問題集を購入するなら最新の2024年12月14日 ISO-IEC-27001-Lead-Implementer試験問題と解答PDFで一年間無料更新 [Q70-Q87]

問題集を購入するなら最新の2024年12月14日 ISO-IEC-27001-Lead-Implementer試験問題と解答PDFで一年間無料更新

時間限定無料ダウンロード！最新のISO-IEC-27001-Lead-Implementer問題集で2024年最新のISO-IEC-27001-Lead-Implementer試験問題

質問 # 70
According to scenario 9, TroNlcon SPEC aimed to eliminate the causes of adverse events By focusing on:

• A. Preventing information security incidents rather than correcting them
• B. Detecting information security incidents rather than correcting them
• C. Correcting information security Incidents rather than preventing them

正解：A

質問 # 71
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on scenario 5. after migrating to cloud. Operaze's IT team changed the ISMS scope and implemented all the required modifications Is this acceptable?

• A. No, because any change in ISMS scope should be accepted by the management
• B. No, because the company has already defined the ISMS scope
• C. Yes, because the ISMS scope should be changed when there are changes to the external environment

正解：A

解説：
Explanation
According to ISO/IEC 27001:2022, clause 4.3, the organization shall determine the scope of the ISMS by considering the internal and external issues, the requirements of interested parties, and the interfaces and dependencies with other organizations. The scope shall be available as documented information and shall state what is included and what is excluded from the ISMS. The scope shall be reviewed and updated as necessary, and any changes shall be approved by the top management. Therefore, it is not acceptable for the IT team to change the ISMS scope and implement the required modifications without the approval of the management.
References: ISO/IEC 27001:2022, clause 4.3; PECB ISO/IEC 27001 Lead Implementer Course, Module 4, slide 10.

質問 # 72
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on the scenario above, answer the following question:
What caused SunDee's workforce disruption?

• A. The inconsistency of reports written by different employees
• B. The negligence of performance evaluation and monitoring and measurement procedures
• C. The voluminous written reports

正解：B

解説：
Explanation
According to ISO/IEC 27001:2013, clause 9.1, an organization must monitor, measure, analyze and evaluate its information security performance and effectiveness. This includes determining what needs to be monitored and measured, the methods for doing so, when and by whom the monitoring and measurement shall be performed, when the results shall be analyzed and evaluated, and who shall be responsible for ensuring that the actions arising from the analysis and evaluation are taken 1.
SunDee failed to comply with this requirement and did not monitor or measure the performance and effectiveness of its ISMS for the past two years. As a result, the company did not have any objective evidence or indicators to demonstrate the achievement of its information security objectives, the effectiveness of its controls, the satisfaction of its interested parties, or the identification and treatment of its risks. This also meant that the company did not conduct regular management reviews of its ISMS, as required by clause 9.3, which would provide an opportunity for the top management to ensure the continuing suitability, adequacy and effectiveness of the ISMS, and to decide on any changes or improvements needed 1.
Just before the recertification audit, the company decided to conduct an internal audit, as required by clause
9.2, which is a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled 1. However, the company did not have a well-defined audit program, scope, criteria, or methodology, and relied on the written reports of its staff for the past two years. This caused a disruption in the workforce, as most of the staff had to compile their reports for their departments, leaving the Production Department with less than the optimum workforce, which decreased the company's stock. Moreover, the internal audit process was very inconsistent, as the reports were written by different employees with different styles, formats, and levels of detail. The internal audit process also lacked any qualitative measures, such as performance indicators, metrics, or benchmarks, to evaluate the performance and effectiveness of the ISMS.
Therefore, the cause of SunDee's workforce disruption was the negligence of performance evaluation and monitoring and measurement procedures, which led to a lack of objective evidence, a poorly planned and executed internal audit, and a decrease in the company's productivity and stock value.
References: 1: ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements

質問 # 73
The IT Department of a financial institution decided to implement preventive controls to avoid potential security breaches. Therefore, they separated the development, testing, and operating equipment, secured their offices, and used cryptographic keys. However, they are seeking further measures to enhance their security and minimize the risk of security breaches. Which of the following controls would help the IT Department achieve this objective?

• A. Alarms to detect risks related to heat, smoke, fire, or water
• B. An access control software to restrict access to sensitive files
• C. Change all passwords of all systems

正解：B

解説：
An access control software is a type of preventive control that is designed to limit the access to sensitive files and information based on the user's identity, role, or authorization level. An access control software helps to protect the confidentiality, integrity, and availability of the information by preventing unauthorized users from viewing, modifying, or deleting it. An access control software also helps to create an audit trail that records who accessed what information and when, which can be useful for accountability and compliance purposes.
The IT Department of a financial institution decided to implement preventive controls to avoid potential security breaches. Therefore, they separated the development, testing, and operating equipment, secured their offices, and used cryptographic keys. However, they are seeking further measures to enhance their security and minimize the risk of security breaches. An access control software would help the IT Department achieve this objective by adding another layer of protection to their sensitive files and information, and ensuring that only authorized personnel can access them.
Reference:
ISO/IEC 27001:2022 Lead Implementer Course Guide1
ISO/IEC 27001:2022 Lead Implementer Info Kit2
ISO/IEC 27001:2022 Information Security Management Systems - Requirements3 ISO/IEC 27002:2022 Code of Practice for Information Security Controls4 What are Information Security Controls? - SecurityScorecard4 What Are the Types of Information Security Controls? - RiskOptics2 Integrity is the property of safeguarding the accuracy and completeness of information and processing methods. A breach of integrity occurs when information is modified or destroyed in an unauthorized or unintended manner. In this case, Diana accidently modified the order details of a customer without their permission, which resulted in the customer receiving an incorrect product. This means that the information about the customer's order was not accurate or complete, and therefore, the integrity principle was breached. Availability and confidentiality are two other information security principles, but they were not violated in this case. Availability is the property of being accessible and usable upon demand by an authorized entity, and confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems.

質問 # 74
Which statement is an example of risk retention?

• A. An organization has implemented a data loss protection software
• B. An organization terminates work in the construction site during a severe storm
• C. An organization has decided to release the software even though some minor bugs have not been fixed yet

正解：C

解説：
According to ISO/IEC 27001 : 2022 Lead Implementer, risk retention is one of the four risk treatment options that an organization can choose to deal with unacceptable risks. Risk retention means that the organization accepts the risk without taking any action to reduce its likelihood or impact. It applies to risks that are either too costly or impractical to address, or that have a low probability or impact. Therefore, an example of risk retention is when an organization decides to release the software even though some minor bugs have not been fixed yet. This implies that the organization has assessed the risk of releasing the software with bugs and has determined that it is acceptable, either because the bugs are not critical or because the cost of fixing them would outweigh the benefits.
References:
* ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, section 8.3.2 Risk treatment
* ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 14, Risk management process
* 3, ISO 27001: Top risk treatment options and controls explained

質問 # 75
An organization has implemented a control that enables the company to manage storage media through their life cycle of use. acquisition, transportation and disposal. Which control category does this control belong to?

• A. Physical
• B. Organizational
• C. Technological

正解：C

質問 # 76
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information. Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
According to scenario 2. Beauty has reviewed all user access rights. What type of control is this?

• A. Detective and administrative
• B. Corrective and managerial
• C. Legal and technical

正解：A

解説：
Preventive controls: These are controls that aim to prevent or deter the occurrence of a security incident or reduce its likelihood. Examples of preventive controls are encryption, firewalls, locks, policies, etc.
Detective controls: These are controls that aim to detect or discover the occurrence of a security incident or its symptoms. Examples of detective controls are logs, alarms, audits, etc.
Corrective controls: These are controls that aim to correct or restore the normal state of an asset or a process after a security incident or mitigate its impact. Examples of corrective controls are backups, recovery plans, incident response teams, etc.
Administrative controls: These are controls that involve the management and governance of information security, such as policies, procedures, roles, responsibilities, awareness, training, etc.
Technical controls: These are controls that involve the use of technology or software to implement information security, such as encryption, firewalls, anti-malware, authentication, etc.
Physical controls: These are controls that involve the protection of physical assets or locations from unauthorized access, damage, or theft, such as locks, fences, cameras, guards, etc.
Legal controls: These are controls that involve the compliance with laws, regulations, contracts, or agreements related to information security, such as privacy laws, data protection laws, confidentiality agreements, etc.
In scenario 2, the action of Beauty reviewing all user access rights is best described as a "Preventive and Administrative" control.
Preventive Control: The review of user access rights is a preventive measure. It is designed to prevent unauthorized access to sensitive information by ensuring that only authorized personnel have access to specific files. By controlling access rights, the organization aims to prevent potential security breaches and protect sensitive data.
Administrative Control: This action also falls under administrative controls, sometimes referred to as managerial controls. These controls involve policies, procedures, and practices related to the management of the organization and its employees. In this case, the review of access rights is a part of the company's administrative procedures to manage the security of information systems.
Reference:
ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements

質問 # 77
Peter works at the company Midwest Insurance. His manager, Linda, asks him to send the terms and conditions for a life insurance policy to Rachel, a client. Who determines the value of the information in the insurance terms and conditions document?

• A. The recipient, Rachel
• B. The manager, Linda
• C. The sender, Peter
• D. The person who drafted the insurance terms and conditions

正解：A

質問 # 78
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Based on scenario 4, what type of assets were identified during risk assessment?

• A. Supporting assets
• B. Primary assets
• C. Business assets

正解：A

解説：
According to ISO/IEC 27005:2021, there are three types of assets in information security risk management:
primary assets, supporting assets, and business assets. Primary assets are the information and business processes that support the organization's objectives and operations. Supporting assets are the resources that enable the primary assets to function, such as hardware, software, networks, people, facilities, etc. Business assets are the outcomes or benefits that the organization expects from the primary assets, such as reputation, market share, customer satisfaction, etc. (Must be taken from ISO/IEC 27001 : 2022 Lead Implementer resources) In scenario 4, the assets that were identified during risk assessment are hardware, software, and networks, which are examples of supporting assets. These assets are necessary for the information and business processes of TradeB to operate, but they are not the main focus of the risk assessment. The risk assessment should also consider the primary assets and the business assets, as well as the threats and vulnerabilities that affect them, and the potential impacts and likelihood of information security incidents.
References: ISO/IEC 27001 : 2022 Lead Implementer Study guide and documents, specifically:
* ISO/IEC 27001:2022, clause 6.1.2 Information security risk assessment
* ISO/IEC 27005:2021, clause 5.2 Asset identification and valuation
* PECB ISO/IEC 27001 Lead Implementer Course, Module 6: Risk Management

質問 # 79
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on the scenario above, answer the following question:
What led Operaze to implement the ISMS?

• A. Identification of assets
• B. Identification of threats
• C. Identification of vulnerabilities

正解：C

質問 # 80
Prior to employment, _________ as well as terms & conditions of employment are included as controls in ISO
27002 to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

• A. screening
• B. authorizing
• C. controlling
• D. flexing

正解：A

質問 # 81
Which tool is used to identify, analyze, and manage interested parties?

• A. The probability/impact matrix
• B. The power/interest matrix
• C. The likelihood/severity matrix

正解：B

解説：
The power/interest matrix is a tool that can be used to identify, analyze, and manage interested parties according to ISO/IEC 27001:2022. The power/interest matrix is a two-dimensional diagram that plots the level of power and interest of each interested party in relation to the organization's information security objectives.
The power/interest matrix can help the organization to prioritize the interested parties, understand their expectations and needs, and develop appropriate communication and engagement strategies. The power/interest matrix can also help the organization to identify potential risks and opportunities related to the interested parties.
References: ISO/IEC 27001:2022, clause 4.2; PECB ISO/IEC 27001 Lead Implementer Course, Module 4, slide 12.

質問 # 82
You are the owner of a growing company, SpeeDelivery, which provides courier services. You decide that it is time to draw up a risk analysis for your information system. This includes an inventoryof threats and risks.
What is the relation between a threat, risk and risk analysis?

• A. A risk analysis is used to clarify which threats are relevant and what risks they involve.
• B. A riskanalysis is used to remove the risk of a threat.
• C. A risk analysis identifies threats from the known risks.
• D. Risk analyses help to find a balance between threats and risks.

正解：A

質問 # 83
An organization has implemented a control that enables the company to manage storage media through their life cycle of use. acquisition, transportation and disposal. Which control category does this control belong to?

• A. Physical
• B. Organizational
• C. Technological

正解：A

解説：
According to ISO/IEC 27001:2022, the control that enables the organization to manage storage media through their life cycle of use, acquisition, transportation and disposal belongs to the category of physical and environmental security. This category covers the controls that prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. The specific control objective for this control is A.11.2.7 Secure disposal or reuse of equipment1, which states that "equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or reuse."2 Reference:
ISO/IEC 27001:2022, Annex A
ISO/IEC 27002:2022, clause 11.2.7

質問 # 84
An organization that has an ISMS in place conducts management reviews at planned intervals, but does not retain documented information on the results. Is this in accordance with the requirements of ISO/IEC 27001?

• A. Yes. ISO/IEC 27001 does not require organizations to document the results of management reviews
• B. No, ISO/IEC 27001 requires organizations to document the results of management reviews
• C. Yes. ISO/IEC 27001 requires organizations to document the results of management reviews only if they are conducted ad hoc

正解：B

解説：
According to ISO/IEC 27001:2022, clause 9.3.3, the organization must retain documented information as evidence of the results of management reviews. The results of management reviews must include decisions and actions related to the ISMS policy, objectives, risks, opportunities, resources, and communication.
Documenting the results of management reviews is important to ensure the accountability, traceability, and effectiveness of the ISMS. It also helps the organization to monitor and measure the performance and improvement of the ISMS, and to demonstrate compliance with the requirements of ISO/IEC 27001:2022.
Therefore, an organization that has an ISMS in place and conducts management reviews at planned intervals, but does not retain documented information on the results, is not in accordance with the requirements of ISO/IEC 27001. (From the PECB ISO/IEC 27001 Lead Implementer Course Manual, page 107) References:
* PECB ISO/IEC 27001 Lead Implementer Course Manual, page 107
* PECB ISO/IEC 27001 Lead Implementer Info Kit, page 7
* ISO/IEC 27001:2022 (en), Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clause 9.3.3 1

質問 # 85
Based on scenario 6. when should Colin deliver the next training and awareness session?

• A. After he conducts a competence needs analysis and records the competence related issues
• B. After he ensures that the group of employees targeted have satisfied the organization's needs
• C. After he determines the employees' availability and motivation

正解：A

質問 # 86
Which of the following is NOT part of the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected?

• A. Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
• B. Communicate the details of the nonconformity to every employee of the organization and suspend the employee that caused the nonconformity
• C. React to the nonconformity, take action to control and correct it. and deal with its consequences

正解：B

解説：
According to the ISO/IEC 27001 : 2022 Lead Implementer course, the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected are as follows1:
* React to the nonconformity, take action to control and correct it, and deal with its consequences
* Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
* Implement any action needed
* Review the effectiveness of the corrective action
* Make changes to the information security management system (ISMS) if necessary Therefore, communicating the details of the nonconformity to every employee of the organization and suspending the employee that caused the nonconformity is not part of the steps required by ISO/IEC
27001. This option is not only unnecessary, but also potentially harmful, as it could violate the principles of confidentiality, integrity, and availability of information, as well as the human rights and dignity of the employee involved2. Instead, the organization should follow the established procedures for reporting, recording, and analyzing nonconformities, and ensure that the corrective actions are appropriate, proportional, and fair3.
References: 1: PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 9 2: PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 10 3: PECB, ISO/IEC 27001 Lead Implementer Course, Module 10: Nonconformity and Corrective Action, slide 11

質問 # 87
......

検証済みのISO-IEC-27001-Lead-Implementer問題集と解答で一年間無料最速更新：https://www.goshiken.com/PECB/ISO-IEC-27001-Lead-Implementer-mondaishu.html

最新のPECB ISO-IEC-27001-Lead-Implementer認定の練習テスト問題：https://drive.google.com/open?id=1oa6VSupVW15ZbeFpm6ZQ8IywhoQcjMmY