Exam ISO-IEC-27001-Lead-Auditor Topic 3 Question 297 Discussion
Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 297
Topic #: 3
Question #: 297
Topic #: 3
An auditor of organisation A performs an audit of supplier B.
Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?
Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?
Suggested Answer: A,D Vote an answer
According to the PECB Candidate Handbook1, one of the principles of auditing is confidentiality, which means that auditors should respect the confidentiality of information obtained during the audit and not disclose it to unauthorized parties. The handbook also states that auditors should only report audit results to those who have a legitimate need to know, such as the client, the auditee, and the certification body. Therefore, sharing the findings with other relevant managers in A or B's other customers would be a breach of confidentiality, as they are not directly involved in the audit process or the information security management system of B.
Sharing the findings with B's Information Security Manager or other relevant managers in B would be appropriate, as they are part of the auditee organization and responsible for the implementation and improvement of the ISMS. Sharing the findings with A's supplier evaluation team or B's certification body would also be acceptable, as they have a legitimate need to know the audit results for the purpose of supplier selection or certification, respectively. Reference: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 7-8.
Sharing the findings with B's Information Security Manager or other relevant managers in B would be appropriate, as they are part of the auditee organization and responsible for the implementation and improvement of the ISMS. Sharing the findings with A's supplier evaluation team or B's certification body would also be acceptable, as they have a legitimate need to know the audit results for the purpose of supplier selection or certification, respectively. Reference: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 7-8.
by Tobey at Feb 03, 2026, 12:59 PM
Contact Us
If you have any question please leave me your email address, we will reply and send email to you in 12 hours.
Our Working Time: ( GMT 0:00-15:00 ) From Monday to Saturday
Support: Contact now
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).