
合格目指せISO-IEC-27001-Lead-Implementer試験最新のISO-IEC-27001-Lead-Implementer試験問題集PDF 2024年更新
ISO-IEC-27001-Lead-Implementer試験問題集、365日更新無料サンプル
PECB認定ISO/IEC 27001のリード実装認証の達成は、専門家がISO/IEC 27001標準に基づいて情報セキュリティ管理システムを実装および管理するために必要な知識とスキルを持っていることを示しています。この認定は、専門家が情報セキュリティ管理のキャリアを進め、組織に価値を高めるのに役立ちます。また、組織が情報セキュリティ管理へのコミットメントを実証し、全体的なセキュリティ姿勢を改善するのに役立ちます。
PECB ISO-IEC-27001-LEAD-IMPLEMENTER試験は、ISO/IEC 27001標準に基づいて情報セキュリティ管理システムの実装と管理における専門家のスキルと知識を検証する認定です。この認定は、情報技術、品質管理、およびその他の関連分野の分野でのトレーニング、試験、認定サービスのグローバルプロバイダーである専門的評価および認定委員会(PECB)によって提供されます。認定試験は、あらゆる規模と種類の組織に情報セキュリティ管理システムの実装と管理を担当する専門家向けに設計されています。
質問 # 16
According to ISO/IEC 270G1. why shall organizations document nonconformities?
- A. To provide evidence of the requirements set by internal audit after reviewing their audit reports
- B. To provide evidence of regulations set by external sources that need to be followed by the organization
- C. To provide evidence of the results of the corrective actions and the nature of the nonconformities
正解:C
質問 # 17
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off-site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body According to scenario 10, NetworkFuse requested from the certification body to review all the documentation only on-site. Is this acceptable?
- A. Yes, only if a confidentiality agreement is formerly signed by the audit team
- B. Yes, the auditee may request that the review of the documentation takes place on-site
- C. No, the certification body decides whether the documentation review takes place on-site or off-site
正解:C
解説:
Explanation
According to the ISO/IEC 27001:2022 standard, the certification body is responsible for planning and conducting the audit, including the review of the documented information. The certification body may decide to review the documentation on-site or off-site, depending on the audit objectives, scope, criteria, and risks.
The auditee may not impose any restrictions on the access to the documentation, unless there are valid reasons for confidentiality or security. However, such restrictions should be agreed upon before the audit and should not compromise the effectiveness and impartiality of the audit.
References:
ISO/IEC 27001:2022, clause 9.2.2
ISO/IEC 27006:2021, clause 7.1.4
質問 # 18
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on scenario 8. did the nonconformity report include all the necessary aspects?
- A. No, the report must also specify the root cause of the nonconformity
- B. No, the report must also specify the audit criteria
- C. Yes, the report included all the necessary aspects
正解:A
解説:
Explanation
According to ISO/IEC 27001:2022, a nonconformity report is a document that records the details of any deviation from the audit criteria that is identified during an audit2. The audit criteria are the set of policies, procedures, requirements, or specifications that are used as a reference against which audit evidence is compared3. Therefore, a nonconformity report must include the following aspects:
The description of the nonconformity, which should clearly state what the deviation is, where it occurred, and when it was detected The audit findings, which should provide the objective evidence that supports the identification of the nonconformity The audit criteria, which should specify the reference document or standard that the nonconformity deviates from The recommendations, which should suggest the possible corrective actions or improvements that can be taken to address the nonconformity In scenario 8, Tessa's nonconformity report included the description of the nonconformity, the audit findings, and the recommendations, but it did not specify the audit criteria. Therefore, the report did not include all the necessary aspects and was incomplete.
References:
1: ISO/IEC 27001:2022, Clause 9.2.3
2: ISO/IEC 27001:2022, Clause 3.23
3: ISO/IEC 27001:2022, Clause 3.5
4: ISO/IEC 27001:2022, Annex A.9.2.3
質問 # 19
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Based on the scenario above, answer the following question:
The decision to treat only risks that were classified as high indicates that Trade B has:
- A. Accepted other risk categories based on risk acceptance criteria
- B. Modified other risk categories based on risk evaluation criteria
- C. Evaluated other risk categories based on risk treatment criteria
正解:A
解説:
Explanation
According to ISO/IEC 27001 : 2022, risk acceptance criteria are the criteria used to decide whether a risk can be accepted or not1. Risk acceptance criteria are often based on a maximum level of acceptable risks, on cost-benefits considerations, or on consequences for the organization2. In the scenario, TradeB decided to treat only the high risk category, which implies that
質問 # 20
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information. Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Based on scenario 2, Beauty should have implemented (1)_____________________________ to detect (2)_________________________.
- A. (1) An intrusion detection system, (2) intrusions on networks
- B. (1) Network intrusions, (2) technical vulnerabilities
- C. (1) An access control software, (2) patches
正解:A
解説:
An intrusion detection system (IDS) is a device or software application that monitors network activities, looking for malicious behaviors or policy violations, and reports their findings to a management station. An IDS can help an organization to detect intrusions on networks, which are unauthorized attempts to access, manipulate, or harm network resources or data. In the scenario, Beauty should have implemented an IDS to detect intrusions on networks, such as the one that exposed customers' information due to the out-of-date anti-malware software. An IDS could have alerted the IT team about the suspicious network activity and helped them to respond faster and more effectively. Therefore, the correct answer is C.
質問 # 21
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management [^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Based on scenario 4, the fact that TradeB defined the level of risk based on three nonnumerical categories indicates that;
- A. The level of risk will be evaluated using quantitative analysis
- B. The level of risk will be defined using a formula
- C. The level of risk will be evaluated against qualitative criteria
正解:C
解説:
Qualitative risk assessment is a method of evaluating risks based on nonnumerical categories, such as low, medium, and high. It is often used when there is not enough data or resources to perform a quantitative risk assessment, which involves numerical values and calculations. Qualitative risk assessment relies on the subjective judgment and experience of the risk assessors, and it can be influenced by various factors, such as the context, the stakeholders, and the criteria. According to ISO/IEC 27001:2022, Annex A, control A.8.2.1 states: "The organization shall define and apply an information security risk assessment process that: ... d) identifies the risk owners; e) analyses the risks: i) assesses the consequences that would result if the risks identified were to materialize; ii) assesses the realistic likelihood of the occurrence of the risks; f) identifies and evaluates options for the treatment of risks; g) determines the levels of residual risk and whether these are acceptable; and h) identifies the risk owners for the residual risks." Therefore, TradeB's decision to define the level of risk based on three nonnumerical categories indicates that they used a qualitative risk assessment process.
Reference:
ISO/IEC 27001:2022, Annex A, control A.8.2.1
PECB ISO/IEC 27001 Lead Implementer Course, Module 7, slides 12-13
質問 # 22
Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming consoles, flat-screen TVs. computers, and printers. In order to ensure information security, the company has decided to implement an information security management system (ISMS) based on the requirements of ISO/IEC 27001.
Colin, the company's best information security expert, decided to hold a training and awareness session for the personnel of the company regarding the information security challenges and other information security-related controls. The session included topics such as Skyver's information security approaches and techniques for mitigating phishing and malware.
One of the participants in the session is Lisa, who works in the HR Department. Although Colin explains the existing Skyver's information security policies and procedures in an honest and fair manner, she finds some of the issues being discussed too technical and does not fully understand the session. Therefore, in a lot of cases, she requests additional help from the trainer and her colleagues Based on the last paragraph of scenario 6, which principles of an effective communication strategy did Colin NOT follow?
- A. Transparency and credibility
- B. Appropriateness and clarity
- C. Credibility and responsiveness
正解:B
解説:
According to ISO/IEC 27001 : 2022 Lead Implementer, an effective communication strategy should follow some principles, such as transparency, credibility, appropriateness, clarity, responsiveness, and consistency. These principles help to ensure that the communication is relevant, accurate, understandable, timely, and coherent. Based on the last paragraph of scenario 6, it seems that Colin did not follow the principles of appropriateness and clarity. Appropriateness means that the communication should be tailored to the needs, expectations, and level of understanding of the audience. Clarity means that the communication should be simple, concise, and precise, avoiding ambiguity and jargon. However, Colin explained the information security issues in a too technical manner, which made Lisa confused and unable to comprehend the session. Therefore, Colin should have adapted his communication style and content to suit the HR personnel, who may not have the same technical background as him.
Reference:
ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, section 7.4 Communication ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 12, Information security communication
1, ISO 27001 Communication Plan - How to create a good one
2, ISO 27001 Clause 7.4 - Ultimate Certification Guide
質問 # 23
An organization has implemented a control that enables the company to manage storage media through their life cycle of use. acquisition, transportation and disposal. Which control category does this control belong to?
- A. Physical
- B. Organizational
- C. Technological
正解:A
解説:
According to ISO/IEC 27001:2022, the control that enables the organization to manage storage media through their life cycle of use, acquisition, transportation and disposal belongs to the category of physical and environmental security. This category covers the controls that prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. The specific control objective for this control is A.11.2.7 Secure disposal or reuse of equipment1, which states that "equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or reuse."2 References:
* ISO/IEC 27001:2022, Annex A
* ISO/IEC 27002:2022, clause 11.2.7
質問 # 24
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed theinterested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
What is the next step that Operaze's ISMS implementation team should take after drafting the information security policy? Refer to scenario 5.
- A. Implement the information security policy
- B. Obtain top management's approval for the information security policy
- C. Communicate the information security policy to all employees
正解:B
解説:
According to ISO/IEC 27001 : 2022 Lead Implementer, the information security policy is a high-level document that defines the organization's objectives, principles, and commitments regarding information security. The policy should be aligned with the organization's strategic direction and context, and should provide a framework for setting information security objectives and establishing the ISMS. The policy should also be approved by top management, who are ultimately responsible for the ISMS and its performance.
Therefore, after drafting the information security policy, the next step that Operaze's ISMS implementation team should take is to obtain top management's approval for the policy. This will ensure that the policy is consistent with the organization's vision and values, and that it has the necessary support and resources for its implementation and maintenance.
References:
* ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, section 5.2 Policy
* ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 12, Information security policy
質問 # 25
Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department The approved action plan was implemented and all actions described in the plan were documented.
Based on scenario 9, OpenTech has taken all the actions needed, except____________.
- A. Preventive actions
- B. Permanent corrections
- C. Corrective actions
正解:A
解説:
According to ISO/IEC 27001:2022, clause 10.1, corrective actions are actions taken to eliminate the root causes of nonconformities and prevent their recurrence, while preventive actions are actions taken to eliminate the root causes of potential nonconformities and prevent their occurrence. In scenario 9, OpenTech has taken corrective actions to address the nonconformity related to the monitoring procedures, but not preventive actions to avoid similar nonconformities in the future. For example, OpenTech could have taken preventive actions such as conducting regular reviews of the access control policy, providing training and awareness to the staff on the policy, or implementing automated controls to prevent user ID reuse.
References:
* ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, clause 10.1
* PECB, ISO/IEC 27001 Lead Implementer Course, Module 8: Performance evaluation, improvement and certification audit of an ISMS, slide 8.3.1.1
質問 # 26
What is the main purpose of Annex A 7.1 Physical security perimeters of ISO/IEC 27001?
- A. To prevent unauthorized physical access, damage, and interference to the organization's information and other associated assets
- B. To maintain the confidentiality of information that is accessible by personnel or external parties
- C. To ensure access to information and other associated assets is defined and authorized
正解:A
解説:
Explanation
Annex A 7.1 of ISO/IEC 27001 : 2022 is a control that requires an organization to define and implement security perimeters and use them to protect areas that contain information and other associated assets.
Information and information security assets can include data, infrastructure, software, hardware, and personnel. The main purpose of this control is to prevent unauthorized physical access, damage, and interference to these assets, which could compromise the confidentiality, integrity, and availability of the information. Physical security perimeters can include fences, walls, gates, locks, alarms, cameras, and other barriers or devices that restrict or monitor access to the facility or area. The organization should also consider the environmental and fire protection of the assets, as well as the disposal of any waste or media that could contain sensitive information.
References:
ISO/IEC 27001 : 2022 Lead Implementer Study Guide, Section 5.3.1.7, page 101 ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 17 ISO/IEC 27002 : 2022, Control 7.1 - Physical Security Perimeters123
質問 # 27
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on scenario 8. did the nonconformity report include all the necessary aspects?
- A. No, the report must also specify the root cause of the nonconformity
- B. No, the report must also specify the audit criteria
- C. Yes, the report included all the necessary aspects
正解:A
解説:
According to ISO/IEC 27001:2022, a nonconformity report is a document that records the details of any deviation from the audit criteria that is identified during an audit2. The audit criteria are the set of policies, procedures, requirements, or specifications that are used as a reference against which audit evidence is compared3. Therefore, a nonconformity report must include the following aspects:
The description of the nonconformity, which should clearly state what the deviation is, where it occurred, and when it was detected The audit findings, which should provide the objective evidence that supports the identification of the nonconformity The audit criteria, which should specify the reference document or standard that the nonconformity deviates from The recommendations, which should suggest the possible corrective actions or improvements that can be taken to address the nonconformity In scenario 8, Tessa's nonconformity report included the description of the nonconformity, the audit findings, and the recommendations, but it did not specify the audit criteria. Therefore, the report did not include all the necessary aspects and was incomplete.
Reference:
1: ISO/IEC 27001:2022, Clause 9.2.3
2: ISO/IEC 27001:2022, Clause 3.23
3: ISO/IEC 27001:2022, Clause 3.5
4: ISO/IEC 27001:2022, Annex A.9.2.3
質問 # 28
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on the scenario above, answer the following question:
What led Operaze to implement the ISMS?
- A. Identification of assets
- B. Identification of threats
- C. Identification of vulnerabilities
正解:C
解説:
According to the scenario, Operaze conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration testing and code review, the company identified some issues in its ICT systems, such as improper user permissions, misconfigured security settings, and insecure network configurations. These issues are examples of vulnerabilities, which are weaknesses or gaps in the protection of an asset that can be exploited by a threat.
Therefore, the identification of vulnerabilities led Operaze to implement the ISMS.
References:
* ISO/IEC 27001:2022 Lead Implementer Training Course Guide1
* ISO/IEC 27001:2022 Lead Implementer Info Kit2
質問 # 29
Based on scenario 10. NetworkFuse did not conduct a self-evaluation of the ISMS before the audit. Is this compliant to ISO/IEC 27001?
- A. Yes, the standard does not require to conduct a self-evaluation before the audit but it is a good practice to follow
- B. Yes, the standard indicates that the auditee shall rely only on internal audit and management review reports to prepare for the certification audit
- C. No, the auditee must review the requirements of clauses 4 to 10 before the conduct of a certification audit
正解:C
質問 # 30
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
What is the next step that Operaze's ISMS implementation team should take after drafting the information security policy? Refer to scenario 5.
- A. Implement the information security policy
- B. Obtain top management's approval for the information security policy
- C. Communicate the information security policy to all employees
正解:B
解説:
Explanation
According to ISO/IEC 27001 : 2022 Lead Implementer, the information security policy is a high-level document that defines the organization's objectives, principles, and commitments regarding information security. The policy should be aligned with the organization's strategic direction and context, and should provide a framework for setting information security objectives and establishing the ISMS. The policy should also be approved by top management, who are ultimately responsible for the ISMS and its performance.
Therefore, after drafting the information security policy, the next step that Operaze's ISMS implementation team should take is to obtain top management's approval for the policy. This will ensure that the policy is consistent with the organization's vision and values, and that it has the necessary support and resources for its implementation and maintenance.
References:
ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, section 5.2 Policy ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 12, Information security policy
質問 # 31
Based on scenario 9. is the action plan for the identified nonconformities sufficient to eliminate the detected nonconformities?
- A. No, because the action plan does not include a timeframe for implementation
- B. Yes, because a separate action plan has been created for the identified nonconformity
- C. No, because the action plan does not address the root cause of the identified nonconformity
正解:A
質問 # 32
Which statement is an example of risk retention?
- A. An organization has implemented a data loss protection software
- B. An organization has decided to release the software even though some minor bugs have not been fixed yet
- C. An organization terminates work in the construction site during a severe storm
正解:B
解説:
According to ISO/IEC 27001 : 2022 Lead Implementer, risk retention is one of the four risk treatment options that an organization can choose to deal with unacceptable risks. Risk retention means that the organization accepts the risk without taking any action to reduce its likelihood or impact. It applies to risks that are either too costly or impractical to address, or that have a low probability or impact. Therefore, an example of risk retention is when an organization decides to release the software even though some minor bugs have not been fixed yet. This implies that the organization has assessed the risk of releasing the software with bugs and has determined that it is acceptable, either because the bugs are not critical or because the cost of fixing them would outweigh the benefits.
Reference:
ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, section 8.3.2 Risk treatment ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 14, Risk management process
3, ISO 27001: Top risk treatment options and controls explained
質問 # 33
Based on scenario 8. how does the HealthGenic's negligence affect the ISMS certificate?
- A. HealthGenic will be able to renew the ISMS certificate, as they did not detect any information security incident in the past two years
- B. HealthGenic might not be able to renew the ISMS certificate, as it has not conducted management reviews at planned intervals
- C. HealthGenic might not be able to renew the ISMS certificate, as the internal audit lasted longer than planned
正解:B
質問 # 34
......
ISO-IEC-27001-Lead-Implementer問題集、あなたを合格させる認証試験:https://jp.fast2test.com/ISO-IEC-27001-Lead-Implementer-premium-file.html
まもなくセール終了!リアルISO-IEC-27001-Lead-ImplementerのPDF解答を使おう:https://drive.google.com/open?id=1fjeNIA9ipWHPw5QeQKBJ-RA09eUA1Cp1