検証済みのISO-IEC-27001-Lead-Auditorテスト問題集と解答で正確な192問
PECB ISO-IEC-27001-Lead-AuditorテストエンジンPDFで全問無料問題集
質問 # 21
You see a blue color sticker on certain physical assets. What does this signify?
- A. The asset with blue stickers should be kept air conditioned at all times
- B. The asset is high critical and its failure will affect a group/s/project's work in the organization
- C. The asset is critical and the impact is restricted to an employee only
- D. The asset is very high critical and its failure affects the entire organization
正解:B
解説:
Explanation
You see a blue color sticker on certain physical assets. This signifies that the asset is high critical and its failure will affect a group/s/project's work in the organization. A blue color sticker is a type of label that indicates the level of criticality of an asset, which is a measure of how important an asset is for the organization's operations and objectives. A high critical asset is an asset that has a significant impact on the organization's activities, and its loss or damage would cause major disruption or loss of service. A blue color sticker also implies that the asset requires a high level of protection and security, and should be handled with care. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 36. : [ISO/IEC 27001 Brochures | PECB], page 6.
質問 # 22
You receive an E-mail from some unknown person claiming to be representative of your bank and asking for your account number and password so that they can fix your account. Such an attempt of social engineering is called
- A. Shoulder Surfing
- B. Mountaineering
- C. Phishing
- D. Spoofing
正解:C
解説:
Explanation
An email from some unknown person claiming to be a representative of your bank and asking for your account number and password so that they can fix your account is an example of social engineering called phishing.
Phishing is a form of fraud that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information.
ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC
27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Phishing?
質問 # 23
Objectives, criteria, and scope are critical features of a third-party ISMS audit. Which two issues are audit objectives?
- A. Evaluate customer processes and functions
- B. Review organisation efficiency
- C. Fulfil the audit plan
- D. Determine the scope of the ISMS
- E. Confirm sites operating the ISMS
- F. Assess conformity with ISO/IEC 27001 requirements
正解:E、F
解説:
Explanation
Audit objectives are the specific purposes or goals that the customer or the certification body wants to achieve through the audit. They define what the audit intends to accomplish and provide the basis for planning and conducting the audit. Audit objectives may vary depending on the type, scope, and criteria of the audit, but they should be clear, measurable, and achievable.
Some examples of audit objectives for a third-party ISMS audit are:
* Assess conformity with ISO/IEC 27001 requirements: This objective means that the audit aims to verify that the organisation's ISMS meets the requirements of the ISO/IEC 27001 standard, which specifies the best practices for establishing, implementing, maintaining, and improving an information security management system. The audit will evaluate the organisation's ISMS documentation, processes, controls, and performance against the standard's clauses and annex A controls.
* Confirm sites operating the ISMS: This objective means that the audit aims to confirm that the organisation's ISMS covers all the relevant sites or locations where the organisation operates or provides its services. The audit will verify that the scope of the ISMS is accurate and consistent with the organisation's context, objectives, and risks.
The other phrases are not audit objectives, but rather:
* Evaluate customer processes and functions: This is not an audit objective, but rather a possible audit criterion or a requirement that the organisation's processes and functions should meet. The audit criterion is the reference against which the audit evidence is compared to determine conformity or nonconformity. The audit criterion may include ISO/IEC 27001 requirements, customer requirements, or other applicable standards or regulations.
* Fulfil the audit plan: This is not an audit objective, but rather a task or an activity that the auditor performs during the audit. The audit plan is a document that describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. The auditor should follow and fulfil the audit plan to ensure that the audit is conducted effectively and efficiently.
* Determine the scope of the ISMS: This is not an audit objective, but rather a prerequisite or an input for conducting the audit. The scope of the ISMS is the extent and boundaries of the information security management system within the organisation. It defines what processes, activities, locations, assets, and
* stakeholders are included or excluded from the ISMS. The scope of the ISMS should be determined by the organisation before applying for certification or undergoing an audit.
* Review organisation efficiency: This is not an audit objective, but rather a possible outcome or a result of conducting an audit. The organisation efficiency is a measure of how well the organisation uses its resources to achieve its goals and objectives. The audit may help review and improve the organisation efficiency by identifying strengths, weaknesses, opportunities, and threats in its information security management system.
References:
* ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
* ISO 19011:2018 Guidelines for auditing management systems [Section 5.3.1]
質問 # 24
Which two of the following statements are true?
- A. The purpose of an ISMS is to apply a risk management process for preserving information security
- B. The benefit of certifying an ISMS is to obtain contracts from governmental institutions
- C. The purpose of an ISMS is to demonstrate compliance with regulatory requirements
- D. The benefits of implementing an ISMS primarily result from a reduction in information security risks
正解:A、D
解説:
The benefits of implementing an ISMS are not limited to a reduction in information security risks, but also include improved business performance, customer satisfaction, legal compliance, and stakeholder confidence.
The benefit of certifying an ISMS is not only to obtain contracts from governmental institutions, but also to demonstrate the organisation's commitment to information security to other potential customers, partners, and regulators. The purpose of an ISMS is to apply a risk management process for preserving information security, which means identifying, analysing, evaluating, treating, monitoring, and reviewing the information security risks that the organisation faces. The purpose of an ISMS is not to demonstrate compliance with regulatory requirements, but rather to ensure that the organisation meets its own information security objectives and obligations.
References:
* ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
* ISO/IEC 27001:2013 Information technology - Security techniques - Information security
* management systems - Requirements [Section 0.1] and [Section 1]
質問 # 25
Which of the following is not a type of Information Security attack?
- A. Legal Incidents
- B. Technical Vulnerabilities
- C. Vehicular Incidents
- D. Privacy Incidents
正解:C
解説:
Vehicular incidents are not a type of information security attack. A vehicular incident is an event that involves a vehicle or its driver causing damage or injury to people or property. A vehicular incident may have an impact on information security if it affects the availability or integrity of information or systems that are transported or accessed by vehicles, but it is not an intentional or malicious attack on information security.
Legal incidents are a type of information security attack that involve legal actions or disputes that may compromise the confidentiality or integrity of information or systems. Technical vulnerabilities are a type of information security attack that exploit weaknesses or flaws in software or hardware that may compromise the confidentiality, integrity, or availability of information or systems. Privacy incidents are a type of information security attack that involve unauthorized access or disclosure of personal or sensitive information that may compromise the confidentiality or integrity of information or systems. References: : CQI & IRCA ISO
27001:2022 Lead Auditor Course Handbook, page 25. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 13.
質問 # 26
Which three of the following options are an advantage of using a sampling plan for the audit?
- A. Gives confidence in the audit results
- B. Use of the plan for consecutive audits
- C. Overrules the auditor's instincts
- D. Misses key issues
- E. Implements the audit plan efficiently
- F. Provides a suitable understanding of the ISMS
正解:A、E、F
解説:
According to ISO 19011:2018, which provides guidelines for auditing management systems, a sampling plan is a method for selecting a representative subset of the audit evidence from a defined population1. A sampling plan can have several advantages for the audit, such as providing a suitable understanding of the ISMS by covering its key processes, activities, and controls; implementing the audit plan efficiently by optimizing the use of time and resources; and giving confidence in the audit results by ensuring that the sample is sufficient, reliable, and unbiased1. Therefore, these three options are examples of advantages of using a sampling plan for the audit. The other options are not advantages, but rather disadvantages or risks of using a sampling plan. For example, overruling the auditor's instincts may lead to missing important evidence or issues that are not covered by the sampling plan; using the same plan for consecutive audits may reduce the effectiveness and validity of the audit results; and missing key issues may result from an inadequate or inappropriate sampling plan1. References: ISO 19011:2018 - Guidelines for auditing management systems
質問 # 27
In the context of a management system audit, please identify the sequence of a typical process of collecting and verifying information. The first one has been done for you.
正解:
解説:
Explanation:
A screenshot of a computer Description automatically generated
* Identifying the source of information (already given)
* Gathering audit evidence: This involves collecting information from various sources such as documents, records, interviews, and observations.
* Sampling the available data: Due to the vast amount of information available, auditors typically use sampling techniques to select representative data for closer scrutiny.
* Verifying objective evidence: This involves checking the accuracy, completeness, and reliability of the collected evidence.
* Evaluating evidence against the audit criteria: Auditors compare the collected evidence to the established criteria (e.g., standards, policies, procedures) to assess compliance and effectiveness.
* Recording audit findings: This involves documenting the results of the evaluation, including observations, conclusions, and recommendations.
* Making audit conclusions: Based on the recorded findings, auditors formulate overall conclusions about the status of the management system.
Therefore, the correct sequence is:
1. Identifying the source of information 2. Gathering audit evidence 3. Sampling the available data 4.
Verifying objective evidence 5. Evaluating evidence against the audit criteria 6. Recording audit findings 7.
Making audit conclusions
質問 # 28
Which reliability aspect of information is compromised when a staff member denies having sent a message?
- A. Integrity
- B. Confidentiality
- C. Availability
- D. Correctness
正解:A
解説:
Explanation
The reliability aspect of information that is compromised when a staff member denies having sent a message is integrity. Integrity is the property of information that ensures its accuracy, completeness, consistency and authenticity. When a staff member denies having sent a message, it implies that the message was either altered, forged, deleted or repudiated by someone else, which violates the integrity of the information.
ISO/IEC 27001:2022 defines integrity as "the property of accuracy and completeness" (see clause
3.24). References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC
27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Integrity?
質問 # 29
You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC
27001, and they want to make sure they audit the control correctly.
They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.
Which three of the following options represent valid audit trails?
- A. I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team
- B. I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements
- C. I will check that the organisation has a fully documented threat intelligence process
- D. I will determine whether internal and external sources of information are used in the production of threat intelligence
- E. I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
- F. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
- G. I will ensure that the organisation's risk assessment process begins with effective threat intelligence
- H. I will speak to top management to make sure all staff are aware of the importance of reporting threats
正解:B、E、F
解説:
Explanation
These three options represent valid audit trails for control 5.7, as they are aligned with the control's requirements and objectives. According to the web search results from my predefined tool, control 5.7 requires organisations to collect and analyse information relating to information security threats and use that information to take mitigation actions12. The control also specifies that threat intelligence should be relevant, perceptive, contextual, and actionable, and that it should be used to prevent, detect, or respond to threats34.
Therefore, the auditor should verify how the organisation collects, analyses, and produces threat intelligence, how it uses threat intelligence to protect its information assets, and how it monitors and evaluates the effectiveness of its threat intelligence arrangements. The other options are not valid audit trails, as they are either irrelevant, incorrect, or incomplete. For example:
*The task of producing threat intelligence is not assigned to the organisation's internal audit team, but to the person or team responsible for the ISMS, such as the information security manager or the information security committee5 .
*The organisation's risk assessment process does not begin with effective threat intelligence, but with the identification of the context, scope, and objectives of the ISMS . Threat intelligence is an input for the risk identification and analysis, but not the starting point of the risk assessment process.
*Speaking to top management to make sure all staff are aware of the importance of reporting threats is not sufficient to audit the control, as it does not address how the organisation collects, analyses, and produces threat intelligence, nor how it uses it to take mitigation actions. The auditor should also speak to the staff involved in the threat intelligence process, and review the relevant documents and records.
*Checking that the organisation has a fully documented threat intelligence process is not enough to audit the control, as it does not verify the implementation and effectiveness of the process. The auditor should also observe the process in action, and examine the outputs and outcomes of the process.
*Determining whether internal and external sources of information are used in the production of threat intelligence is a partial audit trail, as it only covers one aspect of the control. The auditor should also assess the quality, reliability, and relevance of the sources, and how the information is analysed and used.
References: = 1: ISO 27001:2022 Annex A 5.7 - Threat Intelligence - ISMS.online12: ISO 27001 Annex A
5.7 Threat Intelligence - High Table23: ISO/IEC 27001:2022 Information technology - Security techniques
- Information security management systems - Requirements, clause A.5.74: ISO 27002 Emphasizes Need For Threat Intelligence - Rapid745: ISO/IEC 27007:2011 Information technology - Security techniques - Guidelines for information security management systems auditing, clause 6.3.2. : ISO 27001 Statement of Applicability [Updated 2024] - Sprinto3 : ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, clause 6.1.1. : ISO 27001 Requirement 6.1.1 - Actions to address risks and opportunities | ISMS.online1
質問 # 30
In what part of the process to grant access to a system does the user present a token?
- A. Authorisation
- B. Verification
- C. Identification
- D. Authentication
正解:C
解説:
In what part of the process to grant access to a system does the user present a token? The user presents a token in the identification part of the process. Identification is the process of claiming an identity or presenting an identifier to a system. An identifier is a unique name or label that represents a person or entity. A token is a physical device or object that contains or generates an identifier, such as a smart card, a key fob, or a QR code. Identification is used to initiate the access request and associate it with an identity. Identification is followed by authentication, which verifies the identity claim, and authorization, which determines the level of access granted. ISO/IEC 27001:2022 defines identification as "recognition of an entity by an identifier in a particular context" (see clause 3.29). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, [What is Identification?]
質問 # 31
You are an experienced audit team leader guiding an auditor in training.
Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the ORGANISATIONAL controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that would you expect the auditor in training to review.
- A. How power and data cables enter the building
- B. How information security has been addressed within supplier agreements
- C. Rules for transferring information within the organisation and to other organisations
- D. The organisation's business continuity arrangements
- E. The development and maintenance of an information asset inventory
- F. Access to and from the loading bay
- G. The operation of the site CCTV and door control systems
- H. Confidentiality and nondisclosure agreements
正解:B、C、E、H
解説:
According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the auditor in training should review the organisational controls that are related to the information security policy, the roles and responsibilities, the information classification, the information exchange, the supplier relationships, and the information asset management1. These controls are aligned with the ISO/IEC 27001 requirements for clauses
5, 7, 8.2, 8.3, and 8.42. The other controls (A, D, G, and H) are more relevant to the physical and environmental security, the communications security, or the business continuity management, which are not part of the organisational controls3. References: 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 42, section 5.2.32: ISO/IEC 27001:2022, clauses 5, 7, 8.2, 8.3, and 8.43: ISO/IEC 27001:2022, clauses 8.1, 8.5, and 8.6.
質問 # 32
You are an ISMS audit team leader tasked with conducting a follow-up audit at a client's data centre.
Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding.
Select four options for the actions you could take.
- A. Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified
- B. Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity
- C. Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised
- D. Advise the auditee that you will arrange an online audit to deal with the outstanding nonconformity
- E. Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit
- F. Book another follow-up audit on-site to review the one outstanding minor nonconformity once it has been cleared
- G. Recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale
- H. Note the progress made but hold the audit open until all corrective action has been cleared
正解:A、B、C、E
解説:
According to ISO 19011:2018, which provides guidelines for auditing management systems, clause 6.7 requires the audit team leader to conduct a follow-up audit to verify the implementation and effectiveness of the corrective actions taken by the auditee in response to the nonconformities identified during a previous audit1. The follow-up audit should be conducted in accordance with the same principles and processes as the initial audit, and should result in a conclusion on the status of the nonconformities and any remaining issues1.
Therefore, when conducting a follow-up audit, an ISMS auditor should consider the following actions:
* Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit: This action is appropriate because it reflects the fact that the auditee has cleared most of the nonconformities, including the major one, and only one minor nonconformity remains outstanding. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity2. Therefore, this finding does not prevent or preclude the continuation of certification, as long as it is addressed by appropriate corrective actions within a reasonable time frame. The auditor should recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit, which is a regular audit conducted by the certification body to confirm the ongoing conformity and effectiveness of an ISMS3.
* Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified: This action is appropriate because it reflects the fact that the auditee has demonstrated commitment and capability to implement corrective actions for the nonconformities identified during the previous audit. The auditor should agree with the auditee/audit client on a realistic, achievable, and effective corrective action plan for the remaining nonconformity, including a clear deadline and verification method. The auditor should also document this agreement in the follow-up audit report1.
* Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity: This action is appropriate because it reflects the fact that the auditor has followed a systematic and consistent approach to conducting and reporting the follow-up audit. The auditor should advise the individual managing the audit programme of any decision taken regarding the outstanding
* nonconformity, such as recommending its closure at the next surveillance audit or agreeing on a corrective action plan with the auditee/audit client. The auditor should also provide sufficient information and evidence to support their decision1.
* Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised: This action is appropriate because it reflects the fact that the organisation has achieved satisfactory results in the follow-up audit. The auditor should close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised by implementing effective corrective actions for most of them and agreeing on a plan for the remaining one. The auditor should also communicate the follow-up audit conclusion to the auditee/audit client and other relevant parties1.
質問 # 33
Select the words that best complete the sentence:
To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.
正解:
解説:
Explanation
* A third-party audit team leader is a person who leads an audit team that conducts audits on behalf of an external organization, such as a certification body, that provides certification or accreditation services to other organizations12.
* One of the main responsibilities of a third-party audit team leader is to act on behalf of the certification body, which means to represent its interests, policies, and procedures during the audit process12.
* Acting on behalf of the certification body involves communicating with the audit client and the auditee, planning and conducting the audit, reporting and evaluating the audit results, and making recommendations for certification or accreditation decisions12.
* Acting on behalf of the certification body also requires maintaining professional integrity, impartiality, confidentiality, and competence throughout the audit process12.
References :=
* ISO 19011:2022 Guidelines for auditing management systems
* ISO/IEC 17021-1:2022 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements
質問 # 34
Select the words that best complete the sentence:
To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.
正解:
解説:
質問 # 35
You are an experienced ISMS audit team leader providing guidance to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the following activities. They have asked you to review their checklist to confirm that the actions they are proposing are appropriate.
The audit they have been invited to participate in is a third-party surveillance audit of a data centre . The data centre agent is part of a wider telecommunication group. Each data centre within the group operates its own ISMS and holds its own certificate.
- A. I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance
- B. I will limit my audit activity to externally provided processes as there is no need to audit externally provided products of services
- C. I will ensure the organization is has determined the need to communicate with external providers regarding the ISMS
- D. I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information
- E. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services
- F. I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest
- G. I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group
- H. I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes
正解:A、C、E、G
解説:
Explanation
* A. I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. Externally provided processes, products or services are those that are provided by any external party, regardless of the degree of its relationship
* with the organisation. Therefore, the other data centres within the same telecommunication group should be treated as external providers and subject to the same controls as any other external provider12
* B. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services. This is appropriate because clause 8.1.4 of ISO
27001:2022 requires the organisation to implement appropriate contractual requirements related to information security with external providers. One of the contractual requirements could be the obligation of the external provider to notify the organisation of any risks arising from the use of its products or services, such as security incidents, vulnerabilities, or changes that could affect the information security of the organisation. The external provider should have a documented process in place to ensure that such notification is timely, accurate, and complete12
* E. I will ensure the organisation is regularly monitoring, reviewing and evaluating external provider performance. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to monitor, review and evaluate the performance and effectiveness of the externally provided processes, products or services. The organisation should have a process in place to measure and verify the conformity and suitability of the external provider's deliverables and activities, and to provide feedback and improvement actions as necessary. The organisation should also maintain records of the monitoring, review and evaluation results12
* F. I will ensure the organisation has determined the need to communicate with external providers regarding the ISMS. This is appropriate because clause 7.4.2 of ISO 27001:2022 requires the organisation to determine the need for internal and external communications relevant to the information security management system, including the communication with external providers. The organisation should define the purpose, content, frequency, methods, and responsibilities for such communication, and ensure that it is consistent with the information security policy and objectives. The organisation should also retain documented information of the communication as evidence of its implementation12 The following activities are not appropriate for the assessment of external providers according to ISO
27001:2022:
* C. I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information. This is not appropriate because ISO 27001:2022 does not require the organisation to have a reserve external provider for each critical process. The organisation may choose to have a contingency plan or a backup solution in case of failure or disruption of the external provider, but this is not a mandatory requirement. The organisation should assess the risks and opportunities associated with the external provider and determine the appropriate treatment options, which may or may not include having a reserve external provider12
* D. I will limit my audit activity to externally provided processes as there is no need to audit externally provided products or services. This is not appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to control the externally provided processes, products or services that are relevant to the information security management system. Externally provided products or services may include software, hardware, data, or cloud services that could affect the information security of the organisation. Therefore, the audit activity should cover both externally provided processes and products or services, as applicable12
* G. I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes. This is not appropriate because clause 5.3 of ISO 27001:2022 requires the top management to assign the roles and responsibilities for the
* information security management system within the organisation, not for the external providers. The external providers are responsible for assigning their own roles and responsibilities for the processes, products or services they provide to the organisation. The organisation should ensure that the external providers have adequate competence and awareness for their roles and responsibilities, and that they are contractually bound to comply with the information security requirements of the organisation12
* H. I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest. This is not appropriate because ISO 27001:2022 does not require the organisation to rank its external providers or to allocate its work based on such ranking. The organisation may choose to evaluate and compare the performance and effectiveness of its external providers, but this is not a mandatory requirement. The organisation should select and use its external providers based on the information security criteria and objectives that are relevant to the organisation12 References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2
質問 # 36
Select two of the following options that are the responsibility of a legal technical expert on the audit team during a certification audit.
- A. Criticising the organisation's legal compliance issues
- B. Evaluating the auditee's legal knowledge
- C. Debating complex legal points with the auditee
- D. Advising on legal checkpoints for the audit team
- E. Verifying the legal status of the organisation
- F. Meeting the organisation's legal representative
正解:D、E
解説:
A legal technical expert (LTE) is a person who provides specific knowledge or expertise related to the legal aspects of the information security management system (ISMS) during a certification audit. The LTE is not an auditor, but a member of the audit team who supports the auditors in collecting and evaluating the audit evidence. The LTE is not responsible for evaluating the auditee's legal knowledge, criticising the organisation's legal compliance issues, or debating complex legal points with the auditee, as these tasks may be beyond the scope of the audit, or may compromise the objectivity and impartiality of the audit. The LTE is responsible for advising on legal checkpoints for the audit team, such as the applicable legal, regulatory, and contractual requirements, the relevant sources of information, the methods of verification, and the criteria of evaluation. The LTE is also responsible for verifying the legal status of the organisation, such as the registration, licensing, authorisation, or accreditation of the organisation, and the compliance with the relevant laws and regulations. References:
* What is the role of a technical expert in ISO audit?
* Roles, Responsibilities & Authorities for ISO 27001 5.3
* Guide to Become an ISO 27001 Lead Auditor
質問 # 37
What type of measure involves the stopping of possible consequences of security incidents?
- A. Detective
- B. Repressive
- C. Preventive
- D. Corrective
正解:B
解説:
A repressive measure is a type of measure that involves the stopping of possible consequences of security incidents. A security incident is an event that compromises the confidentiality, integrity, or availability of information assets3. A repressive measure is a measure that aims to prevent or reduce the harm caused by a security incident after it has occurred. Examples of repressive measures include blocking malicious IP addresses, revoking user access rights, isolating infected systems, or restoring data from backups4. Repressive measures are different from preventive measures, which are measures that aim to avoid or reduce the likelihood of a security incident before it occurs. Examples of preventive measures include installing antivirus software, enforcing password policies, encrypting sensitive data, or conducting security awareness training4. Therefore, the correct answer is C. Reference: ISO/IEC 27000:2022, clause 3.25; Lepide.
質問 # 38
......
100%合格率保証付きの素晴らしいISO-IEC-27001-Lead-Auditor試験問題PDF:https://jp.fast2test.com/ISO-IEC-27001-Lead-Auditor-premium-file.html
手に入れよう!最新ISO-IEC-27001-Lead-Auditor認定有効な試験問題集解答:https://drive.google.com/open?id=1MgSOeBUg_d7__0LVvQtT6xvxqKUmVX63