[2024年03月]更新のPECB ISO-IEC-27001-Lead-Auditor試験一発合格保証!
完全版ISO-IEC-27001-Lead-Auditor練習テスト192独特な解答と解釈が待ってます!今すぐ取得せよ!
質問 # 31
Select the words that best complete the sentence to describe an audit finding.
正解:
解説:
Explanation:
"An audit finding is the result of the evaluation of the collected audit evidence against audit criteria." The words that best complete the sentence to describe an audit finding are evaluation and evidence. According to ISO 19011:2022, an audit finding is the result of the evaluation of the collected audit evidence against audit criteria12. The other options are either not related to the definition of an audit finding or do not fit the sentence grammatically. References: 1: ISO 19011:2022, Guidelines for auditing management systems, Clause 3.11
\n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 5: Conducting an ISO/IEC 27001 audit
質問 # 32
A decent visitor is roaming around without visitor's ID. As an employee you should do the following, except:
- A. Escort him to his destination
- B. Say "hi" and offer coffee
- C. Greet and ask him what is his business
- D. Call the receptionist and inform about the visitor
正解:B
解説:
Explanation
As an employee, you should do the following when you see a visitor roaming around without visitor's ID, except saying "hi" and offering coffee. Saying "hi" and offering coffee is not an appropriate action, as it may imply that you are welcoming or endorsing the visitor without verifying their identity or purpose. This may also give the visitor an opportunity to gain your trust or exploit your kindness. Calling the receptionist and informing about the visitor is an appropriate action, as it alerts the responsible staff to handle the situation and ensure that the visitor is authorized and registered. Greeting and asking him what is his business is an appropriate action, as it shows your concern and curiosity about the visitor's presence and intention. Escorting him to his destination is an appropriate action, as it prevents the visitor from wandering around unattended and accessing unauthorized areas or information. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 42. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 15.
質問 # 33
Which one of the following options describes the main purpose of a Stage 1 audit?
- A. To get to know the organisation
- B. To compile the audit plan
- C. To check for legal compliance by the organisation
- D. To determine readiness for Stage 2
正解:D
解説:
Explanation
The main purpose of a Stage 1 audit is to evaluate the adequacy and effectiveness of the organisation's ISMS documentation, and to assess whether the organisation is prepared for the Stage 2 audit, where the implementation and operation of the ISMS will be verified. The Stage 1 audit also involves verifying the scope, objectives, and context of the ISMS, as well as identifying any areas of concern or nonconformities that need to be addressed before the Stage 2 audit.
References:
ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB ISO/IEC 27006:2015 Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems Section 7.3.1
質問 # 34
There is a network printer in the hallway of the company where you work. Many employees don't pick up their printouts immediately and leave them on the printer.
What are the consequences of this to the reliability of the information?
- A. The Security of the information is no longer guaranteed.
- B. The confidentiality of the information is no longer guaranteed.
- C. The availability of the information is no longer guaranteed.
- D. The integrity of the information is no longer guaranteed.
正解:B
解説:
Confidentiality is one of the Confidentiality, Integrity, Availability (CIA) principles of information security that states that only authorized parties should have access to information assets. Confidentiality protects the secrecy and privacy of information from unauthorized disclosure or exposure. Often, people do not pick up their prints from a shared printer. This can affect the confidentiality of information, as anyone who passes by the printer can see or take the printed documents that may contain confidential or personal information. This can lead to information leakage, identity theft, fraud, or other malicious activities. Therefore, the correct answer is C. Reference: ISO/IEC 27000:2022, clause 3.8; How & Where to Print Sensitive Documents on a Shared Printer.
質問 # 35
You are an experienced ISMS audit team leader providing guidance to an auditor in training. She asks you why it is important to have specific criteria relating to the grading of nonconformities.
Which one of the following responses is correct?
- A. Because grading criteria provide a common basis for the evaluation of nonconformities across the organization
- B. Because grading criteria will ensure that all auditors score nonconformities in exactly the same way
- C. Because ISO/IEC 27001:2022 requires it
- D. Because the establishment and implementation of grading criteria demonstrate a high level of commitment to the corrective action process
正解:A
解説:
Explanation
The correct response is A, because grading criteria provide a common basis for the evaluation of nonconformities across the organization. Grading criteria are the rules or standards that define the severity or impact of nonconformities, and help to determine the appropriate corrective actions and follow-up activities.
Grading criteria are important for several reasons, such as:
They ensure consistency and objectivity in the assessment and reporting of nonconformities, and avoid subjective or arbitrary judgments.
They facilitate the communication and understanding of nonconformities among the auditors, the auditees, and the audit clients, and enable the comparison and benchmarking of nonconformities across different processes, functions, or locations.
They support the prioritization and allocation of resources for the resolution of nonconformities, and the monitoring and measurement of the effectiveness of the corrective actions.
They demonstrate the commitment and accountability of the organization to the continual improvement of the ISMS, and the compliance with the ISMS requirements and expectations.
References:
ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements1 PECB Candidate Handbook ISO/IEC 27001 Lead Auditor2 ISO 27001:2022 Lead Auditor - PECB3 ISO 27001:2022 certified ISMS lead auditor - Jisc4 ISO/IEC 27001:2022 Lead Auditor Transition Training Course5 ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy ISO 19011:2022, Guidelines for auditing management systems
質問 # 36
Which of the following is not a type of Information Security attack?
- A. Vehicular Incidents
- B. Technical Vulnerabilities
- C. Legal Incidents
- D. Privacy Incidents
正解:A
解説:
Vehicular incidents are not a type of information security attack. A vehicular incident is an event that involves a vehicle or its driver causing damage or injury to people or property. A vehicular incident may have an impact on information security if it affects the availability or integrity of information or systems that are transported or accessed by vehicles, but it is not an intentional or malicious attack on information security.
Legal incidents are a type of information security attack that involve legal actions or disputes that may compromise the confidentiality or integrity of information or systems. Technical vulnerabilities are a type of information security attack that exploit weaknesses or flaws in software or hardware that may compromise the confidentiality, integrity, or availability of information or systems. Privacy incidents are a type of information security attack that involve unauthorized access or disclosure of personal or sensitive information that may compromise the confidentiality or integrity of information or systems. References: : CQI & IRCA ISO
27001:2022 Lead Auditor Course Handbook, page 25. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 13.
質問 # 37
You are the lead auditor of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks.
What is this risk strategy called?
- A. Risk bearing
- B. Risk avoidance
- C. Risk skipping
- D. Risk neutral
正解:A
解説:
The risk strategy that involves taking measures for the large risks but not for the small risks is called risk bearing. Risk bearing is a strategy that accepts the existence of risks and their potential consequences without implementing any specific controls to reduce them. Risk bearing is usually applied to risks that have low likelihood and low impact, or when the cost of controls outweighs the benefits. Risk bearing implies that the organization has enough resources and resilience to cope with the risks if they materialize. ISO/IEC 27001:2022 defines risk acceptance as "decision to accept risk" (see clause 3.4). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, [What is Risk Bearing?]
質問 # 38
Select the words that best complete the sentence below to describe audit resources:
正解:
解説:
Explanation:
According to ISO 19011:2018, clause 5.3, the person responsible for managing the audit programme should determine the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. The audit resources should be sufficient and appropriate to ensure the quality and effectiveness of the audit programme and the audit results. The audit resources include the following elements12:
* Essential resources: These are the resources that are required to conduct the audit programme and the individual audits, such as the audit documents, the audit methods, the audit tools, the audit schedule, the audit budget, etc. The essential resources should be identified and allocated based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee. The essential resources should also be reviewed and updated as necessary to reflect any changes or deviations in the audit programme or the individual audits.
* Competent personnel: These are the audit team members who have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results and recommendations. The competent personnel should include the audit team leader, the auditors, and any technical experts or observers who support the audit team. The competent personnel should be selected and appointed based on the audit objectives, scope, and criteria, and the specific competence requirements for the audit programme and the individual audits. The competent personnel
* should also be independent and impartial, and avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.
References:
* ISO 19011:2018 - Guidelines for auditing management systems, clause 5.3
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 19
質問 # 39
You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC
27001, and they want to make sure they audit the control correctly.
They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.
Which three of the following options represent valid audit trails?
- A. I will check that the organisation has a fully documented threat intelligence process
- B. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
- C. I will ensure that the organisation's risk assessment process begins with effective threat intelligence
- D. I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
- E. I will speak to top management to make sure all staff are aware of the importance of reporting threats
- F. I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements
- G. I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team
- H. I will determine whether internal and external sources of information are used in the production of threat intelligence
正解:A、B、H
解説:
The options that represent valid audit trails for assessing the organisation's application of control 5.7 - Threat Intelligence, according to ISO/IEC 27001:2022, are:
Option A: I will determine whether internal and external sources of information are used in the production of threat intelligence. This is relevant because effective threat intelligence typically requires gathering information from multiple sources to be comprehensive.
Option D: I will check that the organisation has a fully documented threat intelligence process. Proper documentation is a core requirement in ISO standards to ensure processes are defined, implemented, and maintained consistently.
Option E: I will check that threat intelligence is actively used to protect the confidentiality, integrity, and availability of the organisation's information assets. This verifies that the output of threat intelligence is being used effectively within the organisation's information security practices.
質問 # 40
Why do we need to test a disaster recovery plan regularly, and keep it up to date?
- A. Otherwise the measures taken and the incident procedures planned may not be adequate
- B. Otherwise it is no longer up to date with the registration of daily occurring faults
- C. Otherwise remotely stored backups may no longer be available to the security team
正解:A
質問 # 41
You are an experienced audit team leader guiding an auditor in training.
Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the PEOPLE controls listed in the Statement of Applicability (SoA) and mplemented at the site.
Select four controls from the following that would you expect the auditor in training to review.
- A. How protection against malware is implemented
- B. The organisation's business continuity arrangements
- C. The organisation's arrangements for information deletion
- D. Remote working arrangements
- E. Confidentiality and nondisclosure agreements
- F. The operation of the site CCTV and door control systems
- G. The conducting of verification checks on personnel
- H. Information security awareness, education and training
正解:D、E、G、H
解説:
Explanation
The PEOPLE controls are related to the human aspects of information security, such as roles and responsibilities, awareness and training, screening and contracts, and remote working. The auditor in training should review the following controls:
Confidentiality and nondisclosure agreements (A): These are contractual obligations that bind the employees and contractors of the organisation to protect the confidentiality of the information they handle, especially the data of external clients. The auditor should check if these agreements are signed, updated, and enforced by the organisation. This control is related to clause A.7.2.1 of ISO/IEC
27001:2022.
Information security awareness, education and training : These are activities that aim to enhance the knowledge, skills, and behaviour of the employees and contractors regarding information security. The auditor should check if these activities are planned, implemented, evaluated, and improved by the organisation. This control is related to clause A.7.2.2 of ISO/IEC 27001:2022.
Remote working arrangements (D): These are policies and procedures that govern the information security aspects of working from locations other than the organisation's premises, such as home or public places. The auditor should check if these arrangements are defined, approved, and monitored by the organisation. This control is related to clause A.6.2.1 of ISO/IEC 27001:2022.
The conducting of verification checks on personnel (E): These are background checks that verify the identity, qualifications, and suitability of the employees and contractors who have access to sensitive information or systems. The auditor should check if these checks are conducted, documented, and reviewed by the organisation. This control is related to clause A.7.1.1 of ISO/IEC 27001:2022.
References:
ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements PECB Candidate Handbook ISO/IEC 27001 Lead Auditor, 1 ISO 27001:2022 Lead Auditor - IECB, 2 ISO 27001:2022 certified ISMS lead auditor - Jisc, 3 ISO/IEC 27001:2022 Lead Auditor Transition Training Course, 4 ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy, 5
質問 # 42
Which three of the following phrases are objectives' in relation to an audit?
- A. Management policy
- B. Regulatory requirements
- C. Confirm the scope of the management system
- D. Complete audit on time
- E. Identify opportunities for improvement
- F. International Standard
正解:B、C、E
解説:
According to ISO 19011:2018, which provides guidelines for auditing management systems, the audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system1. Therefore, these three phrases are examples of objectives in relation to an audit. The other options are not objectives, but rather elements or factors that may influence or affect an audit. For example, an international standard is a source of audit criteria, a management policy is a part of the audited management system, and completing an audit on time is a requirement for an effective audit. References: ISO 19011:2018 - Guidelines for auditing management systems
質問 # 43
A key audit process is the way auditors gather information and determine the findings' characteristics. Put the actions listed in the correct order to complete this process. The last one has been done for you.
正解:
解説:
Explanation:
Determine source of information
Collect by means of appropriate sampling
Reviewing
Audit evidence
Evaluating against audit criteria
Audit findings
Audit conclusions
The reviewing step involves checking the accuracy, completeness, and relevance of the collected information.
The audit evidence step involves documenting the information in a verifiable and traceable manner. The evaluating against audit criteria step involves comparing the audit evidence with the requirements of the ISO
27001 standard and the organization's own policies and objectives. The audit findings step involves identifying any nonconformities, weaknesses, or opportunities for improvement in the ISMS. The audit conclusions step involves summarizing the audit results and providing recommendations for corrective actions or enhancements.
質問 # 44
The audit lifecycle describes the ISO 19011 process for conducting an individual audit. Drag and drop the steps of the audit lifecycle into the correct sequence.
正解:
解説:
Explanation:
The correct sequence of the steps of the audit lifecycle according to ISO 19011:2018 is:
Step 1: Audit initiation
Step 2: Audit preparation
Step 3: Conducting the audit
Step 4: Preparing and distributing the audit report
Step 5: Audit completion
Step 6: Audit follow-up
This sequence reflects the logical order of the audit activities, from establishing the audit objectives, scope and criteria, to verifying the implementation and effectiveness of the corrective actions. However, ISO 19011:2018 also recognizes that some audit activities can be iterative or concurrent, depending on the nature and complexity of the audit. For example, audit preparation and conducting the audit can overlap when new information or changes occur during the audit. Similarly, audit follow-up can be integrated with audit completion when the corrective actions are verified shortly after the audit. Therefore, the audit lifecycle should be adapted to the specific context and needs of each audit.
質問 # 45
You are performing an ISMS audit at a European-based residential
nursing home called ABC that provides healthcare services. You find all nursing home residents wear an electronic wristband for monitoring their location, heartbeat, and blood pressure always. You learned that the electronic wristband automatically uploads all data to the artificial intelligence (AI) cloud server for healthcare monitoring and analysis by healthcare staff.
The next step in your audit plan is to verify that the information security policy and objectives have been established by top management.
During the audit, you found the following audit evidence.
Match the audit evidence to the corresponding requirement in ISO/IEC 27001:2022.
正解:
解説:

質問 # 46
Phishing is what type of Information Security Incident?
- A. Private Incidents
- B. Cracker/Hacker Attacks
- C. Technical Vulnerabilities
- D. Legal Incidents
正解:B
質問 # 47
Select the words that best complete the sentence below to describe audit resources:
正解:
解説:
Explanation
According to ISO 19011:2018, clause 5.3, the person responsible for managing the audit programme should determine the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. The audit resources should be sufficient and appropriate to ensure the quality and effectiveness of the audit programme and the audit results. The audit resources include the following elements12:
* Essential resources: These are the resources that are required to conduct the audit programme and the individual audits, such as the audit documents, the audit methods, the audit tools, the audit schedule, the audit budget, etc. The essential resources should be identified and allocated based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee. The essential resources should also be reviewed and updated as necessary to reflect any changes or deviations in the audit programme or the individual audits.
* Competent personnel: These are the audit team members who have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results and recommendations. The competent personnel should include the audit team leader, the auditors, and any technical experts or observers who support the audit team. The competent personnel should be selected and appointed based on the audit objectives, scope, and criteria, and the specific competence requirements for the audit programme and the individual audits. The competent personnel should also be independent and impartial, and avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.
References:
* ISO 19011:2018 - Guidelines for auditing management systems, clause 5.3
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 19
質問 # 48
......
あなたの合格を助けるPECB認証と最新のFast2test ISO-IEC-27001-Lead-Auditor試験問題集解答:https://drive.google.com/open?id=1MgSOeBUg_d7__0LVvQtT6xvxqKUmVX63
最新ISO-IEC-27001-Lead-Auditor問題集試験解答はここにある:https://jp.fast2test.com/ISO-IEC-27001-Lead-Auditor-premium-file.html