Exam ISO-IEC-27001-Lead-Implementer Topic 3 Question 75 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Implementer exam
Question #: 75
Topic #: 3
NeuroTrustMed is a leading medical technology company based in Seoul, South Korea. The company specializes in developing AI-assisted neuroimaging solutions used in early diagnosis and treatment planning for neurological disorders. As a data-intensive company handling sensitive patient health records and medical research data, NeuroTrustMed places a strong emphasis on cybersecurity and regulatory compliance. The company has maintained an ISO/IEC 27001-certified ISMS for the past three years. It continuously reviews and improves its ISMS to address emerging threats, support innovation in medical diagnostics, and maintain stakeholder trust. As part of its commitment to continual improvement, NeuroTrustMed actively tracks potential nonconformities, performs root-cause analyses, implements corrective and preventive actions, and ensures all changes are documented and aligned with the company's strategic objectives. When a new data protection regulation came into effect affecting cross-regional data handling, the information security team conducted a gap assessment between current policies and the new regulation. Then, it updated relevant documentation and processes to meet compliance. Following these revisions, NeuroTrustMed updated the ISMS documentation and added a new entry in the improvement register. The register, maintained in the form of a structured spreadsheet, included a unique change number, a description of the update, and a high-priority classification due to legal compliance, the dates of initiation and completion, and the sign-off by the information security manager. Around the same period, during a scheduled management review, the information security team also identified a pattern of onboarding errors. While these had not resulted in any data breaches, they posed a risk of unauthorized access. In response, the onboarding procedure was revised and an automated verification step was added to ensure accuracy before access is granted. To understand the underlying cause, the team collected data on the provisioning process. They analyzed process logs, interviewed onboarding staff, and traced access errors back to a misconfigured step in the HR-to-IT handover workflow. The team validated this finding through test cases before implementing any changes. Once confirmed, the information security team documented the nonconformity in the ISMS log. The documentation included a description of the issue, impacted systems, affected users, and a brief risk assessment of potential consequences related to access management. Based on the scenario above, answer the following question.
What type of change caused the ISMS update at NeuroTrustMed?

Suggested Answer: B Vote an answer

The ISMS update at NeuroTrustMed was triggered by an external change, making Option B the correct answer.
The scenario clearly states that a new data protection regulation came into effect affecting cross-regional data handling. Regulatory changes originate outside the organization and represent external issues under ISO/IEC
27001:2022.
ISO/IEC 27001:2022 Clause 4.1 - Understanding the organization and its context requires organizations to determine external issues relevant to the ISMS, including legal and regulatory changes. Furthermore, Clause
6.3 - Planning of changes requires that ISMS changes be carried out in a planned manner when such issues arise.
NeuroTrustMed responded appropriately by:
* Conducting a gap assessment against the new regulation,
* Updating documentation and processes,
* Recording the change in the improvement register with priority, dates, and approval.
* Option A is incorrect because the change was not driven by internal role restructuring.
* Option C is incorrect because the organization itself did not change structure or strategy; it responded to an external regulatory trigger.

by Darnell at Mar 13, 2026, 09:46 PM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

Contact Us

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Our Working Time: ( GMT 0:00-15:00 ) From Monday to Saturday

Support: Contact now 

日本語 Deutsch 繁体中文 한국어