An auditor of organisation A performs an audit of supplier B. Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?
AppFolk, a software development company, is seeking certification against ISO/IEC 27001. In the initial phases of the external audit, the certification body in discussion with the company excluded the marketing division from the audit scope, although they stated in their ISMS scope that the whole company is included. Is this acceptable?
After analyzing the audit conclusions, Company X decided to accept the risk related to one of the detected nonconformities. They claimed that no corrective action was necessary; however, their decision was not documented. Is this acceptable?