The auditor has noticed that the auditee does not have a Statement of Applicability. What audit conclusion should the auditor reach?


The absence of a Statement of Applicability (SoA) during an audit is a significant finding regarding compliance with ISO/IEC 27001. The SoA is a required document that records which controls from ISO/IEC 27001 Annex A are applicable to the organization (and why any are excluded), and it is a key component for understanding the scope of the Information Security Management System (ISMS) and demonstrating how risks are treated.

When an auditor identifies that the auditee does not have an SoA, this indicates a failure to meet one of the fundamental requirements of the standard. The SoA documents the chosen controls and their applicability, and it shows that the organization has assessed its information security risks and selected controls to treat them. Its absence suggests that the organization may not have performed a proper risk assessment, or may not be effectively managing its information security measures.

Classifying this situation as a major nonconformity is appropriate because it reflects a critical gap in compliance with ISO/IEC 27001. Major nonconformities typically signify systemic issues or the absence of an essential process, which can pose a serious risk to the organization's information security posture. This differs from minor nonconformities, which usually pertain to less significant breakdown
