[2024年05月08日]ISO-IEC-27001-Lead-Implementer試験問題集でPECB練習テスト問題 [Q41-Q63]

Share

[2024年05月08日]ISO-IEC-27001-Lead-Implementer試験問題集でPECB練習テスト問題

最新でリアルなISO-IEC-27001-Lead-Implementer試験問題集解答


PECB ISO-IEC-27001-LEAD-IMPLEMENTER認定試験は、ITマネージャー、セキュリティコンサルタント、リスク評価者、コンプライアンス担当者など、組織の情報セキュリティの管理を担当する専門家に最適です。認定試験は、ISO/IEC 27001標準を完全に理解し、専門家が標準の要件を満たす情報セキュリティ管理システムを作成、実装、および管理できるようにします。


PECB ISO-IEC-27001-Lead-Implementer試験は、ISO/IEC 27001標準に基づく情報セキュリティ管理システム(ISMS)を実装および管理するために必要な知識とスキルを提供するように設計された認定プログラムです。この認定資格は、様々な分野での専門的な開発と認定を促進および支援する国際的に認知された機関であるProfessional Evaluation and Certification Board(PECB)によって授与されます。

 

質問 # 41
Why is compliance important forthe reliability of the information?

  • A. When an organization employs a standard such as the ISO/IEC 27002 and uses it everywhere, it is compliant and thereforeit guarantees the reliability of its information.
  • B. Compliance is another word for reliability. So, if a company indicates that it is compliant, it means that the information is managed properly.
  • C. By meeting the legislative requirements and theregulations of both the government and internal management, an organization shows that it manages its information in a sound manner.
  • D. When an organization is compliant, it meets the requirements of privacy legislation and, in doing so, protects the reliability of its information.

正解:C


質問 # 42
Based on scenario 9. is the action plan for the identified nonconformities sufficient to eliminate the detected nonconformities?

  • A. No, because the action plan does not include a timeframe for implementation
  • B. Yes, because a separate action plan has been created for the identified nonconformity
  • C. No, because the action plan does not address the root cause of the identified nonconformity

正解:A


質問 # 43
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off-site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body According to scenario 10, NetworkFuse requested from the certification body to review all the documentation only on-site. Is this acceptable?

  • A. No, the certification body decides whether the documentation review takes place on-site or off-site
  • B. Yes, only if a confidentiality agreement is formerly signed by the audit team
  • C. Yes, the auditee may request that the review of the documentation takes place on-site

正解:A

解説:
According to the ISO/IEC 27001:2022 standard, the certification body is responsible for planning and conducting the audit, including the review of the documented information. The certification body may decide to review the documentation on-site or off-site, depending on the audit objectives, scope, criteria, and risks.
The auditee may not impose any restrictions on the access to the documentation, unless there are valid reasons for confidentiality or security. However, such restrictions should be agreed upon before the audit and should not compromise the effectiveness and impartiality of the audit.
References:
* ISO/IEC 27001:2022, clause 9.2.2
* ISO/IEC 27006:2021, clause 7.1.4


質問 # 44
The IT Department of a financial institution decided to implement preventive controls to avoid potential security breaches. Therefore, they separated the development, testing, and operating equipment, secured their offices, and used cryptographic keys. However, they are seeking further measures to enhance their security and minimize the risk of security breaches. Which of the following controls would help the IT Department achieve this objective?

  • A. An access control software to restrict access to sensitive files
  • B. Alarms to detect risks related to heat, smoke, fire, or water
  • C. Change all passwords of all systems

正解:A

解説:
An access control software is a type of preventive control that is designed to limit the access to sensitive files and information based on the user's identity, role, or authorization level. An access control software helps to protect the confidentiality, integrity, and availability of the information by preventing unauthorized users from viewing, modifying, or deleting it. An access control software also helps to create an audit trail that records who accessed what information and when, which can be useful for accountability and compliance purposes.
The IT Department of a financial institution decided to implement preventive controls to avoid potential security breaches. Therefore, they separated the development, testing, and operating equipment, secured their offices, and used cryptographic keys. However, they are seeking further measures to enhance their security and minimize the risk of security breaches. An access control software would help the IT Department achieve this objective by adding another layer of protection to their sensitive files and information, and ensuring that only authorized personnel can access them.
References:
* ISO/IEC 27001:2022 Lead Implementer Course Guide1
* ISO/IEC 27001:2022 Lead Implementer Info Kit2
* ISO/IEC 27001:2022 Information Security Management Systems - Requirements3
* ISO/IEC 27002:2022 Code of Practice for Information Security Controls4
* What are Information Security Controls? - SecurityScorecard4
* What Are the Types of Information Security Controls? - RiskOptics2
* Integrity is the property of safeguarding the accuracy and completeness of information and processing methods. A breach of integrity occurs when information is modified or destroyed in an unauthorized or unintended manner. In this case, Diana accidently modified the order details of a customer without their permission, which resulted in the customer receiving an incorrect product. This means that the information about the customer's order was not accurate or complete, and therefore, the integrity principle was breached. Availability and confidentiality are two other information security principles, but they were not violated in this case. Availability is the property of being accessible and usable upon demand by an authorized entity, and confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems.
* References: ISO/IEC 27001:2022 Lead Implementer Course Content, Module 5: Introduction to Information Security Controls based on ISO/IEC 27001:20221; ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, Clause 3.7: Integrity2


質問 # 45
Based on scenario 9, OpenTech has taken all the actions needed, except____________.

  • A. Permanent corrections
  • B. Preventive actions
  • C. Corrective actions

正解:A


質問 # 46
Based on scenario 4, what type of assets were identified during risk assessment?

  • A. Business assets
  • B. Primary assets
  • C. Supporting assets

正解:C


質問 # 47
Which of the situations below can negatively affect the internal audit process?

  • A. Reporting the internal audit results to the top management
  • B. Conducting internal audit interviews with all employees of the organization
  • C. Restricting the internal auditor's access to offices and documentation

正解:C


質問 # 48
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted What should TradeB do in order to deal with residual risks? Refer to scenario 4.

  • A. TradeB should accept the residual risks only above the acceptance level
  • B. TradeB should evaluate, calculate, and document the value of risk reduction following risk treatment
  • C. TradeB should immediately implement new controls to treat all residual risks

正解:B

解説:
Explanation
According to ISO/IEC 27001 : 2022 Lead Implementer, residual risk is the risk remaining after risk treatment.
Residual risk should be compared with the acceptable level of risk, which is the level of risk that the organization is willing to tolerate. If the residual risk is below the acceptable level of risk, then the risk can be accepted. If the residual risk is above the acceptable level of risk, then additional risk treatment options should be considered. Therefore, TradeB should evaluate, calculate, and document the value of risk reduction following risk treatment, which is the difference between the initial risk and the residual risk. This will help TradeB to determine whether the risk treatment was effective and whether the residual risk is acceptable or not.
References:
ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, section 8.3.2 Risk treatment ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 14, Risk management process


質問 # 49
The IT Department of a financial institution decided to implement preventive controls to avoid potential security breaches. Therefore, they separated the development, testing, and operating equipment, secured their offices, and used cryptographic keys. However, they are seeking further measures to enhance their security and ^minimize the risk of security breaches. Which of the following controls would help the IT Department achieve this objective?

  • A. An access control software to restrict access to sensitive files
  • B. Alarms to detect risks related to heat, smoke, fire, or water
  • C. Change all passwords of all systems

正解:A


質問 # 50
An organization has implemented a control that enables the company to manage storage media through their life cycle of use. acquisition, transportation and disposal. Which control category does this control belong to?

  • A. Physical
  • B. Organizational
  • C. Technological

正解:A

解説:
According to ISO/IEC 27001:2022, the control that enables the organization to manage storage media through their life cycle of use, acquisition, transportation and disposal belongs to the category of physical and environmental security. This category covers the controls that prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. The specific control objective for this control is A.11.2.7 Secure disposal or reuse of equipment1, which states that "equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or reuse."2 References:
* ISO/IEC 27001:2022, Annex A
* ISO/IEC 27002:2022, clause 11.2.7


質問 # 51
An organization documented each security control that it Implemented by describing their functions in detail.
Is this compliant with ISO/IEC 27001?

  • A. No, because the documented information should have a strict format, including the date, version number and author identification
  • B. No, the standard requires to document only the operation of processes and controls, so no description of each security control is needed
  • C. Yes, but documenting each security control and not the process in general will make it difficult to review the documented information

正解:C

解説:
According to ISO/IEC 27001:2022, clause 7.5, an organization is required to maintain documented information to support the operation of its processes and to have confidence that the processes are being carried out as planned. This includes documenting the information security policy, the scope of the ISMS, the risk assessment and treatment methodology, the statement of applicability, the risk treatment plan, the information security objectives, and the results of monitoring, measurement, analysis, evaluation, internal audit, and management review. However, the standard does not specify the level of detail or the format of the documented information, as long as it is suitable for the organization's needs and context. Therefore, documenting each security control that is implemented by describing their functions in detail is not a violation of the standard, but it may not be the most efficient or effective way to document the ISMS. Documenting each security control separately may make it harder to review, update, and communicate the documented information, and may also create unnecessary duplication or inconsistency. A better approach would be to document the processes and activities that involve the use of security controls, and to reference the relevant controls from Annex A or other sources. This way, the documented information would be more aligned with the process approach and the Plan-Do-Check-Act cycle that the standard promotes.
References:
* ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clauses 4.3, 5.2, 6.1, 6.2, 7.5, 8.2, 8.3, 9.1, 9.2, 9.3, and Annex A
* ISO/IEC 27001:2022 Lead Implementer objectives and content, 4 and 5


質問 # 52
What supports the continual improvement of an ISMS?

  • A. The update of documented information
  • B. The update of action plans
  • C. The update of eternal audit reports

正解:A

解説:
According to the ISO/IEC 27001:2022 standard, the organization should establish, implement and maintain a process to manage changes that affect the information security management system (ISMS) and to continually improve the suitability, adequacyand effectiveness of the ISMS (section 8.1.3 and 10.2). The standard also states that the organization should update the documented information of the ISMS as necessary to reflect the changes and the results of the improvement process (section 8.1.3.2 and 10.2.2). Therefore, the update of documented information supports the continual improvement of the ISMS by ensuring that the ISMS is aligned with the current and future needs and expectations of the organization and its interested parties.
References:
* ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements1
* ISO/IEC 27001 Lead Implementer Info Kit
* Continual Improvement For ISO 27001 Requirement 10.22


質問 # 53
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on scenario 8. did the nonconformity report include all the necessary aspects?

  • A. No, the report must also specify the root cause of the nonconformity
  • B. Yes, the report included all the necessary aspects
  • C. No, the report must also specify the audit criteria

正解:A

解説:
According to ISO/IEC 27001:2022, a nonconformity report is a document that records the details of any deviation from the audit criteria that is identified during an audit2. The audit criteria are the set of policies, procedures, requirements, or specifications that are used as a reference against which audit evidence is compared3. Therefore, a nonconformity report must include the following aspects:
* The description of the nonconformity, which should clearly state what the deviation is, where it occurred, and when it was detected
* The audit findings, which should provide the objective evidence that supports the identification of the nonconformity
* The audit criteria, which should specify the reference document or standard that the nonconformity deviates from
* The recommendations, which should suggest the possible corrective actions or improvements that can be taken to address the nonconformity In scenario 8, Tessa's nonconformity report included the description of the nonconformity, the audit findings, and the recommendations, but it did not specify the audit criteria. Therefore, the report did not include all the necessary aspects and was incomplete.
References:
* 1: ISO/IEC 27001:2022, Clause 9.2.3
* 2: ISO/IEC 27001:2022, Clause 3.23
* 3: ISO/IEC 27001:2022, Clause 3.5
* : ISO/IEC 27001:2022, Annex A.9.2.3


質問 # 54
Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products and services. It uses MongoDB. a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately. Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize alllogs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Based on scenario 3. which information security control of Annex A of ISO/IEC 27001 did Socket Inc.
implement by establishing a new system to maintain, collect, and analyze information related to information security threats?

  • A. Annex A 5 7 Threat Intelligence
  • B. Annex A 5.5 Contact with authorities
  • C. Annex A 5.13 Labeling of information

正解:A

解説:
Annex A 5.7 Threat Intelligence is a new control in ISO 27001:2022 that aims to provide the organisation with relevant information regarding the threats and vulnerabilities of its information systems and the potential impacts of information security incidents. By establishing a new system to maintain, collect, and analyze information related to information security threats, Socket Inc. implemented this control and improved its ability to prevent, detect, and respond to information security incidents.
References:
* ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, Annex A 5.7 Threat Intelligence
* ISO/IEC 27002:2022 Information technology - Security techniques - Information security, cybersecurity and privacy protection controls, Clause 5.7 Threat Intelligence
* PECB ISO/IEC 27001:2022 Lead Implementer Course, Module 6: Implementation of Information Security Controls Based on ISO/IEC 27002:2022, Slide 18: A.5.7 Threat Intelligence


質問 # 55
Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming consoles, flat-screen TVs. computers, and printers. In order to ensure information security, the company has decided to implement an information security management system (ISMS) based on the requirements of ISO/IEC 27001.
Colin, the company's best information security expert, decided to hold a training and awareness session for the personnel of the company regarding the information security challenges and other information security-related controls. The session included topics such as Skyver's information security approaches and techniques for mitigating phishing and malware.
One of the participants in the session is Lisa, who works in the HR Department. Although Colin explains the existing Skyver's information security policies and procedures in an honest and fair manner, she finds some of the issues being discussed too technical and does not fully understand the session. Therefore, in a lot of cases, she requests additional help from the trainer and her colleagues Based on the last paragraph of scenario 6, which principles of an effective communication strategy did Colin NOT follow?

  • A. Credibility and responsiveness
  • B. Appropriateness and clarity
  • C. Transparency and credibility

正解:B

解説:
Explanation
According to ISO/IEC 27001 : 2022 Lead Implementer, an effective communication strategy should follow some principles, such as transparency, credibility, appropriateness, clarity, responsiveness, and consistency.
These principles help to ensure that the communication is relevant, accurate, understandable, timely, and coherent. Based on the last paragraph of scenario 6, it seems that Colin did not follow the principles of appropriateness and clarity. Appropriateness means that the communication should be tailored to the needs, expectations, and level of understanding of the audience. Clarity means that the communication should be simple, concise, and precise, avoiding ambiguity and jargon. However, Colin explained the information security issues in a too technical manner, which made Lisa confused and unable to comprehend the session.
Therefore, Colin should have adapted his communication style and content to suit the HR personnel, who may not have the same technical background as him.
References:
ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, section 7.4 Communication ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 12, Information security communication
1, ISO 27001 Communication Plan - How to create a good one
2, ISO 27001 Clause 7.4 - Ultimate Certification Guide


質問 # 56
You are the owner of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks. What is this risk strategy called?

  • A. Risk passing
  • B. Risk avoiding
  • C. Risk neutral
  • D. Risk bearing

正解:C


質問 # 57
An organization that has an ISMS in place conducts management reviews at planned intervals, but does not retain documented information on the results. Is this in accordance with the requirements of ISO/IEC 27001?

  • A. Yes. ISO/IEC 27001 requires organizations to document the results of management reviews only if they are conducted ad hoc
  • B. No, ISO/IEC 27001 requires organizations to document the results of management reviews
  • C. Yes. ISO/IEC 27001 does not require organizations to document the results of management reviews

正解:B


質問 # 58
In the context ofcontact with special interest groups, any information-sharing agreements should identify requirements for the protection of _________ information.

  • A. Confidential
  • B. Availability
  • C. Authentic
  • D. Authorization

正解:A


質問 # 59
What should TradeB do in order to deal with residual risks? Refer to scenario 4.

  • A. TradeB should accept the residual risks only above the acceptance level
  • B. TradeB should evaluate, calculate, and document the value of risk reduction following risk treatment
  • C. TradeB should immediately implement new controls to treat all residual risks

正解:B


質問 # 60
Which security controls must be implemented to comply with ISO/IEC 27001?

  • A. Those listed in Annex A of ISO/IEC 27001, without any exception
  • B. Those designed by the organization only
  • C. Those included in the risk treatment plan

正解:C


質問 # 61
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off-site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body Based on the scenario above, answer the following question:
Does NetworkFuse fulfill the prerequisites for a certification audit?

  • A. Yes, because the certification body has been selected
  • B. Yes, because the ISMS must be operational for at least one year prior to the certification audit
  • C. Yes, because internal audits and management reviews have been performed

正解:C

解説:
According to ISO/IEC 27006:2015, the prerequisites for a certification audit are:
* The ISMS must be operational for a period of time that is sufficient to demonstrate its effectiveness and performance.
* The organization must have conducted at least one internal audit and one management review of the ISMS prior to the certification audit.
* The organization must provide the certification body with access to all the relevant documented information, records, personnel, and facilities related to the ISMS.
In the scenario, NetworkFuse has fulfilled these prerequisites, as it has had an operational ISMS for approximately two years, and it has performed internal audits and management reviews. Therefore, the correct answer is B.
References: ISO/IEC 27006:2015, clauses 9.1.1, 9.1.2, and 9.2.1.


質問 # 62
Responsibilities for information security in projects should be defined and allocated to:

  • A. specified roles defined in the used project management method of the organization
  • B. the owner of the involved asset
  • C. the project manager
  • D. the InfoSec officer

正解:A


質問 # 63
......


今日のデジタル時代では、データ侵害とサイバー攻撃がますます一般的になりつつあり、組織が堅牢な情報セキュリティ管理システム(ISM)を実装することが不可欠です。 PECB ISO-IEC-27001-Lead-Plementer認定試験は、ISO/IEC 27001標準に基づいてISMを実装するために必要な知識とスキルを専門家に提供するように設計されています。

 

ISO-IEC-27001-Lead-Implementer認証試験問題集解答を提供しています:https://drive.google.com/open?id=1g_mzy6_vk9Gbx84I2_mc1_bVxmoLtOI_

あなたを簡単に合格させるISO-IEC-27001-Lead-Implementer試験正確なPDF問題:https://jp.fast2test.com/ISO-IEC-27001-Lead-Implementer-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어