最新の2025年04月試験ISO-IEC-27001-Lead-Auditor-CN問題集で合格させる認証試験合格させます [Q91-Q115]

Share

最新の2025年04月試験ISO-IEC-27001-Lead-Auditor-CN問題集で合格させる認証試験合格させます

最新でリアルなPECB ISO-IEC-27001-Lead-Auditor-CN試験問題集解答があります

質問 # 91
您正在一家提供醫療保健服務的住宅療養院進行 ISMS 審核。審核計畫的下一步是驗證適用性聲明 (SoA) 是否包含必要的控制措施。
您查看最新的 SoA(版本 5)文檔,對原始程式碼 (A.8.4) 的存取控制進行採樣,並想了解組織如何保護從外包軟體開發人員收到的 ABC 醫療保健行動應用程式原始程式碼。
IT 安全經理解釋說,收到的原始程式碼將被檢查到 SCM 系統中,以確保其完整性和安全性。只有授權使用者才能查看軟體並進行更新。
系統會自動記錄入住和退房活動。版本控制由系統自動管理。
您在 SCM 上總共發現了 10 個使用者帳戶。他們全部來自IT部門。您進一步與人力資源經理核實,並確認其中一位用戶 Scott 已於 9 個月前辭職。 SCM 系統管理員確認 Scott 最後一次檢出原始碼是在 1 個月前。他正在安全區域使用本機網路的授權桌面之一。
您檢查了使用者登出程序,其中規定「管理人員必須確保在辭職批准後立即從相關ICT系統和/或設備註銷使用者帳戶和授權」。用戶Scott沒有註銷記錄。
IT 安全經理解釋說,Scott 是一位非常優秀的軟體工程師、前同事和朋友。
辭職後,他仍然每月回到辦公室提供原始碼維護支援。這就是為什麼他在 SCM 上的帳戶仍然存在。 「我們很了解 Scott,他在加入我們時通過了我們所有的背景調查。因此,我們認為沒有必要僅僅因為他現在是外部提供者而與他同意任何進一步的資訊安全要求」。
您準備審計結果。選出三個正確選項。

  • A. 存在不合格項 (NC)。該組織的存取控制安排未能有效運行,因為不再受該組織僱用的個人被允許訪問療養院的 ICT 系統。這不符合控制措施 A.5.15。
  • B. 存在不合格項 (NC)。操作程序沒有很好的記錄。這使得 SCM 系統管理員無法立即刪除使用者帳戶。這不符合第 9.1 條和控制措施 A.5.37。
  • C. 存在不合格項 (NC)。該組織沒有記錄程序來規定如何使用系統工具來提供原始程式碼的存取和版本控制。這不符合第 9.1 條和控制措施 A.8.4。
  • D. 存在不合格項 (NC)。該組織未能識別與斯科特的帳戶保持開放相關的安全風險,因為他每月只重新使用很短一段時間。這不符合第 8.2 條的規定。
  • E. 存在不合格項 (NC)。 SCM是開源系統軟體。它不安全,不能用於原始碼的存取和版本控制。這不符合第 9.1 條和控制措施 A.8.4。
  • F. 存在不合格項 (NC)。 SCM 將自動記錄原始碼簽入/簽出活動。如果出現問題,團隊可能無法追蹤。這不符合第 9.1 條和控制措施 A.8.4。
  • G. 存在不合格項 (NC)。 IT 安全經理未確保 Scott 的使用者帳戶已從 SCM 中刪除,且在離職後未完成使用者登出流程。
    這不符合第 9.1 條和控制措施 A.5.15。
  • H. 存在不合格項 (NC)。斯科特應該被告知與他與療養院的新關係(外部提供者)相關的適用資訊安全要求。然而,IT 安全經理證實這並沒有發生。這不符合控制措施 A.5.20。

正解:A、D、G

解説:
The correct options are:
* There is a nonconformity (NC). The organisation's access control arrangements are not operating effectively as an individual who is no longer employed by the organisation is being permitted to access the nursing home's ICT systems. This does not conform with control A.5.15. (B): This option is correct because control A.5.15 requires the organization to implement secure log-on procedures and manage user access rights. The organization should ensure that only authorized users can access the ICT systems and that the access rights are revoked or modified when the user status changes. The fact that Scott, who resigned 9 months ago, still has an active account on the SCM and can check out the source code, indicates a failure of the access control arrangements and a nonconformity with the control A.5.15.
* There is a nonconformity (NC). The IT Security manager did not make sure the user account for Scott was removed from the SCM and did not complete the user deregistration process after the resignation. This does not conform with clause 9.1 and control A.5.15. : This option is correct because clause 9.1 requires the organization to monitor, measure, analyze, and evaluate the performance and effectiveness of the ISMS. The organization should have processes and indicators to verify that the ISMS requirements and objectives are met and that the ISMS is continually improved.
The organization should also ensure that the results of the monitoring and measurement are documented and communicated. The fact that the IT Security manager did not follow the user de-registration procedure and did not document or communicate the exception for Scott, indicates a failure of the monitoring and measurement processes and a nonconformity with clause 9.1 and control A.5.15.
* There is a nonconformity (NC). The organisation has failed to identify the security risks associated with leaving Scott's account open when he was only re-engaged for a short period monthly. This does not conform with clause 8.2. (F): This option is correct because clause 8.2 requires the organization to establish and maintain an information security risk management process.
The organization should identify the information security risks, analyze and evaluate the risks, and treat the risks according to the risk criteria and the risk treatment options. The organization should also monitor and review the risks and the risk treatment plan periodically and document the results. The fact that the organization did not identify the security risks associated with Scott's access to the SCM and the source code, such as unauthorized disclosure, modification, or deletion of the information, indicates a failure of the risk management process and a nonconformity with clause 8.2.


質問 # 92
您工作的資料中心目前正在尋求 ISO/IEC27001:2022 認證。在為您的初次認證訪問做準備時,您集團內另一個資料中心的同事已進行了多次內部審核。他們在今年稍早獲得了自己的 ISO/IEC 27001:2022 證書。
您剛剛獲得內部 ISMS 審核員資格,您的經理要求您在外部認證機構到達之前審查審核流程和審核結果,作為最終檢查。
以下哪四項會讓您擔心是否符合 ISO/IEC 27001:2022 要求?

  • A. 審計報告不以硬拷貝形式(即紙本形式)保存。它們僅存儲為*。組織內部網路上的 PDF 文件。
  • B. 審核計畫未引用審核方法或審核職責。
  • C. 審核程序不考慮先前審核的結果。
  • D. 審計計畫顯示一年中不定期進行的管理審查。
  • E. 審核計畫尚未簽署「經最高管理階層批准」。
  • F. 審計流程規定審計結果將提供給「相關」經理,而不是最高管理階層。
  • G. 審核計畫未考慮資訊安全流程的相對重要性。
  • H. 雖然已經定義了每次內部審計的範圍,但尚未為迄今為止進行的審計定義審計標準。

正解:B、C、G、H


質問 # 93
您正在作為審核組組長進行首次第三方 ISMS 監督審核。您目前與審核團隊的另一位成員以及組織的指南一起位於受審核方的資料中心。
您要求進入受密碼鎖和虹膜掃描器保護的上鎖房間。此房間包含幾排不間斷電源以及幾個包含客戶端提供的設備(主要是伺服器和交換器)的資料櫃。
您注意到有一個氣體滅火系統。標籤表示系統需要每 6 個月進行一次測試,但標籤上記錄的最近一次測試是製造商在 12 個月前進行的。
根據上述情況,您現在會採取下列哪兩項操作?

  • A. 需要指南來啟動組織的資訊安全事件流程
  • B. 針對控制 A.7.11「支援公用設施」提出不符合項,因為資訊處理設施沒有充分保護以防止可能的中斷
  • C. 確定記錄滅火器檢查的要求是否在去年進行了修訂。
    如果是這樣,建議在現有標籤上引用這些內容作為改進的機會
  • D. 做筆記,向現場維修經理索取6個月前進行過滅火系統測試的證據
  • E. 由於組織尚未確定需要針對火災威脅採取行動,因此針對控制 A.5.7「威脅情報」提出不符合項
  • F. 如果房間內有水基滅火器,則無需採取進一步行動,因為它們提供了另一種滅火方法

正解:B、D


質問 # 94
您是一位審核小組組長,剛完成了對行動電信供應商的第三方審核。您正在準備審計報告,並即將完成標題為「保密」的部分。
您團隊中受訓的審核員會詢問您是否在任何情況下可以將機密報告發佈給第三方。
以下哪四個答案是錯的?

  • A. 我們的保密義務並不是永遠持續的。作為認證機構,我們可以決定將報告保密多久。此後,第三方可以透過提出主題存取請求來存取它們
  • B. 分包審核員被視為保密方面的第三方,因此通常受保密協議的約束
  • C. 審核機構僱用的任何審核員都可以存取審核報告
  • D. 報告可以發佈給第三方,但必須經過審計客戶的明確事先批准
  • E. 起始立場始終是第三方沒有自動存取審核報告的權利
  • F. 雖然我們建議客戶該報告是保密的,但如果我們認為合理,我們可以決定將其發佈給第三方。我們總是事後告訴客戶
  • G. 在任何情況下都不能將報告發佈給第三方。機密意味著機密,洩漏該文件將構成違反信任
  • H. 如果第三方已獲得我們揭露報告的法律通知,那麼我們必須這樣做。在所有此類情況下,我們都會向審核客戶以及受審核方(如適用)提供建議

正解:A、B、C、F

解説:
The audit report is a confidential document that contains sensitive information about the auditee's ISMS and its performance. The audit team has a duty to protect the confidentiality of the audit report and only disclose it to authorized parties, such as the audit client, the certification body, and the accreditation body. Therefore, the following responses are false:
* A: The audit team cannot decide to release the report to third parties without the consent of the audit client, as this would breach the confidentiality agreement and the audit code of conduct. The audit team should always inform the audit client before disclosing the report to any third party, and obtain their explicit, prior approval.
* F: Not every auditor employed by the auditing organization can access the audit report, as this would violate the principle of need-to-know. Only auditors who are involved in the audit process, such as the audit team leader, the audit team members, the audit programme manager, and the certification decision maker, can access the audit report. Other auditors who are not related to the audit have no legitimate reason to access the report, and should be prevented from doing so by appropriate security measures.
* G: The duty of confidentiality does not expire after a certain period of time, as this would compromise the trust and integrity of the audit process. The audit report remains confidential indefinitely, unless there is a legal or contractual obligation to disclose it, or the audit client agrees to release it. Third parties cannot access the audit report by making a subject access request, as this would infringe the privacy and data protection rights of the audit client and the auditee.
* H: Subcontracted auditors are not considered to be third parties regarding confidentiality, as they are part of the audit team and have a contractual relationship with the auditing organization. Subcontracted auditors are typically bound by the same confidentiality agreement and audit code of conduct as the employed auditors, and have the same rights and responsibilities to access and protect the audit report.
References: =
* ISO/IEC 27001:2022, clause 9.2, Internal audit
* ISO/IEC 27006:2015, clause 7.2.3, Confidentiality
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 22, Audit Report
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 24, Audit Code of Conduct


質問 # 95
當審核團隊的另一位成員向您尋求澄清時,您正在進行第三方監督審核。他們被要求評估組織對控制 5.7 - 威脅情報的應用。他們知道這是 2022 年版 ISO/IEC 中引入的新控制措施之一
27001,他們希望確保正確審核控制。
他們準備了一份清單來協助他們進行審核,並希望您確認他們計劃的活動符合控制要求。
下列哪三個選項代表有效的審計追蹤?

  • A. 我將確保採取適當措施,向最高管理階層通報目前威脅情報安排的有效性
  • B. 我將檢視組織的威脅情報流程,並確保對此進行完整記錄
  • C. 我將確保將產生威脅情報的任務分配給組織的內部稽核團隊
  • D. 我將檢查是否積極使用威脅情報來保護組織資訊資產的機密性、完整性和可用性
  • E. 我將回顧如何收集和評估與資訊安全威脅相關的資訊以產生威脅情報
  • F. 我將確定在威脅情報的生成中是否使用內部和外部資訊來源
  • G. 我將確保組織的風險評估流程從有效的威脅情報開始
  • H. 我將與高階主管交談,以確保所有員工都意識到報告威脅的重要性

正解:B、D、F

解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control 5.7 requires an organization to establish and maintain a threat intelligence process to identify and evaluate information security threats that are relevant to its ISMS scope and objectives1. The organization should use internal and external sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that can be used to support risk assessment and treatment, as well as other information security activities1. Therefore, when auditing the organization's application of control 5.7, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.
Three options that represent valid audit trails for verifying control 5.7 are:
* I will review the organisation's threat intelligence process and will ensure that this is fully documented:
This option is valid because it can provide evidence of how the organization has established and maintained a threat intelligence process that is consistent with its ISMS scope and objectives. It can also verify that the process is documented according to clause 7.5 of ISO/IEC 27001:20221.
* I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets: This option is valid because it can provide evidence of how the organization has used threat intelligence to support its risk assessment and treatment, as well as other information security activities, such as incident response, awareness, or monitoring. It can also verify that the organization has achieved its information security objectives according to clause 6.2 of ISO/IEC 27001:20221.
* I will determine whether internal and external sources of information are used in the production of threat intelligence: This option is valid because it can provide evidence of how the organization has used various sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that is relevant and reliable. It can also verify that the organization has complied with the requirement of control 5.7 of ISO/IEC 27001:20221.
The other options are not valid audit trails for verifying control 5.7, as they are not related to the control or its requirements. For example:
* I will speak to top management to make sure all staff are aware of the importance of reporting threats:
This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding information security awareness or communication, but not specifically to control 5.7.
* I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also contradict the requirement for auditor independence and objectivity, as recommended by ISO 19011:20182, which provides guidelines for auditing management systems.
* I will ensure that the organisation's risk assessment process begins with effective threat intelligence:
This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also imply a prescriptive approach to risk assessment that is not consistent with ISO/IEC 27005:
20183, which provides guidelines for information security risk management.
* I will review how information relating to information security threats is collected and evaluated to produce threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also be too vague or broad to be an effective audit trail, as it does not specify what criteria or methods are used for collecting and evaluating information.
* I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding management review or performance evaluation, but not specifically to control
5.7.
References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, ISO 19011:2018 - Guidelines for auditing management systems, ISO
/IEC 27005:2018 - Information technology - Security techniques - Information security risk management


質問 # 96
您正在 ABC Healthcare Services 的療養院執行 ISO 27001 ISMS 監督審核。 ABC 使用由供應商 WeCare 設計和維護的醫療保健行動應用程式來監控居民的健康狀況。在審計過程中,您了解到90%的居民家庭成員每週一次透過電子郵件和簡訊定期收到WeCare的醫療器材廣告。 ABC 與 WeCare 之間的服務協議禁止供應商使用居民的個人資料。美國廣播公司已收到許多居民及其家人的投訴。
服務經理表示,這些投訴作為資訊安全事件進行了調查,發現這些投訴是合理的。已根據不合格和糾正措施管理程序規劃並實施糾正措施。
您寫了一份不合格項“ABC 未能遵守與居民及其家庭成員的個人資料相關的資訊安全控制 A.5.34(隱私和 PII 保護)。供應商 WeCare 使用居民的個人資訊向家庭成員”,從列出的糾正和糾正措施中選擇您希望ABC 針對不合格項採取的三個選項

  • A. 農行指示全體員工遵守與居民家屬簽署的醫療服務協議
  • B. 服務經理實施糾正措施,客戶服務代表評估所實施糾正措施的有效性
  • C. ABC 在對不符合項採取行動之前需要收集更多證據,說明資訊安全風險評估與已識別的不符合項之間的關係
  • D. 服務經理提供不合格原因分析的證據以及 ABC 如何評估已實施的糾正措施的有效性
  • E. ABC 確認資訊安全控制 A.5.34 包含在適用性聲明 (SoA) 中
  • F. ABC 需要收集更多關於組織如何定義管理系統範圍的證據,並找出他們是否涵蓋醫療設備製造商 WeCare
  • G. ABC 識別並檢查是否遵守涉及第三方的所有適用法律和合約要求
  • H. ABC 進行管理審查,以考慮居民家庭成員的回饋

正解:B、D、G

解説:
According to the ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, the following corrections and corrective actions are expected from ABC in response to the nonconformity:
* B. The Service Manager provides evidence of analysis of the cause of nonconformity and how the ABC evaluates the effectiveness of implemented corrective actions. This is part of the requirement of clause
10.1 of ISO/IEC 27001:2022, which states that the organization shall determine the causes of nonconformities and evaluate the need for action to ensure that they do not recur or occur elsewhere12.
The organization shall also evaluate the effectiveness of any corrective actions taken12.
* F. ABC identifies and checks compliance with all applicable legislation and contractual requirements involving third parties. This is part of the requirement of clause 4.2 of ISO/IEC 27001:2022, which states that the organization shall determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system12. This includes the legal and contractual requirements related to the information security aspects of the organization's activities, products and services12.
* G. The Service Manager implements the corrective actions and Customer Service Representatives evaluate the effectiveness of implemented corrective actions. This is part of the requirement of clause
10.1 of ISO/IEC 27001:2022, which states that the organization shall implement any action needed and retain documented information as evidence of the results of any action taken12. The organization shall also monitor, measure, analyze and evaluate the information security performance and the effectiveness of the information security management system12.
References:
* 1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course, CQI and IRCA Certified Training, 1
* 2: ISO/IEC 27001 Lead Auditor Training Course, PECB, 2


質問 # 97
認證審核的審核計畫不需要下列哪兩個資訊選項?

  • A. 管理系統所代表的工作經驗
  • B. 組織的財務報表
  • C. 文件審查
  • D. 審核計劃
  • E. 審核清單
  • F. 抽樣計劃

正解:A、B

解説:
These two options are not required for audit planning of a certification audit, as they are not relevant to the audit objectives, scope, criteria, and methods. The working experience of the management system representative is not a requirement of ISO/IEC 27001, nor does it affect the conformity or effectiveness of the ISMS. The organisation's financial statement is not part of the ISMS documentation, nor does it provide evidence of the ISMS performance or improvement. The other options are required for audit planning, as they help to determine the audit activities, resources, schedule, and sampling strategy. References: PECB Candidate Handbook1, page 19-20; ISO 9001 Auditing Practices Group Guidance on2, page 1-2; ISO/IEC
27001:2022 (en)3, clause 9.2.


質問 # 98
哪一項不是 HR 在招募前的要求?

  • A. 申請人必須完成就業前文件要求
  • B. 必須成功通過背景調查
  • C. 接受背景驗證
  • D. 必須接受資訊安全意識訓練。

正解:D

解説:
According to ISO/IEC 27001:2022, clause 7.2.2, the organization shall ensure that all persons who have access to information are aware of the information security policy and their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance2. Therefore, awareness training on information security is a requirement for all persons, not just new hires. References: ISO/IEC
27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA


質問 # 99
我們在 ACT 中做什麼 - 來自 PDCA 循環

  • A. 採取行動持續監控流程績效
  • B. 採取行動持續監控流程績效
  • C. 採取行動不斷提升人員績效
  • D. 採取行動持續改善流程績效

正解:D

解説:
In the Act phase of the PDCA cycle, the process is reviewed and evaluated based on the results from the Check phase. The actions taken in this phase aim to continually improve the process performance by addressing the root causes of problems, implementing corrective and preventive actions, and updating the process documentation1. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA


質問 # 100
您是一位經驗豐富的 ISMS 內部稽核師。
當 IT 經理找到您並要求您協助修改公司的適用性聲明時,您剛剛完成了組織的預定資訊安全審核。
IT 經理正在嘗試將基於 ISO/IEC 27001:2013 的適用性聲明更新為與 ISO/IEC 27001:2022 中的 4 個控制主題(組織控制、人員控制、實體控制、技術控制)一致的聲明。
IT 經理對控制權的重新分配感到滿意,但以下情況除外。他詢問您以下每個控制類別應出現在哪四個控制類別下。

正解:

解説:

Explanation:

8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected
= Technological control 7.8 Equipment shall be sited securely and protected = Physical control 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation's needs = Organisational control 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's premises = People control Explanation: According to the web search results from my predefined tool, ISO 27001:2022 has restructured and consolidated the Annex A controls into four categories: organisational, people, physical, and technological12. These categories reflect the different aspects and dimensions of information security, and are aligned with the cybersecurity concepts of identify, protect, detect, respond, and recover3. The controls in each category are as follows4:
* Organisational controls: These are controls that relate to the governance, management, and coordination of information security activities within the organisation. They include controls such as information security policies, roles and responsibilities, risk assessment and treatment, performance evaluation, and improvement.
* People controls: These are controls that relate to the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. They include controls such as human resource security, training and awareness, access control, incident management, and business continuity.
* Physical controls: These are controls that relate to the protection of physical assets and environments that store, process, or transmit information. They include controls such as physical security, environmental security, equipment security, and media security.
* Technological controls: These are controls that relate to the use of technology to implement, monitor, and maintain information security. They include controls such as cryptography, network security, system security, application security, and threat intelligence.
Based on these categories, the controls listed in the question can be matched as follows:
* 8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected: This is a technological control, as it involves the use of technology to protect information on devices such as laptops, smartphones, tablets, etc. It may include measures such as encryption, authentication, antivirus, firewall, etc.
* 7.8 Equipment shall be sited securely and protected: This is a physical control, as it involves the protection of physical assets and environments that store, process, or transmit information. It may include measures such as locks, alarms, CCTV, fire suppression, etc.
* 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation's needs: This is an organisational control, as it involves the governance, management, and coordination of information security activities within the organisation. It may include measures such as defining the authority and accountability of information security personnel, establishing reporting lines and communication channels, assigning tasks and duties, etc.
* 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's premises: This is a people control, as it involves the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. It may include measures such as providing guidance and training on remote working, enforcing policies and procedures, monitoring and auditing remote activities, etc.
References: = 1: A Breakdown of ISO 27001:2022 Annex A Controls - BARR Advisory42: ISO 27001:2022 Annex A Controls - What's New? | ISMS.Online13: How many controls are there in ISO 27001:2022? - Strike Graph34: ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, Annex A.


質問 # 101
場景 2:Knight 是一家來自美國北加州的電子公司,開發電玩遊戲機。 Knight 在全球擁有 300 多名員工。在成立五週年之際,他們決定推出 G-Console,這是一款面向全球市場的新一代電玩遊戲機。 G-Console被認為是2021年的終極媒體機,將為玩家帶來最佳的遊戲體驗。
主機包將包括一副 VR 耳機、兩個
遊戲和其他禮物。
多年來,公司透過誠信、誠實和尊重客戶而建立了良好的聲譽。這種良好的聲譽是大多數熱衷遊戲玩家在Knight的G-console一上市就想擁有它的原因之一。
Knight 除了是一家非常以客戶為導向的公司之外,
也因其開發品質獲得了遊戲產業的廣泛認可。他們的價格比合理標準允許的要高一些。
儘管如此,對於 Knight 的大多數忠實客戶來說,這並不是一個問題,因為它們的品質是一流的。
作為世界頂級視訊遊戲機開發商之一,Knight 也經常成為惡意活動的焦點。該公司的 ISMS 已投入運作一年多了。 ISMS 範圍包括 Knight 的所有部門(財務和人力資源部門除外)。
最近,奈特的一些包含專有資訊的文件被駭客洩露。 Knight 的事件回應團隊 (IRT) 立即開始分析系統的每個部分以及事件的詳細資訊。
IRT 的第一個懷疑是 Knight 的員工使用了弱密碼,因此很容易被未經授權存取其帳戶的駭客破解。然而,在仔細調查該事件後,IRT 確定駭客透過擷取檔案傳輸協定 (FTP) 流量來存取帳戶。
FTP 是一種用於在帳戶之間傳輸檔案的網路協定。它使用明文密碼進行身份驗證。
受此資訊安全事件的影響,在IRT的建議下,Knight決定用Secure Shell (SSH)協定取代FTP,這樣任何捕獲流量的人都只能看到加密的資料。
在這些變化之後,奈特進行了風險評估,以驗證控制措施的實施是否已將類似事件的風險降至最低。該過程的結果得到了 ISMS 專案經理的批准,他聲稱實施新控制措施後的風險等級符合公司的風險接受程度。
根據該場景,回答以下問題:
FTP 使用明文密碼進行驗證。這是一個 FTP:

  • A. 漏洞
  • B. 威脅
  • C. 風險

正解:A

解説:
The use of clear text passwords for authentication in FTP is a vulnerability because it is a weakness that can be exploited by threat actors. Clear text passwords can be intercepted easily by network sniffers or through man-in-the-middle attacks, making them a significant security risk1. References: = This explanation is consistent with the understanding of vulnerabilities within the field of information security, particularly as it relates to network protocols like FTP and their associated risks


質問 # 102
下列哪三個選項是使用抽樣計畫進行審核的優點?

  • A. 否定審核員的直覺
  • B. 讓審核結果充滿信心
  • C. 遺漏關鍵問題
  • D. 有效實施審核計劃
  • E. 提供對 ISMS 的適當理解
  • F. 使用計劃進行連續審核

正解:B、D、E

解説:
According to ISO 19011:2018, which provides guidelines for auditing management systems, a sampling plan is a method for selecting a representative subset of the audit evidence from a defined population1. A sampling plan can have several advantages for the audit, such as providing a suitable understanding of the ISMS by covering its key processes, activities, and controls; implementing the audit plan efficiently by optimizing the use of time and resources; and giving confidence in the audit results by ensuring that the sample is sufficient, reliable, and unbiased1. Therefore, these three options are examples of advantages of using a sampling plan for the audit. The other options are not advantages, but rather disadvantages or risks of using a sampling plan. For example, overruling the auditor's instincts may lead to missing important evidence or issues that are not covered by the sampling plan; using the same plan for consecutive audits may reduce the effectiveness and validity of the audit results; and missing key issues may result from an inadequate or inappropriate sampling plan1. References: ISO 19011:2018 - Guidelines for auditing management systems


質問 # 103
關鍵的審計流程是審計員收集資訊並確定調查結果特徵的方式。按正確的順序列出列出的操作以完成此過程。最後一項已為您完成。

正解:

解説:

Explanation:
* Determine source of information
* Collect by means of appropriate sampling
* Reviewing
* Audit evidence
* Evaluating against audit criteria
* Audit findings
* Audit conclusions
The reviewing step involves checking the accuracy, completeness, and relevance of the collected information.
The audit evidence step involves documenting the information in a verifiable and traceable manner. The evaluating against audit criteria step involves comparing the audit evidence with the requirements of the ISO
27001 standard and the organization's own policies and objectives. The audit findings step involves identifying any nonconformities, weaknesses, or opportunities for improvement in the ISMS. The audit conclusions step involves summarizing the audit results and providing recommendations for corrective actions or enhancements.


質問 # 104
下列哪一項最能描述第二階段第三方審核的主要目的?

  • A. 辨識不符合標準的情況
  • B. 檢查組織是否遵守法律
  • C. 確定認證準備狀況
  • D. 了解組織的管理體系

正解:A

解説:
The main purpose of a Stage 2 third-party audit is to evaluate the implementation and effectiveness of the organisation's management system and to identify any nonconformances against the requirements of the standard12. The other options are either the objectives of a Stage 1 audit (A, D) or a specific aspect of the audit scope (B). References: 1: ISO/IEC 27006:2022, Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems, Clause 9.2 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 4: Preparing an ISO/IEC 27001 audit


質問 # 105
在管理系統審核的背景下,請確定收集和驗證資訊的典型流程的順序。第一個已經為你完成了。

正解:

解説:

Explanation:

* Identifying the source of information (already given)
* Gathering audit evidence: This involves collecting information from various sources such as documents, records, interviews, and observations.
* Sampling the available data: Due to the vast amount of information available, auditors typically use sampling techniques to select representative data for closer scrutiny.
* Verifying objective evidence: This involves checking the accuracy, completeness, and reliability of the collected evidence.
* Evaluating evidence against the audit criteria: Auditors compare the collected evidence to the established criteria (e.g., standards, policies, procedures) to assess compliance and effectiveness.
* Recording audit findings: This involves documenting the results of the evaluation, including observations, conclusions, and recommendations.
* Making audit conclusions: Based on the recorded findings, auditors formulate overall conclusions about the status of the management system.
Therefore, the correct sequence is:
1. Identifying the source of information 2. Gathering audit evidence 3. Sampling the available data 4.
Verifying objective evidence 5. Evaluating evidence against the audit criteria 6. Recording audit findings 7.
Making audit conclusions


質問 # 106
場景 7:Lawsy 是一家領先的律師事務所,在新澤西州和紐約市設有辦公室。它擁有 50 多名律師,為商業法、智慧財產權、銀行和金融服務領域的客戶提供完善的法律服務。他們相信,由於他們致力於實施資訊安全最佳實踐並跟上技術發展的步伐,他們在市場上佔據了有利的地位。
Lawsy 已經嚴格實施、評估和進行 ISMS 內部審核兩年了。
現在,他們已向知名且值得信賴的認證機構ISMA申請ISO/IEC 27001認證。
在第一階段審核期間,審核小組審查了實施過程中所建立的所有 ISMS 文件。
他們還審查和評估了管理審查和內部審計的記錄。
Lawsy 提交了證據記錄,表明在必要時對不合格項採取了糾正措施,因此審核組約談了內部審核員。訪談透過提供對內部稽核計畫和程序的詳細了解,驗證了內部稽核的充分性和頻率。
審計小組繼續驗證戰略文件,包括資訊安全政策和風險評估標準。在資訊安全政策審查期間,團隊注意到描述治理框架(即資訊安全政策)的記錄資訊與程序之間存在不一致。
儘管允許員工將筆記型電腦帶到工作場所之外,但 Lawsy 並沒有製定有關在這種情況下使用筆記型電腦的程序。此政策僅提供有關筆記型電腦使用的一般資訊。該公司依靠員工的常識來保護筆記型電腦中儲存的資訊的機密性和完整性。該問題已記錄在第一階段審計報告中。
完成第一階段審核後,審核組長準備了審核計劃,其中規定了審核目標、範圍、標準和程序。
在第二階段審核期間,審核小組約談了資安經理,資安經理起草了資訊安全政策。他透過指出 Lawsy 每三個月舉辦一次強制性資訊安全培訓和意識課程來證明第一階段中確定的問題的合理性。
面談後,審核小組檢查了 15 份員工培訓記錄(共 50 份),得出的結論是 Lawsy 符合 ISO/IEC 27001 有關培訓和意識的要求。為了支持這個結論,他們影印了檢查過的員工訓練記錄。
根據上述場景,回答以下問題:
審核員是否應在審核完成後將員工訓練記錄的副本存檔?請參閱場景 7。

  • A. 否,文件副本通常不會儲存為審核記錄
  • B. 是的,如審計協議中所述,審計員擁有文件副本
  • C. 是的,審核期間產生的所有文件化資訊應保留為審核記錄

正解:A

解説:
No, copies of files are not generally kept as audit records unless specifically required and agreed upon in the audit plan. Audit records typically include notes and observations made by auditors, not copies of the auditee's files, unless these are essential and explicitly allowed by the auditee.
References: ISO 19011:2018, Guidelines for auditing management systems


質問 # 107
在第二階段審核的開幕會議上,客戶組織的總經理邀請審核團隊觀看 45 分鐘的新公司影片。審核組長應做出下列哪兩項回應?

  • A. 通知總經理審計團隊同意他的請求
  • B. 說明審核組長將在開幕會議後留下來代表團隊觀看視頻
  • C. 建議總經理審計團隊必須遵守計畫的時間表
  • D. 說明審核小組將在稍後對觀看做出決定
  • E. 建議可以在茶歇期間觀看該視頻
  • F. 邀請總經理當晚到審計師下榻的飯店參觀。

正解:C、E

解説:
According to ISO 19011:2018, which provides guidelines for auditing management systems, an opening meeting is a formal communication between the audit team and the auditee at the start of an audit1. The purpose of the opening meeting is to confirm the audit objectives, scope and criteria, introduce the audit team and their roles, confirm the audit plan and logistics, explain the audit methods and procedures, and establish the communication channels1. Therefore, if the Managing Director of the client organization invites the audit team to view a new company video lasting 45 minutes during the opening meeting of a Stage 2 audit, the audit team leader should respond in a way that does not compromise the effectiveness and efficiency of the audit or create any misunderstanding or conflict with the auditee. Two possible ways to respond are to advise the Managing Director that the audit team has to keep to the planned schedule, as there may be limited time and resources available for the audit; or to suggest that the video could be viewed during a refreshment break, if it is relevant and useful for the audit and does not interfere with other audit activities1. The other options are not appropriate responses for the audit team leader to make in this situation. For example, stating that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team may imply that the video is not important or relevant for the rest of the audit team; inviting the Managing Director to the auditors' hotel for a viewing that evening may create an impression of bias or favouritism; stating that the audit team will make a decision on the viewing at a later time may be vague or indecisive; and advising the Managing Director that the audit team agrees to his request may result in wasting valuable audit time or losing focus on the audit objectives1. References: ISO 19011:2018 - Guidelines for auditing management systems


質問 # 108
根據 ISO/IEC 27001,資訊安全管理系統旨在保護下列哪兩項?

  • A. 資訊的機密性
  • B. 資訊整合
  • C. 資訊的一致性
  • D. 訊息的真實性
  • E. 資訊的完整性
  • F. 資訊的可訪問性

正解:A、E

解説:
ISO/IEC 27001 focuses on the core principles of the CIA triad:
*Confidentiality: Ensuring information is accessible only to authorized individuals.
*Integrity: Maintaining the accuracy and completeness of information, protecting it from unauthorized modification.
*Availability: Information should be accessible to authorized users when needed (this is also important, but not one of the choices in this specific question).
References:
*ISO/IEC 27001:2022, Section 4.2 (Understanding the needs and expectations of interested parties): This section highlights the importance of determining relevant interested parties and their requirements related to information security, which includes addressing confidentiality, integrity, and availability.
*PECB Candidate Handbook, ISO/IEC 27001 Lead Auditor: This handbook often emphasizes the foundational role of the CIA triad within an effective Information Security Management System (ISMS).


質問 # 109
情境 6:Sinvestment 是一家提供家庭保險、商業保險和人壽保險的保險公司。該公司成立於北卡羅來納州,但最近在其他地區進行了擴張,包括歐洲和非洲。
Sinvestment 致力於遵守適用於其行業的法律法規,並防止任何資訊安全事件。他們實施了基於 ISO/IEC 27001 的 ISMS 並申請了 ISO/IEC 27001 認證。
認證機構指派兩名審核員進行審核。與Sinvestment簽訂保密協議後。他們開始了審計活動。首先,他們審查了標準要求的文件,包括 ISMS 範圍聲明、資訊安全政策和內部稽核報告。審查過程並不容易,因為儘管 Sinvestment 表示他們已製定文件程序,但並非所有文件都具有相同的格式。
隨後,審計小組對Sinvestment的高階主管進行了多次訪談,以了解他們在ISMS實施中的作用。第一階段審計的所有活動都是遠端進行的,除了根據 Sinvestment 的要求在現場進行的文件資訊審查之外。
在此階段,審計人員發現沒有與資訊安全培訓和意識計劃相關的文件。被問及時,Sinvestment代表表示,公司已為所有員工提供資訊安全培訓課程。第一階段審計讓審計團隊對 Sinvestment 的營運和 ISMS 有了整體了解。
第二階段審核在第一階段審核三週後進行。審計小組觀察到,行銷部門(未包含在審計範圍內)沒有適當的程序來控制員工的存取權限。由於控制員工的存取權限是ISO/IEC 27001的要求之一,並且已包含在公司的資訊安全政策中,因此該問題包含在審計報告中。此外,在第二階段審計中,審計小組觀察到Sinvestment沒有記錄使用者活動日誌。
該公司的程序規定“記錄用戶活動的日誌應保留並定期審查”,但該公司沒有提供任何執行該程序的證據。
在所有審核活動中,審核員透過觀察、訪談、文件化資訊審查、分析和技術驗證來收集資訊和證據。對第一階段和第二階段的所有審核結果進行了分析,審核小組決定發布積極的認證建議。
根據ISO/IEC 27001要求,公司是否需要提供執行有關記錄使用者活動的日誌程式的證據?請參閱場景 6。

  • A. 是的,記錄使用者活動的事件日誌必須保存並定期審查
  • B. 否,因為該流程的實施不是標準的要求
  • C. 否,本公司僅建議實施此程序

正解:A

解説:
Yes, according to ISO/IEC 27001, the company needs to provide evidence of the implementation of procedures regarding the logging of user activities. This requirement is essential to ensure that events are recorded and regularly reviewed, supporting the detection and prevention of security incidents.
References: ISO/IEC 27001:2013, Clause A.12.4 (Logging and monitoring)


質問 # 110
您是一位經驗豐富的 ISMS 審核團隊負責人,正在與分配給您的審核團隊的正在接受培訓的審核員進行交談。您希望確保他們了解計劃-實施-檢查-行動週期的檢查階段對於資訊安全管理系統的運作的重要性。
您可以透過要求他選擇最能完成句子的單字來做到這一點:
要使用最佳單字完成句子,請按一下要完成的空白部分,使其以紅色突出顯示,然後從下面的選項中按一下適用的文字。或者,您可以將該選項拖曳到適當的空白部分。

正解:

解説:

Explanation:
* Review is the third stage of the Plan-Do-Check-Act (PDCA) cycle, which is a four-step model for implementing and improving an information security management system (ISMS) according to ISO
/IEC 27001:202212. Review involves assessing and measuring the performance of the ISMS against the established policies, objectives, and criteria12.
* Assess is the verb that describes the action of reviewing the ISMS. Assess means to evaluate, analyze, or measure something in a systematic and objective manner3. Assessing the ISMS involves collecting and verifying audit evidence, identifying strengths and weaknesses, and determining the degree of conformity or nonconformity12.
* Regular is the adjective that describes the frequency or interval of reviewing the ISMS. Regular means occurring or done at fixed or uniform intervals4. Reviewing the ISMS at regular intervals means conducting internal audits and management reviews periodically, such as annually, quarterly, or monthly, depending on the needs and risks of the organization12.
* Suitability is one of the attributes that describes the quality or outcome of reviewing the ISMS. Suitability means being appropriate or fitting for a particular purpose, person, or situation5. Reviewing the ISMS for suitability means ensuring that it is aligned with the organization's strategic direction, business objectives, and information security requirements12.
References :=
* ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements
* ISO/IEC 27003:2022 Information technology - Security techniques - Information security management systems - Guidance
* Assess | Definition of Assess by Merriam-Webster
* Regular | Definition of Regular by Merriam-Webster
* Suitability | Definition of Suitability by Merriam-Webster


質問 # 111
您是負責管理審核計劃並決定特定審核的審核團隊的規模和組成的人。選擇應考慮的兩個因素。

  • A. 客戶關係
  • B. 審核組組長的資歷
  • C. 審核範圍與標準
  • D. 審核團隊實現審核目標所需的整體能力
  • E. 審核成本
  • F. 受審核方首選的持續時間

正解:C、D

解説:
The overall competence of the12:
* The audit scope and criteria: The audit scope defines the extent and boundaries of the audit, such as the locations, processes, functions, and time period to be audited. The audit criteria are the set of policies, procedures, standards, or requirements used as a reference against which the audit evidence is compared. The audit scope and criteria determine the complexity and extent of the audit, and thus influence the number and expertise of the auditors needed to cover all the relevant aspects of the audit.
* The overall competence of the audit team needed to achieve audit objectives: The audit team should have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results. The audit team competence should include the following elements12:
* Generic competence: The ability to apply the principles and methods of auditing, such as planning, conducting, reporting, and following up the audit, as well as the personal behaviour and attributes of the auditors, such as ethical conduct, fair presentation, professional care, independence, and impartiality.
* Discipline and sector-specific competence: The ability to understand and apply the audit criteria and the relevant technical or industry aspects of the audited organization, such as the information security management system (ISMS) requirements, the information security risks and controls, the legal and regulatory obligations, the organizational context and culture, the processes and activities, the products and services, etc.
* Audit team leader competence: The ability to manage the audit team and the audit process, such as coordinating the audit activities, communicating with the audit programme manager and the auditee, resolving any audit-related problems, ensuring the quality and consistency of the audit work and the audit report, etc.
The person responsible for managing the audit programme should not consider the following factors when deciding the size and composition of the audit team for a specific audit, as they are either irrelevant or inappropriate for the audit process12:
* Customer relationships: The audit team should not be influenced by any personal or professional relationships with the auditee or other interested parties, as this may compromise the objectivity and impartiality of the audit. The audit team should avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.
* Seniority of the audit team leader: The audit team leader should be selected based on their competence and experience, not on their seniority or rank within the organization or the audit programme. The audit team leader should have the authority and responsibility to manage the audit team and the audit process, regardless of their seniority or position.
* The cost of the audit: The cost of the audit should not be the primary factor for determining the size and composition of the audit team, as this may compromise the quality and effectiveness of the audit. The audit team should have sufficient resources and time to conduct the audit in accordance with the audit objectives, scope, and criteria, and to provide accurate and reliable audit results and recommendations.
* The duration preferred by the auditee: The duration of the audit should be based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee, not on the preference or convenience of the auditee. The audit team should have enough time to conduct the audit in a thorough and systematic manner, and to collect and evaluate sufficient and relevant audit evidence.
References:
* ISO 19011:2018 - Guidelines for auditing management systems
* PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-20


質問 # 112
選擇最能完成下面句子的字詞來描述審計資源:

正解:

解説:

Explanation:
According to ISO 19011:2018, clause 5.3, the person responsible for managing the audit programme should determine the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. The audit resources should be sufficient and appropriate to ensure the quality and effectiveness of the audit programme and the audit results. The audit resources include the following elements12:
* Essential resources: These are the resources that are required to conduct the audit programme and the individual audits, such as the audit documents, the audit methods, the audit tools, the audit schedule, the audit budget, etc. The essential resources should be identified and allocated based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee. The essential resources should also be reviewed and updated as necessary to reflect any changes or deviations in the audit programme or the individual audits.
* Competent personnel: These are the audit team members who have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results and recommendations. The competent personnel should include the audit team leader, the auditors, and any technical experts or observers who support the audit team. The competent personnel should be selected and appointed based on the audit objectives, scope, and criteria, and the specific competence requirements for the audit programme and the individual audits. The competent personnel should also be independent and impartial, and avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.
References:
* ISO 19011:2018 - Guidelines for auditing management systems, clause 5.3
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 19


質問 # 113
大數據等新科技的使用對審計有何影響?

  • A. 它會造成嚴重中斷,例如,引入對於傳統資料庫管理工具處理來說太大或太複雜的數據
  • B. 透過使審核員能夠收集更高品質的審核證據來提高審核質量
  • C. 它提出了新的挑戰,例如,結合結構化和非結構化數據

正解:C

解説:
The use of new technologies such as big data presents new challenges in auditing, particularly the issue of combining structured and unstructured data. Big data environments often include diverse data sets that auditors need to understand and interpret, which requires new skills and approaches to ensure effective and comprehensive audit coverage.
References: ISO/IEC 27001:2013 Standards and supplementary literature on the impact of technology on auditing practices


質問 # 114
您正在療養院進行 ISMS 審核,療養院的住戶總是戴著電子腕帶來監測他們的位置、心跳和血壓。腕帶會自動將這些資料上傳到雲端伺服器,供工作人員進行醫療保健監控和分析。
您現在希望驗證最高管理層是否已製定資訊安全策略和目標。您正在對行動裝置策略進行抽樣,並確定該策略的安全目標是「確保遠端辦公和行動裝置使用的安全」。
禁止個人行動裝置連接至療養院網路、處理和儲存居民資料。
本公司在ISMS範圍內的行動裝置應在資產登記冊中登記。
本公司的行動裝置應實施或啟用實體保護,即密碼保護的螢幕鎖定/解鎖、臉部或指紋解鎖裝置。
本公司的行動裝置應定期備份。
若要驗證行動裝置策略和目標是否已實施且有效,請為稽核追蹤選擇三個選項。

  • A. 採訪設備供應商,確保他們了解 ISMS 政策
  • B. 從值班醫護人員處抽取部分行動設備,並與資產登記冊驗證行動裝置資訊
  • C. 查看訪客登記簿,確保任何訪客都不能在療養院內攜帶個人手機
  • D. 與高階主管面談,核實他們參與制定資訊安全政策和資訊安全目標的情況
  • E. 與接待人員面談,確保在進入療養院之前檢查所有訪客和員工的行李
  • F. 查看內部審核報告以確保 IT 部門已接受審核
  • G. 檢查資產註冊以確保所有個人行動裝置已註冊
  • H. 檢查資產註冊以確保所有公司的行動裝置已註冊

正解:B、F、H

解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 5.2 requires top management to establish an information security policy that provides the framework for setting information security objectives1. Clause 6.2 requires top management to ensure that the information security objectives are established at relevant functions and levels1. Therefore, when verifying that the information security policy and objectives have been established by top management, an ISMS auditor should review relevant documents and records that demonstrate top management's involvement and commitment.
To verify that the mobile device policy and objectives are implemented and effective, an ISMS auditor should review relevant documents and records that demonstrate how the policy and objectives are communicated, monitored, measured, analyzed, and evaluated. The auditor should also sample and verify the implementation of the controls that are stated in the policy.
Three options for the audit trail that are relevant to verifying the mobile device policy and objectives are:
* Review the internal audit report to make sure the IT department has been audited: This option is relevant because it can provide evidence of how the IT department, which is responsible for managing the mobile devices and their security, has been evaluated for its conformity and effectiveness in implementing the mobile device policy and objectives. The internal audit report can also reveal any nonconformities, corrective actions, or opportunities for improvement related to the mobile device policy and objectives.
* Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register: This option is relevant because it can provide evidence of how the mobile devices that are used by the medical staff, who are involved in processing and storing residents' data, are registered in the asset register and have physical protection enabled. This can verify the implementation and effectiveness of two of the controls that are stated in the mobile device policy.
* Review the asset register to make sure all company's mobile devices are registered: This option is relevant because it can provide evidence of how the company's mobile devices that are within the ISMS scope are identified and accounted for. This can verify the implementation and effectiveness of one of the controls that are stated in the mobile device policy.
The other options for the audit trail are not relevant to verifying the mobile device policy and objectives, as they are not related to the policy or objectives or their implementation or effectiveness. For example:
* Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding physical security or access control, but not specifically to mobile devices.
* Review visitors' register book to make sure no visitor can have their personal mobile phone in the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security awareness or compliance, but not specifically to mobile devices.
* Interview the supplier of the devices to make sure they are aware of the ISMS policy: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security within supplier relationships, but not specifically to mobile devices.
* Interview top management to verify their involvement in establishing the information security policy and the information security objectives: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to verifying that the information security policy and objectives have been established by top management, but not specifically to mobile devices.
References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements


質問 # 115
......

ISO-IEC-27001-Lead-Auditor-CN問題集を使って一日でISO 27001試験最速合格:https://jp.fast2test.com/ISO-IEC-27001-Lead-Auditor-CN-premium-file.html

100% 高得点合格保証されるISO-IEC-27001-Lead-Auditor-CN無制限290解答:https://drive.google.com/open?id=1YlRyQObjyIl-5JL1k8G5tEb7-bNiNwwe


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어