According to ISO 27001:2022 clause 4.3, the organisation shall determine the scope of the information security management system (ISMS) by considering the internal and external issues, the requirements of interested parties, and the interfaces and dependencies with other organisations12

In this case, the ISMS scope covers an outsourced data center that hosts the artificial intelligence (AI) cloud server for healthcare monitoring and analysis of the residents’ data. Therefore, the audit evidence you need to find to verify the scope of the ISMS should include:

The auditee has identified the governmental authorities’ needs and expectations on healthcare services and patient data handling. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to comply with the relevant laws and regulations regarding the quality, safety, and privacy of healthcare services and patient data12

The auditee has identified the resident’s needs and expectations on how they should protect the resident’s personal data. This is an external issue and an interested party requirement that affects the ISMS scope, as the auditee has to ensure the confidentiality, integrity, and availability of the resident’s personal data that is collected, processed, and stored by the electronic wristband and the AI cloud server12

The IT service agreement with the data center where the artificial intelligence (AI) cloud server is located. This is an interface and dependency with another organisation that affects the ISMS scope, as the auditee has to control the externally provided processes, products, and services that are relevant to the ISMS, and to implement appropriate contractual requirements related to information security12

The following options are not relevant or sufficient for verifying the scope of the ISMS:

The auditee has identified the resident’s needs and expectations on the facility and environmental safety. This is an external issue and an interested party requirement, but it does not affect the ISMS scope, as it is not related to information security12

The auditee has ISO 9001 certification. This is an indication of the auditee’s quality management system, but it does not verify the scope of the ISMS, as it is not related to information security12

The auditee has identified the resident’s needs and expectations on the comfort facility, medical professional’s competence, and clean environment. These are external issues and interested party requirements, but they do not affect the ISMS scope, as they are not related to information security12

The auditee has identified the resident’s needs and expectations on healthcare medical treatment services. These are external issues and interested party requirements, but they do not verify the scope of the ISMS, as they are not specific to information security12

The auditee is considering the purchase of a healthcare monitoring app from an external software company. This is a potential change that may affect the ISMS scope in the future, but it does not verify the current scope of the ISMS, as it is not yet implemented or controlled12

These three characteristics are the fundamental properties of information security, as defined by the ISO/IEC 27000 standard, which provides the overview and vocabulary of information security, cybersecurity, and privacy protection12. They are also the basis for the information security objectives and controls of the ISO/IEC 27001 standard, which specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system34. The definitions of these characteristics are as follows12:

•Availability: The property of being accessible and usable upon demand by an authorized entity.

•Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

•Integrity: The property of safeguarding the accuracy and completeness of information and processing methods.

The other characteristics listed in the question, such as clarity, accessibility, completeness, importance, and efficiency, are not directly related to information security, although they may be relevant for other aspects of information management, such as quality, usability, or performance.

Management review is a crucial component of an ISMS that helps determine opportunities for continual improvement. Through management review, an organization assesses the performance and effectiveness of its ISMS, including reviewing opportunities for improvements and the need for changes to the ISMS, including the security policy and security objectives.

According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes developing and entering into licensing agreements that cover code ownership and intellectual property rights, and implementing appropriate contractual requirements related to secure design and coding in accordance with Annex A 8.25 and 8.2912

In this case, the organisation and the developer have performed security tests that failed, which indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT Manager explains that the encryption and pseudonymisation functions failed because they slowed down the system and service performance, and that an extra 150% of resources are needed to cover this. However, this does not justify the acceptance of the test results by the Service Manager, who is not authorised to approve the test according to the software security management procedure. The Service Manager should have consulted with the IT Manager, who is the owner of the process, and followed the procedure for handling nonconformities and corrective actions. The Service Manager’s decision to continue the service based on access control alone exposes the organisation to the risk of compromising the confidentiality, integrity, and availability of personal data processed by the mobile app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.

This scenario represents ordinary negligence, making option A the correct answer. Ordinary negligence occurs when an individual fails to exercise the level of care, competence, or diligence that would reasonably be expected under similar circumstances. In the context of ISO/IEC 27001 certification audits, this includes failing to follow established audit procedures, best practices, or competence requirements, even if there is no intent to cause harm.

In the scenario, the audit team leader failed to follow established best practices and lacked sufficient expertise in certain complex ISMS areas. These shortcomings resulted in weak audit coverage and suboptimal outcomes. However, the audit was still conducted, findings were reported, and there is no indication of reckless disregard, willful misconduct, or intentional violation of duties. This distinction is important when assessing the severity of negligence.

Gross negligence would require evidence of a serious departure from accepted standards, such as knowingly ignoring mandatory audit requirements, deliberately conducting an audit without any competence, or showing reckless indifference to the consequences. That threshold is not met here. Similarly, option C is incorrect because the presence of procedural failures and competence gaps clearly indicates some level of negligence.

ISO 19011:2018 emphasizes auditor competence, due professional care, and adherence to audit principles. Failure to meet these expectations constitutes negligence, but in this case, it remains within the bounds of ordinary negligence rather than gross negligence.

This activity is permitted, provided that the certification body minimizes disturbance to the certification process, making option A the correct answer. ISO/IEC 17021-1, which governs certification bodies providing management system certification, explicitly allows certification bodies to evaluate the competence and performance of their auditors. This includes on-site witnessing of auditors during actual certification audits.

The purpose of such evaluations is to ensure auditor competence, consistency, and adherence to certification procedures. ISO/IEC 17021-1 requires certification bodies to maintain confidence in their certification activities by monitoring and evaluating auditors in real audit situations. Conducting these evaluations on-site is a common and accepted practice, especially for initial competence assessments or periodic performance reviews.

However, the certification body must ensure that the evaluation does not interfere with the audit objectives or disrupt the client’s operations. Option B is incorrect because there is no requirement or justification for suspending the client’s business activities. Certification audits are designed to be conducted alongside normal operations whenever possible. Option C is incorrect because while remote evaluations may be used in some circumstances, the standard does not prohibit on-site evaluations.

Therefore, an on-site evaluation of an auditor during a certification audit is permitted, provided that it is carefully managed and does not disrupt the certification process or the auditee’s normal operations.

From Exact Extract:

Explanation for C (Correct Response):

The audit team leader ' s primary responsibility is to manage the audit process effectively and efficiently according to the agreed-upon audit plan and schedule. A Stage 2 audit schedule is typically tightly managed to ensure all required elements of the management system are sampled within the allocated time. A 45-minute video presentation is a significant time commitment that would disrupt the planned audit activities. Politely but firmly stating the need to adhere to the schedule is professional and critical for maintaining audit integrity and achieving the audit objectives.

The incorrect statement is B, because auditors are permitted to adjust the audit plan based on materiality considerations identified during the stage 2 audit. ISO 19011 explicitly allows auditors to adapt audit plans as new information emerges, provided such changes are justified and documented. Preventing adjustments would contradict the principles of risk-based and evidence-based auditing.

Materiality is evaluated throughout the audit lifecycle. During initial contact and audit planning, inherent risks and organizational complexity influence audit duration and resource allocation, making statement A correct. During stage 1 audits, auditors review documentation and high-level processes to identify key areas that warrant deeper examination during stage 2, making statement C correct.

Statement B incorrectly suggests that once stage 2 begins, the audit plan is fixed and cannot be adjusted. In practice, if auditors discover that certain processes or assets are more material than initially assessed, they may legitimately reallocate audit time or adjust focus to ensure sufficient coverage of high-impact areas. This flexibility is essential to achieve reasonable assurance.

Therefore, statement B is not correct, as it contradicts established auditing norms and ISO guidance on audit adaptability.

The correct statement which defines the content of the scope of the ISMS is that the ISMS scope should take any information security issues that have occurred and any interested parties’ requirements into consideration. According to ISO/IEC 27001:2022, the scope of the ISMS should be determined by considering the internal and external issues, the requirements and expectations of interested parties, the interfaces and dependencies between the organisation and other parties, and the information security risks. The scope of the ISMS should also be aligned with the strategic direction of the organisation and be appropriate to its purpose and context. The scope of the ISMS should not be limited by the government’s recommendation, nor exclude external service providers, nor be based on a single department or function, unless these are justified by the risk assessment and the needs and expectations of interested parties. References: = ISO/IEC 27001:2022, clause 4.3; PECB Candidate Handbook ISO 27001 Lead Auditor, page 15; ISO 27001 scope statement | How to set the scope of your ISMS - Advisera.