[2023年11月12日]ISO-IEC-27001-Lead-Auditor試験問題集、ISO-IEC-27001-Lead-Auditor練習テスト問題 [Q77-Q98]

Share

[2023年11月12日]ISO-IEC-27001-Lead-Auditor試験問題集、ISO-IEC-27001-Lead-Auditor練習テスト問題

無料で使えるISO-IEC-27001-Lead-Auditor学習ガイド試験問題と解答

質問 # 77
Which of the following is a possible event that can have a disruptive effect on the reliability of information?

  • A. Dependency
  • B. Threat
  • C. Risk
  • D. Vulnerability

正解:B

解説:
A possible event that can have a disruptive effect on the reliability of information is a threat. A threat is anything that has the potential to harm an asset or its protection, such as a natural disaster, a human error, a malicious attack, etc. A threat can exploit a vulnerability or weakness in an asset or its protection and cause an adverse impact on the confidentiality, integrity or availability of information. ISO/IEC 27001:2022 defines threat as "potential cause of an unwanted incident, which can result in harm to a system or organization" (see clause 3.48). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Threat?


質問 # 78
The computer room is protected by a pass reader. Only the System Management department has a pass.
What type of security measure is this?

  • A. a logical security measure
  • B. a repressive security measure
  • C. a corrective security measure
  • D. a physical security measure

正解:D


質問 # 79
You receive the following mail from the IT support team: Dear User,Starting next week, we will be deleting all inactive email accounts in order to create spaceshare the below details in order to continue using your account. In case of no response, Name:
Email ID:
Password:
DOB:
Kindly contact the webmail team for any further support. Thanks for your attention.
Which of the following is the best response?

  • A. Ignore the email
  • B. One should not respond to these mails and report such email to your supervisor
  • C. Respond it by saying that one should not share the password with anyone

正解:B

解説:
The best response to the email from the IT support team asking for personal details is to not respond to the email and report it to your supervisor. The email is likely a phishing attempt, which is a form of social engineering that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. The IT support team should never ask for your password or other personal details via email, as this is a violation of information security policies and best practices. Ignoring the email or responding to it by saying that one should not share the password with anyone are not sufficient responses, as they do not alert the IT support team or your supervisor about the phishing attempt, which could affect other users as well. Reporting the email to your supervisor is a responsible action that could help prevent further damage or compromise of information. ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Phishing?


質問 # 80
What is the purpose of an Information Security policy?

  • A. An information security policy provides insight into threats and the possible consequences
  • B. An information security policy documents the analysis of risks and the search for countermeasures
  • C. An information security policy provides direction and support to the management regarding information security
  • D. An information security policy makes the security plan concrete by providing the necessary details

正解:C


質問 # 81
What is the name of the system that guarantees the coherence of information security in the organization?

  • A. Information Security Management System (ISMS)
  • B. Security regulations for special information for the government
  • C. Information Technology Service Management (ITSM)
  • D. Rootkit

正解:A


質問 # 82
Which is not a requirement of HR prior to hiring?

  • A. Must undergo Awareness training on information security.
  • B. Must successfully pass Background Investigation
  • C. Undergo background verification
  • D. Applicant must complete pre-employment documentation requirements

正解:A

解説:
According to ISO/IEC 27001:2022, clause 7.2.2, the organization shall ensure that all persons who have access to information are aware of the information security policy and their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance2. Therefore, awareness training on information security is a requirement for all persons, not just new hires. Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA


質問 # 83
What is a repressive measure in case of a fire?

  • A. Repairing damage caused by the fire
  • B. Taking out a fire insurance
  • C. Putting out a fire after it has been detected by a fire detector

正解:C


質問 # 84
-------------------------is an asset like other important business assets has value to an organization and consequently needs to be protected.

  • A. Information
  • B. Security
  • C. Data
  • D. Infrastructure

正解:A

解説:
Information is an asset like other important business assets, as it has value to an organization and consequently needs to be protected. Information can be in any form, such as electronic, paper, or verbal. Information security is the protection of information from unauthorized access, use, disclosure, modification, or destruction2. Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA


質問 # 85
What is the relationship between data and information?

  • A. Data is structured information.
  • B. Information is the meaning and value assigned to a collection of data.

正解:B

解説:
The relationship between data and information is that information is the meaning and value assigned to a collection of data. Data is a set of facts, figures, symbols or characters that can be processed by a computer or other means. Data by itself has no inherent meaning or context. Information is data that has been processed, organized, interpreted or presented in a way that makes it useful or meaningful for a specific purpose or audience. Information can be used to convey knowledge, support decision making or communicate messages. ISO/IEC 27001:2022 defines data as "representation of facts, concepts or instructions in a formalized manner suitable for communication, interpretation or processing by humans or by automatic means" (see clause 3.12) and information as "meaningful data" (see clause 3.25). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Data and Information?


質問 # 86
You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT Security Manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.
You review the document and notice a statement "any information security weakness, event, and incident should be reported to the Point of Contact (PoC) within 1 hour after identification". When interviewing staff, you found that there were differences in the understanding of the meaning of "weakness, event, and incident".
You sample incident report records from the event tracking system for the last 6 months with summarized results in the following table.

You would like to further investigate other areas to collect more audit evidence. Select two options that will not be in your audit trail.

  • A. Collect more evidence on how the organization determined no further action was needed after the incident. (Relevant to control A.5.26)
  • B. Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8)
  • C. Collect more evidence on what the service requirements of healthcare monitoring are. (Relevant to clause 4.2)
  • D. Collect more evidence on how the organisation determined the incident recovery time. (Relevant to control A.5.27)
  • E. Collect more evidence on how and when the company pays the ransom fee to unlock the company's mobile phone and data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)
  • F. Collect more evidence on how and when the Human Resources manager pays the ransom fee to unlock personal mobile data, i.e., credit card, and bank transfer. (Relevant to control A.5.26)
  • G. Collect more evidence on the incident recovery procedures. (Relevant to control A.5.26)

正解:C、E

解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.2 requires an organization to determine the needs and expectations of interested parties that are relevant to its ISMS1. This includes identifying the legal, regulatory, contractual and other requirements that apply to its information security activities1. Therefore, collecting more evidence on what the service requirements of healthcare monitoring are may not be relevant to verifying the information security incident management process, as it is not directly related to the audit objective or criteria. This option will not be in the audit trail.


質問 # 87
Below is Purpose of "Integrity", which is one of the Basic Components of Information Security

  • A. the property of safeguarding the accuracy and completeness of assets.
  • B. the property that information is not made available or disclosed to unauthorized individuals
  • C. the property of being accessible and usable upon demand by an authorized entity.
  • D. the property that information is not made available or disclosed to unauthorized individuals

正解:A

解説:
Integrity is one of the basic components of information security, along with confidentiality and availability. Integrity means that information is safeguarded from unauthorized or accidental changes that could affect its accuracy and completeness. Integrity ensures that information is reliable and trustworthy3. Reference: ISO/IEC 27001:2022 Lead Auditor Training Course - BSI


質問 # 88
You work in the office of a large company. You receive a call from a person claiming to be from the Helpdesk. He asks you for your password.
What kind of threat is this?

  • A. Natural threat
  • B. Arason
  • C. Organizational threat
  • D. Social Engineering

正解:D


質問 # 89
During an opening meeting of a Stage 2 audit, the Managing Director of the client organisation invites the audit team to view a new company video lasting 45 minutes. Which two of the following responses should the audit team leader make?

  • A. Suggest that the video could be viewed during a refreshment break
  • B. Invite the Managing Director to the auditors' hotel for a viewing that evening.
  • C. State that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team
  • D. State that the audit team will make a decision on the viewing at a later time
  • E. Advise the Managing Director that the audit team agrees to his request
  • F. Advise the Managing Director that the audit team has to keep to the planned schedule

正解:A、F

解説:
According to ISO 19011:2018, which provides guidelines for auditing management systems, an opening meeting is a formal communication between the audit team and the auditee at the start of an audit1. The purpose of the opening meeting is to confirm the audit objectives, scope and criteria, introduce the audit team and their roles, confirm the audit plan and logistics, explain the audit methods and procedures, and establish the communication channels1. Therefore, if the Managing Director of the client organization invites the audit team to view a new company video lasting 45 minutes during the opening meeting of a Stage 2 audit, the audit team leader should respond in a way that does not compromise the effectiveness and efficiency of the audit or create any misunderstanding or conflict with the auditee. Two possible ways to respond are to advise the Managing Director that the audit team has to keep to the planned schedule, as there may be limited time and resources available for the audit; or to suggest that the video could be viewed during a refreshment break, if it is relevant and useful for the audit and does not interfere with other audit activities1. The other options are not appropriate responses for the audit team leader to make in this situation. For example, stating that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team may imply that the video is not important or relevant for the rest of the audit team; inviting the Managing Director to the auditors' hotel for a viewing that evening may create an impression of bias or favouritism; stating that the audit team will make a decision on the viewing at a later time may be vague or indecisive; and advising the Managing Director that the audit team agrees to his request may result in wasting valuable audit time or losing focus on the audit objectives1. Reference: ISO 19011:2018 - Guidelines for auditing management systems


質問 # 90
Access Control System, CCTV and security guards are form of:

  • A. Environment Security
  • B. Access Control
  • C. Physical Security
  • D. Compliance

正解:C


質問 # 91
The following are definitions of Information, except:

  • A. accurate and timely data
  • B. specific and organized data for a purpose
  • C. mature and measurable data
  • D. can lead to understanding and decrease in uncertainty

正解:C


質問 # 92
Someone from a large tech company calls you on behalf of your company to check the health of your PC, and therefore needs your user-id and password. What type of threat is this?

  • A. Malware threat
  • B. Technical threat
  • C. Social engineering threat
  • D. Organisational threat

正解:C

解説:
The type of threat that occurs when someone from a large tech company calls you on behalf of your company to check the health of your PC, and therefore needs your user-id and password, is a social engineering threat. Social engineering is a technique that manipulates people into revealing confidential or sensitive information, such as passwords, personal data, bank details, etc., by impersonating someone trustworthy or authoritative, such as an IT support staff, a manager, a colleague, etc. Social engineering can be done through various channels, such as phone calls, emails, text messages, etc., and can exploit human emotions, such as curiosity, fear, greed or sympathy. Social engineering is often used by hackers or cybercriminals to gain unauthorized access to information systems or networks, or to perform malicious or fraudulent activities. Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Social Engineering?


質問 # 93
You receive an E-mail from some unknown person claiming to be representative of your bank and asking for your account number and password so that they can fix your account. Such an attempt of social engineering is called

  • A. Mountaineering
  • B. Shoulder Surfing
  • C. Spoofing
  • D. Phishing

正解:D


質問 # 94
You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.
They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.
Which three of the following options represent valid audit trails?

  • A. I will speak to top management to make sure all staff are aware of the importance of reporting threats
  • B. I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
  • C. I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements
  • D. I will ensure that the organisation's risk assessment process begins with effective threat intelligence
  • E. I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team
  • F. I will determine whether internal and external sources of information are used in the production of threat intelligence
  • G. I will review the organisation's threat intelligence process and will ensure that this is fully documented
  • H. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets

正解:F、G、H

解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control 5.7 requires an organization to establish and maintain a threat intelligence process to identify and evaluate information security threats that are relevant to its ISMS scope and objectives1. The organization should use internal and external sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that can be used to support risk assessment and treatment, as well as other information security activities1. Therefore, when auditing the organization's application of control 5.7, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.
Three options that represent valid audit trails for verifying control 5.7 are:
I will review the organisation's threat intelligence process and will ensure that this is fully documented: This option is valid because it can provide evidence of how the organization has established and maintained a threat intelligence process that is consistent with its ISMS scope and objectives. It can also verify that the process is documented according to clause 7.5 of ISO/IEC 27001:20221.
I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets: This option is valid because it can provide evidence of how the organization has used threat intelligence to support its risk assessment and treatment, as well as other information security activities, such as incident response, awareness, or monitoring. It can also verify that the organization has achieved its information security objectives according to clause 6.2 of ISO/IEC 27001:20221.
I will determine whether internal and external sources of information are used in the production of threat intelligence: This option is valid because it can provide evidence of how the organization has used various sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that is relevant and reliable. It can also verify that the organization has complied with the requirement of control 5.7 of ISO/IEC 27001:20221.
The other options are not valid audit trails for verifying control 5.7, as they are not related to the control or its requirements. For example:
I will speak to top management to make sure all staff are aware of the importance of reporting threats: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding information security awareness or communication, but not specifically to control 5.7.
I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also contradict the requirement for auditor independence and objectivity, as recommended by ISO 19011:20182, which provides guidelines for auditing management systems.
I will ensure that the organisation's risk assessment process begins with effective threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also imply a prescriptive approach to risk assessment that is not consistent with ISO/IEC 27005:20183, which provides guidelines for information security risk management.
I will review how information relating to information security threats is collected and evaluated to produce threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also be too vague or broad to be an effective audit trail, as it does not specify what criteria or methods are used for collecting and evaluating information.
I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding management review or performance evaluation, but not specifically to control 5.7.


質問 # 95
In order to take out a fire insurance policy, an administration office must determine the value of the data that it manages.
Which factor is [b]not[/b] important for determining the value of data for an organization?

  • A. The importance of the business processes that make use of the data.
  • B. The content of data.
  • C. The indispensability of data for the business processes.
  • D. The degree to which missing, incomplete or incorrect data can be recovered.

正解:B

解説:
The content of data is not an important factor for determining the value of data for an organization. The content of data refers to the representation or format of data, such as text, numbers, images, audio, video, etc. The content of data can change depending on how it is processed, stored, or presented, but the value of data is derived from its meaning and usefulness for the organization. Therefore, the content of data is not relevant for taking out a fire insurance policy, as it does not reflect the potential loss or damage that the organization would suffer if the data was destroyed by fire. The other factors, such as the degree of recoverability, the indispensability, and the importance of data for the business processes, are important for determining the value of data for an organization. These factors indicate how critical the data is for the organization's operations, performance, and competitiveness, and how difficult or costly it would be to restore or replace the data in case of a fire. Therefore, the correct answer is A. Reference: Putting a value on data - PwC UK, page 3; What is Data Value? How to Define the Value of Your Data.


質問 # 96
How is the purpose of information security policy best described?

  • A. An information security policy provides direction and support to the management regarding information security.
  • B. An information security policy provides insight into threats and the possible consequences.
  • C. An information security policy makes the security plan concrete by providing it with the necessary details.
  • D. An information security policy documents the analysis of risks and the search for countermeasures.

正解:A

解説:
The purpose of information security policy is best described as providing direction and support to the management regarding information security. An information security policy is a high-level document that defines the organization's vision, objectives, principles and responsibilities for information security. It also sets the scope and context of the information security management system and aligns it with the organization's strategy and culture. An information security policy does not document the analysis of risks or the search for countermeasures, nor does it make the security plan concrete or provide insight into threats and consequences. These are tasks for other documents or processes within the information security management system. ISO/IEC 27001:2022 defines information security policy as "policy that provides direction and support for information security in accordance with business requirements and relevant laws and regulations" (see clause 3.29). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Information Security Policy?


質問 # 97
Who is authorized to change the classification of a document?

  • A. The administrator of the document
  • B. The owner of the document
  • C. The manager of the owner of the document
  • D. The author of the document

正解:B


質問 # 98
......

ISO-IEC-27001-Lead-Auditor試験問題集、ISO-IEC-27001-Lead-Auditor練習テスト問題:https://www.goshiken.com/PECB/ISO-IEC-27001-Lead-Auditor-mondaishu.html

検証済みISO-IEC-27001-Lead-Auditor問題集PDF資料 [2023年更新]:https://drive.google.com/open?id=1jlCfzQOrUee5ezPnHm33mJ-tCJScenWh