View all questions & answers for the ISO-IEC-27001-Lead-Auditor exam
Question:
Which of the following can be considered a minor nonconformity?
Employees lack training to recognize phishing attempts, increasing malware risks
Lack of multi-factor authentication leaves accounts vulnerable to unauthorized access
The information security policy lacks reference to continual ISMS improvement
Comprehensive and Detailed In-Depth Explanation:
C. Correct Answer:
A missing reference to continual improvement is a documentation issue, not an immediate security risk, making it a minor nonconformity.
A. Incorrect:
Lack of employee training poses a direct security risk (major nonconformity).
B. Incorrect:
Missing multi-factor authentication significantly weakens security (major nonconformity).
Relevant Standard Reference:
ISO/IEC 27001:2022 Clause 10.1 (Continual Improvement)
Submit