最新のISO-IEC-27001-Lead-Auditor試験問題集でPECB試験にはトレーニングを提供しています [Q114-Q139]

Share

最新のISO-IEC-27001-Lead-Auditor試験問題集でPECB試験にはトレーニングを提供しています

合格できるPECB PECB Certified ISO/IEC 27001 Lead Auditor examのPDF問題集は最近更新された192問あります


PECB ISO-IEC-27001-Lead-Auditor(PECB Certified ISO/IEC 27001 Lead Auditor)認定試験は、ISO/IEC 27001標準に基づく情報セキュリティマネジメントシステム(ISMS)監査を主導および管理する専門家の専門知識を証明することを目的としています。この認定試験は、グローバルに認められ、内部および外部監査を実施および管理する個人の知識とスキルを検証します。


PECB ISO-IEC-27001-LEAD-AUDITOR認定試験は、ISO/に従って情報セキュリティ管理システム(ISMS)監査の主要、計画、実行、および報告における個人の専門知識と知識を検証するグローバルに認められた資格情報です。 IEC 27001標準。この認定試験は、専門的な評価および認定委員会(PECB)によって提供され、ISMS監査の実施に有能で熟練したい専門家を対象としています。


ISO/IEC 27001リーダー監査人認定は、個人が組織の情報セキュリティ管理システム(ISM)を効果的に監査するために必要なスキルと知識を開発するのを支援するように設計されています。この認証は、ISO/IEC 27001標準に基づいています。これは、ISMの要件を概説する国際標準です。この認定は、リスク管理、情報セキュリティ管理、監査手法など、さまざまなトピックをカバーしています。

 

質問 # 114
After a fire has occurred, what repressive measure can be taken?

  • A. Repairing all systems after the fire
  • B. Buying in a proper fire insurance policy
  • C. Extinguishing the fire after the fire alarm sounds

正解:C


質問 # 115
Which reliability aspect of information is compromised when a staff member denies having sent a message?

  • A. Integrity
  • B. Confidentiality
  • C. Correctness
  • D. Availability

正解:A

解説:
The reliability aspect of information that is compromised when a staff member denies having sent a message is integrity. Integrity is the property of information that ensures its accuracy, completeness, consistency and authenticity. When a staff member denies having sent a message, it implies that the message was either altered, forged, deleted or repudiated by someone else, which violates the integrity of the information. ISO/IEC 27001:2022 defines integrity as "the property of accuracy and completeness" (see clause 3.24). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Integrity?


質問 # 116
Select the words that best complete the sentence below to describe a third-party audit plan.
To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

正解:

解説:

Explanation:
The words that best complete the sentence are assess and recommendation. The sentence would read as follows:
"An audit plan is a statement of the intent of the audit team to assess all areas of the company with a view to determining a recommendation for certification approval." Explanation: According to the web search results from my predefined tool, a third-party audit plan is a document that describes the scope, objectives, criteria, and methodology of an external audit conducted by an independent certification body to verify the conformity of an organization's ISMS with the ISO 27001 standard12. The audit plan also includes the audit schedule, the audit team, the audit locations, and the audit deliverables23. One of the main deliverables of a third-party audit is the audit report, which summarizes the audit findings, the audit conclusions, and the audit recommendation34. The audit recommendation is the opinion of the audit team on whether the organization's ISMS meets the certification requirements and whether the certification should be granted, maintained, suspended, or withdrawn45.
Therefore, the purpose of the audit plan is to state the intention of the audit team to assess all areas of the company, meaning to evaluate the performance and effectiveness of the ISMS, and to determine a recommendation for certification approval, meaning to provide a judgment on the certification status of the ISMS. The other words in the options, such as verdict, permit, report, inspect, and question, do not accurately reflect the meaning of the audit plan. A verdict is a formal decision made by a judge or a jury, not by an audit team. A permit is a legal authorization to do something, not a certification of conformity. A report is a document that presents the audit results, not the audit intention. An inspection is a visual examination of something, not a comprehensive assessment of an ISMS. A question is a request for information, not a determination of a recommendation.


質問 # 117
Which one of the following options best describes the main purpose of a Stage 1 third-party audit?

  • A. To check for legal compliance by the organisation
  • B. To determine redness for a stage 2 audit
  • C. To get to know the organisation's customers
  • D. To prepare an independent audit report
  • E. To learn about the organisation's procurement
  • F. To introduce the audit team to the client

正解:B

解説:
Explanation
The main purpose of a Stage 1 third-party audit is to determine readiness for a Stage 2 audit. A Stage 1 audit is a preliminary assessment that evaluates the organization's ISMS documentation, scope, context, and objectives, and identifies any major gaps or nonconformities that need to be addressed before the Stage 2 audit. A Stage 1 audit does not introduce the audit team to the client, as this is done during the audit planning phase. A Stage 1 audit does not check for legal compliance by the organization, as this is done during the Stage 2 audit. A Stage 1 audit does not prepare an independent audit report, as this is done after the Stage 2 audit. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 70. : ISO/IEC 27001 LEAD AUDITOR - PECB, page 23.


質問 # 118
You are performing an ISMS audit at a European-based residential nursing home called ABC that provides healthcare services. The next step in your audit plan is to verify the effectiveness of the continual improvement process.
During the audit, you learned most of the residents' family members (90%) receive WeCare medical devices promotion advertisements through email and SMS once a week via ABC's healthcare mobile app. All of them do not agree on the use of the collected personal data for marketing or any other purposes than nursing and medical care on the signed service agreement with ABC. They have very strong reason to believe that ABC is leaking residents' and family members' personal information to a non-relevant third party and they have filed complaints.
The Service Manager says that, after investigation, all these complaints have been treated as nonconformities.
The corrective actions have been planned and implemented according to the nonconformity and corrective management procedure (Document reference ID: ISMS_L2_10.1, version 1).
You write a nonconformity which you will follow up on later. Select the words that best complete the sentence:

正解:

解説:

Explanation
One possible way to complete the sentence is:
"When reviewing the effectiveness of action taken in response to a nonconformity, an auditor seeks evidence of change that will prevent recurrence of the issue." According to ISO/IEC 27001:2022, clause 10.1, the organization shall continually improve the suitability, adequacy, and effectiveness of the ISMS by evaluating the performance and the effectiveness of the ISMS, ensuring that the policy and objectives are aligned with the strategic direction of the organization, and taking actions to achieve the intended outcomes of the ISMS. One of the ways to achieve continual improvement is to identify and correct nonconformities and take actions to eliminate their causes and prevent their recurrence.
Therefore, when reviewing the effectiveness of the corrective actions, an auditor should look for evidence that the organization has analyzed the root cause of the nonconformity, implemented appropriate changes to the ISMS, and verified that the changes have resulted in the desired improvement and prevented the recurrence of the issue. References: =
* ISO/IEC 27001:2022, clause 10.1, Nonconformity and corrective action
* ISO/IEC 27001:2022, clause 10.2, Continual improvement
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 19, Audit Process
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 21, Audit Findings


質問 # 119
Cabling Security is associated with Power, telecommunication and network cabling carrying information are protected from interception and damage.

  • A. True
  • B. False

正解:A

解説:
Cabling security is associated with power, telecommunication and network cabling carrying information are protected from interception and damage. This statement is true, as cabling security is a part of physical and environmental security that aims to prevent unauthorized physical access, damage and interference to information and information processing facilities. Cabling security involves securing the cables that transmit information from one device or location to another, such as power cables, telephone cables, network cables, etc. Cabling security can prevent eavesdropping, tampering, interruption or destruction of information by physical means, such as cutting, tapping, bending or exposing the cables. ISO/IEC 27001:2022 requires the organization to implement physical and environmental security controls to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities (see clause A.11). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Cabling Security?


質問 # 120
Availability means

  • A. Service should be accessible at the required time and usable only by the authorized entity
  • B. Service should not be accessible when required
  • C. Service should be accessible at the required time and usable by all

正解:A

解説:
Explanation
Availability means that service should be accessible at the required time and usable only by the authorized entity. Availability is one of the three main objectives of information security, along with confidentiality and integrity. Availability ensures that information and systems are not disrupted or denied by unauthorized actions or events. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24. ISO/IEC 27001 Brochures | PECB, page 4.


質問 # 121
You are an experienced ISMS audit team leader guiding an auditor in training. You decide to test her knowledge of follow-up audits by asking her a series of questions. Here are your questions and her answers.
Which four of your questions has she answered correctly?

  • A. Q: Should the outcome from a follow-up audit be reported to the audit client? A:No
  • B. Q: Could an outcome from a follow-up audit be another follow-up audit if required? A:YES
  • C. Q: Are follow-up audits required for all audits? A:No
  • D. Q: Is the purpose of a follow-up audit to verify the completion of corrections, corrective actions, and opportunities for improvement? A:YES
  • E. Q: Should follow-up audits consider agreed opportunities for improvement as well as corrective action?
    A:No
  • F. Q: Should follow-up audits seek to ensure nonconformities have been effectively addressed? A:YES
  • G. Q: Should the outcome from a follow-up audit be reported to the audit team leader who carried out the audit at which the NCs were originally identified? A:YES
  • H. Q: Should a follow-up audit seek to identify new nonconformities? A:YES

正解:B、C、D、F

解説:
Based on the understanding of follow-up audits, especially in the context of Information Security Management Systems (ISMS) and the guidelines provided by ISO 19011:2018, here are the four questions from your list that the auditor in training has answered correctly:
B: Q: Should follow-up audits seek to ensure nonconformities have been effectively addressed? A: YES This is correct. The primary purpose of follow-up audits is to verify that nonconformities identified in previous audits have been effectively addressed and the corrective actions taken are suitable and effective.
D: Q: Is the purpose of a follow-up audit to verify the completion of corrections, corrective actions, and opportunities for improvement? A: YES Yes, the follow-up audit aims to verify the completion and effectiveness of corrections and corrective actions. It may also consider the implementation of opportunities for improvement identified during the initial audit.
E: Q: Are follow-up audits required for all audits? A: NO This is correct. Follow-up audits are not automatically required for all audits. They are typically conducted when nonconformities or other significant issues were identified in an earlier audit and there's a need to verify the implementation and effectiveness of the corrective actions.
H: Q: Could an outcome from a follow-up audit be another follow-up audit if required? A: YES Yes, this is a possible outcome. If the follow-up audit finds that the corrective actions have not been fully effective, or if new issues are identified, it may be necessary to conduct another follow-up audit.
The other responses provided by the auditor in training require some clarification or correction. For instance, while a follow-up audit primarily focuses on previously identified nonconformities and corrective actions, it can still identify new nonconformities if observed (A). Opportunities for improvement are generally considered in the scope of regular audits more so than in follow-up audits, which are more narrowly focused on corrective actions (C). Also, the outcomes of follow-up audits should typically be reported to both the audit team leader and the audit client (F and G), ensuring transparency and accountability.
The four questions that the auditor in training has answered correctly are B, D, E, and H. These questions and answers are consistent with the definition and purpose of a follow-up audit as specified in ISO 19011:2018, Clause 6.712. A follow-up audit is conducted to verify the completion and effectiveness of corrective actions taken as a result of a previous audit (B, D). Follow-up audits are not mandatory for all audits, but they may be required by the audit program, the audit client, or other interested parties (E). The outcome of a follow-up audit may be another follow-up audit if the corrective actions are not satisfactory or not completed within the agreed time frame (H). The other questions and answers are either incorrect or irrelevant. A follow-up audit should not seek to identify new nonconformities, as this is not its objective (A). Follow-up audits should consider agreed opportunities for improvement as well as corrective actions, as they are both outputs of a previous audit . The outcome of a follow-up audit should be reported to the audit client, as well as to other relevant parties, such as the audit team leader who carried out the previous audit (F, G). References: 1: ISO
19011:2018, Guidelines for auditing management systems, Clause 6.7 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 6: Closing an ISO/IEC 27001 audit


質問 # 122
You are an ISMS audit team leader assigned by your certification body to carry out a follow-up audit of a Data Centre client.
According to ISO 19011:2018, the purpose of a follow-up audit is to verify which one of the following?

  • A. Completion and effectiveness of corrective actions
  • B. The effectiveness of the management system
  • C. Implementation of risk treatment plans
  • D. Implementation of ISMS objectives

正解:A

解説:
The purpose of a follow-up audit is to verify the completion and effectiveness of corrective actions taken by the auditee in response to the nonconformities identified in a previous audit1. A follow-up audit is a type of audit that is conducted after an initial audit, and it focuses on the specific areas where nonconformities were found and corrective actions were agreed upon2. A follow-up audit can be conducted as a separate audit or as part of a scheduled audit, depending on the nature and severity of the nonconformities and the audit programme objectives3.
The other options are not the purpose of a follow-up audit, but rather the purpose of other types of audits. For example:
*Option A is the purpose of a performance audit, which is a type of audit that evaluates the effectiveness of the management system in achieving its intended results4.
*Option B is the purpose of a compliance audit, which is a type of audit that verifies the conformity of the management system with the specified requirements, such as the ISMS objectives5.
*Option C is the purpose of a process audit, which is a type of audit that examines the inputs, activities, outputs, and interactions of a specific process within the management system, such as the risk treatment process.
References: 1: ISO 19011:2018, 6.7; 2: ISO 19011:2018, 3.7; 3: ISO 19011:2018, 5.5.2; 4: ISO 19011:2018, 3.6; 5: ISO 19011:2018, 3.5; : ISO 19011:2018, 3.4; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : [ISO 19011:2018]


質問 # 123
You are an ISMS auditor conducting a third-party surveillance audit of a telecom's provider. You are in the equipment staging room where network switches are pre-programmed before being despatched to clients. You note that recently there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming.
You ask the Chief Tester why and she says, 'It's a result of the recent ISMS upgrade'. Before the upgrade each technician had their own hard copy work instructions. Now, the eight members of my team have to share two laptops to access the clients' configuration instructions online. These delays put pressure on the technicians, resulting in more mistakes being made'.
Based solely on the information above, which clause of ISO to raise a nonconformity against' Select one.

  • A. Clause 7.5 - Documented information
  • B. Clause 7.4 - Communication
  • C. Clause 7.2 - Competence
  • D. Clause 10.2 - Nonconformity and corrective action
  • E. Clause 7.3 - Awareness
  • F. Clause 8.1 - Operational planning and control

正解:F

解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 8.1 requires an organization to plan, implement and control its processes needed to meet ISMS requirements2. This includes determining what needs to be done, how it will be done, who will do it, when it will be done, what resources are required, how performance will be evaluated, etc2. Therefore, if an ISMS auditor conducting a third-party surveillance audit of a telecom's provider notes that there has been a significant increase in the number of switches failing their initial configuration test and being returned for reprogramming due to a recent ISMS upgrade that reduced access to work instructions, this indicates a nonconformity against clause 8.1 of ISO/IEC 27001:2022. The organization has failed to plan and control its operational processes effectively to ensure information security and quality2. The other options are not correct clauses to raise a nonconformity against based solely on this information. For example, clause 7.5 deals with documented information required by ISMS or determined by an organization as necessary for its effectiveness2, but it does not specify how many copies or formats of work instructions should be available; clause 10.2 deals with nonconformity and corrective action as a response to an identified problem or incident2, but it does not address how to prevent or avoid such problems or incidents in operational processes; clause 7.3 deals with awareness of ISMS policy, objectives, roles and responsibilities among persons doing work under an organization's control2, but it does not relate to how work instructions are accessed or followed; clause 7.2 deals with competence of persons doing work under an organization's control that affects its ISMS performance2, but it does not imply that lack of competence is caused by insufficient work instructions; clause
7.4 deals with communication about ISMS among internal and external interested parties2, but it does not cover how operational information is communicated within an organization. References: ISO/IEC 27001:2022
- Information technology - Security techniques - Information security management systems - Requirements


質問 # 124
You are an experienced ISMS audit team leader providing guidance to an auditor in training. She asks you why it is important to have specific criteria relating to the grading of nonconformities.
Which one of the following responses is correct?

  • A. Because the establishment and implementation of grading criteria demonstrate a high level of commitment to the corrective action process
  • B. Because grading criteria provide a common basis for the evaluation of nonconformities across the organization
  • C. Because grading criteria will ensure that all auditors score nonconformities in exactly the same way
  • D. Because ISO/IEC 27001:2022 requires it

正解:B

解説:
Explanation
The correct response is A, because grading criteria provide a common basis for the evaluation of nonconformities across the organization. Grading criteria are the rules or standards that define the severity or impact of nonconformities, and help to determine the appropriate corrective actions and follow-up activities.
Grading criteria are important for several reasons, such as:
They ensure consistency and objectivity in the assessment and reporting of nonconformities, and avoid subjective or arbitrary judgments.
They facilitate the communication and understanding of nonconformities among the auditors, the auditees, and the audit clients, and enable the comparison and benchmarking of nonconformities across different processes, functions, or locations.
They support the prioritization and allocation of resources for the resolution of nonconformities, and the monitoring and measurement of the effectiveness of the corrective actions.
They demonstrate the commitment and accountability of the organization to the continual improvement of the ISMS, and the compliance with the ISMS requirements and expectations.
References:
ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements1 PECB Candidate Handbook ISO/IEC 27001 Lead Auditor2 ISO 27001:2022 Lead Auditor - PECB3 ISO 27001:2022 certified ISMS lead auditor - Jisc4 ISO/IEC 27001:2022 Lead Auditor Transition Training Course5 ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy ISO 19011:2022, Guidelines for auditing management systems


質問 # 125
You are an experienced ISMS auditor, currently providing support to an ISMS auditor in training who is carrying out her first initial certification audit. She asks you what she should be verifying when auditing an organisation's Information Security objectives. You ask her what she has included in her audit checklist and she provides the following replies.
Which three of these responses would you cause you concern in relation to conformity with ISO/IEC
27001:2022?

  • A. I am going to check that a completion date has been set for each objective and that there are no objectives with missing 'achieve by' dates
  • B. I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed
  • C. I am going to check how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved
  • D. I am going to check that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them
  • E. I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved
  • F. I am going to check that the necessary budget, manpower and materials to achieve each objective has been determined
  • G. I am going to check that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this

正解:A、B、E

解説:
Explanation
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 6.2 requires an organization to establish information security objectives at relevant functions and levels1. The objectives should be consistent with the information security policy; measurable (if practicable) or capable of being evaluated; monitored; communicated; updated as appropriate1. Therefore, when auditing an organization's information security objectives, an ISMS auditor should verify these aspects in accordance with the audit criteria.
Three responses from the ISMS auditor in training that would cause concern in relation to conformity with ISO/IEC 27001:2022 are:
* I am going to check that top management have determined the Information Security objectives for the
* current year. If not, I will check that this task has been programmed to be completed: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives at relevant functions and levels, not just at the top management level. It also implies that the auditor in training is willing to accept a delay or postponement in determining the information security objectives, which may affect the ISMS performance and effectiveness.
* I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives that are measurable (if practicable) or capable of being evaluated, not just written down on paper. It also implies that the auditor in training is not aware of the flexibility and suitability of different media or formats for documenting and communicating information security objectives, such as electronic or digital records, posters, newsletters, etc.
* I am going to check that a completion date has been set for each objective and that there are no objectives with missing 'achieve by' dates: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives that are monitored, not just completed by a certain date. It also implies that the auditor in training is not aware of the possibility and necessity of updating information security objectives as appropriate, such as when changes occur in the internal or external context of the organization, or when new risks or opportunities arise.
The other responses from the ISMS auditor in training are acceptable and do not cause concern in relation to conformity with ISO/IEC 27001:2022. For example, checking how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved is relevant to verifying the communication aspect of clause 6.2; checking that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this is relevant to verifying the updating aspect of clause 6.2; checking that the necessary budget, manpower and materials to achieve each objective has been determined is relevant to verifying the planning aspect of clause 6.2; checking that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them is relevant to verifying the measurability aspect of clause 6.2. References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements


質問 # 126
In the event of an Information security incident, system users' roles and responsibilities are to be observed, except:

  • A. Report suspected or known incidents upon discovery through the Servicedesk
  • B. Preserve evidence if necessary
  • C. Cooperate with investigative personnel during investigation if needed
  • D. Make the information security incident details known to all employees

正解:D


質問 # 127
An employee caught temporarily storing an MP3 file in his workstation will not receive an IR.

  • A. False
  • B. True

正解:A

解説:
Explanation
An employee caught temporarily storing an MP3 file in his workstation will receive an IR, because this is also a violation of the organization's information security policy and acceptable use policy. An MP3 file is a type of media file that may contain copyrighted or illegal content, or may introduce malware or viruses into the organization's network. The employee should not store any unauthorized or personal files in his workstation, as this may compromise the confidentiality, integrity and availability of the organization's information assets. References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], [ISO/IEC
27001:2022 Information technology - Security techniques - Information security management systems - Requirements], Example of an information security policy, Example of an acceptable use policy


質問 # 128
You are performing an ISMS audit at a nursing home where residents always wear an electronic wristband for monitoring their location, heartbeat, and blood pressure. The wristband automatically uploads this data to a cloud server for healthcare monitoring and analysis by staff.
You now wish to verify that the information security policy and objectives have been established by top management. You are sampling the mobile device policy and identify a security objective of this policy is "to ensure the security of teleworking and use of mobile devices" The policy states the following controls will be applied in order to achieve this.
Personal mobile devices are prohibited from connecting to the nursing home network, processing, and storing residents' data.
The company's mobile devices within the ISMS scope shall be registered in the asset register.
The company's mobile devices shall implement or enable physical protection, i.e., pin-code protected screen lock/unlock, facial or fingerprint to unlock the device.
The company's mobile devices shall have a regular backup.
To verify that the mobile device policy and objectives are implemented and effective, select three options for your audit trail.

  • A. Review visitors' register book to make sure no visitor can have their personal mobile phone in the nursing home
  • B. Review the asset register to make sure all company's mobile devices are registered
  • C. Review the internal audit report to make sure the IT department has been audited
  • D. Review the asset register to make sure all personal mobile devices are registered
  • E. Interview top management to verify their involvement in establishing the information security policy and the information security objectives
  • F. Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home
  • G. Interview the supplier of the devices to make sure they are aware of the ISMS policy
  • H. Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register

正解:B、C、H

解説:
Explanation
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 5.2 requires top management to establish an information security policy that provides the framework for setting information security objectives1. Clause 6.2 requires top management to ensure that the information security objectives are established at relevant functions and levels1. Therefore, when verifying that the information security policy and objectives have been established by top management, an ISMS auditor should review relevant documents and records that demonstrate top management's involvement and commitment.
To verify that the mobile device policy and objectives are implemented and effective, an ISMS auditor should review relevant documents and records that demonstrate how the policy and objectives are communicated, monitored, measured, analyzed, and evaluated. The auditor should also sample and verify the implementation of the controls that are stated in the policy.
Three options for the audit trail that are relevant to verifying the mobile device policy and objectives are:
* Review the internal audit report to make sure the IT department has been audited: This option is relevant because it can provide evidence of how the IT department, which is responsible for managing the mobile devices and their security, has been evaluated for its conformity and effectiveness in implementing the mobile device policy and objectives. The internal audit report can also reveal any nonconformities, corrective actions, or opportunities for improvement related to the mobile device policy and objectives.
* Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register: This option is relevant because it can provide evidence of how the mobile devices that are used by the medical staff, who are involved in processing and storing residents' data, are registered in the asset register and have physical protection enabled. This can verify the implementation and effectiveness of two of the controls that are stated in the mobile device policy.
* Review the asset register to make sure all company's mobile devices are registered: This option is relevant because it can provide evidence of how the company's mobile devices that are within the ISMS scope are identified and accounted for. This can verify the implementation and effectiveness of one of the controls that are stated in the mobile device policy.
The other options for the audit trail are not relevant to verifying the mobile device policy and objectives, as they are not related to the policy or objectives or their implementation or effectiveness. For example:
* Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding physical security or access control, but not specifically to mobile devices.
* Review visitors' register book to make sure no visitor can have their personal mobile phone in the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security awareness or compliance, but not specifically to mobile devices.
* Interview the supplier of the devices to make sure they are aware of the ISMS policy: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security within supplier relationships, but not specifically to mobile devices.
* Interview top management to verify their involvement in establishing the information security policy and the information security objectives: This option is not relevant because it does not provide evidence
* of how the mobile device policy and objectives are implemented or effective. It may be related to verifying that the information security policy and objectives have been established by top management, but not specifically to mobile devices.
References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements


質問 # 129
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity against ISO 27001:2022 based on the lack of control of the labelling process.
At the closing meeting, the Shipping Manager issues an apology to you that his comments may have been misunderstood. He says that he did not realise that there is a background IT process that automatically checks that the right label goes onto the right parcel otherwise the parcel is ejected at labelling. He asks that you withdraw your nonconformity.
Select three options of the correct responses that you as the audit team leader would make to the request of the Shipping Manager.

  • A. Advise the Shipping Manager that his request will be included in the audit report
  • B. Advise management that the new information provided will be discussed when the auditors have more time
  • C. Indicate that the nonconformity is evidence of a deeper system failure that needs to be rectified
  • D. Inform the Shipping Manager that the nonconformity is minor and should be quickly corrected
  • E. Ask the audit team members to state what they think should happen
  • F. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed
  • G. Inform him of your understanding and withdraw the nonconformity
  • H. Advise the Shipping Manager that the nonconformity must stand since the evidence obtained for it was dear

正解:A、B、F

解説:
* A. Advise the Shipping Manager that his request will be included in the audit report. This is true because the audit report should document all the relevant information and evidence related to the audit, including any requests or objections raised by the auditee. The audit report should also provide the rationale for the audit conclusions and recommendations12.
* B. Advise management that the new information provided will be discussed when the auditors have more time. This is true because the auditors should not make hasty decisions based on incomplete or unverified information. The auditors should review and evaluate the new information in a systematic and objective manner, and determine whether it affects the audit findings, nonconformities, or conclusions12.
* F. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed. This is true because the auditors should acknowledge and appreciate the cooperation and transparency of the auditee, but also maintain their professional integrity and independence. The auditors should not withdraw a nonconformity unless they are satisfied that it was raised in error or that it has been effectively corrected and verified12.
References :=
* ISO 19011:2022 Guidelines for auditing management systems
* ISO/IEC 17021-1:2022 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements


質問 # 130
Auditor competence is a combination of knowledge and skills. Which two of the following activities are predominately related to "knowledge"?

  • A. Designing a checklist
  • B. Determining what evidence to gather
  • C. Understanding how to identify findings
  • D. Follow an audit trail deviating from the prepared checklist
  • E. Determining how to seek evidence from the auditee
  • F. Communicate with the auditee

正解:A、B

解説:
Knowledge is the understanding of facts, concepts, principles, theories and practices related to a specific subject or discipline. Skills are the ability to apply knowledge and use know-how to complete tasks and solve problems. According to ISO 19011:2018, the knowledge and skills of an auditor include the following:
Knowledge of audit principles, procedures and methods
Knowledge of management system standards and reference documents
Knowledge of the organization's context, scope, processes and objectives Knowledge of relevant legal, regulatory and contractual requirements Knowledge of applicable industry, sector or technical disciplines Knowledge of risk management and risk-based thinking Skill in collecting and verifying information Skill in evaluating conformity and effectiveness of management systems Skill in reporting and communicating audit results Skill in managing audit activities and teams Based on this, the activities that are predominately related to knowledge are designing a checklist and determining what evidence to gather, as they require the auditor to understand the audit criteria, scope, objectives and methods, as well as the organization's context, processes and risks. The other activities are more related to skills, as they involve applying knowledge and using know-how to perform tasks and solve problems during the audit.
References:
ISO 19011:2018, Guidelines for auditing management systems, clauses 7.2.1, 7.2.2 and 7.2.3 PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 9-10 and 16-17 ISO 9001 Auditing Practices Group Guidance on: Auditing Competence, pages 2-3 and 8


質問 # 131
You are preparing the audit findings. Select two options that are correct.

  • A. There is no nonconformance. The information security handling training has performed, and its effectiveness was evaluated. This conforms with clause 7.2 and control A.6.3.
  • B. There is a nonconformity (NC). The information security incident training has failed. This is not conforming with clause 7.2 and control A.6.3.
  • C. There is an opportunity for improvement (OFI). The information security weaknesses, events, and madents are reported. This is relevant to clause 9.1 and control A.5.24.
  • D. There is an opportunity for improvement (OFI). The iLiirmation security incident training effectiveness can be improved. This is relevant to clause 7.2 and control A.6.3.
  • E. There is no nonconformance. The information security weaknesses, events, and incidents are reported.
    This conforms with clause 9.1 and control A.5.24.
  • F. There is a nonconformity (NC). Based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel. This is not conforming with clause 9.1 and control A.5.24.

正解:D、F

解説:
Explanation
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 7.2 requires an organization to determine the necessary competence of persons doing work under its control that affects its ISMS performance, and to provide training or take other actions to acquire or maintain the necessary competence1. Control A.6.3 requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect2. Therefore, if an ISMS auditor finds that the information security incident training effectiveness can be improved, this indicates an opportunity for improvement (OFI) that is relevant to clause 7.2 and control A.6.3.
According to ISO/IEC 27001:2022, clause 9.1 requires an organization to monitor, measure, analyze and evaluate its ISMS performance and effectiveness1. Control A.5.24 requires an organization to define and apply procedures for reporting information security events and weaknesses2. Therefore, if an ISMS auditor finds that based on sampling interview results, none of the interviewees were able to describe the incident management procedure reporting process including the role and responsibilities of personnel, this indicates a nonconformity (NC) that is not conforming with clause 9.1 and control A.5.24.
The other options are not correct options for preparing the audit findings based on the given information. For example, there is no nonconformance if the information security weaknesses, events, and incidents are reported, as this conforms with clause 9.1 and control A.5.24; there is no nonconformance if the information security handling training has performed, and its effectiveness was evaluated, as this conforms with clause 7.2 and control A.6.3; there is no nonconformity if the information security incident training has failed, as this may not necessarily indicate a lack of conformity with clause 7.2 or control A.6.3; there is no opportunity for improvement if the information security weaknesses, events, and incidents are reported, as this is already conforming with clause 9.1 and control A.5.24. References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls


質問 # 132
Which measure is a preventive measure?

  • A. Shutting down all internet traffic after a hacker has gained access to the company systems
  • B. Putting sensitive information in a safe
  • C. Installing a logging system that enables changes in a system to be recognized

正解:B


質問 # 133
You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.
The Service Manager says that the complaints were investigated as an information security incident which found that they were justified.
Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.
You write a nonconformity "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents' and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members." Select three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity.

  • A. ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.
  • B. ABC cancels the service agreement with WeCare.
  • C. ABC asks an ISMS consultant to test the ABC Healthcare mobile app for protection against cyber-crime.
  • D. ABC takes legal action against WeCare for breach of contract.
  • E. ABC discontinues the use of the ABC Healthcare mobile app.
  • F. ABC trains all staff on the importance of maintaining information security protocols.
  • G. ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA).
  • H. ABC introduces background checks on information security performance for all suppliers.

正解:A、B、H

解説:
Explanation
The three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity are:
B: ABC cancels the service agreement with WeCare.
E: ABC introduces background checks on information security performance for all suppliers.
F: ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.
B: This option is a possible correction and corrective action that ABC could take to address the nonconformity. A correction is the action taken to eliminate a detected nonconformity, while a corrective action is the action taken to eliminate the cause of a nonconformity and to prevent its recurrence1. By cancelling the service agreement with WeCare, ABC could stop the unauthorized use of residents' personal data and protect their privacy and rights. This could also prevent further complaints and legal issues from the residents and their family members. However, this option may also have some drawbacks, such as the loss of a service provider, the need to find an alternative solution, and the potential impact on the residents' well-being.
E: This option is a possible corrective action that ABC could take to address the nonconformity. By introducing background checks on information security performance for all suppliers, ABC could ensure that they select and work with reliable and trustworthy partners who respect the confidentiality, integrity, and availability of the information they handle. This could also help ABC to comply with information security control A.15.1.1 (Information security policy for supplier relationships), which requires the organisation to agree and document information security requirements for mitigating the risks associated with supplier access to the organisation's assets2.
F: This option is a possible corrective action that ABC could take to address the nonconformity. By periodically monitoring compliance with all applicable legislation and contractual requirements involving third parties, ABC could verify that the suppliers are fulfilling their obligations and responsibilities regarding information security. This could also help ABC to comply with information security control A.18.1.1 (Identification of applicable legislation and contractual requirements), which requires the organisation to identify, document, and keep up to date the relevant legislative, regulatory, contractual, and other requirements to which the organisation is subject3.
References:
1: ISO 27000:2018 - Information technology - Security techniques - Information security management systems - Overview and vocabulary, clause 3.9 and 3.10 2: ISO/IEC 27001:2022 - Information technology
- Security techniques - Information security management systems - Requirements, Annex A, control A.15.1.1 3: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, Annex A, control A.18.1.1


質問 # 134
Stages of Information

  • A. creation, use, disposition, maintenance, evolution
  • B. creation, distribution, maintenance, disposition, use
  • C. creation, distribution, use, maintenance, disposition
  • D. creation, evolution, maintenance, use, disposition

正解:C


質問 # 135
You are an ISMS audit team leader who has been assigned by your certification body to carry out a follow-up audit of a client. You are preparing your audit plan for this audit.
Which two of the following statements are true?

  • A. Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement
  • B. Opportunities for improvement should be verified first, followed by corrections and finally corrective actions
  • C. Verification should focus on whether any action undertaken is complete
  • D. Corrections should be verified first, followed by corrective actions and finally opportunities for improvement
  • E. Verification should focus on whether any action undertaken has been undertaken effectively
  • F. Verification should focus on whether any action undertaken taken has been undertaken efficiently

正解:C、E

解説:
Explanation
According to ISO 27001:2022 clause 9.1.2, the organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the organisation's own requirements, the requirements of ISO 27001:2022, and is effectively implemented and maintained12 According to ISO 27001:2022 clause 10.1, the organisation shall react to the nonconformities and take action, as applicable, to control and correct them and deal with the consequences. The organisation shall also evaluate the need for action to eliminate the causes of nonconformities, in order to prevent recurrence or occurrence.
The organisation shall implement any action needed, review the effectiveness of any corrective action taken, and make changes to the information security management system, if necessary12 A follow-up audit is a type of internal audit that is conducted after a previous audit to verify whether the nonconformities and corrective actions have been addressed and resolved, and whether the information security management system has been improved12 Therefore, the following statements are true for preparing a follow-up audit plan:
* Verification should focus on whether any action undertaken is complete. This means that the auditor should check whether the organisation has implemented all the planned actions to correct and prevent the nonconformities, and whether the actions have been documented and communicated as required12
* Verification should focus on whether any action undertaken has been undertaken effectively. This means that the auditor should check whether the organisation has achieved the intended results and objectives of the actions, and whether the actions have eliminated or reduced the nonconformities and their causes and consequences12 The following statements are false for preparing a follow-up audit plan:
* Verification should focus on whether any action undertaken has been undertaken efficiently. This is false because efficiency is not a criterion for verifying the actions taken to address the nonconformities and corrective actions. Efficiency refers to the optimal use of resources to achieve the desired outcomes,
* but it is not a requirement of ISO 27001:2022. The auditor should focus on the effectiveness and completeness of the actions, not on the efficiency12
* Corrections should be verified first, followed by corrective actions and finally opportunities for improvement. This is false because there is no prescribed order for verifying the corrections, corrective actions, and opportunities for improvement. The auditor should verify all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to verify the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12
* Opportunities for improvement should be verified first, followed by corrections and finally corrective actions. This is false because there is no prescribed order for verifying the opportunities for improvement, corrections, and corrective actions. The auditor should verify all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to verify the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12
* Corrective actions should be reviewed first, followed by corrections and finally opportunities for improvement. This is false because there is no prescribed order for reviewing the corrective actions, corrections, and opportunities for improvement. The auditor should review all the actions taken by the organisation, regardless of their sequence or priority. The auditor may choose to review the actions based on their relevance, significance, or impact, but this is not a mandatory requirement12 References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2


質問 # 136
Select the words that best complete the sentence:
To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

正解:

解説:

Explanation:
competence of the audit team and decision made by the certification body According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, an accredited certification means that the certification body has been evaluated by an accreditation body against recognized standards to demonstrate its competence, impartiality and performance capability1. Therefore, an accredited certification assures the competence of the audit team that conducts the audit in accordance with ISO 19011 and ISO/IEC 27001:2022, and the decision made by the certification body that grants or maintains the certification based on the audit evidence and findings2. References: ISO/IEC
17021-1:2015 - Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements, ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA


質問 # 137
Below is Purpose of "Integrity", which is one of the Basic Components of Information Security

  • A. the property that information is not made available or disclosed to unauthorized individuals
  • B. the property of safeguarding the accuracy and completeness of assets.
  • C. the property of being accessible and usable upon demand by an authorized entity.
  • D. the property that information is not made available or disclosed to unauthorized individuals

正解:B


質問 # 138
Which two of the following statements are true?

  • A. The role of a certification body auditor involves evaluating the organisation's processes for ensuring compliance with their legal requirements
  • B. Curing a third-party audit, the auditor evaluates how the organisation ensures that 4 6 made aware of changes to the legal requirements
  • C. As part of a certification body audit the auditor is resporable for verifying the organisation's legal compliance status

正解:A、B

解説:
Explanation
The following statements are true:
* The role of a certification body auditor involves evaluating the organization's processes for ensuring compliance with their legal requirements. This is part of the auditor's responsibility to assess the effectiveness and conformity of the organization's ISMS against the ISO/IEC 27001:2022 standard and the applicable legal and regulatory requirements.
* During a third-party audit, the auditor evaluates how the organization ensures that they are made aware of changes to the legal requirements. This is part of the auditor's responsibility to verify that the organization has established and maintained a process for identifying and updating their legal and other requirements related to information security. The following statement is false:
* As part of a certification body audit, the auditor is responsible for verifying the organization's legal compliance status. This is not true, as the auditor is not authorized or qualified to provide legal advice or
* judgment on the organization's compliance status. The auditor can only report on the evidence of compliance or noncompliance observed during the audit, but the ultimate responsibility for ensuring legal compliance lies with the organization. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 66. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 67.
ISO/IEC 27001 LEAD AUDITOR - PECB, page 22.


質問 # 139
......

更新されたテストエンジン練習ISO-IEC-27001-Lead-Auditor問題集と練習試験で使おう:https://jp.fast2test.com/ISO-IEC-27001-Lead-Auditor-premium-file.html

問題集お試しセットISO-IEC-27001-Lead-Auditorテストエンジン問題集トレーニングには192問あります:https://drive.google.com/open?id=1MgSOeBUg_d7__0LVvQtT6xvxqKUmVX63


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어