reducing it.

  D is incorrect unless the procedure defines IT operations as the asset owner (not stated).

  References: ISO/IEC 27001:2022 clause 8.1